8:15 a.m.
Hi,
I am trying to secure my REST services using the method described in the
document --
http://blog.keycloak.org/2015/10/getting-started-with-keycloak-securing.html
I am securing my war using JBoss subsystem , instead of per-war option. The
relevant sections from my standalone.xml are posted below.
<extensions>
......
<extension module="org.keycloak.keycloak-adapter-subsystem"/>
</extensions>
<security-domains>
.....
<security-domain name="keycloak">
<authentication>
<login-module
code="org.keycloak.adapters.jboss.KeycloakLoginModule"
flag="required"/>
</authentication>
</security-domain>
</security-domains>
<subsystem xmlns="urn:jboss:domain:keycloak:1.1">
<secure-deployment name="my war file.war">
<realm>bkofc</realm>
<resource>bkofc-svc</resource>
<use-resource-role-mappings>true</use-resource-role-mappings>
<bearer-only>true</bearer-only>
<auth-server-url>http://192.168.99.100/30001/auth
</auth-server-url>
<ssl-required>none</ssl-required>
<credential
name="secret">9bcc6d9f-9c72-4b58-b297-79f0f207d9e1</credential>
</secure-deployment>
</subsystem>
I am able to obtain the access token.
curl -i curl --data
"grant_type=password&client_id=bkofc-web&username=user&password=password"
http://192.168.99.100:30001/auth/realms/bkofc/protocol/openid-connect/token
Note:- I have created 2 clients -- i) bkofc-svc which is bearer only, for
my REST services ii) bkofc-web , a public client to simulate UI login
However when I try to use the access token to invoke a service, I am
getting the error -
Status: 401
WWW-Authenticate Bearer realm="bkofc", error="invalid_token",
error_description="Didn't find publicKey for specified kid"
Please let me know if I am missing something here. I have been breaking my
head last few days without any luck ! I have also tried rotating the realm
keys.
Thanks,
Rajesh
9:26 a.m.
Which version of Keycloak are you using ?
On Mon, Jul 24, 2017 at 3:15 PM, Rajesh Ghosh <ghosh.rajesh(a)gmail.com>
wrote:
Hi,
I am trying to secure my REST services using the method described in the
document --
http://blog.keycloak.org/2015/10/getting-started-with-
keycloak-securing.html
I am securing my war using JBoss subsystem , instead of per-war option. The
relevant sections from my standalone.xml are posted below.
<extensions>
......
<extension module="org.keycloak.keycloak-adapter-subsystem"/>
</extensions>
<security-domains>
.....
<security-domain name="keycloak">
<authentication>
<login-module
code="org.keycloak.adapters.jboss.KeycloakLoginModule"
flag="required"/>
</authentication>
</security-domain>
</security-domains>
<subsystem xmlns="urn:jboss:domain:keycloak:1.1">
<secure-deployment name="my war file.war">
<realm>bkofc</realm>
<resource>bkofc-svc</resource>
<use-resource-role-mappings>true</use-resource-role-mappings>
<bearer-only>true</bearer-only>
<auth-server-url>http://192.168.99.100/30001/auth
</auth-server-url>
<ssl-required>none</ssl-required>
<credential
name="secret">9bcc6d9f-9c72-4b58-b297-79f0f207d9e1</credential>
</secure-deployment>
</subsystem>
I am able to obtain the access token.
curl -i curl --data
"grant_type=password&client_id=bkofc-web&username=user&password=password"
http://192.168.99.100:30001/auth/realms/bkofc/protocol/
openid-connect/token
Note:- I have created 2 clients -- i) bkofc-svc which is bearer only, for
my REST services ii) bkofc-web , a public client to simulate UI login
However when I try to use the access token to invoke a service, I am
getting the error -
Status: 401
WWW-Authenticate Bearer realm="bkofc", error="invalid_token",
error_description="Didn't find publicKey for specified kid"
Please let me know if I am missing something here. I have been breaking my
head last few days without any luck ! I have also tried rotating the realm
keys.
Thanks,
Rajesh
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
9:35 a.m.
Hello Sebastien,
I am using 3.1.0.Final build.
Thanks,
Rajesh
On Mon, Jul 24, 2017 at 7:56 PM, Sebastien Blanc <sblanc(a)redhat.com> wrote:
Which version of Keycloak are you using ?
On Mon, Jul 24, 2017 at 3:15 PM, Rajesh Ghosh <ghosh.rajesh(a)gmail.com>
wrote:
> Hi,
>
> I am trying to secure my REST services using the method described in the
> document --
>
>
> http://blog.keycloak.org/2015/10/getting-started-with-keyclo
> ak-securing.html
>
>
> I am securing my war using JBoss subsystem , instead of per-war option.
> The
> relevant sections from my standalone.xml are posted below.
>
> <extensions>
> ......
> <extension
module="org.keycloak.keycloak-adapter-subsystem"/>
> </extensions>
>
> <security-domains>
> .....
> <security-domain name="keycloak">
> <authentication>
> <login-module
> code="org.keycloak.adapters.jboss.KeycloakLoginModule"
flag="required"/>
> </authentication>
> </security-domain>
> </security-domains>
>
> <subsystem xmlns="urn:jboss:domain:keycloak:1.1">
> <secure-deployment name="my war file.war">
> <realm>bkofc</realm>
> <resource>bkofc-svc</resource>
>
> <use-resource-role-mappings>true</use-resource-role-mappings>
> <bearer-only>true</bearer-only>
> <auth-server-url>http://192.168.99.100/30001/auth
> </auth-server-url>
> <ssl-required>none</ssl-required>
> <credential
> name="secret">9bcc6d9f-9c72-4b58-b297-79f0f207d9e1</credential>
> </secure-deployment>
> </subsystem>
>
> I am able to obtain the access token.
>
> curl -i curl --data
>
"grant_type=password&client_id=bkofc-web&username=user&password=password"
> http://192.168.99.100:30001/auth/realms/bkofc/protocol/openi
> d-connect/token
>
> Note:- I have created 2 clients -- i) bkofc-svc which is bearer only, for
> my REST services ii) bkofc-web , a public client to simulate UI login
>
> However when I try to use the access token to invoke a service, I am
> getting the error -
>
> Status: 401
>
> WWW-Authenticate Bearer realm="bkofc", error="invalid_token",
> error_description="Didn't find publicKey for specified kid"
>
> Please let me know if I am missing something here. I have been breaking my
> head last few days without any luck ! I have also tried rotating the
> realm
> keys.
>
> Thanks,
> Rajesh
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
9:42 a.m.
Ok and for :
<secure-deployment name="my war file.war">
Did you replace that with the actual name of your war file ?
On Mon, Jul 24, 2017 at 4:35 PM, Rajesh Ghosh <ghosh.rajesh(a)gmail.com>
wrote:
Hello Sebastien,
I am using 3.1.0.Final build.
Thanks,
Rajesh
On Mon, Jul 24, 2017 at 7:56 PM, Sebastien Blanc <sblanc(a)redhat.com>
wrote:
> Which version of Keycloak are you using ?
>
> On Mon, Jul 24, 2017 at 3:15 PM, Rajesh Ghosh <ghosh.rajesh(a)gmail.com>
> wrote:
>
>> Hi,
>>
>> I am trying to secure my REST services using the method described in the
>> document --
>>
>>
>> http://blog.keycloak.org/2015/10/getting-started-with-keyclo
>> ak-securing.html
>>
>>
>> I am securing my war using JBoss subsystem , instead of per-war option.
>> The
>> relevant sections from my standalone.xml are posted below.
>>
>> <extensions>
>> ......
>> <extension
module="org.keycloak.keycloak-adapter-subsystem"/>
>> </extensions>
>>
>> <security-domains>
>> .....
>> <security-domain name="keycloak">
>> <authentication>
>> <login-module
>> code="org.keycloak.adapters.jboss.KeycloakLoginModule"
flag="required"/>
>> </authentication>
>> </security-domain>
>> </security-domains>
>>
>> <subsystem xmlns="urn:jboss:domain:keycloak:1.1">
>> <secure-deployment name="my war file.war">
>> <realm>bkofc</realm>
>> <resource>bkofc-svc</resource>
>>
>> <use-resource-role-mappings>true</use-resource-role-mappings>
>> <bearer-only>true</bearer-only>
>> <auth-server-url>http://192.168.99.100/30001/auth
>> </auth-server-url>
>> <ssl-required>none</ssl-required>
>> <credential
>>
name="secret">9bcc6d9f-9c72-4b58-b297-79f0f207d9e1</credential>
>> </secure-deployment>
>> </subsystem>
>>
>> I am able to obtain the access token.
>>
>> curl -i curl --data
>> "grant_type=password&client_id=bkofc-web&username=user&passw
>> ord=password"
>> http://192.168.99.100:30001/auth/realms/bkofc/protocol/openi
>> d-connect/token
>>
>> Note:- I have created 2 clients -- i) bkofc-svc which is bearer only,
>> for
>> my REST services ii) bkofc-web , a public client to simulate UI login
>>
>> However when I try to use the access token to invoke a service, I am
>> getting the error -
>>
>> Status: 401
>>
>> WWW-Authenticate Bearer realm="bkofc",
error="invalid_token",
>> error_description="Didn't find publicKey for specified kid"
>>
>> Please let me know if I am missing something here. I have been breaking
>> my
>> head last few days without any luck ! I have also tried rotating the
>> realm
>> keys.
>>
>> Thanks,
>> Rajesh
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user(a)lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>
>
9:54 a.m.
Yes definitely. I did replace it with the actual war name. Let me know if
you would like me to paste screen shots of realm configurations, client
configurations.
Thanks,
Rajesh
On Mon, Jul 24, 2017 at 8:12 PM, Sebastien Blanc <sblanc(a)redhat.com> wrote:
Ok and for :
<secure-deployment name="my war file.war">
Did you replace that with the actual name of your war file ?
On Mon, Jul 24, 2017 at 4:35 PM, Rajesh Ghosh <ghosh.rajesh(a)gmail.com>
wrote:
> Hello Sebastien,
>
> I am using 3.1.0.Final build.
>
> Thanks,
> Rajesh
>
> On Mon, Jul 24, 2017 at 7:56 PM, Sebastien Blanc <sblanc(a)redhat.com>
> wrote:
>
>> Which version of Keycloak are you using ?
>>
>> On Mon, Jul 24, 2017 at 3:15 PM, Rajesh Ghosh <ghosh.rajesh(a)gmail.com>
>> wrote:
>>
>>> Hi,
>>>
>>> I am trying to secure my REST services using the method described in the
>>> document --
>>>
>>>
>>> http://blog.keycloak.org/2015/10/getting-started-with-keyclo
>>> ak-securing.html
>>>
>>>
>>> I am securing my war using JBoss subsystem , instead of per-war option.
>>> The
>>> relevant sections from my standalone.xml are posted below.
>>>
>>> <extensions>
>>> ......
>>> <extension
module="org.keycloak.keycloak-adapter-subsystem"/>
>>> </extensions>
>>>
>>> <security-domains>
>>> .....
>>> <security-domain name="keycloak">
>>> <authentication>
>>> <login-module
>>> code="org.keycloak.adapters.jboss.KeycloakLoginModule"
>>> flag="required"/>
>>> </authentication>
>>> </security-domain>
>>> </security-domains>
>>>
>>> <subsystem xmlns="urn:jboss:domain:keycloak:1.1">
>>> <secure-deployment name="my war file.war">
>>> <realm>bkofc</realm>
>>> <resource>bkofc-svc</resource>
>>>
>>> <use-resource-role-mappings>true</use-resource-role-mappings>
>>> <bearer-only>true</bearer-only>
>>> <auth-server-url>http://192.168.99.100/30001/auth
>>> </auth-server-url>
>>> <ssl-required>none</ssl-required>
>>> <credential
>>>
name="secret">9bcc6d9f-9c72-4b58-b297-79f0f207d9e1</credential>
>>> </secure-deployment>
>>> </subsystem>
>>>
>>> I am able to obtain the access token.
>>>
>>> curl -i curl --data
>>>
"grant_type=password&client_id=bkofc-web&username=user&passw
>>> ord=password"
>>> http://192.168.99.100:30001/auth/realms/bkofc/protocol/openi
>>> d-connect/token
>>>
>>> Note:- I have created 2 clients -- i) bkofc-svc which is bearer only,
>>> for
>>> my REST services ii) bkofc-web , a public client to simulate UI login
>>>
>>> However when I try to use the access token to invoke a service, I am
>>> getting the error -
>>>
>>> Status: 401
>>>
>>> WWW-Authenticate Bearer realm="bkofc",
error="invalid_token",
>>> error_description="Didn't find publicKey for specified kid"
>>>
>>> Please let me know if I am missing something here. I have been breaking
>>> my
>>> head last few days without any luck ! I have also tried rotating the
>>> realm
>>> keys.
>>>
>>> Thanks,
>>> Rajesh
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user(a)lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>
>>
>>
>
10:43 a.m.
yes please
On Mon, Jul 24, 2017 at 4:54 PM, Rajesh Ghosh <ghosh.rajesh(a)gmail.com>
wrote:
Yes definitely. I did replace it with the actual war name. Let me
know if
you would like me to paste screen shots of realm configurations, client
configurations.
Thanks,
Rajesh
On Mon, Jul 24, 2017 at 8:12 PM, Sebastien Blanc <sblanc(a)redhat.com>
wrote:
> Ok and for :
> <secure-deployment name="my war file.war">
>
> Did you replace that with the actual name of your war file ?
>
> On Mon, Jul 24, 2017 at 4:35 PM, Rajesh Ghosh <ghosh.rajesh(a)gmail.com>
> wrote:
>
>> Hello Sebastien,
>>
>> I am using 3.1.0.Final build.
>>
>> Thanks,
>> Rajesh
>>
>> On Mon, Jul 24, 2017 at 7:56 PM, Sebastien Blanc <sblanc(a)redhat.com>
>> wrote:
>>
>>> Which version of Keycloak are you using ?
>>>
>>> On Mon, Jul 24, 2017 at 3:15 PM, Rajesh Ghosh <ghosh.rajesh(a)gmail.com>
>>> wrote:
>>>
>>>> Hi,
>>>>
>>>> I am trying to secure my REST services using the method described in
>>>> the
>>>> document --
>>>>
>>>>
>>>> http://blog.keycloak.org/2015/10/getting-started-with-keyclo
>>>> ak-securing.html
>>>>
>>>>
>>>> I am securing my war using JBoss subsystem , instead of per-war
>>>> option. The
>>>> relevant sections from my standalone.xml are posted below.
>>>>
>>>> <extensions>
>>>> ......
>>>> <extension
module="org.keycloak.keycloak-adapter-subsystem"/>
>>>> </extensions>
>>>>
>>>> <security-domains>
>>>> .....
>>>> <security-domain name="keycloak">
>>>> <authentication>
>>>> <login-module
>>>> code="org.keycloak.adapters.jboss.KeycloakLoginModule"
>>>> flag="required"/>
>>>> </authentication>
>>>> </security-domain>
>>>> </security-domains>
>>>>
>>>> <subsystem
xmlns="urn:jboss:domain:keycloak:1.1">
>>>> <secure-deployment name="my war file.war">
>>>> <realm>bkofc</realm>
>>>> <resource>bkofc-svc</resource>
>>>>
>>>>
<use-resource-role-mappings>true</use-resource-role-mappings>
>>>> <bearer-only>true</bearer-only>
>>>> <auth-server-url>http://192.168.99.100/30001/auth
>>>> </auth-server-url>
>>>> <ssl-required>none</ssl-required>
>>>> <credential
>>>>
name="secret">9bcc6d9f-9c72-4b58-b297-79f0f207d9e1</credential>
>>>> </secure-deployment>
>>>> </subsystem>
>>>>
>>>> I am able to obtain the access token.
>>>>
>>>> curl -i curl --data
>>>>
"grant_type=password&client_id=bkofc-web&username=user&passw
>>>> ord=password"
>>>> http://192.168.99.100:30001/auth/realms/bkofc/protocol/openi
>>>> d-connect/token
>>>>
>>>> Note:- I have created 2 clients -- i) bkofc-svc which is bearer only,
>>>> for
>>>> my REST services ii) bkofc-web , a public client to simulate UI login
>>>>
>>>> However when I try to use the access token to invoke a service, I am
>>>> getting the error -
>>>>
>>>> Status: 401
>>>>
>>>> WWW-Authenticate Bearer realm="bkofc",
error="invalid_token",
>>>> error_description="Didn't find publicKey for specified
kid"
>>>>
>>>> Please let me know if I am missing something here. I have been
>>>> breaking my
>>>> head last few days without any luck ! I have also tried rotating the
>>>> realm
>>>> keys.
>>>>
>>>> Thanks,
>>>> Rajesh
>>>> _______________________________________________
>>>> keycloak-user mailing list
>>>> keycloak-user(a)lists.jboss.org
>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>
>>>
>>>
>>
>
11:47 a.m.
Sebastien,
I am attaching a pdf containing the screen shots. Few more points I wanted
to mention.
i) I didn't install the public client -- "bkofc-web" in the wildfly
container which hosts my REST services. I did it for "bkofc-svc" client
which is bearer only. I hope that is the correct approach.
ii) Both keycloak and my application are running on docker containers
locally in my laptop.
Let me know if you need anything else to analyze.
Thanks,
Rajesh
On Mon, Jul 24, 2017 at 9:13 PM, Sebastien Blanc <sblanc(a)redhat.com> wrote:
yes please
On Mon, Jul 24, 2017 at 4:54 PM, Rajesh Ghosh <ghosh.rajesh(a)gmail.com>
wrote:
> Yes definitely. I did replace it with the actual war name. Let me know if
> you would like me to paste screen shots of realm configurations, client
> configurations.
>
> Thanks,
> Rajesh
>
> On Mon, Jul 24, 2017 at 8:12 PM, Sebastien Blanc <sblanc(a)redhat.com>
> wrote:
>
>> Ok and for :
>> <secure-deployment name="my war file.war">
>>
>> Did you replace that with the actual name of your war file ?
>>
>> On Mon, Jul 24, 2017 at 4:35 PM, Rajesh Ghosh <ghosh.rajesh(a)gmail.com>
>> wrote:
>>
>>> Hello Sebastien,
>>>
>>> I am using 3.1.0.Final build.
>>>
>>> Thanks,
>>> Rajesh
>>>
>>> On Mon, Jul 24, 2017 at 7:56 PM, Sebastien Blanc <sblanc(a)redhat.com>
>>> wrote:
>>>
>>>> Which version of Keycloak are you using ?
>>>>
>>>> On Mon, Jul 24, 2017 at 3:15 PM, Rajesh Ghosh
<ghosh.rajesh(a)gmail.com>
>>>> wrote:
>>>>
>>>>> Hi,
>>>>>
>>>>> I am trying to secure my REST services using the method described in
>>>>> the
>>>>> document --
>>>>>
>>>>>
>>>>> http://blog.keycloak.org/2015/10/getting-started-with-keyclo
>>>>> ak-securing.html
>>>>>
>>>>>
>>>>> I am securing my war using JBoss subsystem , instead of per-war
>>>>> option. The
>>>>> relevant sections from my standalone.xml are posted below.
>>>>>
>>>>> <extensions>
>>>>> ......
>>>>> <extension
module="org.keycloak.keycloak-adapter-subsystem"/>
>>>>> </extensions>
>>>>>
>>>>> <security-domains>
>>>>> .....
>>>>> <security-domain name="keycloak">
>>>>> <authentication>
>>>>> <login-module
>>>>> code="org.keycloak.adapters.jboss.KeycloakLoginModule"
>>>>> flag="required"/>
>>>>> </authentication>
>>>>> </security-domain>
>>>>> </security-domains>
>>>>>
>>>>> <subsystem
xmlns="urn:jboss:domain:keycloak:1.1">
>>>>> <secure-deployment name="my war
file.war">
>>>>> <realm>bkofc</realm>
>>>>> <resource>bkofc-svc</resource>
>>>>>
>>>>>
<use-resource-role-mappings>true</use-resource-role-mappings>
>>>>> <bearer-only>true</bearer-only>
>>>>>
<auth-server-url>http://192.168.99.100/30001/auth
>>>>> </auth-server-url>
>>>>> <ssl-required>none</ssl-required>
>>>>> <credential
>>>>>
name="secret">9bcc6d9f-9c72-4b58-b297-79f0f207d9e1</credential>
>>>>> </secure-deployment>
>>>>> </subsystem>
>>>>>
>>>>> I am able to obtain the access token.
>>>>>
>>>>> curl -i curl --data
>>>>>
"grant_type=password&client_id=bkofc-web&username=user&passw
>>>>> ord=password"
>>>>> http://192.168.99.100:30001/auth/realms/bkofc/protocol/openi
>>>>> d-connect/token
>>>>>
>>>>> Note:- I have created 2 clients -- i) bkofc-svc which is bearer
>>>>> only, for
>>>>> my REST services ii) bkofc-web , a public client to simulate UI
login
>>>>>
>>>>> However when I try to use the access token to invoke a service, I am
>>>>> getting the error -
>>>>>
>>>>> Status: 401
>>>>>
>>>>> WWW-Authenticate Bearer realm="bkofc",
error="invalid_token",
>>>>> error_description="Didn't find publicKey for specified
kid"
>>>>>
>>>>> Please let me know if I am missing something here. I have been
>>>>> breaking my
>>>>> head last few days without any luck ! I have also tried rotating
the
>>>>> realm
>>>>> keys.
>>>>>
>>>>> Thanks,
>>>>> Rajesh
>>>>> _______________________________________________
>>>>> keycloak-user mailing list
>>>>> keycloak-user(a)lists.jboss.org
>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>>
>>>>
>>>>
>>>
>>
>
12:42 a.m.
This looks all correct. Could you try paste your access token or even check
it your self on jwt.io to see if the kid is present ?
On Mon, Jul 24, 2017 at 6:47 PM, Rajesh Ghosh <ghosh.rajesh(a)gmail.com>
wrote:
Sebastien,
I am attaching a pdf containing the screen shots. Few more points I
wanted to mention.
i) I didn't install the public client -- "bkofc-web" in the wildfly
container which hosts my REST services. I did it for "bkofc-svc" client
which is bearer only. I hope that is the correct approach.
ii) Both keycloak and my application are running on docker containers
locally in my laptop.
Let me know if you need anything else to analyze.
Thanks,
Rajesh
On Mon, Jul 24, 2017 at 9:13 PM, Sebastien Blanc <sblanc(a)redhat.com>
wrote:
> yes please
>
> On Mon, Jul 24, 2017 at 4:54 PM, Rajesh Ghosh <ghosh.rajesh(a)gmail.com>
> wrote:
>
>> Yes definitely. I did replace it with the actual war name. Let me know
>> if you would like me to paste screen shots of realm configurations, client
>> configurations.
>>
>> Thanks,
>> Rajesh
>>
>> On Mon, Jul 24, 2017 at 8:12 PM, Sebastien Blanc <sblanc(a)redhat.com>
>> wrote:
>>
>>> Ok and for :
>>> <secure-deployment name="my war file.war">
>>>
>>> Did you replace that with the actual name of your war file ?
>>>
>>> On Mon, Jul 24, 2017 at 4:35 PM, Rajesh Ghosh <ghosh.rajesh(a)gmail.com>
>>> wrote:
>>>
>>>> Hello Sebastien,
>>>>
>>>> I am using 3.1.0.Final build.
>>>>
>>>> Thanks,
>>>> Rajesh
>>>>
>>>> On Mon, Jul 24, 2017 at 7:56 PM, Sebastien Blanc
<sblanc(a)redhat.com>
>>>> wrote:
>>>>
>>>>> Which version of Keycloak are you using ?
>>>>>
>>>>> On Mon, Jul 24, 2017 at 3:15 PM, Rajesh Ghosh
<ghosh.rajesh(a)gmail.com
>>>>> > wrote:
>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> I am trying to secure my REST services using the method described
in
>>>>>> the
>>>>>> document --
>>>>>>
>>>>>>
>>>>>> http://blog.keycloak.org/2015/10/getting-started-with-keyclo
>>>>>> ak-securing.html
>>>>>>
>>>>>>
>>>>>> I am securing my war using JBoss subsystem , instead of per-war
>>>>>> option. The
>>>>>> relevant sections from my standalone.xml are posted below.
>>>>>>
>>>>>> <extensions>
>>>>>> ......
>>>>>> <extension module="org.keycloak.keycloak-
>>>>>> adapter-subsystem"/>
>>>>>> </extensions>
>>>>>>
>>>>>> <security-domains>
>>>>>> .....
>>>>>> <security-domain
name="keycloak">
>>>>>> <authentication>
>>>>>> <login-module
>>>>>> code="org.keycloak.adapters.jboss.KeycloakLoginModule"
>>>>>> flag="required"/>
>>>>>> </authentication>
>>>>>> </security-domain>
>>>>>> </security-domains>
>>>>>>
>>>>>> <subsystem
xmlns="urn:jboss:domain:keycloak:1.1">
>>>>>> <secure-deployment name="my war
file.war">
>>>>>> <realm>bkofc</realm>
>>>>>> <resource>bkofc-svc</resource>
>>>>>>
>>>>>>
<use-resource-role-mappings>true</use-resource-role-mappings>
>>>>>> <bearer-only>true</bearer-only>
>>>>>>
<auth-server-url>http://192.168.99.100/30001/auth
>>>>>> </auth-server-url>
>>>>>> <ssl-required>none</ssl-required>
>>>>>> <credential
>>>>>>
name="secret">9bcc6d9f-9c72-4b58-b297-79f0f207d9e1</credential>
>>>>>> </secure-deployment>
>>>>>> </subsystem>
>>>>>>
>>>>>> I am able to obtain the access token.
>>>>>>
>>>>>> curl -i curl --data
>>>>>>
"grant_type=password&client_id=bkofc-web&username=user&passw
>>>>>> ord=password"
>>>>>> http://192.168.99.100:30001/auth/realms/bkofc/protocol/openi
>>>>>> d-connect/token
>>>>>>
>>>>>> Note:- I have created 2 clients -- i) bkofc-svc which is bearer
>>>>>> only, for
>>>>>> my REST services ii) bkofc-web , a public client to simulate UI
>>>>>> login
>>>>>>
>>>>>> However when I try to use the access token to invoke a service, I
am
>>>>>> getting the error -
>>>>>>
>>>>>> Status: 401
>>>>>>
>>>>>> WWW-Authenticate Bearer realm="bkofc",
error="invalid_token",
>>>>>> error_description="Didn't find publicKey for specified
kid"
>>>>>>
>>>>>> Please let me know if I am missing something here. I have been
>>>>>> breaking my
>>>>>> head last few days without any luck ! I have also tried
rotating
>>>>>> the realm
>>>>>> keys.
>>>>>>
>>>>>> Thanks,
>>>>>> Rajesh
>>>>>> _______________________________________________
>>>>>> keycloak-user mailing list
>>>>>> keycloak-user(a)lists.jboss.org
>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>>>
>>>>>
>>>>>
>>>>
>>>
>>
>
8:50 a.m.
Sebastien,
Here is a token response -
{
"access_token":
"eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJSSEVTaWNCUG9OQ3doQm5CTEVrXzhYNHVmajVXeXVUbzIwemJ6T280SGZRIn0.eyJqdGkiOiJkNmY2MmM5YS1hNjAwLTQ4ZmQtYmI3Ny0wMTI1NDQ0YmIzNWMiLCJleHAiOjE1MDA5OTAyNDgsIm5iZiI6MCwiaWF0IjoxNTAwOTg5OTQ4LCJpc3MiOiJodHRwOi8vMTkyLjE2OC45OS4xMDA6MzAwMDEvYXV0aC9yZWFsbXMvYmtvZmMiLCJhdWQiOiJia29mYy13ZWIiLCJzdWIiOiIwYTA5MTQ0OC0wNjAyLTQ2YmMtOWU4MS05MjE1ZjgzYjVjOTgiLCJ0eXAiOiJCZWFyZXIiLCJhenAiOiJia29mYy13ZWIiLCJhdXRoX3RpbWUiOjAsInNlc3Npb25fc3RhdGUiOiIzMjMxZjQ2Zi0yMjliLTQyZDMtYTQxOS0wODlhMjEzOTZlNjciLCJhY3IiOiIxIiwiY2xpZW50X3Nlc3Npb24iOiI5MjFjYzM2MC03ZTkyLTQ1ZDQtYjdmNy0xNWFkYTY2NmE4Y2EiLCJhbGxvd2VkLW9yaWdpbnMiOlsiaHR0cDovLzE5Mi4xNjguOTkuMTAwOjgwODAvIl0sInJlYWxtX2FjY2VzcyI6eyJyb2xlcyI6WyJ1bWFfYXV0aG9yaXphdGlvbiIsInVzZXIiXX0sInJlc291cmNlX2FjY2VzcyI6eyJyZWFsbS1tYW5hZ2VtZW50Ijp7InJvbGVzIjpbInZpZXctcmVhbG0iLCJ2aWV3LWlkZW50aXR5LXByb3ZpZGVycyIsIm1hbmFnZS1pZGVudGl0eS1wcm92aWRlcnMiLCJpbXBlcnNvbmF0aW9uIiwicmVhbG0tYWRtaW4iLCJjcmVhdGUtY2xpZW50IiwibWFuYWdlLXVzZXJzIiwidmlldy1hdXRob3JpemF0aW9uIiwibWFuYWdlLWV2ZW50cyIsIm1hbmFnZS1yZWFsbSIsInZpZXctZXZlbnRzIiwidmlldy11c2VycyIsInZpZXctY2xpZW50cyIsIm1hbmFnZS1hdXRob3JpemF0aW9uIiwibWFuYWdlLWNsaWVudHMiXX0sImFjY291bnQiOnsicm9sZXMiOlsibWFuYWdlLWFjY291bnQiLCJtYW5hZ2UtYWNjb3VudC1saW5rcyIsInZpZXctcHJvZmlsZSJdfX0sIm5hbWUiOiIiLCJwcmVmZXJyZWRfdXNlcm5hbWUiOiJzdXBlcmFkbWluIiwiZW1haWwiOiJ0cmlsaWEudGVjaEBnbWFpbC5jb20ifQ.JCGcaQ-8yYhoOT_DfHvNa5HvG3x5WBI3ZcC4WEcBA3NUL-mQdUhU1aEK9G5VulcRbMeYp9f_rFnFip-N9g3JwPGhR6ozgwdXlI09JAjM6zLk7cy0UKig5ghHX1-gXb5EHChzhmGI_xtV77t9dcKBjW4V3f7eFwDmCMyWj8bqyoFMDTIp_Gz67Wt1iUXAaCZ5fIdXs3epdG82NhJrjQsIKiYGzUg9JY2Dkvg_tHGHESN85KsW2TNj8Jd0CuS-cF0rOqx82pohW6RQMAZmGyMVofsxH_uRrEbvpmI_ofkAUF6qCuLDD7idZC_j1ARXH-EOWxHgnSEDXc6SF2aAegmCpw",
"expires_in": 300,
"refresh_expires_in": 1800,
"refresh_token":
"eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJSSEVTaWNCUG9OQ3doQm5CTEVrXzhYNHVmajVXeXVUbzIwemJ6T280SGZRIn0.eyJqdGkiOiIyYzE4ZjkxYi0yMDljLTQwY2ItYTE5OS02NGIwZTEyYjRkOGIiLCJleHAiOjE1MDA5OTE3NDgsIm5iZiI6MCwiaWF0IjoxNTAwOTg5OTQ4LCJpc3MiOiJodHRwOi8vMTkyLjE2OC45OS4xMDA6MzAwMDEvYXV0aC9yZWFsbXMvYmtvZmMiLCJhdWQiOiJia29mYy13ZWIiLCJzdWIiOiIwYTA5MTQ0OC0wNjAyLTQ2YmMtOWU4MS05MjE1ZjgzYjVjOTgiLCJ0eXAiOiJSZWZyZXNoIiwiYXpwIjoiYmtvZmMtd2ViIiwiYXV0aF90aW1lIjowLCJzZXNzaW9uX3N0YXRlIjoiMzIzMWY0NmYtMjI5Yi00MmQzLWE0MTktMDg5YTIxMzk2ZTY3IiwiY2xpZW50X3Nlc3Npb24iOiI5MjFjYzM2MC03ZTkyLTQ1ZDQtYjdmNy0xNWFkYTY2NmE4Y2EiLCJyZWFsbV9hY2Nlc3MiOnsicm9sZXMiOlsidW1hX2F1dGhvcml6YXRpb24iLCJ1c2VyIl19LCJyZXNvdXJjZV9hY2Nlc3MiOnsicmVhbG0tbWFuYWdlbWVudCI6eyJyb2xlcyI6WyJ2aWV3LXJlYWxtIiwidmlldy1pZGVudGl0eS1wcm92aWRlcnMiLCJtYW5hZ2UtaWRlbnRpdHktcHJvdmlkZXJzIiwiaW1wZXJzb25hdGlvbiIsInJlYWxtLWFkbWluIiwiY3JlYXRlLWNsaWVudCIsIm1hbmFnZS11c2VycyIsInZpZXctYXV0aG9yaXphdGlvbiIsIm1hbmFnZS1ldmVudHMiLCJtYW5hZ2UtcmVhbG0iLCJ2aWV3LWV2ZW50cyIsInZpZXctdXNlcnMiLCJ2aWV3LWNsaWVudHMiLCJtYW5hZ2UtYXV0aG9yaXphdGlvbiIsIm1hbmFnZS1jbGllbnRzIl19LCJhY2NvdW50Ijp7InJvbGVzIjpbIm1hbmFnZS1hY2NvdW50IiwibWFuYWdlLWFjY291bnQtbGlua3MiLCJ2aWV3LXByb2ZpbGUiXX19fQ.Uz0rqNlj09T_SdnfZK9ZxBcJ5EIEwwHCN5VwKIhIF6Ua32fDlf1UvZSoZTmr5jiHeiwpp4JALWGTXsda4p-PlzMvwmMN5Qp46-EXGJQkqH4NNqZ1W_1mRGySYokQCSkmdvAZPFGrqxpeb1seuKgaaiXXMsrvaiucFCa8H599Ox6QRE3MkoLmm8w7_08kPG1_JjXIviHtwoWgsb0zCcMPyHRdCv_rs6FIoTQiCRZ2joaXSvIsmVAkchgZbeB-_RSWzlk3_oaOCQw7OWZJRqnAdGgDnL5jCCRLTVFnPo9TqKrt88h3fKkVuNuI8Y06sZ1If8wgSWRDRLUf0X8sampLww",
"token_type": "bearer",
"id_token":
"eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJSSEVTaWNCUG9OQ3doQm5CTEVrXzhYNHVmajVXeXVUbzIwemJ6T280SGZRIn0.eyJqdGkiOiI2ZDJkNWMxNS01YmE3LTRhNTgtOTJkNC0wNGU0NTkyMjNkNGYiLCJleHAiOjE1MDA5OTAyNDgsIm5iZiI6MCwiaWF0IjoxNTAwOTg5OTQ4LCJpc3MiOiJodHRwOi8vMTkyLjE2OC45OS4xMDA6MzAwMDEvYXV0aC9yZWFsbXMvYmtvZmMiLCJhdWQiOiJia29mYy13ZWIiLCJzdWIiOiIwYTA5MTQ0OC0wNjAyLTQ2YmMtOWU4MS05MjE1ZjgzYjVjOTgiLCJ0eXAiOiJJRCIsImF6cCI6ImJrb2ZjLXdlYiIsImF1dGhfdGltZSI6MCwic2Vzc2lvbl9zdGF0ZSI6IjMyMzFmNDZmLTIyOWItNDJkMy1hNDE5LTA4OWEyMTM5NmU2NyIsImFjciI6IjEiLCJuYW1lIjoiIiwicHJlZmVycmVkX3VzZXJuYW1lIjoic3VwZXJhZG1pbiIsImVtYWlsIjoidHJpbGlhLnRlY2hAZ21haWwuY29tIn0.eFVxG7MImPS4yCEiLOzhvZ5M_XjRWuHJlt_T4r3djak7sH_XOXUmHAuihxXrm7HLv8DU3OzHpN3FinOWufOdTCv9Ywww0DRq4ha1M7dodqMuv1H5d3XVBn_kuHK68zWRI3t9WI4ZNeaEU0whLSnBqcbJ54dQrBloUPS4bpYG-BqfSNYs6bG8cyJHQ4_FRpAi3X9qWOCwaPrZ5Z_vQfNbYcgIfON_puN8QfRxihg90KQYOp4lJpU5JqeaVmYp9eOYTb5iQzOuLWDXenyIBmvT_K84HZKh8t5eWsqH01st-Ls7uJcNAUM9PXRM7JswCjhouuQGBM6dn5iICoL00acuxg",
"not-before-policy": 0,
"session_state": "3231f46f-229b-42d3-a419-089a21396e67"
}
I checked it in jwt.io . The kid is same as the "rsa-generated" one, shown
in the screen shot I shared yesterday. Although jwt complained as "Invalid
Signature" .
Thomas, the connectivity should not be an issue as I am able to get the
access token from my app wildfly server using curl. So keycloak is
reachable from my wildfly server. Anything specific you did to resolve your
issue ?
Regards,
Rajesh
On Tue, Jul 25, 2017 at 11:12 AM, Sebastien Blanc <sblanc(a)redhat.com> wrote:
This looks all correct. Could you try paste your access token or
even
check it your self on jwt.io to see if the kid is present ?
On Mon, Jul 24, 2017 at 6:47 PM, Rajesh Ghosh <ghosh.rajesh(a)gmail.com>
wrote:
> Sebastien,
>
> I am attaching a pdf containing the screen shots. Few more points I
> wanted to mention.
>
> i) I didn't install the public client -- "bkofc-web" in the wildfly
> container which hosts my REST services. I did it for "bkofc-svc" client
> which is bearer only. I hope that is the correct approach.
> ii) Both keycloak and my application are running on docker containers
> locally in my laptop.
>
> Let me know if you need anything else to analyze.
>
> Thanks,
> Rajesh
>
>
> On Mon, Jul 24, 2017 at 9:13 PM, Sebastien Blanc <sblanc(a)redhat.com>
> wrote:
>
>> yes please
>>
>> On Mon, Jul 24, 2017 at 4:54 PM, Rajesh Ghosh <ghosh.rajesh(a)gmail.com>
>> wrote:
>>
>>> Yes definitely. I did replace it with the actual war name. Let me know
>>> if you would like me to paste screen shots of realm configurations, client
>>> configurations.
>>>
>>> Thanks,
>>> Rajesh
>>>
>>> On Mon, Jul 24, 2017 at 8:12 PM, Sebastien Blanc <sblanc(a)redhat.com>
>>> wrote:
>>>
>>>> Ok and for :
>>>> <secure-deployment name="my war file.war">
>>>>
>>>> Did you replace that with the actual name of your war file ?
>>>>
>>>> On Mon, Jul 24, 2017 at 4:35 PM, Rajesh Ghosh
<ghosh.rajesh(a)gmail.com>
>>>> wrote:
>>>>
>>>>> Hello Sebastien,
>>>>>
>>>>> I am using 3.1.0.Final build.
>>>>>
>>>>> Thanks,
>>>>> Rajesh
>>>>>
>>>>> On Mon, Jul 24, 2017 at 7:56 PM, Sebastien Blanc
<sblanc(a)redhat.com>
>>>>> wrote:
>>>>>
>>>>>> Which version of Keycloak are you using ?
>>>>>>
>>>>>> On Mon, Jul 24, 2017 at 3:15 PM, Rajesh Ghosh <
>>>>>> ghosh.rajesh(a)gmail.com> wrote:
>>>>>>
>>>>>>> Hi,
>>>>>>>
>>>>>>> I am trying to secure my REST services using the method
described
>>>>>>> in the
>>>>>>> document --
>>>>>>>
>>>>>>>
>>>>>>> http://blog.keycloak.org/2015/10/getting-started-with-keyclo
>>>>>>> ak-securing.html
>>>>>>>
>>>>>>>
>>>>>>> I am securing my war using JBoss subsystem , instead of
per-war
>>>>>>> option. The
>>>>>>> relevant sections from my standalone.xml are posted below.
>>>>>>>
>>>>>>> <extensions>
>>>>>>> ......
>>>>>>> <extension module="org.keycloak.keycloak-
>>>>>>> adapter-subsystem"/>
>>>>>>> </extensions>
>>>>>>>
>>>>>>> <security-domains>
>>>>>>> .....
>>>>>>> <security-domain
name="keycloak">
>>>>>>> <authentication>
>>>>>>> <login-module
>>>>>>>
code="org.keycloak.adapters.jboss.KeycloakLoginModule"
>>>>>>> flag="required"/>
>>>>>>> </authentication>
>>>>>>> </security-domain>
>>>>>>> </security-domains>
>>>>>>>
>>>>>>> <subsystem
xmlns="urn:jboss:domain:keycloak:1.1">
>>>>>>> <secure-deployment name="my war
file.war">
>>>>>>> <realm>bkofc</realm>
>>>>>>> <resource>bkofc-svc</resource>
>>>>>>>
>>>>>>>
<use-resource-role-mappings>true</use-resource-role-mappings>
>>>>>>> <bearer-only>true</bearer-only>
>>>>>>>
<auth-server-url>http://192.168.99.100/30001/auth
>>>>>>> </auth-server-url>
>>>>>>>
<ssl-required>none</ssl-required>
>>>>>>> <credential
>>>>>>>
name="secret">9bcc6d9f-9c72-4b58-b297-79f0f207d9e1</credential>
>>>>>>> </secure-deployment>
>>>>>>> </subsystem>
>>>>>>>
>>>>>>> I am able to obtain the access token.
>>>>>>>
>>>>>>> curl -i curl --data
>>>>>>>
"grant_type=password&client_id=bkofc-web&username=user&passw
>>>>>>> ord=password"
>>>>>>> http://192.168.99.100:30001/auth/realms/bkofc/protocol/openi
>>>>>>> d-connect/token
>>>>>>>
>>>>>>> Note:- I have created 2 clients -- i) bkofc-svc which is
bearer
>>>>>>> only, for
>>>>>>> my REST services ii) bkofc-web , a public client to simulate
UI
>>>>>>> login
>>>>>>>
>>>>>>> However when I try to use the access token to invoke a
service, I am
>>>>>>> getting the error -
>>>>>>>
>>>>>>> Status: 401
>>>>>>>
>>>>>>> WWW-Authenticate Bearer realm="bkofc",
error="invalid_token",
>>>>>>> error_description="Didn't find publicKey for
specified kid"
>>>>>>>
>>>>>>> Please let me know if I am missing something here. I have
been
>>>>>>> breaking my
>>>>>>> head last few days without any luck ! I have also tried
rotating
>>>>>>> the realm
>>>>>>> keys.
>>>>>>>
>>>>>>> Thanks,
>>>>>>> Rajesh
>>>>>>> _______________________________________________
>>>>>>> keycloak-user mailing list
>>>>>>> keycloak-user(a)lists.jboss.org
>>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>
>>>
>>
>
8:54 a.m.
Okay, to have the complete picture could paste the command you issue to
call your REST service ?
On Tue, Jul 25, 2017 at 3:50 PM, Rajesh Ghosh <ghosh.rajesh(a)gmail.com>
wrote:
Sebastien,
Here is a token response -
{
"access_token": "eyJhbGciOiJSUzI1NiIsInR5cCIgOi
AiSldUIiwia2lkIiA6ICJSSEVTaWNCUG9OQ3doQm5CTEVrXzhYNHVmajVXeX
VUbzIwemJ6T280SGZRIn0.eyJqdGkiOiJkNmY2MmM5YS1hNjAwLT
Q4ZmQtYmI3Ny0wMTI1NDQ0YmIzNWMiLCJleHAiOjE1MDA5OTAyNDgsIm5iZi
I6MCwiaWF0IjoxNTAwOTg5OTQ4LCJpc3MiOiJodHRwOi8vMTkyLjE2OC45OS
4xMDA6MzAwMDEvYXV0aC9yZWFsbXMvYmtvZmMiLCJhdWQiOiJia29mYy13ZW
IiLCJzdWIiOiIwYTA5MTQ0OC0wNjAyLTQ2YmMtOWU4MS05MjE1ZjgzYjVjOT
giLCJ0eXAiOiJCZWFyZXIiLCJhenAiOiJia29mYy13ZWIiLCJhdXRoX3RpbW
UiOjAsInNlc3Npb25fc3RhdGUiOiIzMjMxZjQ2Zi0yMjliLTQyZDMtYTQxOS
0wODlhMjEzOTZlNjciLCJhY3IiOiIxIiwiY2xpZW50X3Nlc3Npb24iOiI5Mj
FjYzM2MC03ZTkyLTQ1ZDQtYjdmNy0xNWFkYTY2NmE4Y2EiLCJhbGxvd2VkLW
9yaWdpbnMiOlsiaHR0cDovLzE5Mi4xNjguOTkuMTAwOjgwODAvIl0sInJlYW
xtX2FjY2VzcyI6eyJyb2xlcyI6WyJ1bWFfYXV0aG9yaXphdGlvbiIsInVzZX
IiXX0sInJlc291cmNlX2FjY2VzcyI6eyJyZWFsbS1tYW5hZ2VtZW50Ijp7In
JvbGVzIjpbInZpZXctcmVhbG0iLCJ2aWV3LWlkZW50aXR5LXByb3ZpZGVycy
IsIm1hbmFnZS1pZGVudGl0eS1wcm92aWRlcnMiLCJpbXBlcnNvbmF0aW9uIi
wicmVhbG0tYWRtaW4iLCJjcmVhdGUtY2xpZW50IiwibWFuYWdlLXVzZXJzIi
widmlldy1hdXRob3JpemF0aW9uIiwibWFuYWdlLWV2ZW50cyIsIm1hbmFnZS
1yZWFsbSIsInZpZXctZXZlbnRzIiwidmlldy11c2VycyIsInZpZXctY2xpZW
50cyIsIm1hbmFnZS1hdXRob3JpemF0aW9uIiwibWFuYWdlLWNsaWVudHMiXX
0sImFjY291bnQiOnsicm9sZXMiOlsibWFuYWdlLWFjY291bnQiLCJtYW5hZ2
UtYWNjb3VudC1saW5rcyIsInZpZXctcHJvZmlsZSJdfX0sIm5hbWUiOiIiLC
JwcmVmZXJyZWRfdXNlcm5hbWUiOiJzdXBlcmFkbWluIiwiZW1haWwiOiJ0cm
lsaWEudGVjaEBnbWFpbC5jb20ifQ.JCGcaQ-8yYhoOT_DfHvNa5HvG3x5WBI3ZcC4WEcBA3NUL
-mQdUhU1aEK9G5VulcRbMeYp9f_rFnFip-N9g3JwPGhR6ozgwdXlI09JAjM6zLk7
cy0UKig5ghHX1-gXb5EHChzhmGI_xtV77t9dcKBjW4V3f7eFwDmCMyWj8bqyoFMDTIp_
Gz67Wt1iUXAaCZ5fIdXs3epdG82NhJrjQsIKiYGzUg9JY2Dkvg_
tHGHESN85KsW2TNj8Jd0CuS-cF0rOqx82pohW6RQMAZmGyMVofsxH_
uRrEbvpmI_ofkAUF6qCuLDD7idZC_j1ARXH-EOWxHgnSEDXc6SF2aAegmCpw",
"expires_in": 300,
"refresh_expires_in": 1800,
"refresh_token": "eyJhbGciOiJSUzI1NiIsInR5cCIgOi
AiSldUIiwia2lkIiA6ICJSSEVTaWNCUG9OQ3doQm5CTEVrXzhYNHVmajVXeX
VUbzIwemJ6T280SGZRIn0.eyJqdGkiOiIyYzE4ZjkxYi0yMDljLT
QwY2ItYTE5OS02NGIwZTEyYjRkOGIiLCJleHAiOjE1MDA5OTE3NDgsIm5iZi
I6MCwiaWF0IjoxNTAwOTg5OTQ4LCJpc3MiOiJodHRwOi8vMTkyLjE2OC45OS
4xMDA6MzAwMDEvYXV0aC9yZWFsbXMvYmtvZmMiLCJhdWQiOiJia29mYy13ZW
IiLCJzdWIiOiIwYTA5MTQ0OC0wNjAyLTQ2YmMtOWU4MS05MjE1ZjgzYjVjOT
giLCJ0eXAiOiJSZWZyZXNoIiwiYXpwIjoiYmtvZmMtd2ViIiwiYXV0aF90aW
1lIjowLCJzZXNzaW9uX3N0YXRlIjoiMzIzMWY0NmYtMjI5Yi00MmQzLWE0MT
ktMDg5YTIxMzk2ZTY3IiwiY2xpZW50X3Nlc3Npb24iOiI5MjFjYzM2MC03ZT
kyLTQ1ZDQtYjdmNy0xNWFkYTY2NmE4Y2EiLCJyZWFsbV9hY2Nlc3MiOnsicm
9sZXMiOlsidW1hX2F1dGhvcml6YXRpb24iLCJ1c2VyIl19LCJyZXNvdXJjZV
9hY2Nlc3MiOnsicmVhbG0tbWFuYWdlbWVudCI6eyJyb2xlcyI6WyJ2aWV3LX
JlYWxtIiwidmlldy1pZGVudGl0eS1wcm92aWRlcnMiLCJtYW5hZ2UtaWRlbn
RpdHktcHJvdmlkZXJzIiwiaW1wZXJzb25hdGlvbiIsInJlYWxtLWFkbWluIi
wiY3JlYXRlLWNsaWVudCIsIm1hbmFnZS11c2VycyIsInZpZXctYXV0aG9yaX
phdGlvbiIsIm1hbmFnZS1ldmVudHMiLCJtYW5hZ2UtcmVhbG0iLCJ2aWV3LW
V2ZW50cyIsInZpZXctdXNlcnMiLCJ2aWV3LWNsaWVudHMiLCJtYW5hZ2UtYX
V0aG9yaXphdGlvbiIsIm1hbmFnZS1jbGllbnRzIl19LCJhY2NvdW50Ijp7In
JvbGVzIjpbIm1hbmFnZS1hY2NvdW50IiwibWFuYWdlLWFjY291bnQtbGlua3
MiLCJ2aWV3LXByb2ZpbGUiXX19fQ.Uz0rqNlj09T_SdnfZK9ZxBcJ5EIEwwHCN5VwKIhIF6
Ua32fDlf1UvZSoZTmr5jiHeiwpp4JALWGTXsda4p-PlzMvwmMN5Qp46-EXGJQkqH4NNqZ1W_
1mRGySYokQCSkmdvAZPFGrqxpeb1seuKgaaiXXMsrvaiucFCa8H599Ox6QRE
3MkoLmm8w7_08kPG1_JjXIviHtwoWgsb0zCcMPyHRdCv_
rs6FIoTQiCRZ2joaXSvIsmVAkchgZbeB-_RSWzlk3_oaOCQw7OWZJRqnAdGgDnL5jCCRLTVF
nPo9TqKrt88h3fKkVuNuI8Y06sZ1If8wgSWRDRLUf0X8sampLww",
"token_type": "bearer",
"id_token": "eyJhbGciOiJSUzI1NiIsInR5cCIgOi
AiSldUIiwia2lkIiA6ICJSSEVTaWNCUG9OQ3doQm5CTEVrXzhYNHVmajVXeX
VUbzIwemJ6T280SGZRIn0.eyJqdGkiOiI2ZDJkNWMxNS01YmE3LT
RhNTgtOTJkNC0wNGU0NTkyMjNkNGYiLCJleHAiOjE1MDA5OTAyNDgsIm5iZi
I6MCwiaWF0IjoxNTAwOTg5OTQ4LCJpc3MiOiJodHRwOi8vMTkyLjE2OC45OS
4xMDA6MzAwMDEvYXV0aC9yZWFsbXMvYmtvZmMiLCJhdWQiOiJia29mYy13ZW
IiLCJzdWIiOiIwYTA5MTQ0OC0wNjAyLTQ2YmMtOWU4MS05MjE1ZjgzYjVjOT
giLCJ0eXAiOiJJRCIsImF6cCI6ImJrb2ZjLXdlYiIsImF1dGhfdGltZSI6MC
wic2Vzc2lvbl9zdGF0ZSI6IjMyMzFmNDZmLTIyOWItNDJkMy1hNDE5LTA4OW
EyMTM5NmU2NyIsImFjciI6IjEiLCJuYW1lIjoiIiwicHJlZmVycmVkX3VzZX
JuYW1lIjoic3VwZXJhZG1pbiIsImVtYWlsIjoidHJpbGlhLnRlY2hAZ21haWwuY29tIn0.
eFVxG7MImPS4yCEiLOzhvZ5M_XjRWuHJlt_T4r3djak7sH_
XOXUmHAuihxXrm7HLv8DU3OzHpN3FinOWufOdTCv9Ywww0DRq4ha1M7dodqMuv1H5d3XVBn_
kuHK68zWRI3t9WI4ZNeaEU0whLSnBqcbJ54dQrBloUPS4bpYG-BqfSNYs6bG8cyJHQ4_
FRpAi3X9qWOCwaPrZ5Z_vQfNbYcgIfON_puN8QfRxihg90KQYOp4lJpU5JqeaVm
Yp9eOYTb5iQzOuLWDXenyIBmvT_K84HZKh8t5eWsqH01st-
Ls7uJcNAUM9PXRM7JswCjhouuQGBM6dn5iICoL00acuxg",
"not-before-policy": 0,
"session_state": "3231f46f-229b-42d3-a419-089a21396e67"
}
I checked it in jwt.io . The kid is same as the "rsa-generated" one,
shown in the screen shot I shared yesterday. Although jwt complained as
"Invalid Signature" .
Thomas, the connectivity should not be an issue as I am able to get the
access token from my app wildfly server using curl. So keycloak is
reachable from my wildfly server. Anything specific you did to resolve your
issue ?
Regards,
Rajesh
On Tue, Jul 25, 2017 at 11:12 AM, Sebastien Blanc <sblanc(a)redhat.com>
wrote:
> This looks all correct. Could you try paste your access token or even
> check it your self on jwt.io to see if the kid is present ?
>
>
> On Mon, Jul 24, 2017 at 6:47 PM, Rajesh Ghosh <ghosh.rajesh(a)gmail.com>
> wrote:
>
>> Sebastien,
>>
>> I am attaching a pdf containing the screen shots. Few more points I
>> wanted to mention.
>>
>> i) I didn't install the public client -- "bkofc-web" in the
wildfly
>> container which hosts my REST services. I did it for "bkofc-svc"
client
>> which is bearer only. I hope that is the correct approach.
>> ii) Both keycloak and my application are running on docker containers
>> locally in my laptop.
>>
>> Let me know if you need anything else to analyze.
>>
>> Thanks,
>> Rajesh
>>
>>
>> On Mon, Jul 24, 2017 at 9:13 PM, Sebastien Blanc <sblanc(a)redhat.com>
>> wrote:
>>
>>> yes please
>>>
>>> On Mon, Jul 24, 2017 at 4:54 PM, Rajesh Ghosh <ghosh.rajesh(a)gmail.com>
>>> wrote:
>>>
>>>> Yes definitely. I did replace it with the actual war name. Let me know
>>>> if you would like me to paste screen shots of realm configurations,
client
>>>> configurations.
>>>>
>>>> Thanks,
>>>> Rajesh
>>>>
>>>> On Mon, Jul 24, 2017 at 8:12 PM, Sebastien Blanc
<sblanc(a)redhat.com>
>>>> wrote:
>>>>
>>>>> Ok and for :
>>>>> <secure-deployment name="my war file.war">
>>>>>
>>>>> Did you replace that with the actual name of your war file ?
>>>>>
>>>>> On Mon, Jul 24, 2017 at 4:35 PM, Rajesh Ghosh
<ghosh.rajesh(a)gmail.com
>>>>> > wrote:
>>>>>
>>>>>> Hello Sebastien,
>>>>>>
>>>>>> I am using 3.1.0.Final build.
>>>>>>
>>>>>> Thanks,
>>>>>> Rajesh
>>>>>>
>>>>>> On Mon, Jul 24, 2017 at 7:56 PM, Sebastien Blanc
<sblanc(a)redhat.com>
>>>>>> wrote:
>>>>>>
>>>>>>> Which version of Keycloak are you using ?
>>>>>>>
>>>>>>> On Mon, Jul 24, 2017 at 3:15 PM, Rajesh Ghosh <
>>>>>>> ghosh.rajesh(a)gmail.com> wrote:
>>>>>>>
>>>>>>>> Hi,
>>>>>>>>
>>>>>>>> I am trying to secure my REST services using the method
described
>>>>>>>> in the
>>>>>>>> document --
>>>>>>>>
>>>>>>>>
>>>>>>>>
http://blog.keycloak.org/2015/10/getting-started-with-keyclo
>>>>>>>> ak-securing.html
>>>>>>>>
>>>>>>>>
>>>>>>>> I am securing my war using JBoss subsystem , instead of
per-war
>>>>>>>> option. The
>>>>>>>> relevant sections from my standalone.xml are posted
below.
>>>>>>>>
>>>>>>>> <extensions>
>>>>>>>> ......
>>>>>>>> <extension
module="org.keycloak.keycloak-
>>>>>>>> adapter-subsystem"/>
>>>>>>>> </extensions>
>>>>>>>>
>>>>>>>> <security-domains>
>>>>>>>> .....
>>>>>>>> <security-domain
name="keycloak">
>>>>>>>> <authentication>
>>>>>>>> <login-module
>>>>>>>>
code="org.keycloak.adapters.jboss.KeycloakLoginModule"
>>>>>>>> flag="required"/>
>>>>>>>> </authentication>
>>>>>>>> </security-domain>
>>>>>>>> </security-domains>
>>>>>>>>
>>>>>>>> <subsystem
xmlns="urn:jboss:domain:keycloak:1.1">
>>>>>>>> <secure-deployment name="my war
file.war">
>>>>>>>> <realm>bkofc</realm>
>>>>>>>>
<resource>bkofc-svc</resource>
>>>>>>>>
>>>>>>>>
<use-resource-role-mappings>true</use-resource-role-mappings>
>>>>>>>>
<bearer-only>true</bearer-only>
>>>>>>>>
<auth-server-url>http://192.168.99.100/30001/auth
>>>>>>>> </auth-server-url>
>>>>>>>>
<ssl-required>none</ssl-required>
>>>>>>>> <credential
>>>>>>>>
name="secret">9bcc6d9f-9c72-4b58-b297-79f0f207d9e1</credential>
>>>>>>>> </secure-deployment>
>>>>>>>> </subsystem>
>>>>>>>>
>>>>>>>> I am able to obtain the access token.
>>>>>>>>
>>>>>>>> curl -i curl --data
>>>>>>>>
"grant_type=password&client_id=bkofc-web&username=user&passw
>>>>>>>> ord=password"
>>>>>>>>
http://192.168.99.100:30001/auth/realms/bkofc/protocol/openi
>>>>>>>> d-connect/token
>>>>>>>>
>>>>>>>> Note:- I have created 2 clients -- i) bkofc-svc which is
bearer
>>>>>>>> only, for
>>>>>>>> my REST services ii) bkofc-web , a public client to
simulate UI
>>>>>>>> login
>>>>>>>>
>>>>>>>> However when I try to use the access token to invoke a
service, I
>>>>>>>> am
>>>>>>>> getting the error -
>>>>>>>>
>>>>>>>> Status: 401
>>>>>>>>
>>>>>>>> WWW-Authenticate Bearer realm="bkofc",
error="invalid_token",
>>>>>>>> error_description="Didn't find publicKey for
specified kid"
>>>>>>>>
>>>>>>>> Please let me know if I am missing something here. I have
been
>>>>>>>> breaking my
>>>>>>>> head last few days without any luck ! I have also tried
rotating
>>>>>>>> the realm
>>>>>>>> keys.
>>>>>>>>
>>>>>>>> Thanks,
>>>>>>>> Rajesh
>>>>>>>> _______________________________________________
>>>>>>>> keycloak-user mailing list
>>>>>>>> keycloak-user(a)lists.jboss.org
>>>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>
>>>>>
>>>>
>>>
>>
>
9 a.m.
Sure. I was using postman to invoke the service. This is the command used
by postman --
------------------------------------------------------------------------
GET /OlpUIFwk2-1.0-SNAPSHOT/services/sec/rest/userservice/users HTTP/1.1
Host: 192.168.99.100:8080
Authorization: Bearer
eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJSSEVTaWNCUG9OQ3doQm5CTEVrXzhYNHVmajVXeXVUbzIwemJ6T280SGZRIn0.eyJqdGkiOiJkNmY2MmM5YS1hNjAwLTQ4ZmQtYmI3Ny0wMTI1NDQ0YmIzNWMiLCJleHAiOjE1MDA5OTAyNDgsIm5iZiI6MCwiaWF0IjoxNTAwOTg5OTQ4LCJpc3MiOiJodHRwOi8vMTkyLjE2OC45OS4xMDA6MzAwMDEvYXV0aC9yZWFsbXMvYmtvZmMiLCJhdWQiOiJia29mYy13ZWIiLCJzdWIiOiIwYTA5MTQ0OC0wNjAyLTQ2YmMtOWU4MS05MjE1ZjgzYjVjOTgiLCJ0eXAiOiJCZWFyZXIiLCJhenAiOiJia29mYy13ZWIiLCJhdXRoX3RpbWUiOjAsInNlc3Npb25fc3RhdGUiOiIzMjMxZjQ2Zi0yMjliLTQyZDMtYTQxOS0wODlhMjEzOTZlNjciLCJhY3IiOiIxIiwiY2xpZW50X3Nlc3Npb24iOiI5MjFjYzM2MC03ZTkyLTQ1ZDQtYjdmNy0xNWFkYTY2NmE4Y2EiLCJhbGxvd2VkLW9yaWdpbnMiOlsiaHR0cDovLzE5Mi4xNjguOTkuMTAwOjgwODAvIl0sInJlYWxtX2FjY2VzcyI6eyJyb2xlcyI6WyJ1bWFfYXV0aG9yaXphdGlvbiIsInVzZXIiXX0sInJlc291cmNlX2FjY2VzcyI6eyJyZWFsbS1tYW5hZ2VtZW50Ijp7InJvbGVzIjpbInZpZXctcmVhbG0iLCJ2aWV3LWlkZW50aXR5LXByb3ZpZGVycyIsIm1hbmFnZS1pZGVudGl0eS1wcm92aWRlcnMiLCJpbXBlcnNvbmF0aW9uIiwicmVhbG0tYWRtaW4iLCJjcmVhdGUtY2xpZW50IiwibWFuYWdlLXVzZXJzIiwidmlldy1hdXRob3JpemF0aW9uIiwibWFuYWdlLWV2ZW50cyIsIm1hbmFnZS1yZWFsbSIsInZpZXctZXZlbnRzIiwidmlldy11c2VycyIsInZpZXctY2xpZW50cyIsIm1hbmFnZS1hdXRob3JpemF0aW9uIiwibWFuYWdlLWNsaWVudHMiXX0sImFjY291bnQiOnsicm9sZXMiOlsibWFuYWdlLWFjY291bnQiLCJtYW5hZ2UtYWNjb3VudC1saW5rcyIsInZpZXctcHJvZmlsZSJdfX0sIm5hbWUiOiIiLCJwcmVmZXJyZWRfdXNlcm5hbWUiOiJzdXBlcmFkbWluIiwiZW1haWwiOiJ0cmlsaWEudGVjaEBnbWFpbC5jb20ifQ.JCGcaQ-8yYhoOT_DfHvNa5HvG3x5WBI3ZcC4WEcBA3NUL-mQdUhU1aEK9G5VulcRbMeYp9f_rFnFip-N9g3JwPGhR6ozgwdXlI09JAjM6zLk7cy0UKig5ghHX1-gXb5EHChzhmGI_xtV77t9dcKBjW4V3f7eFwDmCMyWj8bqyoFMDTIp_Gz67Wt1iUXAaCZ5fIdXs3epdG82NhJrjQsIKiYGzUg9JY2Dkvg_tHGHESN85KsW2TNj8Jd0CuS-cF0rOqx82pohW6RQMAZmGyMVofsxH_uRrEbvpmI_ofkAUF6qCuLDD7idZC_j1ARXH-EOWxHgnSEDXc6SF2aAegmCpw
Cache-Control: no-cache
Postman-Token: d378eefe-82c8-9c3d-0140-ef56c62f9b97
---------------------------------------------------------------------------
The "userservice" is my own service for other attributes of users. I also
made sure that the service executes without the security.
Thanks,
Rajesh
On Tue, Jul 25, 2017 at 7:24 PM, Sebastien Blanc <sblanc(a)redhat.com> wrote:
Okay, to have the complete picture could paste the command you issue
to
call your REST service ?
On Tue, Jul 25, 2017 at 3:50 PM, Rajesh Ghosh <ghosh.rajesh(a)gmail.com>
wrote:
> Sebastien,
>
> Here is a token response -
>
> {
> "access_token": "eyJhbGciOiJSUzI1NiIsInR5cCIgO
> iAiSldUIiwia2lkIiA6ICJSSEVTaWNCUG9OQ3doQm5CTEVrXzhYNHVmajVXe
> XVUbzIwemJ6T280SGZRIn0.eyJqdGkiOiJkNmY2MmM5YS1hNjAwLTQ4ZmQtY
> mI3Ny0wMTI1NDQ0YmIzNWMiLCJleHAiOjE1MDA5OTAyNDgsIm5iZiI6MCwia
> WF0IjoxNTAwOTg5OTQ4LCJpc3MiOiJodHRwOi8vMTkyLjE2OC45OS4xMDA6M
> zAwMDEvYXV0aC9yZWFsbXMvYmtvZmMiLCJhdWQiOiJia29mYy13ZWIiLCJzd
> WIiOiIwYTA5MTQ0OC0wNjAyLTQ2YmMtOWU4MS05MjE1ZjgzYjVjOTgiLCJ0e
> XAiOiJCZWFyZXIiLCJhenAiOiJia29mYy13ZWIiLCJhdXRoX3RpbWUiOjAsI
> nNlc3Npb25fc3RhdGUiOiIzMjMxZjQ2Zi0yMjliLTQyZDMtYTQxOS0wODlhM
> jEzOTZlNjciLCJhY3IiOiIxIiwiY2xpZW50X3Nlc3Npb24iOiI5MjFjYzM2M
> C03ZTkyLTQ1ZDQtYjdmNy0xNWFkYTY2NmE4Y2EiLCJhbGxvd2VkLW9yaWdpb
> nMiOlsiaHR0cDovLzE5Mi4xNjguOTkuMTAwOjgwODAvIl0sInJlYWxtX2FjY
> 2VzcyI6eyJyb2xlcyI6WyJ1bWFfYXV0aG9yaXphdGlvbiIsInVzZXIiXX0sI
> nJlc291cmNlX2FjY2VzcyI6eyJyZWFsbS1tYW5hZ2VtZW50Ijp7InJvbGVzI
> jpbInZpZXctcmVhbG0iLCJ2aWV3LWlkZW50aXR5LXByb3ZpZGVycyIsIm1hb
> mFnZS1pZGVudGl0eS1wcm92aWRlcnMiLCJpbXBlcnNvbmF0aW9uIiwicmVhb
> G0tYWRtaW4iLCJjcmVhdGUtY2xpZW50IiwibWFuYWdlLXVzZXJzIiwidmlld
> y1hdXRob3JpemF0aW9uIiwibWFuYWdlLWV2ZW50cyIsIm1hbmFnZS1yZWFsb
> SIsInZpZXctZXZlbnRzIiwidmlldy11c2VycyIsInZpZXctY2xpZW50cyIsI
> m1hbmFnZS1hdXRob3JpemF0aW9uIiwibWFuYWdlLWNsaWVudHMiXX0sImFjY
> 291bnQiOnsicm9sZXMiOlsibWFuYWdlLWFjY291bnQiLCJtYW5hZ2UtYWNjb
> 3VudC1saW5rcyIsInZpZXctcHJvZmlsZSJdfX0sIm5hbWUiOiIiLCJwcmVmZ
> XJyZWRfdXNlcm5hbWUiOiJzdXBlcmFkbWluIiwiZW1haWwiOiJ0cmlsaWEud
> GVjaEBnbWFpbC5jb20ifQ.JCGcaQ-8yYhoOT_DfHvNa5HvG3x5WBI3ZcC4WEcBA3NUL-
> mQdUhU1aEK9G5VulcRbMeYp9f_rFnFip-N9g3JwPGhR6ozgwdXlI09JAjM6z
> Lk7cy0UKig5ghHX1-gXb5EHChzhmGI_xtV77t9dcKBjW4V3
> f7eFwDmCMyWj8bqyoFMDTIp_Gz67Wt1iUXAaCZ5fIdXs3epdG82NhJrjQsIK
> iYGzUg9JY2Dkvg_tHGHESN85KsW2TNj8Jd0CuS-cF0rOqx82pohW6RQMAZmG
> yMVofsxH_uRrEbvpmI_ofkAUF6qCuLDD7idZC_j1ARXH-EOWxHgnSEDXc6SF2aAegmCpw",
> "expires_in": 300,
> "refresh_expires_in": 1800,
> "refresh_token": "eyJhbGciOiJSUzI1NiIsInR5cCIgO
> iAiSldUIiwia2lkIiA6ICJSSEVTaWNCUG9OQ3doQm5CTEVrXzhYNHVmajVXe
> XVUbzIwemJ6T280SGZRIn0.eyJqdGkiOiIyYzE4ZjkxYi0yMDljLTQwY2ItY
> TE5OS02NGIwZTEyYjRkOGIiLCJleHAiOjE1MDA5OTE3NDgsIm5iZiI6MCwia
> WF0IjoxNTAwOTg5OTQ4LCJpc3MiOiJodHRwOi8vMTkyLjE2OC45OS4xMDA6M
> zAwMDEvYXV0aC9yZWFsbXMvYmtvZmMiLCJhdWQiOiJia29mYy13ZWIiLCJzd
> WIiOiIwYTA5MTQ0OC0wNjAyLTQ2YmMtOWU4MS05MjE1ZjgzYjVjOTgiLCJ0e
> XAiOiJSZWZyZXNoIiwiYXpwIjoiYmtvZmMtd2ViIiwiYXV0aF90aW1lIjowL
> CJzZXNzaW9uX3N0YXRlIjoiMzIzMWY0NmYtMjI5Yi00MmQzLWE0MTktMDg5Y
> TIxMzk2ZTY3IiwiY2xpZW50X3Nlc3Npb24iOiI5MjFjYzM2MC03ZTkyLTQ1Z
> DQtYjdmNy0xNWFkYTY2NmE4Y2EiLCJyZWFsbV9hY2Nlc3MiOnsicm9sZXMiO
> lsidW1hX2F1dGhvcml6YXRpb24iLCJ1c2VyIl19LCJyZXNvdXJjZV9hY2Nlc
> 3MiOnsicmVhbG0tbWFuYWdlbWVudCI6eyJyb2xlcyI6WyJ2aWV3LXJlYWxtI
> iwidmlldy1pZGVudGl0eS1wcm92aWRlcnMiLCJtYW5hZ2UtaWRlbnRpdHktc
> HJvdmlkZXJzIiwiaW1wZXJzb25hdGlvbiIsInJlYWxtLWFkbWluIiwiY3JlY
> XRlLWNsaWVudCIsIm1hbmFnZS11c2VycyIsInZpZXctYXV0aG9yaXphdGlvb
> iIsIm1hbmFnZS1ldmVudHMiLCJtYW5hZ2UtcmVhbG0iLCJ2aWV3LWV2ZW50c
> yIsInZpZXctdXNlcnMiLCJ2aWV3LWNsaWVudHMiLCJtYW5hZ2UtYXV0aG9ya
> XphdGlvbiIsIm1hbmFnZS1jbGllbnRzIl19LCJhY2NvdW50Ijp7InJvbGVzI
> jpbIm1hbmFnZS1hY2NvdW50IiwibWFuYWdlLWFjY291bnQtbGlua3MiLCJ2a
> WV3LXByb2ZpbGUiXX19fQ.Uz0rqNlj09T_SdnfZK9ZxBcJ5EIEwwHCN5VwKI
> hIF6Ua32fDlf1UvZSoZTmr5jiHeiwpp4JALWGTXsda4p-PlzMvwmMN5Qp46-
> EXGJQkqH4NNqZ1W_1mRGySYokQCSkmdvAZPFGrqxpeb1seuKgaaiXXMsrvai
> ucFCa8H599Ox6QRE3MkoLmm8w7_08kPG1_JjXIviHtwoWgsb0zCcMPyHR
> dCv_rs6FIoTQiCRZ2joaXSvIsmVAkchgZbeB-_RSWzlk3_oaOCQw7OWZJRqn
> AdGgDnL5jCCRLTVFnPo9TqKrt88h3fKkVuNuI8Y06sZ1If8wgSWRDRLUf0X8sampLww",
> "token_type": "bearer",
> "id_token": "eyJhbGciOiJSUzI1NiIsInR5cCIgO
> iAiSldUIiwia2lkIiA6ICJSSEVTaWNCUG9OQ3doQm5CTEVrXzhYNHVmajVXe
> XVUbzIwemJ6T280SGZRIn0.eyJqdGkiOiI2ZDJkNWMxNS01YmE3LTRhNTgtO
> TJkNC0wNGU0NTkyMjNkNGYiLCJleHAiOjE1MDA5OTAyNDgsIm5iZiI6MCwia
> WF0IjoxNTAwOTg5OTQ4LCJpc3MiOiJodHRwOi8vMTkyLjE2OC45OS4xMDA6M
> zAwMDEvYXV0aC9yZWFsbXMvYmtvZmMiLCJhdWQiOiJia29mYy13ZWIiLCJzd
> WIiOiIwYTA5MTQ0OC0wNjAyLTQ2YmMtOWU4MS05MjE1ZjgzYjVjOTgiLCJ0e
> XAiOiJJRCIsImF6cCI6ImJrb2ZjLXdlYiIsImF1dGhfdGltZSI6MCwic2Vzc
> 2lvbl9zdGF0ZSI6IjMyMzFmNDZmLTIyOWItNDJkMy1hNDE5LTA4OWEyMTM5N
> mU2NyIsImFjciI6IjEiLCJuYW1lIjoiIiwicHJlZmVycmVkX3VzZXJuYW1lI
> joic3VwZXJhZG1pbiIsImVtYWlsIjoidHJpbGlhLnRlY2hAZ21haWwuY29tI
> n0.eFVxG7MImPS4yCEiLOzhvZ5M_XjRWuHJlt_T4r3djak7sH_XOXUmHAuih
> xXrm7HLv8DU3OzHpN3FinOWufOdTCv9Ywww0DRq4ha1M7dodqMuv1H5d3XVB
> n_kuHK68zWRI3t9WI4ZNeaEU0whLSnBqcbJ54dQrBloUPS4bpYG-BqfSNYs6
> bG8cyJHQ4_FRpAi3X9qWOCwaPrZ5Z_vQfNbYcgIfON_puN8QfRxihg90KQYO
> p4lJpU5JqeaVmYp9eOYTb5iQzOuLWDXenyIBmvT_K84HZKh8t5eWsqH01st-
> Ls7uJcNAUM9PXRM7JswCjhouuQGBM6dn5iICoL00acuxg",
> "not-before-policy": 0,
> "session_state": "3231f46f-229b-42d3-a419-089a21396e67"
> }
>
>
> I checked it in jwt.io . The kid is same as the "rsa-generated" one,
> shown in the screen shot I shared yesterday. Although jwt complained as
> "Invalid Signature" .
>
>
> Thomas, the connectivity should not be an issue as I am able to get the
> access token from my app wildfly server using curl. So keycloak is
> reachable from my wildfly server. Anything specific you did to resolve your
> issue ?
>
> Regards,
> Rajesh
>
> On Tue, Jul 25, 2017 at 11:12 AM, Sebastien Blanc <sblanc(a)redhat.com>
> wrote:
>
>> This looks all correct. Could you try paste your access token or even
>> check it your self on jwt.io to see if the kid is present ?
>>
>>
>> On Mon, Jul 24, 2017 at 6:47 PM, Rajesh Ghosh <ghosh.rajesh(a)gmail.com>
>> wrote:
>>
>>> Sebastien,
>>>
>>> I am attaching a pdf containing the screen shots. Few more points I
>>> wanted to mention.
>>>
>>> i) I didn't install the public client -- "bkofc-web" in the
wildfly
>>> container which hosts my REST services. I did it for "bkofc-svc"
client
>>> which is bearer only. I hope that is the correct approach.
>>> ii) Both keycloak and my application are running on docker containers
>>> locally in my laptop.
>>>
>>> Let me know if you need anything else to analyze.
>>>
>>> Thanks,
>>> Rajesh
>>>
>>>
>>> On Mon, Jul 24, 2017 at 9:13 PM, Sebastien Blanc <sblanc(a)redhat.com>
>>> wrote:
>>>
>>>> yes please
>>>>
>>>> On Mon, Jul 24, 2017 at 4:54 PM, Rajesh Ghosh
<ghosh.rajesh(a)gmail.com>
>>>> wrote:
>>>>
>>>>> Yes definitely. I did replace it with the actual war name. Let me
>>>>> know if you would like me to paste screen shots of realm
configurations,
>>>>> client configurations.
>>>>>
>>>>> Thanks,
>>>>> Rajesh
>>>>>
>>>>> On Mon, Jul 24, 2017 at 8:12 PM, Sebastien Blanc
<sblanc(a)redhat.com>
>>>>> wrote:
>>>>>
>>>>>> Ok and for :
>>>>>> <secure-deployment name="my war file.war">
>>>>>>
>>>>>> Did you replace that with the actual name of your war file ?
>>>>>>
>>>>>> On Mon, Jul 24, 2017 at 4:35 PM, Rajesh Ghosh <
>>>>>> ghosh.rajesh(a)gmail.com> wrote:
>>>>>>
>>>>>>> Hello Sebastien,
>>>>>>>
>>>>>>> I am using 3.1.0.Final build.
>>>>>>>
>>>>>>> Thanks,
>>>>>>> Rajesh
>>>>>>>
>>>>>>> On Mon, Jul 24, 2017 at 7:56 PM, Sebastien Blanc
<sblanc(a)redhat.com
>>>>>>> > wrote:
>>>>>>>
>>>>>>>> Which version of Keycloak are you using ?
>>>>>>>>
>>>>>>>> On Mon, Jul 24, 2017 at 3:15 PM, Rajesh Ghosh <
>>>>>>>> ghosh.rajesh(a)gmail.com> wrote:
>>>>>>>>
>>>>>>>>> Hi,
>>>>>>>>>
>>>>>>>>> I am trying to secure my REST services using the
method described
>>>>>>>>> in the
>>>>>>>>> document --
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
http://blog.keycloak.org/2015/10/getting-started-with-keyclo
>>>>>>>>> ak-securing.html
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> I am securing my war using JBoss subsystem , instead
of per-war
>>>>>>>>> option. The
>>>>>>>>> relevant sections from my standalone.xml are posted
below.
>>>>>>>>>
>>>>>>>>> <extensions>
>>>>>>>>> ......
>>>>>>>>> <extension
module="org.keycloak.keycloak-
>>>>>>>>> adapter-subsystem"/>
>>>>>>>>> </extensions>
>>>>>>>>>
>>>>>>>>> <security-domains>
>>>>>>>>> .....
>>>>>>>>> <security-domain
name="keycloak">
>>>>>>>>> <authentication>
>>>>>>>>> <login-module
>>>>>>>>>
code="org.keycloak.adapters.jboss.KeycloakLoginModule"
>>>>>>>>> flag="required"/>
>>>>>>>>> </authentication>
>>>>>>>>> </security-domain>
>>>>>>>>> </security-domains>
>>>>>>>>>
>>>>>>>>> <subsystem
xmlns="urn:jboss:domain:keycloak:1.1">
>>>>>>>>> <secure-deployment name="my war
file.war">
>>>>>>>>> <realm>bkofc</realm>
>>>>>>>>>
<resource>bkofc-svc</resource>
>>>>>>>>>
>>>>>>>>>
<use-resource-role-mappings>true</use-resource-role-mappings>
>>>>>>>>>
<bearer-only>true</bearer-only>
>>>>>>>>>
<auth-server-url>http://192.168.99.100/30001/auth
>>>>>>>>> </auth-server-url>
>>>>>>>>>
<ssl-required>none</ssl-required>
>>>>>>>>> <credential
>>>>>>>>>
name="secret">9bcc6d9f-9c72-4b58-b297-79f0f207d9e1</credential>
>>>>>>>>> </secure-deployment>
>>>>>>>>> </subsystem>
>>>>>>>>>
>>>>>>>>> I am able to obtain the access token.
>>>>>>>>>
>>>>>>>>> curl -i curl --data
>>>>>>>>>
"grant_type=password&client_id=bkofc-web&username=user&passw
>>>>>>>>> ord=password"
>>>>>>>>>
http://192.168.99.100:30001/auth/realms/bkofc/protocol/openi
>>>>>>>>> d-connect/token
>>>>>>>>>
>>>>>>>>> Note:- I have created 2 clients -- i) bkofc-svc
which is bearer
>>>>>>>>> only, for
>>>>>>>>> my REST services ii) bkofc-web , a public client to
simulate UI
>>>>>>>>> login
>>>>>>>>>
>>>>>>>>> However when I try to use the access token to invoke
a service, I
>>>>>>>>> am
>>>>>>>>> getting the error -
>>>>>>>>>
>>>>>>>>> Status: 401
>>>>>>>>>
>>>>>>>>> WWW-Authenticate Bearer realm="bkofc",
error="invalid_token",
>>>>>>>>> error_description="Didn't find publicKey for
specified kid"
>>>>>>>>>
>>>>>>>>> Please let me know if I am missing something here. I
have been
>>>>>>>>> breaking my
>>>>>>>>> head last few days without any luck ! I have also
tried rotating
>>>>>>>>> the realm
>>>>>>>>> keys.
>>>>>>>>>
>>>>>>>>> Thanks,
>>>>>>>>> Rajesh
>>>>>>>>> _______________________________________________
>>>>>>>>> keycloak-user mailing list
>>>>>>>>> keycloak-user(a)lists.jboss.org
>>>>>>>>>
https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>
>>>>>
>>>>
>>>
>>
>
9:06 a.m.
Here is the response from curl ---
$ curl -v
http://192.168.99.100:8080/OlpUIFwk2-1.0-SNAPSHOT/services/sec/rest/us
erservice/users -H "Authorization: Bearer $KEY"
* Trying 192.168.99.100...
* Connected to 192.168.99.100 (192.168.99.100) port 8080 (#0)
< HTTP/1.1 401 Unauthorized
< Expires: 0
< Cache-Control: no-cache, no-store, must-revalidate
< X-Powered-By: Undertow/1
< Server: WildFly/10
< Pragma: no-cache
< Date: Tue, 25 Jul 2017 14:04:31 GMT
< Connection: keep-alive
< WWW-Authenticate: Bearer realm="bkofc", error="invalid_token",
error_description="Didn't find publicKey for specified kid"
< Content-Type: text/html;charset=UTF-8
< Content-Length: 71
<
* Connection #0 to host 192.168.99.100 left intact
<html><head><title>Error</title></head><body>Unauthorized</body></html>$
$
Thanks,
Rajesh
On Tue, Jul 25, 2017 at 7:30 PM, Rajesh Ghosh <ghosh.rajesh(a)gmail.com wrote:
> Sure. I was using postman to invoke the service. This is the command used
> by postman --
>
------------------------------------------------------------------------
> GET
/OlpUIFwk2-1.0-SNAPSHOT/services/sec/rest/userservice/users HTTP/1.1
> Host: 192.168.99.100:8080
> Authorization: Bearer eyJhbGciOiJSUzI1NiIsInR5cCIgOi
> AiSldUIiwia2lkIiA6ICJSSEVTaWNCUG9OQ3doQm5CTEVrXzhYNHVmajVXeX
> VUbzIwemJ6T280SGZRIn0.eyJqdGkiOiJkNmY2MmM5YS1hNjAwLT
> Q4ZmQtYmI3Ny0wMTI1NDQ0YmIzNWMiLCJleHAiOjE1MDA5OTAyNDgsIm5iZi
> I6MCwiaWF0IjoxNTAwOTg5OTQ4LCJpc3MiOiJodHRwOi8vMTkyLjE2OC45OS
> 4xMDA6MzAwMDEvYXV0aC9yZWFsbXMvYmtvZmMiLCJhdWQiOiJia29mYy13ZW
> IiLCJzdWIiOiIwYTA5MTQ0OC0wNjAyLTQ2YmMtOWU4MS05MjE1ZjgzYjVjOT
> giLCJ0eXAiOiJCZWFyZXIiLCJhenAiOiJia29mYy13ZWIiLCJhdXRoX3RpbW
> UiOjAsInNlc3Npb25fc3RhdGUiOiIzMjMxZjQ2Zi0yMjliLTQyZDMtYTQxOS
> 0wODlhMjEzOTZlNjciLCJhY3IiOiIxIiwiY2xpZW50X3Nlc3Npb24iOiI5Mj
> FjYzM2MC03ZTkyLTQ1ZDQtYjdmNy0xNWFkYTY2NmE4Y2EiLCJhbGxvd2VkLW
> 9yaWdpbnMiOlsiaHR0cDovLzE5Mi4xNjguOTkuMTAwOjgwODAvIl0sInJlYW
> xtX2FjY2VzcyI6eyJyb2xlcyI6WyJ1bWFfYXV0aG9yaXphdGlvbiIsInVzZX
> IiXX0sInJlc291cmNlX2FjY2VzcyI6eyJyZWFsbS1tYW5hZ2VtZW50Ijp7In
> JvbGVzIjpbInZpZXctcmVhbG0iLCJ2aWV3LWlkZW50aXR5LXByb3ZpZGVycy
> IsIm1hbmFnZS1pZGVudGl0eS1wcm92aWRlcnMiLCJpbXBlcnNvbmF0aW9uIi
> wicmVhbG0tYWRtaW4iLCJjcmVhdGUtY2xpZW50IiwibWFuYWdlLXVzZXJzIi
> widmlldy1hdXRob3JpemF0aW9uIiwibWFuYWdlLWV2ZW50cyIsIm1hbmFnZS
> 1yZWFsbSIsInZpZXctZXZlbnRzIiwidmlldy11c2VycyIsInZpZXctY2xpZW
> 50cyIsIm1hbmFnZS1hdXRob3JpemF0aW9uIiwibWFuYWdlLWNsaWVudHMiXX
> 0sImFjY291bnQiOnsicm9sZXMiOlsibWFuYWdlLWFjY291bnQiLCJtYW5hZ2
> UtYWNjb3VudC1saW5rcyIsInZpZXctcHJvZmlsZSJdfX0sIm5hbWUiOiIiLC
> JwcmVmZXJyZWRfdXNlcm5hbWUiOiJzdXBlcmFkbWluIiwiZW1haWwiOiJ0cm
> lsaWEudGVjaEBnbWFpbC5jb20ifQ.JCGcaQ-8yYhoOT_DfHvNa5HvG3x5WBI3ZcC4WEcBA3NUL
> -mQdUhU1aEK9G5VulcRbMeYp9f_rFnFip-N9g3JwPGhR6ozgwdXlI09JAjM6zLk7
> cy0UKig5ghHX1-gXb5EHChzhmGI_xtV77t9dcKBjW4V3f7eFwDmCMyWj8bqyoFMDTIp_
> Gz67Wt1iUXAaCZ5fIdXs3epdG82NhJrjQsIKiYGzUg9JY2Dkvg_
> tHGHESN85KsW2TNj8Jd0CuS-cF0rOqx82pohW6RQMAZmGyMVofsxH_
> uRrEbvpmI_ofkAUF6qCuLDD7idZC_j1ARXH-EOWxHgnSEDXc6SF2aAegmCpw
> Cache-Control: no-cache
> Postman-Token: d378eefe-82c8-9c3d-0140-ef56c62f9b97
>
------------------------------------------------------------
> ---------------
> The "userservice" is my own service for other
attributes of users. I also
> made sure that the service executes without the security.
> Thanks,
> Rajesh
> On Tue, Jul 25, 2017 at 7:24
PM, Sebastien Blanc <sblanc(a)redhat.com >
wrote:
>> Okay, to have the complete picture could paste the
command you issue to
>> call your REST service ?
> > >> On Tue, Jul 25, 2017 at
3:50 PM, Rajesh Ghosh <ghosh.rajesh(a)gmail.com >>
wrote:
> >>> Sebastien,
>> >>> Here is a token
response -
>> >>> {
>>> "access_token": "eyJhbGciOiJSUzI1NiIsInR5cCIgO
>>> iAiSldUIiwia2lkIiA6ICJSSEVTaWNCUG9OQ3doQm5CTEVrXzhYNHVmajVXe
>>> XVUbzIwemJ6T280SGZRIn0.eyJqdGkiOiJkNmY2MmM5YS1hNjAwLTQ4ZmQtY
>>> mI3Ny0wMTI1NDQ0YmIzNWMiLCJleHAiOjE1MDA5OTAyNDgsIm5iZiI6MCwia
>>> WF0IjoxNTAwOTg5OTQ4LCJpc3MiOiJodHRwOi8vMTkyLjE2OC45OS4xMDA6M
>>> zAwMDEvYXV0aC9yZWFsbXMvYmtvZmMiLCJhdWQiOiJia29mYy13ZWIiLCJzd
>>> WIiOiIwYTA5MTQ0OC0wNjAyLTQ2YmMtOWU4MS05MjE1ZjgzYjVjOTgiLCJ0e
>>> XAiOiJCZWFyZXIiLCJhenAiOiJia29mYy13ZWIiLCJhdXRoX3RpbWUiOjAsI
>>> nNlc3Npb25fc3RhdGUiOiIzMjMxZjQ2Zi0yMjliLTQyZDMtYTQxOS0wODlhM
>>> jEzOTZlNjciLCJhY3IiOiIxIiwiY2xpZW50X3Nlc3Npb24iOiI5MjFjYzM2M
>>> C03ZTkyLTQ1ZDQtYjdmNy0xNWFkYTY2NmE4Y2EiLCJhbGxvd2VkLW9yaWdpb
>>> nMiOlsiaHR0cDovLzE5Mi4xNjguOTkuMTAwOjgwODAvIl0sInJlYWxtX2FjY
>>> 2VzcyI6eyJyb2xlcyI6WyJ1bWFfYXV0aG9yaXphdGlvbiIsInVzZXIiXX0sI
>>> nJlc291cmNlX2FjY2VzcyI6eyJyZWFsbS1tYW5hZ2VtZW50Ijp7InJvbGVzI
>>> jpbInZpZXctcmVhbG0iLCJ2aWV3LWlkZW50aXR5LXByb3ZpZGVycyIsIm1hb
>>> mFnZS1pZGVudGl0eS1wcm92aWRlcnMiLCJpbXBlcnNvbmF0aW9uIiwicmVhb
>>> G0tYWRtaW4iLCJjcmVhdGUtY2xpZW50IiwibWFuYWdlLXVzZXJzIiwidmlld
>>> y1hdXRob3JpemF0aW9uIiwibWFuYWdlLWV2ZW50cyIsIm1hbmFnZS1yZWFsb
>>> SIsInZpZXctZXZlbnRzIiwidmlldy11c2VycyIsInZpZXctY2xpZW50cyIsI
>>> m1hbmFnZS1hdXRob3JpemF0aW9uIiwibWFuYWdlLWNsaWVudHMiXX0sImFjY
>>> 291bnQiOnsicm9sZXMiOlsibWFuYWdlLWFjY291bnQiLCJtYW5hZ2UtYWNjb
>>> 3VudC1saW5rcyIsInZpZXctcHJvZmlsZSJdfX0sIm5hbWUiOiIiLCJwcmVmZ
>>> XJyZWRfdXNlcm5hbWUiOiJzdXBlcmFkbWluIiwiZW1haWwiOiJ0cmlsaWEud
>>> GVjaEBnbWFpbC5jb20ifQ.JCGcaQ-8yYhoOT_DfHvNa5HvG3x5WBI3ZcC4WE
>>> cBA3NUL-mQdUhU1aEK9G5VulcRbMeYp9f_rFnFip-N9g3JwPGhR6ozgwdXlI09JAjM6zLk7
>>> cy0UKig5ghHX1-gXb5EHChzhmGI_xtV77t9dcKBjW4V3f7eFwDmCMyWj8b
>>> qyoFMDTIp_Gz67Wt1iUXAaCZ5fIdXs3epdG82NhJrjQsIKiYGzUg9JY2Dkvg
>>> _tHGHESN85KsW2TNj8Jd0CuS-cF0rOqx82pohW6RQMAZmGyMVofsxH_
>>> uRrEbvpmI_ofkAUF6qCuLDD7idZC_j1ARXH-EOWxHgnSEDXc6SF2aAegmCpw",
>>> "expires_in": 300,
>>> "refresh_expires_in": 1800,
>>> "refresh_token": "eyJhbGciOiJSUzI1NiIsInR5cCIgO
>>> iAiSldUIiwia2lkIiA6ICJSSEVTaWNCUG9OQ3doQm5CTEVrXzhYNHVmajVXe
>>> XVUbzIwemJ6T280SGZRIn0.eyJqdGkiOiIyYzE4ZjkxYi0yMDljLTQwY2ItY
>>> TE5OS02NGIwZTEyYjRkOGIiLCJleHAiOjE1MDA5OTE3NDgsIm5iZiI6MCwia
>>> WF0IjoxNTAwOTg5OTQ4LCJpc3MiOiJodHRwOi8vMTkyLjE2OC45OS4xMDA6M
>>> zAwMDEvYXV0aC9yZWFsbXMvYmtvZmMiLCJhdWQiOiJia29mYy13ZWIiLCJzd
>>> WIiOiIwYTA5MTQ0OC0wNjAyLTQ2YmMtOWU4MS05MjE1ZjgzYjVjOTgiLCJ0e
>>> XAiOiJSZWZyZXNoIiwiYXpwIjoiYmtvZmMtd2ViIiwiYXV0aF90aW1lIjowL
>>> CJzZXNzaW9uX3N0YXRlIjoiMzIzMWY0NmYtMjI5Yi00MmQzLWE0MTktMDg5Y
>>> TIxMzk2ZTY3IiwiY2xpZW50X3Nlc3Npb24iOiI5MjFjYzM2MC03ZTkyLTQ1Z
>>> DQtYjdmNy0xNWFkYTY2NmE4Y2EiLCJyZWFsbV9hY2Nlc3MiOnsicm9sZXMiO
>>> lsidW1hX2F1dGhvcml6YXRpb24iLCJ1c2VyIl19LCJyZXNvdXJjZV9hY2Nlc
>>> 3MiOnsicmVhbG0tbWFuYWdlbWVudCI6eyJyb2xlcyI6WyJ2aWV3LXJlYWxtI
>>> iwidmlldy1pZGVudGl0eS1wcm92aWRlcnMiLCJtYW5hZ2UtaWRlbnRpdHktc
>>> HJvdmlkZXJzIiwiaW1wZXJzb25hdGlvbiIsInJlYWxtLWFkbWluIiwiY3JlY
>>> XRlLWNsaWVudCIsIm1hbmFnZS11c2VycyIsInZpZXctYXV0aG9yaXphdGlvb
>>> iIsIm1hbmFnZS1ldmVudHMiLCJtYW5hZ2UtcmVhbG0iLCJ2aWV3LWV2ZW50c
>>> yIsInZpZXctdXNlcnMiLCJ2aWV3LWNsaWVudHMiLCJtYW5hZ2UtYXV0aG9ya
>>> XphdGlvbiIsIm1hbmFnZS1jbGllbnRzIl19LCJhY2NvdW50Ijp7InJvbGVzI
>>> jpbIm1hbmFnZS1hY2NvdW50IiwibWFuYWdlLWFjY291bnQtbGlua3MiLCJ2a
>>> WV3LXByb2ZpbGUiXX19fQ.Uz0rqNlj09T_SdnfZK9ZxBcJ5EIEwwHCN5VwKI
>>> hIF6Ua32fDlf1UvZSoZTmr5jiHeiwpp4JALWGTXsda4p-PlzMvwmMN5Qp46-
>>> EXGJQkqH4NNqZ1W_1mRGySYokQCSkmdvAZPFGrqxpeb1seuKgaaiXXMsrvai
>>> ucFCa8H599Ox6QRE3MkoLmm8w7_08kPG1_JjXIviHtwoWgsb0zCcMPyHRdCv
>>> _rs6FIoTQiCRZ2joaXSvIsmVAkchgZbeB-_RSWzlk3_oaOCQw7OWZJRqnAdG
>>> gDnL5jCCRLTVFnPo9TqKrt88h3fKkVuNuI8Y06sZ1If8wgSWRDRLUf0X8sampLww",
>>> "token_type": "bearer",
>>> "id_token": "eyJhbGciOiJSUzI1NiIsInR5cCIgO
>>> iAiSldUIiwia2lkIiA6ICJSSEVTaWNCUG9OQ3doQm5CTEVrXzhYNHVmajVXe
>>> XVUbzIwemJ6T280SGZRIn0.eyJqdGkiOiI2ZDJkNWMxNS01YmE3LTRhNTgtO
>>> TJkNC0wNGU0NTkyMjNkNGYiLCJleHAiOjE1MDA5OTAyNDgsIm5iZiI6MCwia
>>> WF0IjoxNTAwOTg5OTQ4LCJpc3MiOiJodHRwOi8vMTkyLjE2OC45OS4xMDA6M
>>> zAwMDEvYXV0aC9yZWFsbXMvYmtvZmMiLCJhdWQiOiJia29mYy13ZWIiLCJzd
>>> WIiOiIwYTA5MTQ0OC0wNjAyLTQ2YmMtOWU4MS05MjE1ZjgzYjVjOTgiLCJ0e
>>> XAiOiJJRCIsImF6cCI6ImJrb2ZjLXdlYiIsImF1dGhfdGltZSI6MCwic2Vzc
>>> 2lvbl9zdGF0ZSI6IjMyMzFmNDZmLTIyOWItNDJkMy1hNDE5LTA4OWEyMTM5N
>>> mU2NyIsImFjciI6IjEiLCJuYW1lIjoiIiwicHJlZmVycmVkX3VzZXJuYW1lI
>>> joic3VwZXJhZG1pbiIsImVtYWlsIjoidHJpbGlhLnRlY2hAZ21haWwuY29tI
>>> n0.eFVxG7MImPS4yCEiLOzhvZ5M_XjRWuHJlt_T4r3djak7sH_XOXUmHAuih
>>> xXrm7HLv8DU3OzHpN3FinOWufOdTCv9Ywww0DRq4ha1M7dodqMuv1H5d3XVB
>>> n_kuHK68zWRI3t9WI4ZNeaEU0whLSnBqcbJ54dQrBloUPS4bpYG-BqfSNYs6
>>> bG8cyJHQ4_FRpAi3X9qWOCwaPrZ5Z_vQfNbYcgIfON_puN8QfRxihg90KQYO
>>> p4lJpU5JqeaVmYp9eOYTb5iQzOuLWDXenyIBmvT_K84HZKh8t5eWsqH01st-
>>> Ls7uJcNAUM9PXRM7JswCjhouuQGBM6dn5iICoL00acuxg",
>>> "not-before-policy": 0,
>>> "session_state":
"3231f46f-229b-42d3-a419-089a21396e67"
>>> }
>> >> >>> I checked it in jwt.io . The kid is same as the
"rsa-generated" one,
>>> shown in the screen shot I shared yesterday. Although jwt complained as
>>> "Invalid Signature" .
>> >> >>> Thomas, the connectivity should not be an issue as
I am able to get the
>>> access token from my app wildfly server using curl. So keycloak is
>>> reachable from my wildfly server. Anything specific you did to resolve your
>>> issue ?
>> >>> Regards,
>>> Rajesh
>> >>> On Tue, Jul 25, 2017 at
11:12 AM, Sebastien Blanc <sblanc(a)redhat.com
>>> wrote:
>> >>>> This looks all
correct. Could you try paste your access token or even
>>>> check it your self on jwt.io to see if the kid is present ?
>>> >>> >>>> On Mon, Jul 24, 2017 at 6:47 PM, Rajesh Ghosh
<ghosh.rajesh(a)gmail.com >>>> wrote:
>>> >>>>> Sebastien,
>>>> >>>>> I am attaching
a pdf containing the screen shots. Few more points I
>>>>> wanted to mention.
>>>> >>>>> i) I
didn't install the public client -- "bkofc-web" in the wildfly
>>>>> container which hosts my REST services. I did it for
"bkofc-svc" client
>>>>> which is bearer only. I hope that is the correct approach.
>>>>> ii) Both keycloak and my application are running on docker
containers
>>>>> locally in my laptop.
>>>> >>>>> Let me know if
you need anything else to analyze.
>>>> >>>>> Thanks,
>>>>> Rajesh
>>>> >>>> >>>>> On Mon, Jul 24, 2017 at 9:13 PM, Sebastien
Blanc <sblanc(a)redhat.com >>>>> wrote:
>>>> >>>>>> yes please
>>>>> >>>>>> On Mon, Jul
24, 2017 at 4:54 PM, Rajesh Ghosh <ghosh.rajesh(a)gmail.com
>>>>>> > wrote:
>>>>> >>>>>>> Yes
definitely. I did replace it with the actual war name. Let me
>>>>>>> know if you would like me to paste screen shots of realm
configurations,
>>>>>>> client configurations.
>>>>>> >>>>>>>
Thanks,
>>>>>>> Rajesh
>>>>>> >>>>>>> On Mon,
Jul 24, 2017 at 8:12 PM, Sebastien Blanc <sblanc(a)redhat.com >>>>>>> wrote:
>>>>>> >>>>>>>> Ok
and for :
>>>>>>>> <secure-deployment name="my war
file.war" >>>>>>> >>>>>>>> Did you replace that with the
actual name of your war file ?
>>>>>>> >>>>>>>> On
Mon, Jul 24, 2017 at 4:35 PM, Rajesh Ghosh <
>>>>>>>> ghosh.rajesh(a)gmail.com> wrote:
>>>>>>> >>>>>>>>>
Hello Sebastien,
>>>>>>>> >>>>>>>>>
I am using 3.1.0.Final build.
>>>>>>>> >>>>>>>>>
Thanks,
>>>>>>>>> Rajesh
>>>>>>>> >>>>>>>>>
On Mon, Jul 24, 2017 at 7:56 PM, Sebastien Blanc <
>>>>>>>>> sblanc(a)redhat.com> wrote:
>>>>>>>>
>>>>>>>>>> Which version of Keycloak are you using ?
>>>>>>>>>
>>>>>>>>>> On Mon, Jul 24, 2017 at 3:15 PM, Rajesh
Ghosh <
>>>>>>>>>> ghosh.rajesh(a)gmail.com> wrote:
>>>>>>>>>
>>>>>>>>>>> Hi,
>>>>>>>>>>
>>>>>>>>>>> I am trying to secure my REST services
using the method
>>>>>>>>>>> described in the
>>>>>>>>>>> document --
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>>
http://blog.keycloak.org/2015/10/getting-started-with-keyclo
>>>>>>>>>>> ak-securing.html
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>> I am securing my war using JBoss
subsystem , instead of per-war
>>>>>>>>>>> option. The
>>>>>>>>>>> relevant sections from my standalone.xml are
posted below.
>>>>>>>>>>
>>>>>>>>>>> <extensions >>>>>>>>>>> ......
>>>>>>>>>>> <extension
module="org.keycloak.keycloak-
>>>>>>>>>>> adapter-subsystem"/ >>>>>>>>>>>
</extensions
>>>>>>>>>>
>>>>>>>>>>> <security-domains >>>>>>>>>>>
.....
>>>>>>>>>>> <security-domain
name="keycloak"
>>>>>>>>>>>
<authentication
>>>>>>>>>>>
<login-module
>>>>>>>>>>>
code="org.keycloak.adapters.jboss.KeycloakLoginModule"
>>>>>>>>>>> flag="required"/ >>>>>>>>>>>
</authentication
>>>>>>>>>>>
</security-domain
>>>>>>>>>>> </security-domains >>>>>>>>>> >>>>>>>>>>>
<subsystem xmlns="urn:jboss:domain:keycloak:1.1"
>>>>>>>>>>> <secure-deployment
name="my war file.war"
>>>>>>>>>>>
<realm>bkofc</realm
>>>>>>>>>>>
<resource>bkofc-svc</resource
>>>>>>>>>>
>>>>>>>>>>>
<use-resource-role-mappings>true</use-resource-role-mappings >>>>>>>>>>>
<bearer-only>true</bearer-only
>>>>>>>>>>>
<auth-server-url>http://192.16
>>>>>>>>>>> 8.99.100/30001/auth
>>>>>>>>>>> </auth-server-url >>>>>>>>>>>
<ssl-required>none</ssl-required
>>>>>>>>>>> <credential
>>>>>>>>>>>
name="secret">9bcc6d9f-9c72-4b58-b297-79f0f207d9e1</credential >>>>>>>>>>>
</secure-deployment
>>>>>>>>>>> </subsystem >>>>>>>>>> >>>>>>>>>>> I am able to
obtain the access token.
>>>>>>>>>>
>>>>>>>>>>> curl -i curl --data
>>>>>>>>>>>
"grant_type=password&client_id=bkofc-web&username=user&passw
>>>>>>>>>>> ord=password"
>>>>>>>>>>>
http://192.168.99.100:30001/auth/realms/bkofc/protocol/openi
>>>>>>>>>>> d-connect/token
>>>>>>>>>>
>>>>>>>>>>> Note:- I have created 2 clients -- i)
bkofc-svc which is bearer
>>>>>>>>>>> only, for
>>>>>>>>>>> my REST services ii) bkofc-web , a public
client to simulate UI
>>>>>>>>>>> login
>>>>>>>>>>
>>>>>>>>>>> However when I try to use the access
token to invoke a service,
>>>>>>>>>>> I am
>>>>>>>>>>> getting the error -
>>>>>>>>>>
>>>>>>>>>>> Status: 401
>>>>>>>>>>
>>>>>>>>>>> WWW-Authenticate Bearer
realm="bkofc", error="invalid_token",
>>>>>>>>>>> error_description="Didn't find
publicKey for specified kid"
>>>>>>>>>>
>>>>>>>>>>> Please let me know if I am missing
something here. I have been
>>>>>>>>>>> breaking my
>>>>>>>>>>> head last few days without any luck ! I have
also tried
>>>>>>>>>>> rotating the realm
>>>>>>>>>>> keys.
>>>>>>>>>>
>>>>>>>>>>> Thanks,
>>>>>>>>>>> Rajesh
>>>>>>>>>>>
_______________________________________________
>>>>>>>>>>> keycloak-user mailing list
>>>>>>>>>>> keycloak-user(a)lists.jboss.org
>>>>>>>>>>>
https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>
>>>>>>> >>>>>> >>>>>
>>>> >>> >> >
GET /OlpUIFwk2-1.0-SNAPSHOT/services/sec/rest/userservice/users
HTTP/1.1
Host: 192.168.99.100:8080
User-Agent: curl/7.50.1
Accept: */*
Authorization: Bearer
eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJSSEV
TaWNCUG9OQ3doQm5CTEVrXzhYNHVmajVXeXVUbzIwemJ6T280SGZRIn0.eyJqdGkiOiJkNmY2MmM5YS1
hNjAwLTQ4ZmQtYmI3Ny0wMTI1NDQ0YmIzNWMiLCJleHAiOjE1MDA5OTAyNDgsIm5iZiI6MCwiaWF0Ijo
xNTAwOTg5OTQ4LCJpc3MiOiJodHRwOi8vMTkyLjE2OC45OS4xMDA6MzAwMDEvYXV0aC9yZWFsbXMvYmt
vZmMiLCJhdWQiOiJia29mYy13ZWIiLCJzdWIiOiIwYTA5MTQ0OC0wNjAyLTQ2YmMtOWU4MS05MjE1Zjg
zYjVjOTgiLCJ0eXAiOiJCZWFyZXIiLCJhenAiOiJia29mYy13ZWIiLCJhdXRoX3RpbWUiOjAsInNlc3N
pb25fc3RhdGUiOiIzMjMxZjQ2Zi0yMjliLTQyZDMtYTQxOS0wODlhMjEzOTZlNjciLCJhY3IiOiIxIiw
iY2xpZW50X3Nlc3Npb24iOiI5MjFjYzM2MC03ZTkyLTQ1ZDQtYjdmNy0xNWFkYTY2NmE4Y2EiLCJhbGx
vd2VkLW9yaWdpbnMiOlsiaHR0cDovLzE5Mi4xNjguOTkuMTAwOjgwODAvIl0sInJlYWxtX2FjY2VzcyI
6eyJyb2xlcyI6WyJ1bWFfYXV0aG9yaXphdGlvbiIsInVzZXIiXX0sInJlc291cmNlX2FjY2VzcyI6eyJ
yZWFsbS1tYW5hZ2VtZW50Ijp7InJvbGVzIjpbInZpZXctcmVhbG0iLCJ2aWV3LWlkZW50aXR5LXByb3Z
pZGVycyIsIm1hbmFnZS1pZGVudGl0eS1wcm92aWRlcnMiLCJpbXBlcnNvbmF0aW9uIiwicmVhbG0tYWR
taW4iLCJjcmVhdGUtY2xpZW50IiwibWFuYWdlLXVzZXJzIiwidmlldy1hdXRob3JpemF0aW9uIiwibWF
uYWdlLWV2ZW50cyIsIm1hbmFnZS1yZWFsbSIsInZpZXctZXZlbnRzIiwidmlldy11c2VycyIsInZpZXc
tY2xpZW50cyIsIm1hbmFnZS1hdXRob3JpemF0aW9uIiwibWFuYWdlLWNsaWVudHMiXX0sImFjY291bnQ
iOnsicm9sZXMiOlsibWFuYWdlLWFjY291bnQiLCJtYW5hZ2UtYWNjb3VudC1saW5rcyIsInZpZXctcHJ
vZmlsZSJdfX0sIm5hbWUiOiIiLCJwcmVmZXJyZWRfdXNlcm5hbWUiOiJzdXBlcmFkbWluIiwiZW1haWw
iOiJ0cmlsaWEudGVjaEBnbWFpbC5jb20ifQ.JCGcaQ-8yYhoOT_DfHvNa5HvG3x5WBI3ZcC4WEcBA3NU
L-mQdUhU1aEK9G5VulcRbMeYp9f_rFnFip-N9g3JwPGhR6ozgwdXlI09JAjM6zLk7cy0UKig5ghHX1-g
Xb5EHChzhmGI_xtV77t9dcKBjW4V3f7eFwDmCMyWj8bqyoFMDTIp_Gz67Wt1iUXAaCZ5fIdXs3epdG82
NhJrjQsIKiYGzUg9JY2Dkvg_tHGHESN85KsW2TNj8Jd0CuS-cF0rOqx82pohW6RQMAZmGyMVofsxH_uR
rEbvpmI_ofkAUF6qCuLDD7idZC_j1ARXH-EOWxHgnSEDXc6SF2aAegmCpw
9:12 a.m.
Hello Sebastien,
I was looking at the logs of my app wildfly server , as suggested by
another user Thomas . Here is a relevant exception stack which I see.
13:56:29,450 ERROR [org.keycloak.adapters.rotation.JWKPublicKeyLocator]
(default task-12) Error when sending request to retrieve realm keys:
org.keycloak.adapters.HttpClientAdapterException: IO error
at
org.keycloak.adapters.HttpAdapterUtils.sendJsonHttpRequest(HttpAdapterUtils.java:58)
at
org.keycloak.adapters.rotation.JWKPublicKeyLocator.sendRequest(JWKPublicKeyLocator.java:99)
at
org.keycloak.adapters.rotation.JWKPublicKeyLocator.getPublicKey(JWKPublicKeyLocator.java:63)
at
org.keycloak.adapters.rotation.AdapterRSATokenVerifier.getPublicKey(AdapterRSATokenVerifier.java:44)
at
org.keycloak.adapters.rotation.AdapterRSATokenVerifier.verifyToken(AdapterRSATokenVerifier.java:55)
at
org.keycloak.adapters.rotation.AdapterRSATokenVerifier.verifyToken(AdapterRSATokenVerifier.java:37)
at
org.keycloak.adapters.BearerTokenRequestAuthenticator.authenticateToken(BearerTokenRequestAuthenticator.java:87)
at
org.keycloak.adapters.BearerTokenRequestAuthenticator.authenticate(BearerTokenRequestAuthenticator.java:82)
at
org.keycloak.adapters.RequestAuthenticator.authenticate(RequestAuthenticator.java:68)
at
org.keycloak.adapters.undertow.AbstractUndertowKeycloakAuthMech.keycloakAuthenticate(AbstractUndertowKeycloakAuthMech.java:110)
at
org.keycloak.adapters.undertow.ServletKeycloakAuthMech.authenticate(ServletKeycloakAuthMech.java:92)
at
io.undertow.security.impl.SecurityContextImpl$AuthAttempter.transition(SecurityContextImpl.java:245)
at
io.undertow.security.impl.SecurityContextImpl$AuthAttempter.transition(SecurityContextImpl.java:263)
at
io.undertow.security.impl.SecurityContextImpl$AuthAttempter.access$100(SecurityContextImpl.java:231)
at
io.undertow.security.impl.SecurityContextImpl.attemptAuthentication(SecurityContextImpl.java:125)
at
io.undertow.security.impl.SecurityContextImpl.authTransition(SecurityContextImpl.java:99)
at
io.undertow.security.impl.SecurityContextImpl.authenticate(SecurityContextImpl.java:92)
at
io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:55)
at
io.undertow.server.handlers.DisableCacheHandler.handleRequest(DisableCacheHandler.java:33)
at
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at
io.undertow.security.handlers.AuthenticationConstraintHandler.handleRequest(AuthenticationConstraintHandler.java:53)
at
io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
at
io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
at
io.undertow.servlet.handlers.security.ServletSecurityConstraintHandler.handleRequest(ServletSecurityConstraintHandler.java:59)
at
io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
at
io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
at
io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
at
io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
at
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at
org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
at
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at
org.keycloak.adapters.undertow.ServletPreAuthActionsHandler.handleRequest(ServletPreAuthActionsHandler.java:69)
at
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at
io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:292)
at
io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:81)
at
io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:138)
at
io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135)
at
io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48)
at
io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)
at
io.undertow.servlet.api.LegacyThreadSetupActionWrapper$1.call(LegacyThreadSetupActionWrapper.java:44)
at
io.undertow.servlet.api.LegacyThreadSetupActionWrapper$1.call(LegacyThreadSetupActionWrapper.java:44)
at
io.undertow.servlet.api.LegacyThreadSetupActionWrapper$1.call(LegacyThreadSetupActionWrapper.java:44)
at
io.undertow.servlet.api.LegacyThreadSetupActionWrapper$1.call(LegacyThreadSetupActionWrapper.java:44)
at
io.undertow.servlet.api.LegacyThreadSetupActionWrapper$1.call(LegacyThreadSetupActionWrapper.java:44)
at
io.undertow.servlet.api.LegacyThreadSetupActionWrapper$1.call(LegacyThreadSetupActionWrapper.java:44)
at
io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:272)
at
io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
at
io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:104)
at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)
at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:805)
at
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at java.lang.Thread.run(Thread.java:748)
Caused by: java.net.ConnectException: Connection refused (Connection
refused)
at java.net.PlainSocketImpl.socketConnect(Native Method)
at
java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:350)
at
java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:206)
at
java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:188)
at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392)
at java.net.Socket.connect(Socket.java:589)
at
org.apache.http.conn.scheme.PlainSocketFactory.connectSocket(PlainSocketFactory.java:117)
at
org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:177)
at
org.apache.http.impl.conn.AbstractPoolEntry.open(AbstractPoolEntry.java:144)
at
org.apache.http.impl.conn.AbstractPooledConnAdapter.open(AbstractPooledConnAdapter.java:131)
at
org.apache.http.impl.client.DefaultRequestDirector.tryConnect(DefaultRequestDirector.java:611)
at
org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:446)
at
org.apache.http.impl.client.AbstractHttpClient.doExecute(AbstractHttpClient.java:882)
at
org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:82)
at
org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:107)
at
org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:55)
at
org.keycloak.adapters.HttpAdapterUtils.sendJsonHttpRequest(HttpAdapterUtils.java:37)
... 52 more
2017-07-25T13:56:29.452564496Z
13:56:29,454 ERROR [org.keycloak.adapters.rotation.AdapterRSATokenVerifier]
(default task-12) Didn't find publicKey for kid:
RHESicBPoNCwhBnBLEk_8X4ufj5WyuTo20zbzOo4HfQ
13:56:29,454 ERROR [org.keycloak.adapters.BearerTokenRequestAuthenticator]
(default task-12) Failed to verify token:
org.keycloak.common.VerificationException: Didn't find publicKey for
specified kid
at
org.keycloak.adapters.rotation.AdapterRSATokenVerifier.getPublicKey(AdapterRSATokenVerifier.java:47)
at
org.keycloak.adapters.rotation.AdapterRSATokenVerifier.verifyToken(AdapterRSATokenVerifier.java:55)
at
org.keycloak.adapters.rotation.AdapterRSATokenVerifier.verifyToken(AdapterRSATokenVerifier.java:37)
at
org.keycloak.adapters.BearerTokenRequestAuthenticator.authenticateToken(BearerTokenRequestAuthenticator.java:87)
at
org.keycloak.adapters.BearerTokenRequestAuthenticator.authenticate(BearerTokenRequestAuthenticator.java:82)
at
org.keycloak.adapters.RequestAuthenticator.authenticate(RequestAuthenticator.java:68)
at
org.keycloak.adapters.undertow.AbstractUndertowKeycloakAuthMech.keycloakAuthenticate(AbstractUndertowKeycloakAuthMech.java:110)
at
org.keycloak.adapters.undertow.ServletKeycloakAuthMech.authenticate(ServletKeycloakAuthMech.java:92)
at
io.undertow.security.impl.SecurityContextImpl$AuthAttempter.transition(SecurityContextImpl.java:245)
at
io.undertow.security.impl.SecurityContextImpl$AuthAttempter.transition(SecurityContextImpl.java:263)
at
io.undertow.security.impl.SecurityContextImpl$AuthAttempter.access$100(SecurityContextImpl.java:231)
at
io.undertow.security.impl.SecurityContextImpl.attemptAuthentication(SecurityContextImpl.java:125)
at
io.undertow.security.impl.SecurityContextImpl.authTransition(SecurityContextImpl.java:99)
at
io.undertow.security.impl.SecurityContextImpl.authenticate(SecurityContextImpl.java:92)
at
io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:55)
at
io.undertow.server.handlers.DisableCacheHandler.handleRequest(DisableCacheHandler.java:33)
at
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at
io.undertow.security.handlers.AuthenticationConstraintHandler.handleRequest(AuthenticationConstraintHandler.java:53)
at
io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
at
io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
at
io.undertow.servlet.handlers.security.ServletSecurityConstraintHandler.handleRequest(ServletSecurityConstraintHandler.java:59)
at
io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
at
io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
at
io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
at
io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
at
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at
org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
at
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at
org.keycloak.adapters.undertow.ServletPreAuthActionsHandler.handleRequest(ServletPreAuthActionsHandler.java:69)
at
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at
io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:292)
at
io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:81)
at
io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:138)
at
io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135)
at
io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48)
at
io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)
at
io.undertow.servlet.api.LegacyThreadSetupActionWrapper$1.call(LegacyThreadSetupActionWrapper.java:44)
at
io.undertow.servlet.api.LegacyThreadSetupActionWrapper$1.call(LegacyThreadSetupActionWrapper.java:44)
at
io.undertow.servlet.api.LegacyThreadSetupActionWrapper$1.call(LegacyThreadSetupActionWrapper.java:44)
at
io.undertow.servlet.api.LegacyThreadSetupActionWrapper$1.call(LegacyThreadSetupActionWrapper.java:44)
at
io.undertow.servlet.api.LegacyThreadSetupActionWrapper$1.call(LegacyThreadSetupActionWrapper.java:44)
at
io.undertow.servlet.api.LegacyThreadSetupActionWrapper$1.call(LegacyThreadSetupActionWrapper.java:44)
at
io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:272)
at
io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
at
io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:104)
at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)
at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:805)
at
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at java.lang.Thread.run(Thread.java:748)
Is there a way to enhance the log level at the client ( i mean keycloak
adapter ) , to see if it is a http connection issue or something else ??
Thanks,
Rajesh
On Tue, Jul 25, 2017 at 7:36 PM, Rajesh Ghosh <ghosh.rajesh(a)gmail.com>
wrote:
Here is the response from curl ---
$ curl -v http://192.168.99.100:8080/OlpUIFwk2-1.0-SNAPSHOT/
services/sec/rest/us
erservice/users -H "Authorization: Bearer $KEY"
* Trying 192.168.99.100...
* Connected to 192.168.99.100 (192.168.99.100) port 8080 (#0)
> GET /OlpUIFwk2-1.0-SNAPSHOT/services/sec/rest/userservice/users HTTP/1.1
> Host: 192.168.99.100:8080
> User-Agent: curl/7.50.1
> Accept: */*
> Authorization: Bearer eyJhbGciOiJSUzI1NiIsInR5cCIgOi
AiSldUIiwia2lkIiA6ICJSSEV
TaWNCUG9OQ3doQm5CTEVrXzhYNHVmajVXeXVUbzIwemJ6T280SGZRIn0.
eyJqdGkiOiJkNmY2MmM5YS1
hNjAwLTQ4ZmQtYmI3Ny0wMTI1NDQ0YmIzNWMiLCJleHAiOjE1MDA5OTAyNDg
sIm5iZiI6MCwiaWF0Ijo
xNTAwOTg5OTQ4LCJpc3MiOiJodHRwOi8vMTkyLjE2OC45OS4xMDA6MzAwMDE
vYXV0aC9yZWFsbXMvYmt
vZmMiLCJhdWQiOiJia29mYy13ZWIiLCJzdWIiOiIwYTA5MTQ0OC0wNjAyLTQ
2YmMtOWU4MS05MjE1Zjg
zYjVjOTgiLCJ0eXAiOiJCZWFyZXIiLCJhenAiOiJia29mYy13ZWIiLCJhdXR
oX3RpbWUiOjAsInNlc3N
pb25fc3RhdGUiOiIzMjMxZjQ2Zi0yMjliLTQyZDMtYTQxOS0wODlhMjEzOTZ
lNjciLCJhY3IiOiIxIiw
iY2xpZW50X3Nlc3Npb24iOiI5MjFjYzM2MC03ZTkyLTQ1ZDQtYjdmNy0xNWF
kYTY2NmE4Y2EiLCJhbGx
vd2VkLW9yaWdpbnMiOlsiaHR0cDovLzE5Mi4xNjguOTkuMTAwOjgwODAvIl0
sInJlYWxtX2FjY2VzcyI
6eyJyb2xlcyI6WyJ1bWFfYXV0aG9yaXphdGlvbiIsInVzZXIiXX0sInJlc29
1cmNlX2FjY2VzcyI6eyJ
yZWFsbS1tYW5hZ2VtZW50Ijp7InJvbGVzIjpbInZpZXctcmVhbG0iLCJ2aWV
3LWlkZW50aXR5LXByb3Z
pZGVycyIsIm1hbmFnZS1pZGVudGl0eS1wcm92aWRlcnMiLCJpbXBlcnNvbmF
0aW9uIiwicmVhbG0tYWR
taW4iLCJjcmVhdGUtY2xpZW50IiwibWFuYWdlLXVzZXJzIiwidmlldy1hdXR
ob3JpemF0aW9uIiwibWF
uYWdlLWV2ZW50cyIsIm1hbmFnZS1yZWFsbSIsInZpZXctZXZlbnRzIiwidml
ldy11c2VycyIsInZpZXc
tY2xpZW50cyIsIm1hbmFnZS1hdXRob3JpemF0aW9uIiwibWFuYWdlLWNsaWV
udHMiXX0sImFjY291bnQ
iOnsicm9sZXMiOlsibWFuYWdlLWFjY291bnQiLCJtYW5hZ2UtYWNjb3VudC1
saW5rcyIsInZpZXctcHJ
vZmlsZSJdfX0sIm5hbWUiOiIiLCJwcmVmZXJyZWRfdXNlcm5hbWUiOiJzdXB
lcmFkbWluIiwiZW1haWw
iOiJ0cmlsaWEudGVjaEBnbWFpbC5jb20ifQ.JCGcaQ-8yYhoOT_
DfHvNa5HvG3x5WBI3ZcC4WEcBA3NU
L-mQdUhU1aEK9G5VulcRbMeYp9f_rFnFip-N9g3JwPGhR6ozgwdXlI09JAjM6zLk7
cy0UKig5ghHX1-g
Xb5EHChzhmGI_xtV77t9dcKBjW4V3f7eFwDmCMyWj8bqyoFMDTIp_
Gz67Wt1iUXAaCZ5fIdXs3epdG82
NhJrjQsIKiYGzUg9JY2Dkvg_tHGHESN85KsW2TNj8Jd0CuS-
cF0rOqx82pohW6RQMAZmGyMVofsxH_uR
rEbvpmI_ofkAUF6qCuLDD7idZC_j1ARXH-EOWxHgnSEDXc6SF2aAegmCpw
>
< HTTP/1.1 401 Unauthorized
< Expires: 0
< Cache-Control: no-cache, no-store, must-revalidate
< X-Powered-By: Undertow/1
< Server: WildFly/10
< Pragma: no-cache
< Date: Tue, 25 Jul 2017 14:04:31 GMT
< Connection: keep-alive
< WWW-Authenticate: Bearer realm="bkofc", error="invalid_token",
error_description="Didn't find publicKey for specified kid"
< Content-Type: text/html;charset=UTF-8
< Content-Length: 71
<
* Connection #0 to host 192.168.99.100 left intact
<html><head><title>Error</title></head><body>Unauthorized</body></html>$
$
Thanks,
Rajesh
On Tue, Jul 25, 2017 at 7:30 PM, Rajesh Ghosh <ghosh.rajesh(a)gmail.com>
wrote:
> Sure. I was using postman to invoke the service. This is the command used
> by postman --
>
> ------------------------------------------------------------------------
>
> GET /OlpUIFwk2-1.0-SNAPSHOT/services/sec/rest/userservice/users HTTP/1.1
> Host: 192.168.99.100:8080
> Authorization: Bearer eyJhbGciOiJSUzI1NiIsInR5cCIgO
> iAiSldUIiwia2lkIiA6ICJSSEVTaWNCUG9OQ3doQm5CTEVrXzhYNHVmajVXe
> XVUbzIwemJ6T280SGZRIn0.eyJqdGkiOiJkNmY2MmM5YS1hNjAwLTQ4ZmQtY
> mI3Ny0wMTI1NDQ0YmIzNWMiLCJleHAiOjE1MDA5OTAyNDgsIm5iZiI6MCwia
> WF0IjoxNTAwOTg5OTQ4LCJpc3MiOiJodHRwOi8vMTkyLjE2OC45OS4xMDA6M
> zAwMDEvYXV0aC9yZWFsbXMvYmtvZmMiLCJhdWQiOiJia29mYy13ZWIiLCJzd
> WIiOiIwYTA5MTQ0OC0wNjAyLTQ2YmMtOWU4MS05MjE1ZjgzYjVjOTgiLCJ0e
> XAiOiJCZWFyZXIiLCJhenAiOiJia29mYy13ZWIiLCJhdXRoX3RpbWUiOjAsI
> nNlc3Npb25fc3RhdGUiOiIzMjMxZjQ2Zi0yMjliLTQyZDMtYTQxOS0wODlhM
> jEzOTZlNjciLCJhY3IiOiIxIiwiY2xpZW50X3Nlc3Npb24iOiI5MjFjYzM2M
> C03ZTkyLTQ1ZDQtYjdmNy0xNWFkYTY2NmE4Y2EiLCJhbGxvd2VkLW9yaWdpb
> nMiOlsiaHR0cDovLzE5Mi4xNjguOTkuMTAwOjgwODAvIl0sInJlYWxtX2FjY
> 2VzcyI6eyJyb2xlcyI6WyJ1bWFfYXV0aG9yaXphdGlvbiIsInVzZXIiXX0sI
> nJlc291cmNlX2FjY2VzcyI6eyJyZWFsbS1tYW5hZ2VtZW50Ijp7InJvbGVzI
> jpbInZpZXctcmVhbG0iLCJ2aWV3LWlkZW50aXR5LXByb3ZpZGVycyIsIm1hb
> mFnZS1pZGVudGl0eS1wcm92aWRlcnMiLCJpbXBlcnNvbmF0aW9uIiwicmVhb
> G0tYWRtaW4iLCJjcmVhdGUtY2xpZW50IiwibWFuYWdlLXVzZXJzIiwidmlld
> y1hdXRob3JpemF0aW9uIiwibWFuYWdlLWV2ZW50cyIsIm1hbmFnZS1yZWFsb
> SIsInZpZXctZXZlbnRzIiwidmlldy11c2VycyIsInZpZXctY2xpZW50cyIsI
> m1hbmFnZS1hdXRob3JpemF0aW9uIiwibWFuYWdlLWNsaWVudHMiXX0sImFjY
> 291bnQiOnsicm9sZXMiOlsibWFuYWdlLWFjY291bnQiLCJtYW5hZ2UtYWNjb
> 3VudC1saW5rcyIsInZpZXctcHJvZmlsZSJdfX0sIm5hbWUiOiIiLCJwcmVmZ
> XJyZWRfdXNlcm5hbWUiOiJzdXBlcmFkbWluIiwiZW1haWwiOiJ0cmlsaWEud
> GVjaEBnbWFpbC5jb20ifQ.JCGcaQ-8yYhoOT_DfHvNa5HvG3x5WBI3ZcC4WEcBA3NUL-
> mQdUhU1aEK9G5VulcRbMeYp9f_rFnFip-N9g3JwPGhR6ozgwdXlI09JAjM6z
> Lk7cy0UKig5ghHX1-gXb5EHChzhmGI_xtV77t9dcKBjW4V3
> f7eFwDmCMyWj8bqyoFMDTIp_Gz67Wt1iUXAaCZ5fIdXs3epdG82NhJrjQsIK
> iYGzUg9JY2Dkvg_tHGHESN85KsW2TNj8Jd0CuS-cF0rOqx82pohW6RQMAZmG
> yMVofsxH_uRrEbvpmI_ofkAUF6qCuLDD7idZC_j1ARXH-EOWxHgnSEDXc6SF2aAegmCpw
> Cache-Control: no-cache
> Postman-Token: d378eefe-82c8-9c3d-0140-ef56c62f9b97
>
>
> ------------------------------------------------------------
> ---------------
>
> The "userservice" is my own service for other attributes of users. I also
> made sure that the service executes without the security.
>
> Thanks,
> Rajesh
>
>
> On Tue, Jul 25, 2017 at 7:24 PM, Sebastien Blanc <sblanc(a)redhat.com>
> wrote:
>
>> Okay, to have the complete picture could paste the command you issue to
>> call your REST service ?
>>
>>
>> On Tue, Jul 25, 2017 at 3:50 PM, Rajesh Ghosh <ghosh.rajesh(a)gmail.com>
>> wrote:
>>
>>> Sebastien,
>>>
>>> Here is a token response -
>>>
>>> {
>>> "access_token": "eyJhbGciOiJSUzI1NiIsInR5cCIgO
>>> iAiSldUIiwia2lkIiA6ICJSSEVTaWNCUG9OQ3doQm5CTEVrXzhYNHVmajVXe
>>> XVUbzIwemJ6T280SGZRIn0.eyJqdGkiOiJkNmY2MmM5YS1hNjAwLTQ4ZmQtY
>>> mI3Ny0wMTI1NDQ0YmIzNWMiLCJleHAiOjE1MDA5OTAyNDgsIm5iZiI6MCwia
>>> WF0IjoxNTAwOTg5OTQ4LCJpc3MiOiJodHRwOi8vMTkyLjE2OC45OS4xMDA6M
>>> zAwMDEvYXV0aC9yZWFsbXMvYmtvZmMiLCJhdWQiOiJia29mYy13ZWIiLCJzd
>>> WIiOiIwYTA5MTQ0OC0wNjAyLTQ2YmMtOWU4MS05MjE1ZjgzYjVjOTgiLCJ0e
>>> XAiOiJCZWFyZXIiLCJhenAiOiJia29mYy13ZWIiLCJhdXRoX3RpbWUiOjAsI
>>> nNlc3Npb25fc3RhdGUiOiIzMjMxZjQ2Zi0yMjliLTQyZDMtYTQxOS0wODlhM
>>> jEzOTZlNjciLCJhY3IiOiIxIiwiY2xpZW50X3Nlc3Npb24iOiI5MjFjYzM2M
>>> C03ZTkyLTQ1ZDQtYjdmNy0xNWFkYTY2NmE4Y2EiLCJhbGxvd2VkLW9yaWdpb
>>> nMiOlsiaHR0cDovLzE5Mi4xNjguOTkuMTAwOjgwODAvIl0sInJlYWxtX2FjY
>>> 2VzcyI6eyJyb2xlcyI6WyJ1bWFfYXV0aG9yaXphdGlvbiIsInVzZXIiXX0sI
>>> nJlc291cmNlX2FjY2VzcyI6eyJyZWFsbS1tYW5hZ2VtZW50Ijp7InJvbGVzI
>>> jpbInZpZXctcmVhbG0iLCJ2aWV3LWlkZW50aXR5LXByb3ZpZGVycyIsIm1hb
>>> mFnZS1pZGVudGl0eS1wcm92aWRlcnMiLCJpbXBlcnNvbmF0aW9uIiwicmVhb
>>> G0tYWRtaW4iLCJjcmVhdGUtY2xpZW50IiwibWFuYWdlLXVzZXJzIiwidmlld
>>> y1hdXRob3JpemF0aW9uIiwibWFuYWdlLWV2ZW50cyIsIm1hbmFnZS1yZWFsb
>>> SIsInZpZXctZXZlbnRzIiwidmlldy11c2VycyIsInZpZXctY2xpZW50cyIsI
>>> m1hbmFnZS1hdXRob3JpemF0aW9uIiwibWFuYWdlLWNsaWVudHMiXX0sImFjY
>>> 291bnQiOnsicm9sZXMiOlsibWFuYWdlLWFjY291bnQiLCJtYW5hZ2UtYWNjb
>>> 3VudC1saW5rcyIsInZpZXctcHJvZmlsZSJdfX0sIm5hbWUiOiIiLCJwcmVmZ
>>> XJyZWRfdXNlcm5hbWUiOiJzdXBlcmFkbWluIiwiZW1haWwiOiJ0cmlsaWEud
>>> GVjaEBnbWFpbC5jb20ifQ.JCGcaQ-8yYhoOT_DfHvNa5HvG3x5WBI3ZcC4WE
>>> cBA3NUL-mQdUhU1aEK9G5VulcRbMeYp9f_rFnFip-N9g3JwPGhR6ozgwdXlI
>>> 09JAjM6zLk7cy0UKig5ghHX1-gXb5EHChzhmGI_xtV77t9dcKBjW4V3
>>> f7eFwDmCMyWj8bqyoFMDTIp_Gz67Wt1iUXAaCZ5fIdXs3epdG82NhJ
>>> rjQsIKiYGzUg9JY2Dkvg_tHGHESN85KsW2TNj8Jd0CuS-cF0rOq
>>> x82pohW6RQMAZmGyMVofsxH_uRrEbvpmI_ofkAUF6qCuLDD7idZC_j1ARXH-
>>> EOWxHgnSEDXc6SF2aAegmCpw",
>>> "expires_in": 300,
>>> "refresh_expires_in": 1800,
>>> "refresh_token": "eyJhbGciOiJSUzI1NiIsInR5cCIgO
>>> iAiSldUIiwia2lkIiA6ICJSSEVTaWNCUG9OQ3doQm5CTEVrXzhYNHVmajVXe
>>> XVUbzIwemJ6T280SGZRIn0.eyJqdGkiOiIyYzE4ZjkxYi0yMDljLTQwY2ItY
>>> TE5OS02NGIwZTEyYjRkOGIiLCJleHAiOjE1MDA5OTE3NDgsIm5iZiI6MCwia
>>> WF0IjoxNTAwOTg5OTQ4LCJpc3MiOiJodHRwOi8vMTkyLjE2OC45OS4xMDA6M
>>> zAwMDEvYXV0aC9yZWFsbXMvYmtvZmMiLCJhdWQiOiJia29mYy13ZWIiLCJzd
>>> WIiOiIwYTA5MTQ0OC0wNjAyLTQ2YmMtOWU4MS05MjE1ZjgzYjVjOTgiLCJ0e
>>> XAiOiJSZWZyZXNoIiwiYXpwIjoiYmtvZmMtd2ViIiwiYXV0aF90aW1lIjowL
>>> CJzZXNzaW9uX3N0YXRlIjoiMzIzMWY0NmYtMjI5Yi00MmQzLWE0MTktMDg5Y
>>> TIxMzk2ZTY3IiwiY2xpZW50X3Nlc3Npb24iOiI5MjFjYzM2MC03ZTkyLTQ1Z
>>> DQtYjdmNy0xNWFkYTY2NmE4Y2EiLCJyZWFsbV9hY2Nlc3MiOnsicm9sZXMiO
>>> lsidW1hX2F1dGhvcml6YXRpb24iLCJ1c2VyIl19LCJyZXNvdXJjZV9hY2Nlc
>>> 3MiOnsicmVhbG0tbWFuYWdlbWVudCI6eyJyb2xlcyI6WyJ2aWV3LXJlYWxtI
>>> iwidmlldy1pZGVudGl0eS1wcm92aWRlcnMiLCJtYW5hZ2UtaWRlbnRpdHktc
>>> HJvdmlkZXJzIiwiaW1wZXJzb25hdGlvbiIsInJlYWxtLWFkbWluIiwiY3JlY
>>> XRlLWNsaWVudCIsIm1hbmFnZS11c2VycyIsInZpZXctYXV0aG9yaXphdGlvb
>>> iIsIm1hbmFnZS1ldmVudHMiLCJtYW5hZ2UtcmVhbG0iLCJ2aWV3LWV2ZW50c
>>> yIsInZpZXctdXNlcnMiLCJ2aWV3LWNsaWVudHMiLCJtYW5hZ2UtYXV0aG9ya
>>> XphdGlvbiIsIm1hbmFnZS1jbGllbnRzIl19LCJhY2NvdW50Ijp7InJvbGVzI
>>> jpbIm1hbmFnZS1hY2NvdW50IiwibWFuYWdlLWFjY291bnQtbGlua3MiLCJ2a
>>> WV3LXByb2ZpbGUiXX19fQ.Uz0rqNlj09T_SdnfZK9ZxBcJ5EIEwwHCN5VwKI
>>> hIF6Ua32fDlf1UvZSoZTmr5jiHeiwpp4JALWGTXsda4p-PlzMvwmMN5Qp46-
>>> EXGJQkqH4NNqZ1W_1mRGySYokQCSkmdvAZPFGrqxpeb1seuKgaaiXXMsrvai
>>> ucFCa8H599Ox6QRE3MkoLmm8w7_08kPG1_JjXIviHtwoWgsb0zCcMPyHRdCv
>>> _rs6FIoTQiCRZ2joaXSvIsmVAkchgZbeB-_RSWzlk3_oaOCQw7OWZJRqnAdG
>>> gDnL5jCCRLTVFnPo9TqKrt88h3fKkVuNuI8Y06sZ1If8wgSWRDRLUf0X8sampLww",
>>> "token_type": "bearer",
>>> "id_token": "eyJhbGciOiJSUzI1NiIsInR5cCIgO
>>> iAiSldUIiwia2lkIiA6ICJSSEVTaWNCUG9OQ3doQm5CTEVrXzhYNHVmajVXe
>>> XVUbzIwemJ6T280SGZRIn0.eyJqdGkiOiI2ZDJkNWMxNS01YmE3LTRhNTgtO
>>> TJkNC0wNGU0NTkyMjNkNGYiLCJleHAiOjE1MDA5OTAyNDgsIm5iZiI6MCwia
>>> WF0IjoxNTAwOTg5OTQ4LCJpc3MiOiJodHRwOi8vMTkyLjE2OC45OS4xMDA6M
>>> zAwMDEvYXV0aC9yZWFsbXMvYmtvZmMiLCJhdWQiOiJia29mYy13ZWIiLCJzd
>>> WIiOiIwYTA5MTQ0OC0wNjAyLTQ2YmMtOWU4MS05MjE1ZjgzYjVjOTgiLCJ0e
>>> XAiOiJJRCIsImF6cCI6ImJrb2ZjLXdlYiIsImF1dGhfdGltZSI6MCwic2Vzc
>>> 2lvbl9zdGF0ZSI6IjMyMzFmNDZmLTIyOWItNDJkMy1hNDE5LTA4OWEyMTM5N
>>> mU2NyIsImFjciI6IjEiLCJuYW1lIjoiIiwicHJlZmVycmVkX3VzZXJuYW1lI
>>> joic3VwZXJhZG1pbiIsImVtYWlsIjoidHJpbGlhLnRlY2hAZ21haWwuY29tI
>>> n0.eFVxG7MImPS4yCEiLOzhvZ5M_XjRWuHJlt_T4r3djak7sH_XOXUmHAuih
>>> xXrm7HLv8DU3OzHpN3FinOWufOdTCv9Ywww0DRq4ha1M7dodqMuv1H5d3XVB
>>> n_kuHK68zWRI3t9WI4ZNeaEU0whLSnBqcbJ54dQrBloUPS4bpYG-BqfSNYs6
>>> bG8cyJHQ4_FRpAi3X9qWOCwaPrZ5Z_vQfNbYcgIfON_puN8QfRxihg90KQYO
>>> p4lJpU5JqeaVmYp9eOYTb5iQzOuLWDXenyIBmvT_K84HZKh8t5eWsqH01st-
>>> Ls7uJcNAUM9PXRM7JswCjhouuQGBM6dn5iICoL00acuxg",
>>> "not-before-policy": 0,
>>> "session_state":
"3231f46f-229b-42d3-a419-089a21396e67"
>>> }
>>>
>>>
>>> I checked it in jwt.io . The kid is same as the "rsa-generated"
one,
>>> shown in the screen shot I shared yesterday. Although jwt complained as
>>> "Invalid Signature" .
>>>
>>>
>>> Thomas, the connectivity should not be an issue as I am able to get the
>>> access token from my app wildfly server using curl. So keycloak is
>>> reachable from my wildfly server. Anything specific you did to resolve your
>>> issue ?
>>>
>>> Regards,
>>> Rajesh
>>>
>>> On Tue, Jul 25, 2017 at 11:12 AM, Sebastien Blanc <sblanc(a)redhat.com>
>>> wrote:
>>>
>>>> This looks all correct. Could you try paste your access token or even
>>>> check it your self on jwt.io to see if the kid is present ?
>>>>
>>>>
>>>> On Mon, Jul 24, 2017 at 6:47 PM, Rajesh Ghosh
<ghosh.rajesh(a)gmail.com>
>>>> wrote:
>>>>
>>>>> Sebastien,
>>>>>
>>>>> I am attaching a pdf containing the screen shots. Few more points I
>>>>> wanted to mention.
>>>>>
>>>>> i) I didn't install the public client -- "bkofc-web"
in the
>>>>> wildfly container which hosts my REST services. I did it for
"bkofc-svc"
>>>>> client which is bearer only. I hope that is the correct approach.
>>>>> ii) Both keycloak and my application are running on docker
>>>>> containers locally in my laptop.
>>>>>
>>>>> Let me know if you need anything else to analyze.
>>>>>
>>>>> Thanks,
>>>>> Rajesh
>>>>>
>>>>>
>>>>> On Mon, Jul 24, 2017 at 9:13 PM, Sebastien Blanc
<sblanc(a)redhat.com>
>>>>> wrote:
>>>>>
>>>>>> yes please
>>>>>>
>>>>>> On Mon, Jul 24, 2017 at 4:54 PM, Rajesh Ghosh <
>>>>>> ghosh.rajesh(a)gmail.com> wrote:
>>>>>>
>>>>>>> Yes definitely. I did replace it with the actual war name.
Let me
>>>>>>> know if you would like me to paste screen shots of realm
configurations,
>>>>>>> client configurations.
>>>>>>>
>>>>>>> Thanks,
>>>>>>> Rajesh
>>>>>>>
>>>>>>> On Mon, Jul 24, 2017 at 8:12 PM, Sebastien Blanc
<sblanc(a)redhat.com
>>>>>>> > wrote:
>>>>>>>
>>>>>>>> Ok and for :
>>>>>>>> <secure-deployment name="my war
file.war">
>>>>>>>>
>>>>>>>> Did you replace that with the actual name of your war
file ?
>>>>>>>>
>>>>>>>> On Mon, Jul 24, 2017 at 4:35 PM, Rajesh Ghosh <
>>>>>>>> ghosh.rajesh(a)gmail.com> wrote:
>>>>>>>>
>>>>>>>>> Hello Sebastien,
>>>>>>>>>
>>>>>>>>> I am using 3.1.0.Final build.
>>>>>>>>>
>>>>>>>>> Thanks,
>>>>>>>>> Rajesh
>>>>>>>>>
>>>>>>>>> On Mon, Jul 24, 2017 at 7:56 PM, Sebastien Blanc
<
>>>>>>>>> sblanc(a)redhat.com> wrote:
>>>>>>>>>
>>>>>>>>>> Which version of Keycloak are you using ?
>>>>>>>>>>
>>>>>>>>>> On Mon, Jul 24, 2017 at 3:15 PM, Rajesh Ghosh
<
>>>>>>>>>> ghosh.rajesh(a)gmail.com> wrote:
>>>>>>>>>>
>>>>>>>>>>> Hi,
>>>>>>>>>>>
>>>>>>>>>>> I am trying to secure my REST services using
the method
>>>>>>>>>>> described in the
>>>>>>>>>>> document --
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
http://blog.keycloak.org/2015/10/getting-started-with-keyclo
>>>>>>>>>>> ak-securing.html
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> I am securing my war using JBoss subsystem ,
instead of per-war
>>>>>>>>>>> option. The
>>>>>>>>>>> relevant sections from my standalone.xml are
posted below.
>>>>>>>>>>>
>>>>>>>>>>> <extensions>
>>>>>>>>>>> ......
>>>>>>>>>>> <extension
module="org.keycloak.keycloak-
>>>>>>>>>>> adapter-subsystem"/>
>>>>>>>>>>> </extensions>
>>>>>>>>>>>
>>>>>>>>>>> <security-domains>
>>>>>>>>>>> .....
>>>>>>>>>>> <security-domain
name="keycloak">
>>>>>>>>>>> <authentication>
>>>>>>>>>>> <login-module
>>>>>>>>>>>
code="org.keycloak.adapters.jboss.KeycloakLoginModule"
>>>>>>>>>>> flag="required"/>
>>>>>>>>>>> </authentication>
>>>>>>>>>>> </security-domain>
>>>>>>>>>>> </security-domains>
>>>>>>>>>>>
>>>>>>>>>>> <subsystem
xmlns="urn:jboss:domain:keycloak:1.1">
>>>>>>>>>>> <secure-deployment
name="my war file.war">
>>>>>>>>>>>
<realm>bkofc</realm>
>>>>>>>>>>>
<resource>bkofc-svc</resource>
>>>>>>>>>>>
>>>>>>>>>>>
<use-resource-role-mappings>true</use-resource-role-mappings>
>>>>>>>>>>>
<bearer-only>true</bearer-only>
>>>>>>>>>>>
<auth-server-url>http://192.16
>>>>>>>>>>> 8.99.100/30001/auth
>>>>>>>>>>> </auth-server-url>
>>>>>>>>>>>
<ssl-required>none</ssl-required>
>>>>>>>>>>> <credential
>>>>>>>>>>>
name="secret">9bcc6d9f-9c72-4b58-b297-79f0f207d9e1</credential>
>>>>>>>>>>> </secure-deployment>
>>>>>>>>>>> </subsystem>
>>>>>>>>>>>
>>>>>>>>>>> I am able to obtain the access token.
>>>>>>>>>>>
>>>>>>>>>>> curl -i curl --data
>>>>>>>>>>>
"grant_type=password&client_id=bkofc-web&username=user&passw
>>>>>>>>>>> ord=password"
>>>>>>>>>>>
http://192.168.99.100:30001/auth/realms/bkofc/protocol/openi
>>>>>>>>>>> d-connect/token
>>>>>>>>>>>
>>>>>>>>>>> Note:- I have created 2 clients -- i)
bkofc-svc which is
>>>>>>>>>>> bearer only, for
>>>>>>>>>>> my REST services ii) bkofc-web , a public
client to simulate
>>>>>>>>>>> UI login
>>>>>>>>>>>
>>>>>>>>>>> However when I try to use the access token to
invoke a service,
>>>>>>>>>>> I am
>>>>>>>>>>> getting the error -
>>>>>>>>>>>
>>>>>>>>>>> Status: 401
>>>>>>>>>>>
>>>>>>>>>>> WWW-Authenticate Bearer
realm="bkofc", error="invalid_token",
>>>>>>>>>>> error_description="Didn't find
publicKey for specified kid"
>>>>>>>>>>>
>>>>>>>>>>> Please let me know if I am missing something
here. I have been
>>>>>>>>>>> breaking my
>>>>>>>>>>> head last few days without any luck ! I have
also tried
>>>>>>>>>>> rotating the realm
>>>>>>>>>>> keys.
>>>>>>>>>>>
>>>>>>>>>>> Thanks,
>>>>>>>>>>> Rajesh
>>>>>>>>>>>
_______________________________________________
>>>>>>>>>>> keycloak-user mailing list
>>>>>>>>>>> keycloak-user(a)lists.jboss.org
>>>>>>>>>>>
https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>
>>>>>
>>>>
>>>
>>
>
9:14 a.m.
Oh you were faster than me on this one ;) , well you can change the log
level of you app in the standalone.xml
On Tue, Jul 25, 2017 at 4:12 PM, Rajesh Ghosh <ghosh.rajesh(a)gmail.com>
wrote:
Hello Sebastien,
I was looking at the logs of my app wildfly server , as suggested by
another user Thomas . Here is a relevant exception stack which I see.
13:56:29,450 ERROR [org.keycloak.adapters.rotation.JWKPublicKeyLocator]
(default task-12) Error when sending request to retrieve realm keys:
org.keycloak.adapters.HttpClientAdapterException: IO error
at org.keycloak.adapters.HttpAdapterUtils.sendJsonHttpRequest(
HttpAdapterUtils.java:58)
at org.keycloak.adapters.rotation.JWKPublicKeyLocator.sendRequest(
JWKPublicKeyLocator.java:99)
at org.keycloak.adapters.rotation.JWKPublicKeyLocator.getPublicKey(
JWKPublicKeyLocator.java:63)
at org.keycloak.adapters.rotation.AdapterRSATokenVerifier.getPublicKey(
AdapterRSATokenVerifier.java:44)
at org.keycloak.adapters.rotation.AdapterRSATokenVerifier.verifyToken(
AdapterRSATokenVerifier.java:55)
at org.keycloak.adapters.rotation.AdapterRSATokenVerifier.verifyToken(
AdapterRSATokenVerifier.java:37)
at org.keycloak.adapters.BearerTokenRequestAuthenticato
r.authenticateToken(BearerTokenRequestAuthenticator.java:87)
at org.keycloak.adapters.BearerTokenRequestAuthenticator.authenticate(
BearerTokenRequestAuthenticator.java:82)
at org.keycloak.adapters.RequestAuthenticator.authenticate(
RequestAuthenticator.java:68)
at org.keycloak.adapters.undertow.AbstractUndertowKeycloakAuthMe
ch.keycloakAuthenticate(AbstractUndertowKeycloakAuthMech.java:110)
at org.keycloak.adapters.undertow.ServletKeycloakAuthMech.authenticate(
ServletKeycloakAuthMech.java:92)
at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.transition(
SecurityContextImpl.java:245)
at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.transition(
SecurityContextImpl.java:263)
at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.access$100(
SecurityContextImpl.java:231)
at io.undertow.security.impl.SecurityContextImpl.attemptAuthentication(
SecurityContextImpl.java:125)
at io.undertow.security.impl.SecurityContextImpl.authTransition(
SecurityContextImpl.java:99)
at io.undertow.security.impl.SecurityContextImpl.authenticate(
SecurityContextImpl.java:92)
at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandl
er.handleRequest(ServletAuthenticationCallHandler.java:55)
at io.undertow.server.handlers.DisableCacheHandler.handleRequest(
DisableCacheHandler.java:33)
at io.undertow.server.handlers.PredicateHandler.handleRequest(
PredicateHandler.java:43)
at io.undertow.security.handlers.AuthenticationConstraintHandle
r.handleRequest(AuthenticationConstraintHandler.java:53)
at io.undertow.security.handlers.AbstractConfidentialityHandler
.handleRequest(AbstractConfidentialityHandler.java:46)
at io.undertow.servlet.handlers.security.ServletConfidentialityConstrai
ntHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
at io.undertow.servlet.handlers.security.ServletSecurityConstraintHandl
er.handleRequest(ServletSecurityConstraintHandler.java:59)
at io.undertow.security.handlers.AuthenticationMechanismsHandle
r.handleRequest(AuthenticationMechanismsHandler.java:60)
at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHand
ler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
at io.undertow.security.handlers.NotificationReceiverHandler.
handleRequest(NotificationReceiverHandler.java:50)
at io.undertow.security.handlers.AbstractSecurityContextAssocia
tionHandler.handleRequest(AbstractSecurityContextAssocia
tionHandler.java:43)
at io.undertow.server.handlers.PredicateHandler.handleRequest(
PredicateHandler.java:43)
at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.
handleRequest(JACCContextIdHandler.java:61)
at io.undertow.server.handlers.PredicateHandler.handleRequest(
PredicateHandler.java:43)
at org.keycloak.adapters.undertow.ServletPreAuthActionsHandler.
handleRequest(ServletPreAuthActionsHandler.java:69)
at io.undertow.server.handlers.PredicateHandler.handleRequest(
PredicateHandler.java:43)
at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(
ServletInitialHandler.java:292)
at io.undertow.servlet.handlers.ServletInitialHandler.access$
100(ServletInitialHandler.java:81)
at io.undertow.servlet.handlers.ServletInitialHandler$2.call(
ServletInitialHandler.java:138)
at io.undertow.servlet.handlers.ServletInitialHandler$2.call(
ServletInitialHandler.java:135)
at io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(
ServletRequestContextThreadSetupAction.java:48)
at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(
ContextClassLoaderSetupAction.java:43)
at io.undertow.servlet.api.LegacyThreadSetupActionWrapper$1.call(
LegacyThreadSetupActionWrapper.java:44)
at io.undertow.servlet.api.LegacyThreadSetupActionWrapper$1.call(
LegacyThreadSetupActionWrapper.java:44)
at io.undertow.servlet.api.LegacyThreadSetupActionWrapper$1.call(
LegacyThreadSetupActionWrapper.java:44)
at io.undertow.servlet.api.LegacyThreadSetupActionWrapper$1.call(
LegacyThreadSetupActionWrapper.java:44)
at io.undertow.servlet.api.LegacyThreadSetupActionWrapper$1.call(
LegacyThreadSetupActionWrapper.java:44)
at io.undertow.servlet.api.LegacyThreadSetupActionWrapper$1.call(
LegacyThreadSetupActionWrapper.java:44)
at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(
ServletInitialHandler.java:272)
at io.undertow.servlet.handlers.ServletInitialHandler.access$
000(ServletInitialHandler.java:81)
at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(
ServletInitialHandler.java:104)
at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)
at io.undertow.server.HttpServerExchange$1.run(
HttpServerExchange.java:805)
at java.util.concurrent.ThreadPoolExecutor.runWorker(
ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(
ThreadPoolExecutor.java:617)
at java.lang.Thread.run(Thread.java:748)
Caused by: java.net.ConnectException: Connection refused (Connection
refused)
at java.net.PlainSocketImpl.socketConnect(Native Method)
at java.net.AbstractPlainSocketImpl.doConnect(
AbstractPlainSocketImpl.java:350)
at java.net.AbstractPlainSocketImpl.connectToAddress(
AbstractPlainSocketImpl.java:206)
at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:
188)
at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392)
at java.net.Socket.connect(Socket.java:589)
at org.apache.http.conn.scheme.PlainSocketFactory.connectSocket(
PlainSocketFactory.java:117)
at org.apache.http.impl.conn.DefaultClientConnectionOperato
r.openConnection(DefaultClientConnectionOperator.java:177)
at org.apache.http.impl.conn.AbstractPoolEntry.open(
AbstractPoolEntry.java:144)
at org.apache.http.impl.conn.AbstractPooledConnAdapter.open(
AbstractPooledConnAdapter.java:131)
at org.apache.http.impl.client.DefaultRequestDirector.tryConnect(
DefaultRequestDirector.java:611)
at org.apache.http.impl.client.DefaultRequestDirector.execute(
DefaultRequestDirector.java:446)
at org.apache.http.impl.client.AbstractHttpClient.doExecute(
AbstractHttpClient.java:882)
at org.apache.http.impl.client.CloseableHttpClient.execute(
CloseableHttpClient.java:82)
at org.apache.http.impl.client.CloseableHttpClient.execute(
CloseableHttpClient.java:107)
at org.apache.http.impl.client.CloseableHttpClient.execute(
CloseableHttpClient.java:55)
at org.keycloak.adapters.HttpAdapterUtils.sendJsonHttpRequest(
HttpAdapterUtils.java:37)
... 52 more
2017-07-25T13:56:29.452564496Z
13:56:29,454 ERROR [org.keycloak.adapters.rotation.AdapterRSATokenVerifier]
(default task-12) Didn't find publicKey for kid: RHESicBPoNCwhBnBLEk_
8X4ufj5WyuTo20zbzOo4HfQ
13:56:29,454 ERROR [org.keycloak.adapters.BearerTokenRequestAuthenticator]
(default task-12) Failed to verify token: org.keycloak.common.VerificationException:
Didn't find publicKey for specified kid
at org.keycloak.adapters.rotation.AdapterRSATokenVerifier.getPublicKey(
AdapterRSATokenVerifier.java:47)
at org.keycloak.adapters.rotation.AdapterRSATokenVerifier.verifyToken(
AdapterRSATokenVerifier.java:55)
at org.keycloak.adapters.rotation.AdapterRSATokenVerifier.verifyToken(
AdapterRSATokenVerifier.java:37)
at org.keycloak.adapters.BearerTokenRequestAuthenticato
r.authenticateToken(BearerTokenRequestAuthenticator.java:87)
at org.keycloak.adapters.BearerTokenRequestAuthenticator.authenticate(
BearerTokenRequestAuthenticator.java:82)
at org.keycloak.adapters.RequestAuthenticator.authenticate(
RequestAuthenticator.java:68)
at org.keycloak.adapters.undertow.AbstractUndertowKeycloakAuthMe
ch.keycloakAuthenticate(AbstractUndertowKeycloakAuthMech.java:110)
at org.keycloak.adapters.undertow.ServletKeycloakAuthMech.authenticate(
ServletKeycloakAuthMech.java:92)
at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.transition(
SecurityContextImpl.java:245)
at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.transition(
SecurityContextImpl.java:263)
at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.access$100(
SecurityContextImpl.java:231)
at io.undertow.security.impl.SecurityContextImpl.attemptAuthentication(
SecurityContextImpl.java:125)
at io.undertow.security.impl.SecurityContextImpl.authTransition(
SecurityContextImpl.java:99)
at io.undertow.security.impl.SecurityContextImpl.authenticate(
SecurityContextImpl.java:92)
at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandl
er.handleRequest(ServletAuthenticationCallHandler.java:55)
at io.undertow.server.handlers.DisableCacheHandler.handleRequest(
DisableCacheHandler.java:33)
at io.undertow.server.handlers.PredicateHandler.handleRequest(
PredicateHandler.java:43)
at io.undertow.security.handlers.AuthenticationConstraintHandle
r.handleRequest(AuthenticationConstraintHandler.java:53)
at io.undertow.security.handlers.AbstractConfidentialityHandler
.handleRequest(AbstractConfidentialityHandler.java:46)
at io.undertow.servlet.handlers.security.ServletConfidentialityConstrai
ntHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
at io.undertow.servlet.handlers.security.ServletSecurityConstraintHandl
er.handleRequest(ServletSecurityConstraintHandler.java:59)
at io.undertow.security.handlers.AuthenticationMechanismsHandle
r.handleRequest(AuthenticationMechanismsHandler.java:60)
at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHand
ler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
at io.undertow.security.handlers.NotificationReceiverHandler.
handleRequest(NotificationReceiverHandler.java:50)
at io.undertow.security.handlers.AbstractSecurityContextAssocia
tionHandler.handleRequest(AbstractSecurityContextAssocia
tionHandler.java:43)
at io.undertow.server.handlers.PredicateHandler.handleRequest(
PredicateHandler.java:43)
at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.
handleRequest(JACCContextIdHandler.java:61)
at io.undertow.server.handlers.PredicateHandler.handleRequest(
PredicateHandler.java:43)
at org.keycloak.adapters.undertow.ServletPreAuthActionsHandler.
handleRequest(ServletPreAuthActionsHandler.java:69)
at io.undertow.server.handlers.PredicateHandler.handleRequest(
PredicateHandler.java:43)
at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(
ServletInitialHandler.java:292)
at io.undertow.servlet.handlers.ServletInitialHandler.access$
100(ServletInitialHandler.java:81)
at io.undertow.servlet.handlers.ServletInitialHandler$2.call(
ServletInitialHandler.java:138)
at io.undertow.servlet.handlers.ServletInitialHandler$2.call(
ServletInitialHandler.java:135)
at io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(
ServletRequestContextThreadSetupAction.java:48)
at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(
ContextClassLoaderSetupAction.java:43)
at io.undertow.servlet.api.LegacyThreadSetupActionWrapper$1.call(
LegacyThreadSetupActionWrapper.java:44)
at io.undertow.servlet.api.LegacyThreadSetupActionWrapper$1.call(
LegacyThreadSetupActionWrapper.java:44)
at io.undertow.servlet.api.LegacyThreadSetupActionWrapper$1.call(
LegacyThreadSetupActionWrapper.java:44)
at io.undertow.servlet.api.LegacyThreadSetupActionWrapper$1.call(
LegacyThreadSetupActionWrapper.java:44)
at io.undertow.servlet.api.LegacyThreadSetupActionWrapper$1.call(
LegacyThreadSetupActionWrapper.java:44)
at io.undertow.servlet.api.LegacyThreadSetupActionWrapper$1.call(
LegacyThreadSetupActionWrapper.java:44)
at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(
ServletInitialHandler.java:272)
at io.undertow.servlet.handlers.ServletInitialHandler.access$
000(ServletInitialHandler.java:81)
at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(
ServletInitialHandler.java:104)
at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)
at io.undertow.server.HttpServerExchange$1.run(
HttpServerExchange.java:805)
at java.util.concurrent.ThreadPoolExecutor.runWorker(
ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(
ThreadPoolExecutor.java:617)
at java.lang.Thread.run(Thread.java:748)
Is there a way to enhance the log level at the client ( i mean keycloak
adapter ) , to see if it is a http connection issue or something else ??
Thanks,
Rajesh
On Tue, Jul 25, 2017 at 7:36 PM, Rajesh Ghosh <ghosh.rajesh(a)gmail.com>
wrote:
> Here is the response from curl ---
>
> $ curl -v http://192.168.99.100:8080/OlpUIFwk2-1.0-SNAPSHOT/services/
> sec/rest/us
> erservice/users -H "Authorization: Bearer $KEY"
> * Trying 192.168.99.100...
> * Connected to 192.168.99.100 (192.168.99.100) port 8080 (#0)
> > GET /OlpUIFwk2-1.0-SNAPSHOT/services/sec/rest/userservice/users
> HTTP/1.1
> > Host: 192.168.99.100:8080
> > User-Agent: curl/7.50.1
> > Accept: */*
> > Authorization: Bearer eyJhbGciOiJSUzI1NiIsInR5cCIgOi
> AiSldUIiwia2lkIiA6ICJSSEV
> TaWNCUG9OQ3doQm5CTEVrXzhYNHVmajVXeXVUbzIwemJ6T280SGZRIn0.eyJ
> qdGkiOiJkNmY2MmM5YS1
> hNjAwLTQ4ZmQtYmI3Ny0wMTI1NDQ0YmIzNWMiLCJleHAiOjE1MDA5OTAyNDg
> sIm5iZiI6MCwiaWF0Ijo
> xNTAwOTg5OTQ4LCJpc3MiOiJodHRwOi8vMTkyLjE2OC45OS4xMDA6MzAwMDE
> vYXV0aC9yZWFsbXMvYmt
> vZmMiLCJhdWQiOiJia29mYy13ZWIiLCJzdWIiOiIwYTA5MTQ0OC0wNjAyLTQ
> 2YmMtOWU4MS05MjE1Zjg
> zYjVjOTgiLCJ0eXAiOiJCZWFyZXIiLCJhenAiOiJia29mYy13ZWIiLCJhdXR
> oX3RpbWUiOjAsInNlc3N
> pb25fc3RhdGUiOiIzMjMxZjQ2Zi0yMjliLTQyZDMtYTQxOS0wODlhMjEzOTZ
> lNjciLCJhY3IiOiIxIiw
> iY2xpZW50X3Nlc3Npb24iOiI5MjFjYzM2MC03ZTkyLTQ1ZDQtYjdmNy0xNWF
> kYTY2NmE4Y2EiLCJhbGx
> vd2VkLW9yaWdpbnMiOlsiaHR0cDovLzE5Mi4xNjguOTkuMTAwOjgwODAvIl0
> sInJlYWxtX2FjY2VzcyI
> 6eyJyb2xlcyI6WyJ1bWFfYXV0aG9yaXphdGlvbiIsInVzZXIiXX0sInJlc29
> 1cmNlX2FjY2VzcyI6eyJ
> yZWFsbS1tYW5hZ2VtZW50Ijp7InJvbGVzIjpbInZpZXctcmVhbG0iLCJ2aWV
> 3LWlkZW50aXR5LXByb3Z
> pZGVycyIsIm1hbmFnZS1pZGVudGl0eS1wcm92aWRlcnMiLCJpbXBlcnNvbmF
> 0aW9uIiwicmVhbG0tYWR
> taW4iLCJjcmVhdGUtY2xpZW50IiwibWFuYWdlLXVzZXJzIiwidmlldy1hdXR
> ob3JpemF0aW9uIiwibWF
> uYWdlLWV2ZW50cyIsIm1hbmFnZS1yZWFsbSIsInZpZXctZXZlbnRzIiwidml
> ldy11c2VycyIsInZpZXc
> tY2xpZW50cyIsIm1hbmFnZS1hdXRob3JpemF0aW9uIiwibWFuYWdlLWNsaWV
> udHMiXX0sImFjY291bnQ
> iOnsicm9sZXMiOlsibWFuYWdlLWFjY291bnQiLCJtYW5hZ2UtYWNjb3VudC1
> saW5rcyIsInZpZXctcHJ
> vZmlsZSJdfX0sIm5hbWUiOiIiLCJwcmVmZXJyZWRfdXNlcm5hbWUiOiJzdXB
> lcmFkbWluIiwiZW1haWw
> iOiJ0cmlsaWEudGVjaEBnbWFpbC5jb20ifQ.JCGcaQ-8yYhoOT_DfHvNa5Hv
> G3x5WBI3ZcC4WEcBA3NU
> L-mQdUhU1aEK9G5VulcRbMeYp9f_rFnFip-N9g3JwPGhR6ozgwdXlI09JAjM
> 6zLk7cy0UKig5ghHX1-g
> Xb5EHChzhmGI_xtV77t9dcKBjW4V3f7eFwDmCMyWj8bqyoFMDTIp_Gz67Wt1
> iUXAaCZ5fIdXs3epdG82
> NhJrjQsIKiYGzUg9JY2Dkvg_tHGHESN85KsW2TNj8Jd0CuS-cF0rOqx82poh
> W6RQMAZmGyMVofsxH_uR
> rEbvpmI_ofkAUF6qCuLDD7idZC_j1ARXH-EOWxHgnSEDXc6SF2aAegmCpw
> >
> < HTTP/1.1 401 Unauthorized
> < Expires: 0
> < Cache-Control: no-cache, no-store, must-revalidate
> < X-Powered-By: Undertow/1
> < Server: WildFly/10
> < Pragma: no-cache
> < Date: Tue, 25 Jul 2017 14:04:31 GMT
> < Connection: keep-alive
> < WWW-Authenticate: Bearer realm="bkofc",
error="invalid_token",
> error_description="Didn't find publicKey for specified kid"
> < Content-Type: text/html;charset=UTF-8
> < Content-Length: 71
> <
> * Connection #0 to host 192.168.99.100 left intact
>
<html><head><title>Error</title></head><body>Unauthorized</body></html>$
> $
>
> Thanks,
> Rajesh
>
> On Tue, Jul 25, 2017 at 7:30 PM, Rajesh Ghosh <ghosh.rajesh(a)gmail.com>
> wrote:
>
>> Sure. I was using postman to invoke the service. This is the command
>> used by postman --
>>
>> ------------------------------------------------------------------------
>>
>> GET /OlpUIFwk2-1.0-SNAPSHOT/services/sec/rest/userservice/users HTTP/1.1
>> Host: 192.168.99.100:8080
>> Authorization: Bearer eyJhbGciOiJSUzI1NiIsInR5cCIgO
>> iAiSldUIiwia2lkIiA6ICJSSEVTaWNCUG9OQ3doQm5CTEVrXzhYNHVmajVXe
>> XVUbzIwemJ6T280SGZRIn0.eyJqdGkiOiJkNmY2MmM5YS1hNjAwLTQ4ZmQtY
>> mI3Ny0wMTI1NDQ0YmIzNWMiLCJleHAiOjE1MDA5OTAyNDgsIm5iZiI6MCwia
>> WF0IjoxNTAwOTg5OTQ4LCJpc3MiOiJodHRwOi8vMTkyLjE2OC45OS4xMDA6M
>> zAwMDEvYXV0aC9yZWFsbXMvYmtvZmMiLCJhdWQiOiJia29mYy13ZWIiLCJzd
>> WIiOiIwYTA5MTQ0OC0wNjAyLTQ2YmMtOWU4MS05MjE1ZjgzYjVjOTgiLCJ0e
>> XAiOiJCZWFyZXIiLCJhenAiOiJia29mYy13ZWIiLCJhdXRoX3RpbWUiOjAsI
>> nNlc3Npb25fc3RhdGUiOiIzMjMxZjQ2Zi0yMjliLTQyZDMtYTQxOS0wODlhM
>> jEzOTZlNjciLCJhY3IiOiIxIiwiY2xpZW50X3Nlc3Npb24iOiI5MjFjYzM2M
>> C03ZTkyLTQ1ZDQtYjdmNy0xNWFkYTY2NmE4Y2EiLCJhbGxvd2VkLW9yaWdpb
>> nMiOlsiaHR0cDovLzE5Mi4xNjguOTkuMTAwOjgwODAvIl0sInJlYWxtX2FjY
>> 2VzcyI6eyJyb2xlcyI6WyJ1bWFfYXV0aG9yaXphdGlvbiIsInVzZXIiXX0sI
>> nJlc291cmNlX2FjY2VzcyI6eyJyZWFsbS1tYW5hZ2VtZW50Ijp7InJvbGVzI
>> jpbInZpZXctcmVhbG0iLCJ2aWV3LWlkZW50aXR5LXByb3ZpZGVycyIsIm1hb
>> mFnZS1pZGVudGl0eS1wcm92aWRlcnMiLCJpbXBlcnNvbmF0aW9uIiwicmVhb
>> G0tYWRtaW4iLCJjcmVhdGUtY2xpZW50IiwibWFuYWdlLXVzZXJzIiwidmlld
>> y1hdXRob3JpemF0aW9uIiwibWFuYWdlLWV2ZW50cyIsIm1hbmFnZS1yZWFsb
>> SIsInZpZXctZXZlbnRzIiwidmlldy11c2VycyIsInZpZXctY2xpZW50cyIsI
>> m1hbmFnZS1hdXRob3JpemF0aW9uIiwibWFuYWdlLWNsaWVudHMiXX0sImFjY
>> 291bnQiOnsicm9sZXMiOlsibWFuYWdlLWFjY291bnQiLCJtYW5hZ2UtYWNjb
>> 3VudC1saW5rcyIsInZpZXctcHJvZmlsZSJdfX0sIm5hbWUiOiIiLCJwcmVmZ
>> XJyZWRfdXNlcm5hbWUiOiJzdXBlcmFkbWluIiwiZW1haWwiOiJ0cmlsaWEud
>> GVjaEBnbWFpbC5jb20ifQ.JCGcaQ-8yYhoOT_DfHvNa5HvG3x5WBI3ZcC4WE
>> cBA3NUL-mQdUhU1aEK9G5VulcRbMeYp9f_rFnFip-N9g3JwPGhR6ozgwdXlI09JAjM6zLk7
>> cy0UKig5ghHX1-gXb5EHChzhmGI_xtV77t9dcKBjW4V3f7eFwDmCMyWj8b
>> qyoFMDTIp_Gz67Wt1iUXAaCZ5fIdXs3epdG82NhJrjQsIKiYGzUg9JY2Dkvg
>> _tHGHESN85KsW2TNj8Jd0CuS-cF0rOqx82pohW6RQMAZmGyMVofsxH_
>> uRrEbvpmI_ofkAUF6qCuLDD7idZC_j1ARXH-EOWxHgnSEDXc6SF2aAegmCpw
>> Cache-Control: no-cache
>> Postman-Token: d378eefe-82c8-9c3d-0140-ef56c62f9b97
>>
>>
>> ------------------------------------------------------------
>> ---------------
>>
>> The "userservice" is my own service for other attributes of users. I
>> also made sure that the service executes without the security.
>>
>> Thanks,
>> Rajesh
>>
>>
>> On Tue, Jul 25, 2017 at 7:24 PM, Sebastien Blanc <sblanc(a)redhat.com>
>> wrote:
>>
>>> Okay, to have the complete picture could paste the command you issue to
>>> call your REST service ?
>>>
>>>
>>> On Tue, Jul 25, 2017 at 3:50 PM, Rajesh Ghosh <ghosh.rajesh(a)gmail.com>
>>> wrote:
>>>
>>>> Sebastien,
>>>>
>>>> Here is a token response -
>>>>
>>>> {
>>>> "access_token": "eyJhbGciOiJSUzI1NiIsInR5cCIgO
>>>> iAiSldUIiwia2lkIiA6ICJSSEVTaWNCUG9OQ3doQm5CTEVrXzhYNHVmajVXe
>>>> XVUbzIwemJ6T280SGZRIn0.eyJqdGkiOiJkNmY2MmM5YS1hNjAwLTQ4ZmQtY
>>>> mI3Ny0wMTI1NDQ0YmIzNWMiLCJleHAiOjE1MDA5OTAyNDgsIm5iZiI6MCwia
>>>> WF0IjoxNTAwOTg5OTQ4LCJpc3MiOiJodHRwOi8vMTkyLjE2OC45OS4xMDA6M
>>>> zAwMDEvYXV0aC9yZWFsbXMvYmtvZmMiLCJhdWQiOiJia29mYy13ZWIiLCJzd
>>>> WIiOiIwYTA5MTQ0OC0wNjAyLTQ2YmMtOWU4MS05MjE1ZjgzYjVjOTgiLCJ0e
>>>> XAiOiJCZWFyZXIiLCJhenAiOiJia29mYy13ZWIiLCJhdXRoX3RpbWUiOjAsI
>>>> nNlc3Npb25fc3RhdGUiOiIzMjMxZjQ2Zi0yMjliLTQyZDMtYTQxOS0wODlhM
>>>> jEzOTZlNjciLCJhY3IiOiIxIiwiY2xpZW50X3Nlc3Npb24iOiI5MjFjYzM2M
>>>> C03ZTkyLTQ1ZDQtYjdmNy0xNWFkYTY2NmE4Y2EiLCJhbGxvd2VkLW9yaWdpb
>>>> nMiOlsiaHR0cDovLzE5Mi4xNjguOTkuMTAwOjgwODAvIl0sInJlYWxtX2FjY
>>>> 2VzcyI6eyJyb2xlcyI6WyJ1bWFfYXV0aG9yaXphdGlvbiIsInVzZXIiXX0sI
>>>> nJlc291cmNlX2FjY2VzcyI6eyJyZWFsbS1tYW5hZ2VtZW50Ijp7InJvbGVzI
>>>> jpbInZpZXctcmVhbG0iLCJ2aWV3LWlkZW50aXR5LXByb3ZpZGVycyIsIm1hb
>>>> mFnZS1pZGVudGl0eS1wcm92aWRlcnMiLCJpbXBlcnNvbmF0aW9uIiwicmVhb
>>>> G0tYWRtaW4iLCJjcmVhdGUtY2xpZW50IiwibWFuYWdlLXVzZXJzIiwidmlld
>>>> y1hdXRob3JpemF0aW9uIiwibWFuYWdlLWV2ZW50cyIsIm1hbmFnZS1yZWFsb
>>>> SIsInZpZXctZXZlbnRzIiwidmlldy11c2VycyIsInZpZXctY2xpZW50cyIsI
>>>> m1hbmFnZS1hdXRob3JpemF0aW9uIiwibWFuYWdlLWNsaWVudHMiXX0sImFjY
>>>> 291bnQiOnsicm9sZXMiOlsibWFuYWdlLWFjY291bnQiLCJtYW5hZ2UtYWNjb
>>>> 3VudC1saW5rcyIsInZpZXctcHJvZmlsZSJdfX0sIm5hbWUiOiIiLCJwcmVmZ
>>>> XJyZWRfdXNlcm5hbWUiOiJzdXBlcmFkbWluIiwiZW1haWwiOiJ0cmlsaWEud
>>>> GVjaEBnbWFpbC5jb20ifQ.JCGcaQ-8yYhoOT_DfHvNa5HvG3x5WBI3ZcC4WE
>>>> cBA3NUL-mQdUhU1aEK9G5VulcRbMeYp9f_rFnFip-N9g3JwPGhR6ozgwdXlI
>>>> 09JAjM6zLk7cy0UKig5ghHX1-gXb5EHChzhmGI_xtV77t9dcKBjW4V3f7eFw
>>>> DmCMyWj8bqyoFMDTIp_Gz67Wt1iUXAaCZ5fIdXs3epdG82NhJrjQsIKiYGzU
>>>> g9JY2Dkvg_tHGHESN85KsW2TNj8Jd0CuS-cF0rOqx82pohW6RQMAZmGyMVof
>>>> sxH_uRrEbvpmI_ofkAUF6qCuLDD7idZC_j1ARXH-EOWxHgnSEDXc6SF2aAegmCpw",
>>>> "expires_in": 300,
>>>> "refresh_expires_in": 1800,
>>>> "refresh_token": "eyJhbGciOiJSUzI1NiIsInR5cCIgO
>>>> iAiSldUIiwia2lkIiA6ICJSSEVTaWNCUG9OQ3doQm5CTEVrXzhYNHVmajVXe
>>>> XVUbzIwemJ6T280SGZRIn0.eyJqdGkiOiIyYzE4ZjkxYi0yMDljLTQwY2ItY
>>>> TE5OS02NGIwZTEyYjRkOGIiLCJleHAiOjE1MDA5OTE3NDgsIm5iZiI6MCwia
>>>> WF0IjoxNTAwOTg5OTQ4LCJpc3MiOiJodHRwOi8vMTkyLjE2OC45OS4xMDA6M
>>>> zAwMDEvYXV0aC9yZWFsbXMvYmtvZmMiLCJhdWQiOiJia29mYy13ZWIiLCJzd
>>>> WIiOiIwYTA5MTQ0OC0wNjAyLTQ2YmMtOWU4MS05MjE1ZjgzYjVjOTgiLCJ0e
>>>> XAiOiJSZWZyZXNoIiwiYXpwIjoiYmtvZmMtd2ViIiwiYXV0aF90aW1lIjowL
>>>> CJzZXNzaW9uX3N0YXRlIjoiMzIzMWY0NmYtMjI5Yi00MmQzLWE0MTktMDg5Y
>>>> TIxMzk2ZTY3IiwiY2xpZW50X3Nlc3Npb24iOiI5MjFjYzM2MC03ZTkyLTQ1Z
>>>> DQtYjdmNy0xNWFkYTY2NmE4Y2EiLCJyZWFsbV9hY2Nlc3MiOnsicm9sZXMiO
>>>> lsidW1hX2F1dGhvcml6YXRpb24iLCJ1c2VyIl19LCJyZXNvdXJjZV9hY2Nlc
>>>> 3MiOnsicmVhbG0tbWFuYWdlbWVudCI6eyJyb2xlcyI6WyJ2aWV3LXJlYWxtI
>>>> iwidmlldy1pZGVudGl0eS1wcm92aWRlcnMiLCJtYW5hZ2UtaWRlbnRpdHktc
>>>> HJvdmlkZXJzIiwiaW1wZXJzb25hdGlvbiIsInJlYWxtLWFkbWluIiwiY3JlY
>>>> XRlLWNsaWVudCIsIm1hbmFnZS11c2VycyIsInZpZXctYXV0aG9yaXphdGlvb
>>>> iIsIm1hbmFnZS1ldmVudHMiLCJtYW5hZ2UtcmVhbG0iLCJ2aWV3LWV2ZW50c
>>>> yIsInZpZXctdXNlcnMiLCJ2aWV3LWNsaWVudHMiLCJtYW5hZ2UtYXV0aG9ya
>>>> XphdGlvbiIsIm1hbmFnZS1jbGllbnRzIl19LCJhY2NvdW50Ijp7InJvbGVzI
>>>> jpbIm1hbmFnZS1hY2NvdW50IiwibWFuYWdlLWFjY291bnQtbGlua3MiLCJ2a
>>>> WV3LXByb2ZpbGUiXX19fQ.Uz0rqNlj09T_SdnfZK9ZxBcJ5EIEwwHCN5VwKI
>>>> hIF6Ua32fDlf1UvZSoZTmr5jiHeiwpp4JALWGTXsda4p-PlzMvwmMN5Qp46-
>>>> EXGJQkqH4NNqZ1W_1mRGySYokQCSkmdvAZPFGrqxpeb1seuKgaaiXXMsrvai
>>>> ucFCa8H599Ox6QRE3MkoLmm8w7_08kPG1_JjXIviHtwoWgsb0zCcMPyHRdCv
>>>> _rs6FIoTQiCRZ2joaXSvIsmVAkchgZbeB-_RSWzlk3_oaOCQw7OWZJRqnAdG
>>>> gDnL5jCCRLTVFnPo9TqKrt88h3fKkVuNuI8Y06sZ1If8wgSWRDRLUf0X8sampLww",
>>>> "token_type": "bearer",
>>>> "id_token": "eyJhbGciOiJSUzI1NiIsInR5cCIgO
>>>> iAiSldUIiwia2lkIiA6ICJSSEVTaWNCUG9OQ3doQm5CTEVrXzhYNHVmajVXe
>>>> XVUbzIwemJ6T280SGZRIn0.eyJqdGkiOiI2ZDJkNWMxNS01YmE3LTRhNTgtO
>>>> TJkNC0wNGU0NTkyMjNkNGYiLCJleHAiOjE1MDA5OTAyNDgsIm5iZiI6MCwia
>>>> WF0IjoxNTAwOTg5OTQ4LCJpc3MiOiJodHRwOi8vMTkyLjE2OC45OS4xMDA6M
>>>> zAwMDEvYXV0aC9yZWFsbXMvYmtvZmMiLCJhdWQiOiJia29mYy13ZWIiLCJzd
>>>> WIiOiIwYTA5MTQ0OC0wNjAyLTQ2YmMtOWU4MS05MjE1ZjgzYjVjOTgiLCJ0e
>>>> XAiOiJJRCIsImF6cCI6ImJrb2ZjLXdlYiIsImF1dGhfdGltZSI6MCwic2Vzc
>>>> 2lvbl9zdGF0ZSI6IjMyMzFmNDZmLTIyOWItNDJkMy1hNDE5LTA4OWEyMTM5N
>>>> mU2NyIsImFjciI6IjEiLCJuYW1lIjoiIiwicHJlZmVycmVkX3VzZXJuYW1lI
>>>> joic3VwZXJhZG1pbiIsImVtYWlsIjoidHJpbGlhLnRlY2hAZ21haWwuY29tI
>>>> n0.eFVxG7MImPS4yCEiLOzhvZ5M_XjRWuHJlt_T4r3djak7sH_XOXUmHAuih
>>>> xXrm7HLv8DU3OzHpN3FinOWufOdTCv9Ywww0DRq4ha1M7dodqMuv1H5d3XVB
>>>> n_kuHK68zWRI3t9WI4ZNeaEU0whLSnBqcbJ54dQrBloUPS4bpYG-BqfSNYs6
>>>> bG8cyJHQ4_FRpAi3X9qWOCwaPrZ5Z_vQfNbYcgIfON_puN8QfRxihg90KQYO
>>>> p4lJpU5JqeaVmYp9eOYTb5iQzOuLWDXenyIBmvT_K84HZKh8t5eWsqH01st-
>>>> Ls7uJcNAUM9PXRM7JswCjhouuQGBM6dn5iICoL00acuxg",
>>>> "not-before-policy": 0,
>>>> "session_state":
"3231f46f-229b-42d3-a419-089a21396e67"
>>>> }
>>>>
>>>>
>>>> I checked it in jwt.io . The kid is same as the "rsa-generated"
one,
>>>> shown in the screen shot I shared yesterday. Although jwt complained as
>>>> "Invalid Signature" .
>>>>
>>>>
>>>> Thomas, the connectivity should not be an issue as I am able to get
>>>> the access token from my app wildfly server using curl. So keycloak is
>>>> reachable from my wildfly server. Anything specific you did to resolve
your
>>>> issue ?
>>>>
>>>> Regards,
>>>> Rajesh
>>>>
>>>> On Tue, Jul 25, 2017 at 11:12 AM, Sebastien Blanc
<sblanc(a)redhat.com>
>>>> wrote:
>>>>
>>>>> This looks all correct. Could you try paste your access token or
even
>>>>> check it your self on jwt.io to see if the kid is present ?
>>>>>
>>>>>
>>>>> On Mon, Jul 24, 2017 at 6:47 PM, Rajesh Ghosh
<ghosh.rajesh(a)gmail.com
>>>>> > wrote:
>>>>>
>>>>>> Sebastien,
>>>>>>
>>>>>> I am attaching a pdf containing the screen shots. Few more
points I
>>>>>> wanted to mention.
>>>>>>
>>>>>> i) I didn't install the public client --
"bkofc-web" in the
>>>>>> wildfly container which hosts my REST services. I did it for
"bkofc-svc"
>>>>>> client which is bearer only. I hope that is the correct
approach.
>>>>>> ii) Both keycloak and my application are running on docker
>>>>>> containers locally in my laptop.
>>>>>>
>>>>>> Let me know if you need anything else to analyze.
>>>>>>
>>>>>> Thanks,
>>>>>> Rajesh
>>>>>>
>>>>>>
>>>>>> On Mon, Jul 24, 2017 at 9:13 PM, Sebastien Blanc
<sblanc(a)redhat.com>
>>>>>> wrote:
>>>>>>
>>>>>>> yes please
>>>>>>>
>>>>>>> On Mon, Jul 24, 2017 at 4:54 PM, Rajesh Ghosh <
>>>>>>> ghosh.rajesh(a)gmail.com> wrote:
>>>>>>>
>>>>>>>> Yes definitely. I did replace it with the actual war
name. Let me
>>>>>>>> know if you would like me to paste screen shots of realm
configurations,
>>>>>>>> client configurations.
>>>>>>>>
>>>>>>>> Thanks,
>>>>>>>> Rajesh
>>>>>>>>
>>>>>>>> On Mon, Jul 24, 2017 at 8:12 PM, Sebastien Blanc <
>>>>>>>> sblanc(a)redhat.com> wrote:
>>>>>>>>
>>>>>>>>> Ok and for :
>>>>>>>>> <secure-deployment name="my war
file.war">
>>>>>>>>>
>>>>>>>>> Did you replace that with the actual name of your war
file ?
>>>>>>>>>
>>>>>>>>> On Mon, Jul 24, 2017 at 4:35 PM, Rajesh Ghosh <
>>>>>>>>> ghosh.rajesh(a)gmail.com> wrote:
>>>>>>>>>
>>>>>>>>>> Hello Sebastien,
>>>>>>>>>>
>>>>>>>>>> I am using 3.1.0.Final build.
>>>>>>>>>>
>>>>>>>>>> Thanks,
>>>>>>>>>> Rajesh
>>>>>>>>>>
>>>>>>>>>> On Mon, Jul 24, 2017 at 7:56 PM, Sebastien Blanc
<
>>>>>>>>>> sblanc(a)redhat.com> wrote:
>>>>>>>>>>
>>>>>>>>>>> Which version of Keycloak are you using ?
>>>>>>>>>>>
>>>>>>>>>>> On Mon, Jul 24, 2017 at 3:15 PM, Rajesh Ghosh
<
>>>>>>>>>>> ghosh.rajesh(a)gmail.com> wrote:
>>>>>>>>>>>
>>>>>>>>>>>> Hi,
>>>>>>>>>>>>
>>>>>>>>>>>> I am trying to secure my REST services
using the method
>>>>>>>>>>>> described in the
>>>>>>>>>>>> document --
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
http://blog.keycloak.org/2015/10/getting-started-with-keyclo
>>>>>>>>>>>> ak-securing.html
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> I am securing my war using JBoss
subsystem , instead of
>>>>>>>>>>>> per-war option. The
>>>>>>>>>>>> relevant sections from my standalone.xml
are posted below.
>>>>>>>>>>>>
>>>>>>>>>>>> <extensions>
>>>>>>>>>>>> ......
>>>>>>>>>>>> <extension
module="org.keycloak.keycloak-
>>>>>>>>>>>> adapter-subsystem"/>
>>>>>>>>>>>> </extensions>
>>>>>>>>>>>>
>>>>>>>>>>>> <security-domains>
>>>>>>>>>>>> .....
>>>>>>>>>>>> <security-domain
name="keycloak">
>>>>>>>>>>>>
<authentication>
>>>>>>>>>>>> <login-module
>>>>>>>>>>>>
code="org.keycloak.adapters.jboss.KeycloakLoginModule"
>>>>>>>>>>>> flag="required"/>
>>>>>>>>>>>>
</authentication>
>>>>>>>>>>>> </security-domain>
>>>>>>>>>>>> </security-domains>
>>>>>>>>>>>>
>>>>>>>>>>>> <subsystem
xmlns="urn:jboss:domain:keycloak:1.1">
>>>>>>>>>>>> <secure-deployment
name="my war file.war">
>>>>>>>>>>>>
<realm>bkofc</realm>
>>>>>>>>>>>>
<resource>bkofc-svc</resource>
>>>>>>>>>>>>
>>>>>>>>>>>>
<use-resource-role-mappings>true</use-resource-role-mappings>
>>>>>>>>>>>>
<bearer-only>true</bearer-only>
>>>>>>>>>>>>
<auth-server-url>http://192.16
>>>>>>>>>>>> 8.99.100/30001/auth
>>>>>>>>>>>> </auth-server-url>
>>>>>>>>>>>>
<ssl-required>none</ssl-required>
>>>>>>>>>>>> <credential
>>>>>>>>>>>>
name="secret">9bcc6d9f-9c72-4b58-b297-79f0f207d9e1</credenti
>>>>>>>>>>>> al>
>>>>>>>>>>>> </secure-deployment>
>>>>>>>>>>>> </subsystem>
>>>>>>>>>>>>
>>>>>>>>>>>> I am able to obtain the access token.
>>>>>>>>>>>>
>>>>>>>>>>>> curl -i curl --data
>>>>>>>>>>>>
"grant_type=password&client_id=bkofc-web&username=user&passw
>>>>>>>>>>>> ord=password"
>>>>>>>>>>>>
http://192.168.99.100:30001/auth/realms/bkofc/protocol/openi
>>>>>>>>>>>> d-connect/token
>>>>>>>>>>>>
>>>>>>>>>>>> Note:- I have created 2 clients -- i)
bkofc-svc which is
>>>>>>>>>>>> bearer only, for
>>>>>>>>>>>> my REST services ii) bkofc-web , a
public client to simulate
>>>>>>>>>>>> UI login
>>>>>>>>>>>>
>>>>>>>>>>>> However when I try to use the access
token to invoke a
>>>>>>>>>>>> service, I am
>>>>>>>>>>>> getting the error -
>>>>>>>>>>>>
>>>>>>>>>>>> Status: 401
>>>>>>>>>>>>
>>>>>>>>>>>> WWW-Authenticate Bearer
realm="bkofc", error="invalid_token",
>>>>>>>>>>>> error_description="Didn't find
publicKey for specified kid"
>>>>>>>>>>>>
>>>>>>>>>>>> Please let me know if I am missing
something here. I have been
>>>>>>>>>>>> breaking my
>>>>>>>>>>>> head last few days without any luck ! I
have also tried
>>>>>>>>>>>> rotating the realm
>>>>>>>>>>>> keys.
>>>>>>>>>>>>
>>>>>>>>>>>> Thanks,
>>>>>>>>>>>> Rajesh
>>>>>>>>>>>>
_______________________________________________
>>>>>>>>>>>> keycloak-user mailing list
>>>>>>>>>>>> keycloak-user(a)lists.jboss.org
>>>>>>>>>>>>
https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>
>>>>>
>>>>
>>>
>>
>
9:17 a.m.
Oh I think I found it : <auth-server-url>http://192.168.99.100/30001/auth
</auth-server-url>
You have a typo there , shouldn't it be http://192.168.99.100:30001/auth
<http://192.168.99.100:30001/auth/realms/bkofc/protocol/openid-connect/tok...
, notice the ":" instead of "/"
On Tue, Jul 25, 2017 at 4:14 PM, Sebastien Blanc <sblanc(a)redhat.com> wrote:
Oh you were faster than me on this one ;) , well you can change the
log
level of you app in the standalone.xml
On Tue, Jul 25, 2017 at 4:12 PM, Rajesh Ghosh <ghosh.rajesh(a)gmail.com>
wrote:
> Hello Sebastien,
>
> I was looking at the logs of my app wildfly server , as suggested by
> another user Thomas . Here is a relevant exception stack which I see.
>
> 13:56:29,450 ERROR [org.keycloak.adapters.rotation.JWKPublicKeyLocator]
> (default task-12) Error when sending request to retrieve realm keys:
> org.keycloak.adapters.HttpClientAdapterException: IO error
> at org.keycloak.adapters.HttpAdapterUtils.sendJsonHttpRequest(H
> ttpAdapterUtils.java:58)
> at org.keycloak.adapters.rotation.JWKPublicKeyLocator.sendReque
> st(JWKPublicKeyLocator.java:99)
> at org.keycloak.adapters.rotation.JWKPublicKeyLocator.getPublic
> Key(JWKPublicKeyLocator.java:63)
> at org.keycloak.adapters.rotation.AdapterRSATokenVerifier.getPu
> blicKey(AdapterRSATokenVerifier.java:44)
> at org.keycloak.adapters.rotation.AdapterRSATokenVerifier.verif
> yToken(AdapterRSATokenVerifier.java:55)
> at org.keycloak.adapters.rotation.AdapterRSATokenVerifier.verif
> yToken(AdapterRSATokenVerifier.java:37)
> at org.keycloak.adapters.BearerTokenRequestAuthenticator.
> authenticateToken(BearerTokenRequestAuthenticator.java:87)
> at org.keycloak.adapters.BearerTokenRequestAuthenticator.
> authenticate(BearerTokenRequestAuthenticator.java:82)
> at org.keycloak.adapters.RequestAuthenticator.authenticate(Requ
> estAuthenticator.java:68)
> at org.keycloak.adapters.undertow.AbstractUndertowKeycloakAuthM
> ech.keycloakAuthenticate(AbstractUndertowKeycloakAuthMech.java:110)
> at org.keycloak.adapters.undertow.ServletKeycloakAuthMech.authe
> nticate(ServletKeycloakAuthMech.java:92)
> at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.
> transition(SecurityContextImpl.java:245)
> at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.
> transition(SecurityContextImpl.java:263)
> at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.
> access$100(SecurityContextImpl.java:231)
> at io.undertow.security.impl.SecurityContextImpl.attemptAuthent
> ication(SecurityContextImpl.java:125)
> at io.undertow.security.impl.SecurityContextImpl.authTransition
> (SecurityContextImpl.java:99)
> at io.undertow.security.impl.SecurityContextImpl.authenticate(S
> ecurityContextImpl.java:92)
> at io.undertow.servlet.handlers.security.ServletAuthenticationC
> allHandler.handleRequest(ServletAuthenticationCallHandler.java:55)
> at io.undertow.server.handlers.DisableCacheHandler.handleReques
> t(DisableCacheHandler.java:33)
> at io.undertow.server.handlers.PredicateHandler.handleRequest(P
> redicateHandler.java:43)
> at io.undertow.security.handlers.AuthenticationConstraintHandle
> r.handleRequest(AuthenticationConstraintHandler.java:53)
> at io.undertow.security.handlers.AbstractConfidentialityHandler
> .handleRequest(AbstractConfidentialityHandler.java:46)
> at io.undertow.servlet.handlers.security.ServletConfidentiality
> ConstraintHandler.handleRequest(ServletConfident
> ialityConstraintHandler.java:64)
> at io.undertow.servlet.handlers.security.ServletSecurityConstra
> intHandler.handleRequest(ServletSecurityConstraintHandler.java:59)
> at io.undertow.security.handlers.AuthenticationMechanismsHandle
> r.handleRequest(AuthenticationMechanismsHandler.java:60)
> at io.undertow.servlet.handlers.security.CachedAuthenticatedSes
> sionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
> at io.undertow.security.handlers.NotificationReceiverHandler.ha
> ndleRequest(NotificationReceiverHandler.java:50)
> at io.undertow.security.handlers.AbstractSecurityContextAssocia
> tionHandler.handleRequest(AbstractSecurityContextAssociation
> Handler.java:43)
> at io.undertow.server.handlers.PredicateHandler.handleRequest(P
> redicateHandler.java:43)
> at org.wildfly.extension.undertow.security.jacc.JACCContextIdHa
> ndler.handleRequest(JACCContextIdHandler.java:61)
> at io.undertow.server.handlers.PredicateHandler.handleRequest(P
> redicateHandler.java:43)
> at org.keycloak.adapters.undertow.ServletPreAuthActionsHandler.
> handleRequest(ServletPreAuthActionsHandler.java:69)
> at io.undertow.server.handlers.PredicateHandler.handleRequest(P
> redicateHandler.java:43)
> at io.undertow.servlet.handlers.ServletInitialHandler.handleFir
> stRequest(ServletInitialHandler.java:292)
> at io.undertow.servlet.handlers.ServletInitialHandler.access$10
> 0(ServletInitialHandler.java:81)
> at io.undertow.servlet.handlers.ServletInitialHandler$2.call(Se
> rvletInitialHandler.java:138)
> at io.undertow.servlet.handlers.ServletInitialHandler$2.call(Se
> rvletInitialHandler.java:135)
> at io.undertow.servlet.core.ServletRequestContextThreadSetupAct
> ion$1.call(ServletRequestContextThreadSetupAction.java:48)
> at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.
> call(ContextClassLoaderSetupAction.java:43)
> at io.undertow.servlet.api.LegacyThreadSetupActionWrapper$1.
> call(LegacyThreadSetupActionWrapper.java:44)
> at io.undertow.servlet.api.LegacyThreadSetupActionWrapper$1.
> call(LegacyThreadSetupActionWrapper.java:44)
> at io.undertow.servlet.api.LegacyThreadSetupActionWrapper$1.
> call(LegacyThreadSetupActionWrapper.java:44)
> at io.undertow.servlet.api.LegacyThreadSetupActionWrapper$1.
> call(LegacyThreadSetupActionWrapper.java:44)
> at io.undertow.servlet.api.LegacyThreadSetupActionWrapper$1.
> call(LegacyThreadSetupActionWrapper.java:44)
> at io.undertow.servlet.api.LegacyThreadSetupActionWrapper$1.
> call(LegacyThreadSetupActionWrapper.java:44)
> at io.undertow.servlet.handlers.ServletInitialHandler.dispatchR
> equest(ServletInitialHandler.java:272)
> at io.undertow.servlet.handlers.ServletInitialHandler.access$00
> 0(ServletInitialHandler.java:81)
> at io.undertow.servlet.handlers.ServletInitialHandler$1.handleR
> equest(ServletInitialHandler.java:104)
> at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)
> at io.undertow.server.HttpServerExchange$1.run(HttpServerExchan
> ge.java:805)
> at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPool
> Executor.java:1142)
> at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoo
> lExecutor.java:617)
> at java.lang.Thread.run(Thread.java:748)
> Caused by: java.net.ConnectException: Connection refused (Connection
> refused)
> at java.net.PlainSocketImpl.socketConnect(Native Method)
> at java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSock
> etImpl.java:350)
> at java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPl
> ainSocketImpl.java:206)
> at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocket
> Impl.java:188)
> at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392)
> at java.net.Socket.connect(Socket.java:589)
> at org.apache.http.conn.scheme.PlainSocketFactory.connectSocket
> (PlainSocketFactory.java:117)
> at org.apache.http.impl.conn.DefaultClientConnectionOperator.
> openConnection(DefaultClientConnectionOperator.java:177)
> at org.apache.http.impl.conn.AbstractPoolEntry.open(AbstractPoo
> lEntry.java:144)
> at org.apache.http.impl.conn.AbstractPooledConnAdapter.open(Abs
> tractPooledConnAdapter.java:131)
> at org.apache.http.impl.client.DefaultRequestDirector.tryConnec
> t(DefaultRequestDirector.java:611)
> at org.apache.http.impl.client.DefaultRequestDirector.execute(D
> efaultRequestDirector.java:446)
> at org.apache.http.impl.client.AbstractHttpClient.doExecute(Abs
> tractHttpClient.java:882)
> at org.apache.http.impl.client.CloseableHttpClient.execute(Clos
> eableHttpClient.java:82)
> at org.apache.http.impl.client.CloseableHttpClient.execute(Clos
> eableHttpClient.java:107)
> at org.apache.http.impl.client.CloseableHttpClient.execute(Clos
> eableHttpClient.java:55)
> at org.keycloak.adapters.HttpAdapterUtils.sendJsonHttpRequest(H
> ttpAdapterUtils.java:37)
> ... 52 more
> 2017-07-25T13:56:29.452564496Z
> 13:56:29,454 ERROR [org.keycloak.adapters.rotation.AdapterRSATokenVerifier]
> (default task-12) Didn't find publicKey for kid:
> RHESicBPoNCwhBnBLEk_8X4ufj5WyuTo20zbzOo4HfQ
> 13:56:29,454 ERROR [org.keycloak.adapters.BearerTokenRequestAuthenticator]
> (default task-12) Failed to verify token: org.keycloak.common.VerificationException:
> Didn't find publicKey for specified kid
> at org.keycloak.adapters.rotation.AdapterRSATokenVerifier.getPu
> blicKey(AdapterRSATokenVerifier.java:47)
> at org.keycloak.adapters.rotation.AdapterRSATokenVerifier.verif
> yToken(AdapterRSATokenVerifier.java:55)
> at org.keycloak.adapters.rotation.AdapterRSATokenVerifier.verif
> yToken(AdapterRSATokenVerifier.java:37)
> at org.keycloak.adapters.BearerTokenRequestAuthenticator.
> authenticateToken(BearerTokenRequestAuthenticator.java:87)
> at org.keycloak.adapters.BearerTokenRequestAuthenticator.
> authenticate(BearerTokenRequestAuthenticator.java:82)
> at org.keycloak.adapters.RequestAuthenticator.authenticate(Requ
> estAuthenticator.java:68)
> at org.keycloak.adapters.undertow.AbstractUndertowKeycloakAuthM
> ech.keycloakAuthenticate(AbstractUndertowKeycloakAuthMech.java:110)
> at org.keycloak.adapters.undertow.ServletKeycloakAuthMech.authe
> nticate(ServletKeycloakAuthMech.java:92)
> at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.
> transition(SecurityContextImpl.java:245)
> at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.
> transition(SecurityContextImpl.java:263)
> at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.
> access$100(SecurityContextImpl.java:231)
> at io.undertow.security.impl.SecurityContextImpl.attemptAuthent
> ication(SecurityContextImpl.java:125)
> at io.undertow.security.impl.SecurityContextImpl.authTransition
> (SecurityContextImpl.java:99)
> at io.undertow.security.impl.SecurityContextImpl.authenticate(S
> ecurityContextImpl.java:92)
> at io.undertow.servlet.handlers.security.ServletAuthenticationC
> allHandler.handleRequest(ServletAuthenticationCallHandler.java:55)
> at io.undertow.server.handlers.DisableCacheHandler.handleReques
> t(DisableCacheHandler.java:33)
> at io.undertow.server.handlers.PredicateHandler.handleRequest(P
> redicateHandler.java:43)
> at io.undertow.security.handlers.AuthenticationConstraintHandle
> r.handleRequest(AuthenticationConstraintHandler.java:53)
> at io.undertow.security.handlers.AbstractConfidentialityHandler
> .handleRequest(AbstractConfidentialityHandler.java:46)
> at io.undertow.servlet.handlers.security.ServletConfidentiality
> ConstraintHandler.handleRequest(ServletConfident
> ialityConstraintHandler.java:64)
> at io.undertow.servlet.handlers.security.ServletSecurityConstra
> intHandler.handleRequest(ServletSecurityConstraintHandler.java:59)
> at io.undertow.security.handlers.AuthenticationMechanismsHandle
> r.handleRequest(AuthenticationMechanismsHandler.java:60)
> at io.undertow.servlet.handlers.security.CachedAuthenticatedSes
> sionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
> at io.undertow.security.handlers.NotificationReceiverHandler.ha
> ndleRequest(NotificationReceiverHandler.java:50)
> at io.undertow.security.handlers.AbstractSecurityContextAssocia
> tionHandler.handleRequest(AbstractSecurityContextAssociation
> Handler.java:43)
> at io.undertow.server.handlers.PredicateHandler.handleRequest(P
> redicateHandler.java:43)
> at org.wildfly.extension.undertow.security.jacc.JACCContextIdHa
> ndler.handleRequest(JACCContextIdHandler.java:61)
> at io.undertow.server.handlers.PredicateHandler.handleRequest(P
> redicateHandler.java:43)
> at org.keycloak.adapters.undertow.ServletPreAuthActionsHandler.
> handleRequest(ServletPreAuthActionsHandler.java:69)
> at io.undertow.server.handlers.PredicateHandler.handleRequest(P
> redicateHandler.java:43)
> at io.undertow.servlet.handlers.ServletInitialHandler.handleFir
> stRequest(ServletInitialHandler.java:292)
> at io.undertow.servlet.handlers.ServletInitialHandler.access$10
> 0(ServletInitialHandler.java:81)
> at io.undertow.servlet.handlers.ServletInitialHandler$2.call(Se
> rvletInitialHandler.java:138)
> at io.undertow.servlet.handlers.ServletInitialHandler$2.call(Se
> rvletInitialHandler.java:135)
> at io.undertow.servlet.core.ServletRequestContextThreadSetupAct
> ion$1.call(ServletRequestContextThreadSetupAction.java:48)
> at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.
> call(ContextClassLoaderSetupAction.java:43)
> at io.undertow.servlet.api.LegacyThreadSetupActionWrapper$1.
> call(LegacyThreadSetupActionWrapper.java:44)
> at io.undertow.servlet.api.LegacyThreadSetupActionWrapper$1.
> call(LegacyThreadSetupActionWrapper.java:44)
> at io.undertow.servlet.api.LegacyThreadSetupActionWrapper$1.
> call(LegacyThreadSetupActionWrapper.java:44)
> at io.undertow.servlet.api.LegacyThreadSetupActionWrapper$1.
> call(LegacyThreadSetupActionWrapper.java:44)
> at io.undertow.servlet.api.LegacyThreadSetupActionWrapper$1.
> call(LegacyThreadSetupActionWrapper.java:44)
> at io.undertow.servlet.api.LegacyThreadSetupActionWrapper$1.
> call(LegacyThreadSetupActionWrapper.java:44)
> at io.undertow.servlet.handlers.ServletInitialHandler.dispatchR
> equest(ServletInitialHandler.java:272)
> at io.undertow.servlet.handlers.ServletInitialHandler.access$00
> 0(ServletInitialHandler.java:81)
> at io.undertow.servlet.handlers.ServletInitialHandler$1.handleR
> equest(ServletInitialHandler.java:104)
> at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)
> at io.undertow.server.HttpServerExchange$1.run(HttpServerExchan
> ge.java:805)
> at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPool
> Executor.java:1142)
> at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoo
> lExecutor.java:617)
> at java.lang.Thread.run(Thread.java:748)
>
> Is there a way to enhance the log level at the client ( i mean keycloak
> adapter ) , to see if it is a http connection issue or something else ??
>
> Thanks,
> Rajesh
>
> On Tue, Jul 25, 2017 at 7:36 PM, Rajesh Ghosh <ghosh.rajesh(a)gmail.com>
> wrote:
>
>> Here is the response from curl ---
>>
>> $ curl -v http://192.168.99.100:8080/OlpUIFwk2-1.0-SNAPSHOT/services/s
>> ec/rest/us
>> erservice/users -H "Authorization: Bearer $KEY"
>> * Trying 192.168.99.100...
>> * Connected to 192.168.99.100 (192.168.99.100) port 8080 (#0)
>> > GET /OlpUIFwk2-1.0-SNAPSHOT/services/sec/rest/userservice/users
>> HTTP/1.1
>> > Host: 192.168.99.100:8080
>> > User-Agent: curl/7.50.1
>> > Accept: */*
>> > Authorization: Bearer eyJhbGciOiJSUzI1NiIsInR5cCIgOi
>> AiSldUIiwia2lkIiA6ICJSSEV
>> TaWNCUG9OQ3doQm5CTEVrXzhYNHVmajVXeXVUbzIwemJ6T280SGZRIn0.eyJ
>> qdGkiOiJkNmY2MmM5YS1
>> hNjAwLTQ4ZmQtYmI3Ny0wMTI1NDQ0YmIzNWMiLCJleHAiOjE1MDA5OTAyNDg
>> sIm5iZiI6MCwiaWF0Ijo
>> xNTAwOTg5OTQ4LCJpc3MiOiJodHRwOi8vMTkyLjE2OC45OS4xMDA6MzAwMDE
>> vYXV0aC9yZWFsbXMvYmt
>> vZmMiLCJhdWQiOiJia29mYy13ZWIiLCJzdWIiOiIwYTA5MTQ0OC0wNjAyLTQ
>> 2YmMtOWU4MS05MjE1Zjg
>> zYjVjOTgiLCJ0eXAiOiJCZWFyZXIiLCJhenAiOiJia29mYy13ZWIiLCJhdXR
>> oX3RpbWUiOjAsInNlc3N
>> pb25fc3RhdGUiOiIzMjMxZjQ2Zi0yMjliLTQyZDMtYTQxOS0wODlhMjEzOTZ
>> lNjciLCJhY3IiOiIxIiw
>> iY2xpZW50X3Nlc3Npb24iOiI5MjFjYzM2MC03ZTkyLTQ1ZDQtYjdmNy0xNWF
>> kYTY2NmE4Y2EiLCJhbGx
>> vd2VkLW9yaWdpbnMiOlsiaHR0cDovLzE5Mi4xNjguOTkuMTAwOjgwODAvIl0
>> sInJlYWxtX2FjY2VzcyI
>> 6eyJyb2xlcyI6WyJ1bWFfYXV0aG9yaXphdGlvbiIsInVzZXIiXX0sInJlc29
>> 1cmNlX2FjY2VzcyI6eyJ
>> yZWFsbS1tYW5hZ2VtZW50Ijp7InJvbGVzIjpbInZpZXctcmVhbG0iLCJ2aWV
>> 3LWlkZW50aXR5LXByb3Z
>> pZGVycyIsIm1hbmFnZS1pZGVudGl0eS1wcm92aWRlcnMiLCJpbXBlcnNvbmF
>> 0aW9uIiwicmVhbG0tYWR
>> taW4iLCJjcmVhdGUtY2xpZW50IiwibWFuYWdlLXVzZXJzIiwidmlldy1hdXR
>> ob3JpemF0aW9uIiwibWF
>> uYWdlLWV2ZW50cyIsIm1hbmFnZS1yZWFsbSIsInZpZXctZXZlbnRzIiwidml
>> ldy11c2VycyIsInZpZXc
>> tY2xpZW50cyIsIm1hbmFnZS1hdXRob3JpemF0aW9uIiwibWFuYWdlLWNsaWV
>> udHMiXX0sImFjY291bnQ
>> iOnsicm9sZXMiOlsibWFuYWdlLWFjY291bnQiLCJtYW5hZ2UtYWNjb3VudC1
>> saW5rcyIsInZpZXctcHJ
>> vZmlsZSJdfX0sIm5hbWUiOiIiLCJwcmVmZXJyZWRfdXNlcm5hbWUiOiJzdXB
>> lcmFkbWluIiwiZW1haWw
>> iOiJ0cmlsaWEudGVjaEBnbWFpbC5jb20ifQ.JCGcaQ-8yYhoOT_DfHvNa5Hv
>> G3x5WBI3ZcC4WEcBA3NU
>> L-mQdUhU1aEK9G5VulcRbMeYp9f_rFnFip-N9g3JwPGhR6ozgwdXlI09JAjM
>> 6zLk7cy0UKig5ghHX1-g
>> Xb5EHChzhmGI_xtV77t9dcKBjW4V3f7eFwDmCMyWj8bqyoFMDTIp_Gz67Wt1
>> iUXAaCZ5fIdXs3epdG82
>> NhJrjQsIKiYGzUg9JY2Dkvg_tHGHESN85KsW2TNj8Jd0CuS-cF0rOqx82poh
>> W6RQMAZmGyMVofsxH_uR
>> rEbvpmI_ofkAUF6qCuLDD7idZC_j1ARXH-EOWxHgnSEDXc6SF2aAegmCpw
>> >
>> < HTTP/1.1 401 Unauthorized
>> < Expires: 0
>> < Cache-Control: no-cache, no-store, must-revalidate
>> < X-Powered-By: Undertow/1
>> < Server: WildFly/10
>> < Pragma: no-cache
>> < Date: Tue, 25 Jul 2017 14:04:31 GMT
>> < Connection: keep-alive
>> < WWW-Authenticate: Bearer realm="bkofc",
error="invalid_token",
>> error_description="Didn't find publicKey for specified kid"
>> < Content-Type: text/html;charset=UTF-8
>> < Content-Length: 71
>> <
>> * Connection #0 to host 192.168.99.100 left intact
>>
<html><head><title>Error</title></head><body>Unauthorized</body></html>$
>> $
>>
>> Thanks,
>> Rajesh
>>
>> On Tue, Jul 25, 2017 at 7:30 PM, Rajesh Ghosh <ghosh.rajesh(a)gmail.com>
>> wrote:
>>
>>> Sure. I was using postman to invoke the service. This is the command
>>> used by postman --
>>>
>>> ------------------------------------------------------------
>>> ------------
>>>
>>> GET /OlpUIFwk2-1.0-SNAPSHOT/services/sec/rest/userservice/users
>>> HTTP/1.1
>>> Host: 192.168.99.100:8080
>>> Authorization: Bearer eyJhbGciOiJSUzI1NiIsInR5cCIgO
>>> iAiSldUIiwia2lkIiA6ICJSSEVTaWNCUG9OQ3doQm5CTEVrXzhYNHVmajVXe
>>> XVUbzIwemJ6T280SGZRIn0.eyJqdGkiOiJkNmY2MmM5YS1hNjAwLTQ4ZmQtY
>>> mI3Ny0wMTI1NDQ0YmIzNWMiLCJleHAiOjE1MDA5OTAyNDgsIm5iZiI6MCwia
>>> WF0IjoxNTAwOTg5OTQ4LCJpc3MiOiJodHRwOi8vMTkyLjE2OC45OS4xMDA6M
>>> zAwMDEvYXV0aC9yZWFsbXMvYmtvZmMiLCJhdWQiOiJia29mYy13ZWIiLCJzd
>>> WIiOiIwYTA5MTQ0OC0wNjAyLTQ2YmMtOWU4MS05MjE1ZjgzYjVjOTgiLCJ0e
>>> XAiOiJCZWFyZXIiLCJhenAiOiJia29mYy13ZWIiLCJhdXRoX3RpbWUiOjAsI
>>> nNlc3Npb25fc3RhdGUiOiIzMjMxZjQ2Zi0yMjliLTQyZDMtYTQxOS0wODlhM
>>> jEzOTZlNjciLCJhY3IiOiIxIiwiY2xpZW50X3Nlc3Npb24iOiI5MjFjYzM2M
>>> C03ZTkyLTQ1ZDQtYjdmNy0xNWFkYTY2NmE4Y2EiLCJhbGxvd2VkLW9yaWdpb
>>> nMiOlsiaHR0cDovLzE5Mi4xNjguOTkuMTAwOjgwODAvIl0sInJlYWxtX2FjY
>>> 2VzcyI6eyJyb2xlcyI6WyJ1bWFfYXV0aG9yaXphdGlvbiIsInVzZXIiXX0sI
>>> nJlc291cmNlX2FjY2VzcyI6eyJyZWFsbS1tYW5hZ2VtZW50Ijp7InJvbGVzI
>>> jpbInZpZXctcmVhbG0iLCJ2aWV3LWlkZW50aXR5LXByb3ZpZGVycyIsIm1hb
>>> mFnZS1pZGVudGl0eS1wcm92aWRlcnMiLCJpbXBlcnNvbmF0aW9uIiwicmVhb
>>> G0tYWRtaW4iLCJjcmVhdGUtY2xpZW50IiwibWFuYWdlLXVzZXJzIiwidmlld
>>> y1hdXRob3JpemF0aW9uIiwibWFuYWdlLWV2ZW50cyIsIm1hbmFnZS1yZWFsb
>>> SIsInZpZXctZXZlbnRzIiwidmlldy11c2VycyIsInZpZXctY2xpZW50cyIsI
>>> m1hbmFnZS1hdXRob3JpemF0aW9uIiwibWFuYWdlLWNsaWVudHMiXX0sImFjY
>>> 291bnQiOnsicm9sZXMiOlsibWFuYWdlLWFjY291bnQiLCJtYW5hZ2UtYWNjb
>>> 3VudC1saW5rcyIsInZpZXctcHJvZmlsZSJdfX0sIm5hbWUiOiIiLCJwcmVmZ
>>> XJyZWRfdXNlcm5hbWUiOiJzdXBlcmFkbWluIiwiZW1haWwiOiJ0cmlsaWEud
>>> GVjaEBnbWFpbC5jb20ifQ.JCGcaQ-8yYhoOT_DfHvNa5HvG3x5WBI3ZcC4WE
>>> cBA3NUL-mQdUhU1aEK9G5VulcRbMeYp9f_rFnFip-N9g3JwPGhR6ozgwdXlI
>>> 09JAjM6zLk7cy0UKig5ghHX1-gXb5EHChzhmGI_xtV77t9dcKBjW4V3
>>> f7eFwDmCMyWj8bqyoFMDTIp_Gz67Wt1iUXAaCZ5fIdXs3epdG82NhJ
>>> rjQsIKiYGzUg9JY2Dkvg_tHGHESN85KsW2TNj8Jd0CuS-cF0rOq
>>> x82pohW6RQMAZmGyMVofsxH_uRrEbvpmI_ofkAUF6qCuLDD7idZC_j1ARXH-
>>> EOWxHgnSEDXc6SF2aAegmCpw
>>> Cache-Control: no-cache
>>> Postman-Token: d378eefe-82c8-9c3d-0140-ef56c62f9b97
>>>
>>>
>>> ------------------------------------------------------------
>>> ---------------
>>>
>>> The "userservice" is my own service for other attributes of users.
I
>>> also made sure that the service executes without the security.
>>>
>>> Thanks,
>>> Rajesh
>>>
>>>
>>> On Tue, Jul 25, 2017 at 7:24 PM, Sebastien Blanc <sblanc(a)redhat.com>
>>> wrote:
>>>
>>>> Okay, to have the complete picture could paste the command you issue
>>>> to call your REST service ?
>>>>
>>>>
>>>> On Tue, Jul 25, 2017 at 3:50 PM, Rajesh Ghosh
<ghosh.rajesh(a)gmail.com>
>>>> wrote:
>>>>
>>>>> Sebastien,
>>>>>
>>>>> Here is a token response -
>>>>>
>>>>> {
>>>>> "access_token": "eyJhbGciOiJSUzI1NiIsInR5cCIgO
>>>>> iAiSldUIiwia2lkIiA6ICJSSEVTaWNCUG9OQ3doQm5CTEVrXzhYNHVmajVXe
>>>>> XVUbzIwemJ6T280SGZRIn0.eyJqdGkiOiJkNmY2MmM5YS1hNjAwLTQ4ZmQtY
>>>>> mI3Ny0wMTI1NDQ0YmIzNWMiLCJleHAiOjE1MDA5OTAyNDgsIm5iZiI6MCwia
>>>>> WF0IjoxNTAwOTg5OTQ4LCJpc3MiOiJodHRwOi8vMTkyLjE2OC45OS4xMDA6M
>>>>> zAwMDEvYXV0aC9yZWFsbXMvYmtvZmMiLCJhdWQiOiJia29mYy13ZWIiLCJzd
>>>>> WIiOiIwYTA5MTQ0OC0wNjAyLTQ2YmMtOWU4MS05MjE1ZjgzYjVjOTgiLCJ0e
>>>>> XAiOiJCZWFyZXIiLCJhenAiOiJia29mYy13ZWIiLCJhdXRoX3RpbWUiOjAsI
>>>>> nNlc3Npb25fc3RhdGUiOiIzMjMxZjQ2Zi0yMjliLTQyZDMtYTQxOS0wODlhM
>>>>> jEzOTZlNjciLCJhY3IiOiIxIiwiY2xpZW50X3Nlc3Npb24iOiI5MjFjYzM2M
>>>>> C03ZTkyLTQ1ZDQtYjdmNy0xNWFkYTY2NmE4Y2EiLCJhbGxvd2VkLW9yaWdpb
>>>>> nMiOlsiaHR0cDovLzE5Mi4xNjguOTkuMTAwOjgwODAvIl0sInJlYWxtX2FjY
>>>>> 2VzcyI6eyJyb2xlcyI6WyJ1bWFfYXV0aG9yaXphdGlvbiIsInVzZXIiXX0sI
>>>>> nJlc291cmNlX2FjY2VzcyI6eyJyZWFsbS1tYW5hZ2VtZW50Ijp7InJvbGVzI
>>>>> jpbInZpZXctcmVhbG0iLCJ2aWV3LWlkZW50aXR5LXByb3ZpZGVycyIsIm1hb
>>>>> mFnZS1pZGVudGl0eS1wcm92aWRlcnMiLCJpbXBlcnNvbmF0aW9uIiwicmVhb
>>>>> G0tYWRtaW4iLCJjcmVhdGUtY2xpZW50IiwibWFuYWdlLXVzZXJzIiwidmlld
>>>>> y1hdXRob3JpemF0aW9uIiwibWFuYWdlLWV2ZW50cyIsIm1hbmFnZS1yZWFsb
>>>>> SIsInZpZXctZXZlbnRzIiwidmlldy11c2VycyIsInZpZXctY2xpZW50cyIsI
>>>>> m1hbmFnZS1hdXRob3JpemF0aW9uIiwibWFuYWdlLWNsaWVudHMiXX0sImFjY
>>>>> 291bnQiOnsicm9sZXMiOlsibWFuYWdlLWFjY291bnQiLCJtYW5hZ2UtYWNjb
>>>>> 3VudC1saW5rcyIsInZpZXctcHJvZmlsZSJdfX0sIm5hbWUiOiIiLCJwcmVmZ
>>>>> XJyZWRfdXNlcm5hbWUiOiJzdXBlcmFkbWluIiwiZW1haWwiOiJ0cmlsaWEud
>>>>> GVjaEBnbWFpbC5jb20ifQ.JCGcaQ-8yYhoOT_DfHvNa5HvG3x5WBI3ZcC4WE
>>>>> cBA3NUL-mQdUhU1aEK9G5VulcRbMeYp9f_rFnFip-N9g3JwPGhR6ozgwdXlI
>>>>> 09JAjM6zLk7cy0UKig5ghHX1-gXb5EHChzhmGI_xtV77t9dcKBjW4V3f7eFw
>>>>> DmCMyWj8bqyoFMDTIp_Gz67Wt1iUXAaCZ5fIdXs3epdG82NhJrjQsIKiYGzU
>>>>> g9JY2Dkvg_tHGHESN85KsW2TNj8Jd0CuS-cF0rOqx82pohW6RQMAZmGyMVof
>>>>>
sxH_uRrEbvpmI_ofkAUF6qCuLDD7idZC_j1ARXH-EOWxHgnSEDXc6SF2aAegmCpw",
>>>>> "expires_in": 300,
>>>>> "refresh_expires_in": 1800,
>>>>> "refresh_token": "eyJhbGciOiJSUzI1NiIsInR5cCIgO
>>>>> iAiSldUIiwia2lkIiA6ICJSSEVTaWNCUG9OQ3doQm5CTEVrXzhYNHVmajVXe
>>>>> XVUbzIwemJ6T280SGZRIn0.eyJqdGkiOiIyYzE4ZjkxYi0yMDljLTQwY2ItY
>>>>> TE5OS02NGIwZTEyYjRkOGIiLCJleHAiOjE1MDA5OTE3NDgsIm5iZiI6MCwia
>>>>> WF0IjoxNTAwOTg5OTQ4LCJpc3MiOiJodHRwOi8vMTkyLjE2OC45OS4xMDA6M
>>>>> zAwMDEvYXV0aC9yZWFsbXMvYmtvZmMiLCJhdWQiOiJia29mYy13ZWIiLCJzd
>>>>> WIiOiIwYTA5MTQ0OC0wNjAyLTQ2YmMtOWU4MS05MjE1ZjgzYjVjOTgiLCJ0e
>>>>> XAiOiJSZWZyZXNoIiwiYXpwIjoiYmtvZmMtd2ViIiwiYXV0aF90aW1lIjowL
>>>>> CJzZXNzaW9uX3N0YXRlIjoiMzIzMWY0NmYtMjI5Yi00MmQzLWE0MTktMDg5Y
>>>>> TIxMzk2ZTY3IiwiY2xpZW50X3Nlc3Npb24iOiI5MjFjYzM2MC03ZTkyLTQ1Z
>>>>> DQtYjdmNy0xNWFkYTY2NmE4Y2EiLCJyZWFsbV9hY2Nlc3MiOnsicm9sZXMiO
>>>>> lsidW1hX2F1dGhvcml6YXRpb24iLCJ1c2VyIl19LCJyZXNvdXJjZV9hY2Nlc
>>>>> 3MiOnsicmVhbG0tbWFuYWdlbWVudCI6eyJyb2xlcyI6WyJ2aWV3LXJlYWxtI
>>>>> iwidmlldy1pZGVudGl0eS1wcm92aWRlcnMiLCJtYW5hZ2UtaWRlbnRpdHktc
>>>>> HJvdmlkZXJzIiwiaW1wZXJzb25hdGlvbiIsInJlYWxtLWFkbWluIiwiY3JlY
>>>>> XRlLWNsaWVudCIsIm1hbmFnZS11c2VycyIsInZpZXctYXV0aG9yaXphdGlvb
>>>>> iIsIm1hbmFnZS1ldmVudHMiLCJtYW5hZ2UtcmVhbG0iLCJ2aWV3LWV2ZW50c
>>>>> yIsInZpZXctdXNlcnMiLCJ2aWV3LWNsaWVudHMiLCJtYW5hZ2UtYXV0aG9ya
>>>>> XphdGlvbiIsIm1hbmFnZS1jbGllbnRzIl19LCJhY2NvdW50Ijp7InJvbGVzI
>>>>> jpbIm1hbmFnZS1hY2NvdW50IiwibWFuYWdlLWFjY291bnQtbGlua3MiLCJ2a
>>>>> WV3LXByb2ZpbGUiXX19fQ.Uz0rqNlj09T_SdnfZK9ZxBcJ5EIEwwHCN5VwKI
>>>>> hIF6Ua32fDlf1UvZSoZTmr5jiHeiwpp4JALWGTXsda4p-PlzMvwmMN5Qp46-
>>>>> EXGJQkqH4NNqZ1W_1mRGySYokQCSkmdvAZPFGrqxpeb1seuKgaaiXXMsrvai
>>>>> ucFCa8H599Ox6QRE3MkoLmm8w7_08kPG1_JjXIviHtwoWgsb0zCcMPyHRdCv
>>>>> _rs6FIoTQiCRZ2joaXSvIsmVAkchgZbeB-_RSWzlk3_oaOCQw7OWZJRqnAdG
>>>>>
gDnL5jCCRLTVFnPo9TqKrt88h3fKkVuNuI8Y06sZ1If8wgSWRDRLUf0X8sampLww",
>>>>> "token_type": "bearer",
>>>>> "id_token": "eyJhbGciOiJSUzI1NiIsInR5cCIgO
>>>>> iAiSldUIiwia2lkIiA6ICJSSEVTaWNCUG9OQ3doQm5CTEVrXzhYNHVmajVXe
>>>>> XVUbzIwemJ6T280SGZRIn0.eyJqdGkiOiI2ZDJkNWMxNS01YmE3LTRhNTgtO
>>>>> TJkNC0wNGU0NTkyMjNkNGYiLCJleHAiOjE1MDA5OTAyNDgsIm5iZiI6MCwia
>>>>> WF0IjoxNTAwOTg5OTQ4LCJpc3MiOiJodHRwOi8vMTkyLjE2OC45OS4xMDA6M
>>>>> zAwMDEvYXV0aC9yZWFsbXMvYmtvZmMiLCJhdWQiOiJia29mYy13ZWIiLCJzd
>>>>> WIiOiIwYTA5MTQ0OC0wNjAyLTQ2YmMtOWU4MS05MjE1ZjgzYjVjOTgiLCJ0e
>>>>> XAiOiJJRCIsImF6cCI6ImJrb2ZjLXdlYiIsImF1dGhfdGltZSI6MCwic2Vzc
>>>>> 2lvbl9zdGF0ZSI6IjMyMzFmNDZmLTIyOWItNDJkMy1hNDE5LTA4OWEyMTM5N
>>>>> mU2NyIsImFjciI6IjEiLCJuYW1lIjoiIiwicHJlZmVycmVkX3VzZXJuYW1lI
>>>>> joic3VwZXJhZG1pbiIsImVtYWlsIjoidHJpbGlhLnRlY2hAZ21haWwuY29tI
>>>>> n0.eFVxG7MImPS4yCEiLOzhvZ5M_XjRWuHJlt_T4r3djak7sH_XOXUmHAuih
>>>>> xXrm7HLv8DU3OzHpN3FinOWufOdTCv9Ywww0DRq4ha1M7dodqMuv1H5d3XVB
>>>>> n_kuHK68zWRI3t9WI4ZNeaEU0whLSnBqcbJ54dQrBloUPS4bpYG-BqfSNYs6
>>>>> bG8cyJHQ4_FRpAi3X9qWOCwaPrZ5Z_vQfNbYcgIfON_puN8QfRxihg90KQYO
>>>>> p4lJpU5JqeaVmYp9eOYTb5iQzOuLWDXenyIBmvT_K84HZKh8t5eWsqH01st-
>>>>> Ls7uJcNAUM9PXRM7JswCjhouuQGBM6dn5iICoL00acuxg",
>>>>> "not-before-policy": 0,
>>>>> "session_state":
"3231f46f-229b-42d3-a419-089a21396e67"
>>>>> }
>>>>>
>>>>>
>>>>> I checked it in jwt.io . The kid is same as the
"rsa-generated" one,
>>>>> shown in the screen shot I shared yesterday. Although jwt complained
as
>>>>> "Invalid Signature" .
>>>>>
>>>>>
>>>>> Thomas, the connectivity should not be an issue as I am able to get
>>>>> the access token from my app wildfly server using curl. So keycloak
is
>>>>> reachable from my wildfly server. Anything specific you did to
resolve your
>>>>> issue ?
>>>>>
>>>>> Regards,
>>>>> Rajesh
>>>>>
>>>>> On Tue, Jul 25, 2017 at 11:12 AM, Sebastien Blanc
<sblanc(a)redhat.com>
>>>>> wrote:
>>>>>
>>>>>> This looks all correct. Could you try paste your access token or
>>>>>> even check it your self on jwt.io to see if the kid is present ?
>>>>>>
>>>>>>
>>>>>> On Mon, Jul 24, 2017 at 6:47 PM, Rajesh Ghosh <
>>>>>> ghosh.rajesh(a)gmail.com> wrote:
>>>>>>
>>>>>>> Sebastien,
>>>>>>>
>>>>>>> I am attaching a pdf containing the screen shots. Few more
points
>>>>>>> I wanted to mention.
>>>>>>>
>>>>>>> i) I didn't install the public client --
"bkofc-web" in the
>>>>>>> wildfly container which hosts my REST services. I did it for
"bkofc-svc"
>>>>>>> client which is bearer only. I hope that is the correct
approach.
>>>>>>> ii) Both keycloak and my application are running on docker
>>>>>>> containers locally in my laptop.
>>>>>>>
>>>>>>> Let me know if you need anything else to analyze.
>>>>>>>
>>>>>>> Thanks,
>>>>>>> Rajesh
>>>>>>>
>>>>>>>
>>>>>>> On Mon, Jul 24, 2017 at 9:13 PM, Sebastien Blanc
<sblanc(a)redhat.com
>>>>>>> > wrote:
>>>>>>>
>>>>>>>> yes please
>>>>>>>>
>>>>>>>> On Mon, Jul 24, 2017 at 4:54 PM, Rajesh Ghosh <
>>>>>>>> ghosh.rajesh(a)gmail.com> wrote:
>>>>>>>>
>>>>>>>>> Yes definitely. I did replace it with the actual war
name. Let me
>>>>>>>>> know if you would like me to paste screen shots of
realm configurations,
>>>>>>>>> client configurations.
>>>>>>>>>
>>>>>>>>> Thanks,
>>>>>>>>> Rajesh
>>>>>>>>>
>>>>>>>>> On Mon, Jul 24, 2017 at 8:12 PM, Sebastien Blanc
<
>>>>>>>>> sblanc(a)redhat.com> wrote:
>>>>>>>>>
>>>>>>>>>> Ok and for :
>>>>>>>>>> <secure-deployment name="my war
file.war">
>>>>>>>>>>
>>>>>>>>>> Did you replace that with the actual name of your
war file ?
>>>>>>>>>>
>>>>>>>>>> On Mon, Jul 24, 2017 at 4:35 PM, Rajesh Ghosh
<
>>>>>>>>>> ghosh.rajesh(a)gmail.com> wrote:
>>>>>>>>>>
>>>>>>>>>>> Hello Sebastien,
>>>>>>>>>>>
>>>>>>>>>>> I am using 3.1.0.Final build.
>>>>>>>>>>>
>>>>>>>>>>> Thanks,
>>>>>>>>>>> Rajesh
>>>>>>>>>>>
>>>>>>>>>>> On Mon, Jul 24, 2017 at 7:56 PM, Sebastien
Blanc <
>>>>>>>>>>> sblanc(a)redhat.com> wrote:
>>>>>>>>>>>
>>>>>>>>>>>> Which version of Keycloak are you using
?
>>>>>>>>>>>>
>>>>>>>>>>>> On Mon, Jul 24, 2017 at 3:15 PM, Rajesh
Ghosh <
>>>>>>>>>>>> ghosh.rajesh(a)gmail.com> wrote:
>>>>>>>>>>>>
>>>>>>>>>>>>> Hi,
>>>>>>>>>>>>>
>>>>>>>>>>>>> I am trying to secure my REST
services using the method
>>>>>>>>>>>>> described in the
>>>>>>>>>>>>> document --
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
http://blog.keycloak.org/2015/10/getting-started-with-keyclo
>>>>>>>>>>>>> ak-securing.html
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> I am securing my war using JBoss
subsystem , instead of
>>>>>>>>>>>>> per-war option. The
>>>>>>>>>>>>> relevant sections from my
standalone.xml are posted below.
>>>>>>>>>>>>>
>>>>>>>>>>>>> <extensions>
>>>>>>>>>>>>> ......
>>>>>>>>>>>>> <extension
module="org.keycloak.keycloak-
>>>>>>>>>>>>> adapter-subsystem"/>
>>>>>>>>>>>>> </extensions>
>>>>>>>>>>>>>
>>>>>>>>>>>>> <security-domains>
>>>>>>>>>>>>> .....
>>>>>>>>>>>>> <security-domain
name="keycloak">
>>>>>>>>>>>>>
<authentication>
>>>>>>>>>>>>>
<login-module
>>>>>>>>>>>>>
code="org.keycloak.adapters.jboss.KeycloakLoginModule"
>>>>>>>>>>>>> flag="required"/>
>>>>>>>>>>>>>
</authentication>
>>>>>>>>>>>>>
</security-domain>
>>>>>>>>>>>>>
</security-domains>
>>>>>>>>>>>>>
>>>>>>>>>>>>> <subsystem
xmlns="urn:jboss:domain:keycloak:1.1">
>>>>>>>>>>>>> <secure-deployment
name="my war file.war">
>>>>>>>>>>>>>
<realm>bkofc</realm>
>>>>>>>>>>>>>
<resource>bkofc-svc</resource>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
<use-resource-role-mappings>true</use-resource-role-mappings>
>>>>>>>>>>>>>
<bearer-only>true</bearer-only>
>>>>>>>>>>>>>
<auth-server-url>http://192.16
>>>>>>>>>>>>> 8.99.100/30001/auth
>>>>>>>>>>>>> </auth-server-url>
>>>>>>>>>>>>>
<ssl-required>none</ssl-required>
>>>>>>>>>>>>> <credential
>>>>>>>>>>>>>
name="secret">9bcc6d9f-9c72-4b58-b297-79f0f207d9e1</credenti
>>>>>>>>>>>>> al>
>>>>>>>>>>>>>
</secure-deployment>
>>>>>>>>>>>>> </subsystem>
>>>>>>>>>>>>>
>>>>>>>>>>>>> I am able to obtain the access
token.
>>>>>>>>>>>>>
>>>>>>>>>>>>> curl -i curl --data
>>>>>>>>>>>>>
"grant_type=password&client_id=bkofc-web&username=user&passw
>>>>>>>>>>>>> ord=password"
>>>>>>>>>>>>>
http://192.168.99.100:30001/auth/realms/bkofc/protocol/openi
>>>>>>>>>>>>> d-connect/token
>>>>>>>>>>>>>
>>>>>>>>>>>>> Note:- I have created 2 clients -- i)
bkofc-svc which is
>>>>>>>>>>>>> bearer only, for
>>>>>>>>>>>>> my REST services ii) bkofc-web , a
public client to simulate
>>>>>>>>>>>>> UI login
>>>>>>>>>>>>>
>>>>>>>>>>>>> However when I try to use the access
token to invoke a
>>>>>>>>>>>>> service, I am
>>>>>>>>>>>>> getting the error -
>>>>>>>>>>>>>
>>>>>>>>>>>>> Status: 401
>>>>>>>>>>>>>
>>>>>>>>>>>>> WWW-Authenticate Bearer
realm="bkofc", error="invalid_token",
>>>>>>>>>>>>> error_description="Didn't
find publicKey for specified kid"
>>>>>>>>>>>>>
>>>>>>>>>>>>> Please let me know if I am missing
something here. I have
>>>>>>>>>>>>> been breaking my
>>>>>>>>>>>>> head last few days without any luck !
I have also tried
>>>>>>>>>>>>> rotating the realm
>>>>>>>>>>>>> keys.
>>>>>>>>>>>>>
>>>>>>>>>>>>> Thanks,
>>>>>>>>>>>>> Rajesh
>>>>>>>>>>>>>
_______________________________________________
>>>>>>>>>>>>> keycloak-user mailing list
>>>>>>>>>>>>> keycloak-user(a)lists.jboss.org
>>>>>>>>>>>>>
https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>
>>>>>
>>>>
>>>
>>
>
9:18 a.m.
OMG ! That was stupid ! Let me rectify that and try again.
Thanks so much for pointing out.
Regards,
Rajesh
On Tue, Jul 25, 2017 at 7:47 PM, Sebastien Blanc <sblanc(a)redhat.com> wrote:
Oh I think I found it :
<auth-server-url>http://192.168.99.100/30001/auth
</auth-server-url>
You have a typo there , shouldn't it be http://192.168.99.100:30001/auth
<http://192.168.99.100:30001/auth/realms/bkofc/protocol/openid-connect/tok...
, notice the ":" instead of "/"
On Tue, Jul 25, 2017 at 4:14 PM, Sebastien Blanc <sblanc(a)redhat.com>
wrote:
> Oh you were faster than me on this one ;) , well you can change the log
> level of you app in the standalone.xml
>
> On Tue, Jul 25, 2017 at 4:12 PM, Rajesh Ghosh <ghosh.rajesh(a)gmail.com>
> wrote:
>
>> Hello Sebastien,
>>
>> I was looking at the logs of my app wildfly server , as suggested by
>> another user Thomas . Here is a relevant exception stack which I see.
>>
>> 13:56:29,450 ERROR [org.keycloak.adapters.rotation.JWKPublicKeyLocator]
>> (default task-12) Error when sending request to retrieve realm keys:
>> org.keycloak.adapters.HttpClientAdapterException: IO error
>> at org.keycloak.adapters.HttpAdapterUtils.sendJsonHttpRequest(H
>> ttpAdapterUtils.java:58)
>> at org.keycloak.adapters.rotation.JWKPublicKeyLocator.sendReque
>> st(JWKPublicKeyLocator.java:99)
>> at org.keycloak.adapters.rotation.JWKPublicKeyLocator.getPublic
>> Key(JWKPublicKeyLocator.java:63)
>> at org.keycloak.adapters.rotation.AdapterRSATokenVerifier.getPu
>> blicKey(AdapterRSATokenVerifier.java:44)
>> at org.keycloak.adapters.rotation.AdapterRSATokenVerifier.verif
>> yToken(AdapterRSATokenVerifier.java:55)
>> at org.keycloak.adapters.rotation.AdapterRSATokenVerifier.verif
>> yToken(AdapterRSATokenVerifier.java:37)
>> at org.keycloak.adapters.BearerTokenRequestAuthenticator.authen
>> ticateToken(BearerTokenRequestAuthenticator.java:87)
>> at org.keycloak.adapters.BearerTokenRequestAuthenticator.authen
>> ticate(BearerTokenRequestAuthenticator.java:82)
>> at org.keycloak.adapters.RequestAuthenticator.authenticate(Requ
>> estAuthenticator.java:68)
>> at org.keycloak.adapters.undertow.AbstractUndertowKeycloakAuthM
>> ech.keycloakAuthenticate(AbstractUndertowKeycloakAuthMech.java:110)
>> at org.keycloak.adapters.undertow.ServletKeycloakAuthMech.authe
>> nticate(ServletKeycloakAuthMech.java:92)
>> at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.
>> transition(SecurityContextImpl.java:245)
>> at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.
>> transition(SecurityContextImpl.java:263)
>> at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.
>> access$100(SecurityContextImpl.java:231)
>> at io.undertow.security.impl.SecurityContextImpl.attemptAuthent
>> ication(SecurityContextImpl.java:125)
>> at io.undertow.security.impl.SecurityContextImpl.authTransition
>> (SecurityContextImpl.java:99)
>> at io.undertow.security.impl.SecurityContextImpl.authenticate(S
>> ecurityContextImpl.java:92)
>> at io.undertow.servlet.handlers.security.ServletAuthenticationC
>> allHandler.handleRequest(ServletAuthenticationCallHandler.java:55)
>> at io.undertow.server.handlers.DisableCacheHandler.handleReques
>> t(DisableCacheHandler.java:33)
>> at io.undertow.server.handlers.PredicateHandler.handleRequest(P
>> redicateHandler.java:43)
>> at io.undertow.security.handlers.AuthenticationConstraintHandle
>> r.handleRequest(AuthenticationConstraintHandler.java:53)
>> at io.undertow.security.handlers.AbstractConfidentialityHandler
>> .handleRequest(AbstractConfidentialityHandler.java:46)
>> at io.undertow.servlet.handlers.security.ServletConfidentiality
>> ConstraintHandler.handleRequest(ServletConfidentialityConstr
>> aintHandler.java:64)
>> at io.undertow.servlet.handlers.security.ServletSecurityConstra
>> intHandler.handleRequest(ServletSecurityConstraintHandler.java:59)
>> at io.undertow.security.handlers.AuthenticationMechanismsHandle
>> r.handleRequest(AuthenticationMechanismsHandler.java:60)
>> at io.undertow.servlet.handlers.security.CachedAuthenticatedSes
>> sionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
>> at io.undertow.security.handlers.NotificationReceiverHandler.ha
>> ndleRequest(NotificationReceiverHandler.java:50)
>> at io.undertow.security.handlers.AbstractSecurityContextAssocia
>> tionHandler.handleRequest(AbstractSecurityContextAssociation
>> Handler.java:43)
>> at io.undertow.server.handlers.PredicateHandler.handleRequest(P
>> redicateHandler.java:43)
>> at org.wildfly.extension.undertow.security.jacc.JACCContextIdHa
>> ndler.handleRequest(JACCContextIdHandler.java:61)
>> at io.undertow.server.handlers.PredicateHandler.handleRequest(P
>> redicateHandler.java:43)
>> at org.keycloak.adapters.undertow.ServletPreAuthActionsHandler.
>> handleRequest(ServletPreAuthActionsHandler.java:69)
>> at io.undertow.server.handlers.PredicateHandler.handleRequest(P
>> redicateHandler.java:43)
>> at io.undertow.servlet.handlers.ServletInitialHandler.handleFir
>> stRequest(ServletInitialHandler.java:292)
>> at io.undertow.servlet.handlers.ServletInitialHandler.access$10
>> 0(ServletInitialHandler.java:81)
>> at io.undertow.servlet.handlers.ServletInitialHandler$2.call(Se
>> rvletInitialHandler.java:138)
>> at io.undertow.servlet.handlers.ServletInitialHandler$2.call(Se
>> rvletInitialHandler.java:135)
>> at io.undertow.servlet.core.ServletRequestContextThreadSetupAct
>> ion$1.call(ServletRequestContextThreadSetupAction.java:48)
>> at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.cal
>> l(ContextClassLoaderSetupAction.java:43)
>> at io.undertow.servlet.api.LegacyThreadSetupActionWrapper$1.cal
>> l(LegacyThreadSetupActionWrapper.java:44)
>> at io.undertow.servlet.api.LegacyThreadSetupActionWrapper$1.cal
>> l(LegacyThreadSetupActionWrapper.java:44)
>> at io.undertow.servlet.api.LegacyThreadSetupActionWrapper$1.cal
>> l(LegacyThreadSetupActionWrapper.java:44)
>> at io.undertow.servlet.api.LegacyThreadSetupActionWrapper$1.cal
>> l(LegacyThreadSetupActionWrapper.java:44)
>> at io.undertow.servlet.api.LegacyThreadSetupActionWrapper$1.cal
>> l(LegacyThreadSetupActionWrapper.java:44)
>> at io.undertow.servlet.api.LegacyThreadSetupActionWrapper$1.cal
>> l(LegacyThreadSetupActionWrapper.java:44)
>> at io.undertow.servlet.handlers.ServletInitialHandler.dispatchR
>> equest(ServletInitialHandler.java:272)
>> at io.undertow.servlet.handlers.ServletInitialHandler.access$00
>> 0(ServletInitialHandler.java:81)
>> at io.undertow.servlet.handlers.ServletInitialHandler$1.handleR
>> equest(ServletInitialHandler.java:104)
>> at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)
>> at io.undertow.server.HttpServerExchange$1.run(HttpServerExchan
>> ge.java:805)
>> at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPool
>> Executor.java:1142)
>> at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoo
>> lExecutor.java:617)
>> at java.lang.Thread.run(Thread.java:748)
>> Caused by: java.net.ConnectException: Connection refused (Connection
>> refused)
>> at java.net.PlainSocketImpl.socketConnect(Native Method)
>> at java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSock
>> etImpl.java:350)
>> at java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPl
>> ainSocketImpl.java:206)
>> at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocket
>> Impl.java:188)
>> at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392)
>> at java.net.Socket.connect(Socket.java:589)
>> at org.apache.http.conn.scheme.PlainSocketFactory.connectSocket
>> (PlainSocketFactory.java:117)
>> at org.apache.http.impl.conn.DefaultClientConnectionOperator.op
>> enConnection(DefaultClientConnectionOperator.java:177)
>> at org.apache.http.impl.conn.AbstractPoolEntry.open(AbstractPoo
>> lEntry.java:144)
>> at org.apache.http.impl.conn.AbstractPooledConnAdapter.open(Abs
>> tractPooledConnAdapter.java:131)
>> at org.apache.http.impl.client.DefaultRequestDirector.tryConnec
>> t(DefaultRequestDirector.java:611)
>> at org.apache.http.impl.client.DefaultRequestDirector.execute(D
>> efaultRequestDirector.java:446)
>> at org.apache.http.impl.client.AbstractHttpClient.doExecute(Abs
>> tractHttpClient.java:882)
>> at org.apache.http.impl.client.CloseableHttpClient.execute(Clos
>> eableHttpClient.java:82)
>> at org.apache.http.impl.client.CloseableHttpClient.execute(Clos
>> eableHttpClient.java:107)
>> at org.apache.http.impl.client.CloseableHttpClient.execute(Clos
>> eableHttpClient.java:55)
>> at org.keycloak.adapters.HttpAdapterUtils.sendJsonHttpRequest(H
>> ttpAdapterUtils.java:37)
>> ... 52 more
>> 2017-07-25T13:56:29.452564496Z
>> 13:56:29,454 ERROR [org.keycloak.adapters.rotation.AdapterRSATokenVerifier]
>> (default task-12) Didn't find publicKey for kid:
>> RHESicBPoNCwhBnBLEk_8X4ufj5WyuTo20zbzOo4HfQ
>> 13:56:29,454 ERROR [org.keycloak.adapters.BearerTokenRequestAuthenticator]
>> (default task-12) Failed to verify token:
org.keycloak.common.VerificationException:
>> Didn't find publicKey for specified kid
>> at org.keycloak.adapters.rotation.AdapterRSATokenVerifier.getPu
>> blicKey(AdapterRSATokenVerifier.java:47)
>> at org.keycloak.adapters.rotation.AdapterRSATokenVerifier.verif
>> yToken(AdapterRSATokenVerifier.java:55)
>> at org.keycloak.adapters.rotation.AdapterRSATokenVerifier.verif
>> yToken(AdapterRSATokenVerifier.java:37)
>> at org.keycloak.adapters.BearerTokenRequestAuthenticator.authen
>> ticateToken(BearerTokenRequestAuthenticator.java:87)
>> at org.keycloak.adapters.BearerTokenRequestAuthenticator.authen
>> ticate(BearerTokenRequestAuthenticator.java:82)
>> at org.keycloak.adapters.RequestAuthenticator.authenticate(Requ
>> estAuthenticator.java:68)
>> at org.keycloak.adapters.undertow.AbstractUndertowKeycloakAuthM
>> ech.keycloakAuthenticate(AbstractUndertowKeycloakAuthMech.java:110)
>> at org.keycloak.adapters.undertow.ServletKeycloakAuthMech.authe
>> nticate(ServletKeycloakAuthMech.java:92)
>> at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.
>> transition(SecurityContextImpl.java:245)
>> at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.
>> transition(SecurityContextImpl.java:263)
>> at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.
>> access$100(SecurityContextImpl.java:231)
>> at io.undertow.security.impl.SecurityContextImpl.attemptAuthent
>> ication(SecurityContextImpl.java:125)
>> at io.undertow.security.impl.SecurityContextImpl.authTransition
>> (SecurityContextImpl.java:99)
>> at io.undertow.security.impl.SecurityContextImpl.authenticate(S
>> ecurityContextImpl.java:92)
>> at io.undertow.servlet.handlers.security.ServletAuthenticationC
>> allHandler.handleRequest(ServletAuthenticationCallHandler.java:55)
>> at io.undertow.server.handlers.DisableCacheHandler.handleReques
>> t(DisableCacheHandler.java:33)
>> at io.undertow.server.handlers.PredicateHandler.handleRequest(P
>> redicateHandler.java:43)
>> at io.undertow.security.handlers.AuthenticationConstraintHandle
>> r.handleRequest(AuthenticationConstraintHandler.java:53)
>> at io.undertow.security.handlers.AbstractConfidentialityHandler
>> .handleRequest(AbstractConfidentialityHandler.java:46)
>> at io.undertow.servlet.handlers.security.ServletConfidentiality
>> ConstraintHandler.handleRequest(ServletConfidentialityConstr
>> aintHandler.java:64)
>> at io.undertow.servlet.handlers.security.ServletSecurityConstra
>> intHandler.handleRequest(ServletSecurityConstraintHandler.java:59)
>> at io.undertow.security.handlers.AuthenticationMechanismsHandle
>> r.handleRequest(AuthenticationMechanismsHandler.java:60)
>> at io.undertow.servlet.handlers.security.CachedAuthenticatedSes
>> sionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
>> at io.undertow.security.handlers.NotificationReceiverHandler.ha
>> ndleRequest(NotificationReceiverHandler.java:50)
>> at io.undertow.security.handlers.AbstractSecurityContextAssocia
>> tionHandler.handleRequest(AbstractSecurityContextAssociation
>> Handler.java:43)
>> at io.undertow.server.handlers.PredicateHandler.handleRequest(P
>> redicateHandler.java:43)
>> at org.wildfly.extension.undertow.security.jacc.JACCContextIdHa
>> ndler.handleRequest(JACCContextIdHandler.java:61)
>> at io.undertow.server.handlers.PredicateHandler.handleRequest(P
>> redicateHandler.java:43)
>> at org.keycloak.adapters.undertow.ServletPreAuthActionsHandler.
>> handleRequest(ServletPreAuthActionsHandler.java:69)
>> at io.undertow.server.handlers.PredicateHandler.handleRequest(P
>> redicateHandler.java:43)
>> at io.undertow.servlet.handlers.ServletInitialHandler.handleFir
>> stRequest(ServletInitialHandler.java:292)
>> at io.undertow.servlet.handlers.ServletInitialHandler.access$10
>> 0(ServletInitialHandler.java:81)
>> at io.undertow.servlet.handlers.ServletInitialHandler$2.call(Se
>> rvletInitialHandler.java:138)
>> at io.undertow.servlet.handlers.ServletInitialHandler$2.call(Se
>> rvletInitialHandler.java:135)
>> at io.undertow.servlet.core.ServletRequestContextThreadSetupAct
>> ion$1.call(ServletRequestContextThreadSetupAction.java:48)
>> at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.cal
>> l(ContextClassLoaderSetupAction.java:43)
>> at io.undertow.servlet.api.LegacyThreadSetupActionWrapper$1.cal
>> l(LegacyThreadSetupActionWrapper.java:44)
>> at io.undertow.servlet.api.LegacyThreadSetupActionWrapper$1.cal
>> l(LegacyThreadSetupActionWrapper.java:44)
>> at io.undertow.servlet.api.LegacyThreadSetupActionWrapper$1.cal
>> l(LegacyThreadSetupActionWrapper.java:44)
>> at io.undertow.servlet.api.LegacyThreadSetupActionWrapper$1.cal
>> l(LegacyThreadSetupActionWrapper.java:44)
>> at io.undertow.servlet.api.LegacyThreadSetupActionWrapper$1.cal
>> l(LegacyThreadSetupActionWrapper.java:44)
>> at io.undertow.servlet.api.LegacyThreadSetupActionWrapper$1.cal
>> l(LegacyThreadSetupActionWrapper.java:44)
>> at io.undertow.servlet.handlers.ServletInitialHandler.dispatchR
>> equest(ServletInitialHandler.java:272)
>> at io.undertow.servlet.handlers.ServletInitialHandler.access$00
>> 0(ServletInitialHandler.java:81)
>> at io.undertow.servlet.handlers.ServletInitialHandler$1.handleR
>> equest(ServletInitialHandler.java:104)
>> at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)
>> at io.undertow.server.HttpServerExchange$1.run(HttpServerExchan
>> ge.java:805)
>> at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPool
>> Executor.java:1142)
>> at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoo
>> lExecutor.java:617)
>> at java.lang.Thread.run(Thread.java:748)
>>
>> Is there a way to enhance the log level at the client ( i mean keycloak
>> adapter ) , to see if it is a http connection issue or something else ??
>>
>> Thanks,
>> Rajesh
>>
>> On Tue, Jul 25, 2017 at 7:36 PM, Rajesh Ghosh <ghosh.rajesh(a)gmail.com>
>> wrote:
>>
>>> Here is the response from curl ---
>>>
>>> $ curl -v http://192.168.99.100:8080/OlpUIFwk2-1.0-SNAPSHOT/services/s
>>> ec/rest/us
>>> erservice/users -H "Authorization: Bearer $KEY"
>>> * Trying 192.168.99.100...
>>> * Connected to 192.168.99.100 (192.168.99.100) port 8080 (#0)
>>> > GET /OlpUIFwk2-1.0-SNAPSHOT/services/sec/rest/userservice/users
>>> HTTP/1.1
>>> > Host: 192.168.99.100:8080
>>> > User-Agent: curl/7.50.1
>>> > Accept: */*
>>> > Authorization: Bearer eyJhbGciOiJSUzI1NiIsInR5cCIgOi
>>> AiSldUIiwia2lkIiA6ICJSSEV
>>> TaWNCUG9OQ3doQm5CTEVrXzhYNHVmajVXeXVUbzIwemJ6T280SGZRIn0.eyJ
>>> qdGkiOiJkNmY2MmM5YS1
>>> hNjAwLTQ4ZmQtYmI3Ny0wMTI1NDQ0YmIzNWMiLCJleHAiOjE1MDA5OTAyNDg
>>> sIm5iZiI6MCwiaWF0Ijo
>>> xNTAwOTg5OTQ4LCJpc3MiOiJodHRwOi8vMTkyLjE2OC45OS4xMDA6MzAwMDE
>>> vYXV0aC9yZWFsbXMvYmt
>>> vZmMiLCJhdWQiOiJia29mYy13ZWIiLCJzdWIiOiIwYTA5MTQ0OC0wNjAyLTQ
>>> 2YmMtOWU4MS05MjE1Zjg
>>> zYjVjOTgiLCJ0eXAiOiJCZWFyZXIiLCJhenAiOiJia29mYy13ZWIiLCJhdXR
>>> oX3RpbWUiOjAsInNlc3N
>>> pb25fc3RhdGUiOiIzMjMxZjQ2Zi0yMjliLTQyZDMtYTQxOS0wODlhMjEzOTZ
>>> lNjciLCJhY3IiOiIxIiw
>>> iY2xpZW50X3Nlc3Npb24iOiI5MjFjYzM2MC03ZTkyLTQ1ZDQtYjdmNy0xNWF
>>> kYTY2NmE4Y2EiLCJhbGx
>>> vd2VkLW9yaWdpbnMiOlsiaHR0cDovLzE5Mi4xNjguOTkuMTAwOjgwODAvIl0
>>> sInJlYWxtX2FjY2VzcyI
>>> 6eyJyb2xlcyI6WyJ1bWFfYXV0aG9yaXphdGlvbiIsInVzZXIiXX0sInJlc29
>>> 1cmNlX2FjY2VzcyI6eyJ
>>> yZWFsbS1tYW5hZ2VtZW50Ijp7InJvbGVzIjpbInZpZXctcmVhbG0iLCJ2aWV
>>> 3LWlkZW50aXR5LXByb3Z
>>> pZGVycyIsIm1hbmFnZS1pZGVudGl0eS1wcm92aWRlcnMiLCJpbXBlcnNvbmF
>>> 0aW9uIiwicmVhbG0tYWR
>>> taW4iLCJjcmVhdGUtY2xpZW50IiwibWFuYWdlLXVzZXJzIiwidmlldy1hdXR
>>> ob3JpemF0aW9uIiwibWF
>>> uYWdlLWV2ZW50cyIsIm1hbmFnZS1yZWFsbSIsInZpZXctZXZlbnRzIiwidml
>>> ldy11c2VycyIsInZpZXc
>>> tY2xpZW50cyIsIm1hbmFnZS1hdXRob3JpemF0aW9uIiwibWFuYWdlLWNsaWV
>>> udHMiXX0sImFjY291bnQ
>>> iOnsicm9sZXMiOlsibWFuYWdlLWFjY291bnQiLCJtYW5hZ2UtYWNjb3VudC1
>>> saW5rcyIsInZpZXctcHJ
>>> vZmlsZSJdfX0sIm5hbWUiOiIiLCJwcmVmZXJyZWRfdXNlcm5hbWUiOiJzdXB
>>> lcmFkbWluIiwiZW1haWw
>>> iOiJ0cmlsaWEudGVjaEBnbWFpbC5jb20ifQ.JCGcaQ-8yYhoOT_DfHvNa5Hv
>>> G3x5WBI3ZcC4WEcBA3NU
>>> L-mQdUhU1aEK9G5VulcRbMeYp9f_rFnFip-N9g3JwPGhR6ozgwdXlI09JAjM
>>> 6zLk7cy0UKig5ghHX1-g
>>> Xb5EHChzhmGI_xtV77t9dcKBjW4V3f7eFwDmCMyWj8bqyoFMDTIp_Gz67Wt1
>>> iUXAaCZ5fIdXs3epdG82
>>> NhJrjQsIKiYGzUg9JY2Dkvg_tHGHESN85KsW2TNj8Jd0CuS-cF0rOqx82poh
>>> W6RQMAZmGyMVofsxH_uR
>>> rEbvpmI_ofkAUF6qCuLDD7idZC_j1ARXH-EOWxHgnSEDXc6SF2aAegmCpw
>>> >
>>> < HTTP/1.1 401 Unauthorized
>>> < Expires: 0
>>> < Cache-Control: no-cache, no-store, must-revalidate
>>> < X-Powered-By: Undertow/1
>>> < Server: WildFly/10
>>> < Pragma: no-cache
>>> < Date: Tue, 25 Jul 2017 14:04:31 GMT
>>> < Connection: keep-alive
>>> < WWW-Authenticate: Bearer realm="bkofc",
error="invalid_token",
>>> error_description="Didn't find publicKey for specified kid"
>>> < Content-Type: text/html;charset=UTF-8
>>> < Content-Length: 71
>>> <
>>> * Connection #0 to host 192.168.99.100 left intact
>>>
<html><head><title>Error</title></head><body>Unauthorized</b
>>> ody></html>$
>>> $
>>>
>>> Thanks,
>>> Rajesh
>>>
>>> On Tue, Jul 25, 2017 at 7:30 PM, Rajesh Ghosh <ghosh.rajesh(a)gmail.com>
>>> wrote:
>>>
>>>> Sure. I was using postman to invoke the service. This is the command
>>>> used by postman --
>>>>
>>>> ------------------------------------------------------------
>>>> ------------
>>>>
>>>> GET /OlpUIFwk2-1.0-SNAPSHOT/services/sec/rest/userservice/users
>>>> HTTP/1.1
>>>> Host: 192.168.99.100:8080
>>>> Authorization: Bearer eyJhbGciOiJSUzI1NiIsInR5cCIgO
>>>> iAiSldUIiwia2lkIiA6ICJSSEVTaWNCUG9OQ3doQm5CTEVrXzhYNHVmajVXe
>>>> XVUbzIwemJ6T280SGZRIn0.eyJqdGkiOiJkNmY2MmM5YS1hNjAwLTQ4ZmQtY
>>>> mI3Ny0wMTI1NDQ0YmIzNWMiLCJleHAiOjE1MDA5OTAyNDgsIm5iZiI6MCwia
>>>> WF0IjoxNTAwOTg5OTQ4LCJpc3MiOiJodHRwOi8vMTkyLjE2OC45OS4xMDA6M
>>>> zAwMDEvYXV0aC9yZWFsbXMvYmtvZmMiLCJhdWQiOiJia29mYy13ZWIiLCJzd
>>>> WIiOiIwYTA5MTQ0OC0wNjAyLTQ2YmMtOWU4MS05MjE1ZjgzYjVjOTgiLCJ0e
>>>> XAiOiJCZWFyZXIiLCJhenAiOiJia29mYy13ZWIiLCJhdXRoX3RpbWUiOjAsI
>>>> nNlc3Npb25fc3RhdGUiOiIzMjMxZjQ2Zi0yMjliLTQyZDMtYTQxOS0wODlhM
>>>> jEzOTZlNjciLCJhY3IiOiIxIiwiY2xpZW50X3Nlc3Npb24iOiI5MjFjYzM2M
>>>> C03ZTkyLTQ1ZDQtYjdmNy0xNWFkYTY2NmE4Y2EiLCJhbGxvd2VkLW9yaWdpb
>>>> nMiOlsiaHR0cDovLzE5Mi4xNjguOTkuMTAwOjgwODAvIl0sInJlYWxtX2FjY
>>>> 2VzcyI6eyJyb2xlcyI6WyJ1bWFfYXV0aG9yaXphdGlvbiIsInVzZXIiXX0sI
>>>> nJlc291cmNlX2FjY2VzcyI6eyJyZWFsbS1tYW5hZ2VtZW50Ijp7InJvbGVzI
>>>> jpbInZpZXctcmVhbG0iLCJ2aWV3LWlkZW50aXR5LXByb3ZpZGVycyIsIm1hb
>>>> mFnZS1pZGVudGl0eS1wcm92aWRlcnMiLCJpbXBlcnNvbmF0aW9uIiwicmVhb
>>>> G0tYWRtaW4iLCJjcmVhdGUtY2xpZW50IiwibWFuYWdlLXVzZXJzIiwidmlld
>>>> y1hdXRob3JpemF0aW9uIiwibWFuYWdlLWV2ZW50cyIsIm1hbmFnZS1yZWFsb
>>>> SIsInZpZXctZXZlbnRzIiwidmlldy11c2VycyIsInZpZXctY2xpZW50cyIsI
>>>> m1hbmFnZS1hdXRob3JpemF0aW9uIiwibWFuYWdlLWNsaWVudHMiXX0sImFjY
>>>> 291bnQiOnsicm9sZXMiOlsibWFuYWdlLWFjY291bnQiLCJtYW5hZ2UtYWNjb
>>>> 3VudC1saW5rcyIsInZpZXctcHJvZmlsZSJdfX0sIm5hbWUiOiIiLCJwcmVmZ
>>>> XJyZWRfdXNlcm5hbWUiOiJzdXBlcmFkbWluIiwiZW1haWwiOiJ0cmlsaWEud
>>>> GVjaEBnbWFpbC5jb20ifQ.JCGcaQ-8yYhoOT_DfHvNa5HvG3x5WBI3ZcC4WE
>>>> cBA3NUL-mQdUhU1aEK9G5VulcRbMeYp9f_rFnFip-N9g3JwPGhR6ozgwdXlI
>>>> 09JAjM6zLk7cy0UKig5ghHX1-gXb5EHChzhmGI_xtV77t9dcKBjW4V3f7eFw
>>>> DmCMyWj8bqyoFMDTIp_Gz67Wt1iUXAaCZ5fIdXs3epdG82NhJrjQsIKiYGzU
>>>> g9JY2Dkvg_tHGHESN85KsW2TNj8Jd0CuS-cF0rOqx82pohW6RQMAZmGyMVof
>>>> sxH_uRrEbvpmI_ofkAUF6qCuLDD7idZC_j1ARXH-EOWxHgnSEDXc6SF2aAegmCpw
>>>> Cache-Control: no-cache
>>>> Postman-Token: d378eefe-82c8-9c3d-0140-ef56c62f9b97
>>>>
>>>>
>>>> ------------------------------------------------------------
>>>> ---------------
>>>>
>>>> The "userservice" is my own service for other attributes of
users. I
>>>> also made sure that the service executes without the security.
>>>>
>>>> Thanks,
>>>> Rajesh
>>>>
>>>>
>>>> On Tue, Jul 25, 2017 at 7:24 PM, Sebastien Blanc
<sblanc(a)redhat.com>
>>>> wrote:
>>>>
>>>>> Okay, to have the complete picture could paste the command you issue
>>>>> to call your REST service ?
>>>>>
>>>>>
>>>>> On Tue, Jul 25, 2017 at 3:50 PM, Rajesh Ghosh
<ghosh.rajesh(a)gmail.com
>>>>> > wrote:
>>>>>
>>>>>> Sebastien,
>>>>>>
>>>>>> Here is a token response -
>>>>>>
>>>>>> {
>>>>>> "access_token": "eyJhbGciOiJSUzI1NiIsInR5cCIgO
>>>>>> iAiSldUIiwia2lkIiA6ICJSSEVTaWNCUG9OQ3doQm5CTEVrXzhYNHVmajVXe
>>>>>> XVUbzIwemJ6T280SGZRIn0.eyJqdGkiOiJkNmY2MmM5YS1hNjAwLTQ4ZmQtY
>>>>>> mI3Ny0wMTI1NDQ0YmIzNWMiLCJleHAiOjE1MDA5OTAyNDgsIm5iZiI6MCwia
>>>>>> WF0IjoxNTAwOTg5OTQ4LCJpc3MiOiJodHRwOi8vMTkyLjE2OC45OS4xMDA6M
>>>>>> zAwMDEvYXV0aC9yZWFsbXMvYmtvZmMiLCJhdWQiOiJia29mYy13ZWIiLCJzd
>>>>>> WIiOiIwYTA5MTQ0OC0wNjAyLTQ2YmMtOWU4MS05MjE1ZjgzYjVjOTgiLCJ0e
>>>>>> XAiOiJCZWFyZXIiLCJhenAiOiJia29mYy13ZWIiLCJhdXRoX3RpbWUiOjAsI
>>>>>> nNlc3Npb25fc3RhdGUiOiIzMjMxZjQ2Zi0yMjliLTQyZDMtYTQxOS0wODlhM
>>>>>> jEzOTZlNjciLCJhY3IiOiIxIiwiY2xpZW50X3Nlc3Npb24iOiI5MjFjYzM2M
>>>>>> C03ZTkyLTQ1ZDQtYjdmNy0xNWFkYTY2NmE4Y2EiLCJhbGxvd2VkLW9yaWdpb
>>>>>> nMiOlsiaHR0cDovLzE5Mi4xNjguOTkuMTAwOjgwODAvIl0sInJlYWxtX2FjY
>>>>>> 2VzcyI6eyJyb2xlcyI6WyJ1bWFfYXV0aG9yaXphdGlvbiIsInVzZXIiXX0sI
>>>>>> nJlc291cmNlX2FjY2VzcyI6eyJyZWFsbS1tYW5hZ2VtZW50Ijp7InJvbGVzI
>>>>>> jpbInZpZXctcmVhbG0iLCJ2aWV3LWlkZW50aXR5LXByb3ZpZGVycyIsIm1hb
>>>>>> mFnZS1pZGVudGl0eS1wcm92aWRlcnMiLCJpbXBlcnNvbmF0aW9uIiwicmVhb
>>>>>> G0tYWRtaW4iLCJjcmVhdGUtY2xpZW50IiwibWFuYWdlLXVzZXJzIiwidmlld
>>>>>> y1hdXRob3JpemF0aW9uIiwibWFuYWdlLWV2ZW50cyIsIm1hbmFnZS1yZWFsb
>>>>>> SIsInZpZXctZXZlbnRzIiwidmlldy11c2VycyIsInZpZXctY2xpZW50cyIsI
>>>>>> m1hbmFnZS1hdXRob3JpemF0aW9uIiwibWFuYWdlLWNsaWVudHMiXX0sImFjY
>>>>>> 291bnQiOnsicm9sZXMiOlsibWFuYWdlLWFjY291bnQiLCJtYW5hZ2UtYWNjb
>>>>>> 3VudC1saW5rcyIsInZpZXctcHJvZmlsZSJdfX0sIm5hbWUiOiIiLCJwcmVmZ
>>>>>> XJyZWRfdXNlcm5hbWUiOiJzdXBlcmFkbWluIiwiZW1haWwiOiJ0cmlsaWEud
>>>>>> GVjaEBnbWFpbC5jb20ifQ.JCGcaQ-8yYhoOT_DfHvNa5HvG3x5WBI3ZcC4WE
>>>>>> cBA3NUL-mQdUhU1aEK9G5VulcRbMeYp9f_rFnFip-N9g3JwPGhR6ozgwdXlI
>>>>>> 09JAjM6zLk7cy0UKig5ghHX1-gXb5EHChzhmGI_xtV77t9dcKBjW4V3f7eFw
>>>>>> DmCMyWj8bqyoFMDTIp_Gz67Wt1iUXAaCZ5fIdXs3epdG82NhJrjQsIKiYGzU
>>>>>> g9JY2Dkvg_tHGHESN85KsW2TNj8Jd0CuS-cF0rOqx82pohW6RQMAZmGyMVof
>>>>>>
sxH_uRrEbvpmI_ofkAUF6qCuLDD7idZC_j1ARXH-EOWxHgnSEDXc6SF2aAegmCpw",
>>>>>> "expires_in": 300,
>>>>>> "refresh_expires_in": 1800,
>>>>>> "refresh_token": "eyJhbGciOiJSUzI1NiIsInR5cCIgO
>>>>>> iAiSldUIiwia2lkIiA6ICJSSEVTaWNCUG9OQ3doQm5CTEVrXzhYNHVmajVXe
>>>>>> XVUbzIwemJ6T280SGZRIn0.eyJqdGkiOiIyYzE4ZjkxYi0yMDljLTQwY2ItY
>>>>>> TE5OS02NGIwZTEyYjRkOGIiLCJleHAiOjE1MDA5OTE3NDgsIm5iZiI6MCwia
>>>>>> WF0IjoxNTAwOTg5OTQ4LCJpc3MiOiJodHRwOi8vMTkyLjE2OC45OS4xMDA6M
>>>>>> zAwMDEvYXV0aC9yZWFsbXMvYmtvZmMiLCJhdWQiOiJia29mYy13ZWIiLCJzd
>>>>>> WIiOiIwYTA5MTQ0OC0wNjAyLTQ2YmMtOWU4MS05MjE1ZjgzYjVjOTgiLCJ0e
>>>>>> XAiOiJSZWZyZXNoIiwiYXpwIjoiYmtvZmMtd2ViIiwiYXV0aF90aW1lIjowL
>>>>>> CJzZXNzaW9uX3N0YXRlIjoiMzIzMWY0NmYtMjI5Yi00MmQzLWE0MTktMDg5Y
>>>>>> TIxMzk2ZTY3IiwiY2xpZW50X3Nlc3Npb24iOiI5MjFjYzM2MC03ZTkyLTQ1Z
>>>>>> DQtYjdmNy0xNWFkYTY2NmE4Y2EiLCJyZWFsbV9hY2Nlc3MiOnsicm9sZXMiO
>>>>>> lsidW1hX2F1dGhvcml6YXRpb24iLCJ1c2VyIl19LCJyZXNvdXJjZV9hY2Nlc
>>>>>> 3MiOnsicmVhbG0tbWFuYWdlbWVudCI6eyJyb2xlcyI6WyJ2aWV3LXJlYWxtI
>>>>>> iwidmlldy1pZGVudGl0eS1wcm92aWRlcnMiLCJtYW5hZ2UtaWRlbnRpdHktc
>>>>>> HJvdmlkZXJzIiwiaW1wZXJzb25hdGlvbiIsInJlYWxtLWFkbWluIiwiY3JlY
>>>>>> XRlLWNsaWVudCIsIm1hbmFnZS11c2VycyIsInZpZXctYXV0aG9yaXphdGlvb
>>>>>> iIsIm1hbmFnZS1ldmVudHMiLCJtYW5hZ2UtcmVhbG0iLCJ2aWV3LWV2ZW50c
>>>>>> yIsInZpZXctdXNlcnMiLCJ2aWV3LWNsaWVudHMiLCJtYW5hZ2UtYXV0aG9ya
>>>>>> XphdGlvbiIsIm1hbmFnZS1jbGllbnRzIl19LCJhY2NvdW50Ijp7InJvbGVzI
>>>>>> jpbIm1hbmFnZS1hY2NvdW50IiwibWFuYWdlLWFjY291bnQtbGlua3MiLCJ2a
>>>>>> WV3LXByb2ZpbGUiXX19fQ.Uz0rqNlj09T_SdnfZK9ZxBcJ5EIEwwHCN5VwKI
>>>>>> hIF6Ua32fDlf1UvZSoZTmr5jiHeiwpp4JALWGTXsda4p-PlzMvwmMN5Qp46-
>>>>>> EXGJQkqH4NNqZ1W_1mRGySYokQCSkmdvAZPFGrqxpeb1seuKgaaiXXMsrvai
>>>>>> ucFCa8H599Ox6QRE3MkoLmm8w7_08kPG1_JjXIviHtwoWgsb0zCcMPyHRdCv
>>>>>> _rs6FIoTQiCRZ2joaXSvIsmVAkchgZbeB-_RSWzlk3_oaOCQw7OWZJRqnAdG
>>>>>>
gDnL5jCCRLTVFnPo9TqKrt88h3fKkVuNuI8Y06sZ1If8wgSWRDRLUf0X8sampLww",
>>>>>> "token_type": "bearer",
>>>>>> "id_token": "eyJhbGciOiJSUzI1NiIsInR5cCIgO
>>>>>> iAiSldUIiwia2lkIiA6ICJSSEVTaWNCUG9OQ3doQm5CTEVrXzhYNHVmajVXe
>>>>>> XVUbzIwemJ6T280SGZRIn0.eyJqdGkiOiI2ZDJkNWMxNS01YmE3LTRhNTgtO
>>>>>> TJkNC0wNGU0NTkyMjNkNGYiLCJleHAiOjE1MDA5OTAyNDgsIm5iZiI6MCwia
>>>>>> WF0IjoxNTAwOTg5OTQ4LCJpc3MiOiJodHRwOi8vMTkyLjE2OC45OS4xMDA6M
>>>>>> zAwMDEvYXV0aC9yZWFsbXMvYmtvZmMiLCJhdWQiOiJia29mYy13ZWIiLCJzd
>>>>>> WIiOiIwYTA5MTQ0OC0wNjAyLTQ2YmMtOWU4MS05MjE1ZjgzYjVjOTgiLCJ0e
>>>>>> XAiOiJJRCIsImF6cCI6ImJrb2ZjLXdlYiIsImF1dGhfdGltZSI6MCwic2Vzc
>>>>>> 2lvbl9zdGF0ZSI6IjMyMzFmNDZmLTIyOWItNDJkMy1hNDE5LTA4OWEyMTM5N
>>>>>> mU2NyIsImFjciI6IjEiLCJuYW1lIjoiIiwicHJlZmVycmVkX3VzZXJuYW1lI
>>>>>> joic3VwZXJhZG1pbiIsImVtYWlsIjoidHJpbGlhLnRlY2hAZ21haWwuY29tI
>>>>>> n0.eFVxG7MImPS4yCEiLOzhvZ5M_XjRWuHJlt_T4r3djak7sH_XOXUmHAuih
>>>>>> xXrm7HLv8DU3OzHpN3FinOWufOdTCv9Ywww0DRq4ha1M7dodqMuv1H5d3XVB
>>>>>> n_kuHK68zWRI3t9WI4ZNeaEU0whLSnBqcbJ54dQrBloUPS4bpYG-BqfSNYs6
>>>>>> bG8cyJHQ4_FRpAi3X9qWOCwaPrZ5Z_vQfNbYcgIfON_puN8QfRxihg90KQYO
>>>>>> p4lJpU5JqeaVmYp9eOYTb5iQzOuLWDXenyIBmvT_K84HZKh8t5eWsqH01st-
>>>>>> Ls7uJcNAUM9PXRM7JswCjhouuQGBM6dn5iICoL00acuxg",
>>>>>> "not-before-policy": 0,
>>>>>> "session_state":
"3231f46f-229b-42d3-a419-089a21396e67"
>>>>>> }
>>>>>>
>>>>>>
>>>>>> I checked it in jwt.io . The kid is same as the
"rsa-generated"
>>>>>> one, shown in the screen shot I shared yesterday. Although jwt
complained
>>>>>> as "Invalid Signature" .
>>>>>>
>>>>>>
>>>>>> Thomas, the connectivity should not be an issue as I am able to
get
>>>>>> the access token from my app wildfly server using curl. So
keycloak is
>>>>>> reachable from my wildfly server. Anything specific you did to
resolve your
>>>>>> issue ?
>>>>>>
>>>>>> Regards,
>>>>>> Rajesh
>>>>>>
>>>>>> On Tue, Jul 25, 2017 at 11:12 AM, Sebastien Blanc
<sblanc(a)redhat.com
>>>>>> > wrote:
>>>>>>
>>>>>>> This looks all correct. Could you try paste your access token
or
>>>>>>> even check it your self on jwt.io to see if the kid is
present ?
>>>>>>>
>>>>>>>
>>>>>>> On Mon, Jul 24, 2017 at 6:47 PM, Rajesh Ghosh <
>>>>>>> ghosh.rajesh(a)gmail.com> wrote:
>>>>>>>
>>>>>>>> Sebastien,
>>>>>>>>
>>>>>>>> I am attaching a pdf containing the screen shots. Few
more points
>>>>>>>> I wanted to mention.
>>>>>>>>
>>>>>>>> i) I didn't install the public client --
"bkofc-web" in the
>>>>>>>> wildfly container which hosts my REST services. I did it
for "bkofc-svc"
>>>>>>>> client which is bearer only. I hope that is the correct
approach.
>>>>>>>> ii) Both keycloak and my application are running on
docker
>>>>>>>> containers locally in my laptop.
>>>>>>>>
>>>>>>>> Let me know if you need anything else to analyze.
>>>>>>>>
>>>>>>>> Thanks,
>>>>>>>> Rajesh
>>>>>>>>
>>>>>>>>
>>>>>>>> On Mon, Jul 24, 2017 at 9:13 PM, Sebastien Blanc <
>>>>>>>> sblanc(a)redhat.com> wrote:
>>>>>>>>
>>>>>>>>> yes please
>>>>>>>>>
>>>>>>>>> On Mon, Jul 24, 2017 at 4:54 PM, Rajesh Ghosh <
>>>>>>>>> ghosh.rajesh(a)gmail.com> wrote:
>>>>>>>>>
>>>>>>>>>> Yes definitely. I did replace it with the actual
war name. Let
>>>>>>>>>> me know if you would like me to paste screen
shots of realm configurations,
>>>>>>>>>> client configurations.
>>>>>>>>>>
>>>>>>>>>> Thanks,
>>>>>>>>>> Rajesh
>>>>>>>>>>
>>>>>>>>>> On Mon, Jul 24, 2017 at 8:12 PM, Sebastien Blanc
<
>>>>>>>>>> sblanc(a)redhat.com> wrote:
>>>>>>>>>>
>>>>>>>>>>> Ok and for :
>>>>>>>>>>> <secure-deployment name="my war
file.war">
>>>>>>>>>>>
>>>>>>>>>>> Did you replace that with the actual name of
your war file ?
>>>>>>>>>>>
>>>>>>>>>>> On Mon, Jul 24, 2017 at 4:35 PM, Rajesh Ghosh
<
>>>>>>>>>>> ghosh.rajesh(a)gmail.com> wrote:
>>>>>>>>>>>
>>>>>>>>>>>> Hello Sebastien,
>>>>>>>>>>>>
>>>>>>>>>>>> I am using 3.1.0.Final build.
>>>>>>>>>>>>
>>>>>>>>>>>> Thanks,
>>>>>>>>>>>> Rajesh
>>>>>>>>>>>>
>>>>>>>>>>>> On Mon, Jul 24, 2017 at 7:56 PM,
Sebastien Blanc <
>>>>>>>>>>>> sblanc(a)redhat.com> wrote:
>>>>>>>>>>>>
>>>>>>>>>>>>> Which version of Keycloak are you
using ?
>>>>>>>>>>>>>
>>>>>>>>>>>>> On Mon, Jul 24, 2017 at 3:15 PM,
Rajesh Ghosh <
>>>>>>>>>>>>> ghosh.rajesh(a)gmail.com> wrote:
>>>>>>>>>>>>>
>>>>>>>>>>>>>> Hi,
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> I am trying to secure my REST
services using the method
>>>>>>>>>>>>>> described in the
>>>>>>>>>>>>>> document --
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
http://blog.keycloak.org/2015/10/getting-started-with-keyclo
>>>>>>>>>>>>>> ak-securing.html
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> I am securing my war using JBoss
subsystem , instead of
>>>>>>>>>>>>>> per-war option. The
>>>>>>>>>>>>>> relevant sections from my
standalone.xml are posted below.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> <extensions>
>>>>>>>>>>>>>> ......
>>>>>>>>>>>>>> <extension
module="org.keycloak.keycloak-
>>>>>>>>>>>>>> adapter-subsystem"/>
>>>>>>>>>>>>>> </extensions>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
<security-domains>
>>>>>>>>>>>>>> .....
>>>>>>>>>>>>>>
<security-domain name="keycloak">
>>>>>>>>>>>>>>
<authentication>
>>>>>>>>>>>>>>
<login-module
>>>>>>>>>>>>>>
code="org.keycloak.adapters.jboss.KeycloakLoginModule"
>>>>>>>>>>>>>> flag="required"/>
>>>>>>>>>>>>>>
</authentication>
>>>>>>>>>>>>>>
</security-domain>
>>>>>>>>>>>>>>
</security-domains>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> <subsystem
xmlns="urn:jboss:domain:keycloak:1.1">
>>>>>>>>>>>>>> <secure-deployment
name="my war file.war">
>>>>>>>>>>>>>>
<realm>bkofc</realm>
>>>>>>>>>>>>>>
<resource>bkofc-svc</resource>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
<use-resource-role-mappings>true</use-resource-role-mappings
>>>>>>>>>>>>>> >
>>>>>>>>>>>>>>
<bearer-only>true</bearer-only>
>>>>>>>>>>>>>>
<auth-server-url>http://192.16
>>>>>>>>>>>>>> 8.99.100/30001/auth
>>>>>>>>>>>>>> </auth-server-url>
>>>>>>>>>>>>>>
<ssl-required>none</ssl-required>
>>>>>>>>>>>>>> <credential
>>>>>>>>>>>>>>
name="secret">9bcc6d9f-9c72-4b58-b297-79f0f207d9e1</credenti
>>>>>>>>>>>>>> al>
>>>>>>>>>>>>>>
</secure-deployment>
>>>>>>>>>>>>>> </subsystem>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> I am able to obtain the access
token.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> curl -i curl --data
>>>>>>>>>>>>>>
"grant_type=password&client_id=bkofc-web&username=user&passw
>>>>>>>>>>>>>> ord=password"
>>>>>>>>>>>>>>
http://192.168.99.100:30001/auth/realms/bkofc/protocol/openi
>>>>>>>>>>>>>> d-connect/token
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Note:- I have created 2 clients
-- i) bkofc-svc which is
>>>>>>>>>>>>>> bearer only, for
>>>>>>>>>>>>>> my REST services ii) bkofc-web ,
a public client to
>>>>>>>>>>>>>> simulate UI login
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> However when I try to use the
access token to invoke a
>>>>>>>>>>>>>> service, I am
>>>>>>>>>>>>>> getting the error -
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Status: 401
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> WWW-Authenticate Bearer
realm="bkofc", error="invalid_token",
>>>>>>>>>>>>>>
error_description="Didn't find publicKey for specified kid"
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Please let me know if I am
missing something here. I have
>>>>>>>>>>>>>> been breaking my
>>>>>>>>>>>>>> head last few days without any
luck ! I have also tried
>>>>>>>>>>>>>> rotating the realm
>>>>>>>>>>>>>> keys.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Thanks,
>>>>>>>>>>>>>> Rajesh
>>>>>>>>>>>>>>
_______________________________________________
>>>>>>>>>>>>>> keycloak-user mailing list
>>>>>>>>>>>>>> keycloak-user(a)lists.jboss.org
>>>>>>>>>>>>>>
https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>
>>>>>
>>>>
>>>
>>
>
10:09 a.m.
Sebastien,
I could get past the 401 error after rectifying the url issue. However I am
hitting 403 - Unauthorized exception now and there is no exception in log.
Still investigating. But thanks for your support on the original issue.
@Thomas Recloux , thank you for the tips as well.
Regards,
Rajesh
On Tue, Jul 25, 2017 at 7:48 PM, Rajesh Ghosh <ghosh.rajesh(a)gmail.com>
wrote:
OMG ! That was stupid ! Let me rectify that and try again.
Thanks so much for pointing out.
Regards,
Rajesh
On Tue, Jul 25, 2017 at 7:47 PM, Sebastien Blanc <sblanc(a)redhat.com>
wrote:
> Oh I think I found it : <auth-server-url>http://192.168.99.100/30001/auth
> </auth-server-url>
> You have a typo there , shouldn't it be http://192.168.99.100:30001/auth
> <http://192.168.99.100:30001/auth/realms/bkofc/protocol/openid-connect/tok...
> , notice the ":" instead of "/"
>
> On Tue, Jul 25, 2017 at 4:14 PM, Sebastien Blanc <sblanc(a)redhat.com>
> wrote:
>
>> Oh you were faster than me on this one ;) , well you can change the log
>> level of you app in the standalone.xml
>>
>> On Tue, Jul 25, 2017 at 4:12 PM, Rajesh Ghosh <ghosh.rajesh(a)gmail.com>
>> wrote:
>>
>>> Hello Sebastien,
>>>
>>> I was looking at the logs of my app wildfly server , as suggested by
>>> another user Thomas . Here is a relevant exception stack which I see.
>>>
>>> 13:56:29,450 ERROR [org.keycloak.adapters.rotation.JWKPublicKeyLocator]
>>> (default task-12) Error when sending request to retrieve realm keys:
>>> org.keycloak.adapters.HttpClientAdapterException: IO error
>>> at org.keycloak.adapters.HttpAdapterUtils.sendJsonHttpRequest(H
>>> ttpAdapterUtils.java:58)
>>> at org.keycloak.adapters.rotation.JWKPublicKeyLocator.sendReque
>>> st(JWKPublicKeyLocator.java:99)
>>> at org.keycloak.adapters.rotation.JWKPublicKeyLocator.getPublic
>>> Key(JWKPublicKeyLocator.java:63)
>>> at org.keycloak.adapters.rotation.AdapterRSATokenVerifier.getPu
>>> blicKey(AdapterRSATokenVerifier.java:44)
>>> at org.keycloak.adapters.rotation.AdapterRSATokenVerifier.verif
>>> yToken(AdapterRSATokenVerifier.java:55)
>>> at org.keycloak.adapters.rotation.AdapterRSATokenVerifier.verif
>>> yToken(AdapterRSATokenVerifier.java:37)
>>> at org.keycloak.adapters.BearerTokenRequestAuthenticator.authen
>>> ticateToken(BearerTokenRequestAuthenticator.java:87)
>>> at org.keycloak.adapters.BearerTokenRequestAuthenticator.authen
>>> ticate(BearerTokenRequestAuthenticator.java:82)
>>> at org.keycloak.adapters.RequestAuthenticator.authenticate(Requ
>>> estAuthenticator.java:68)
>>> at org.keycloak.adapters.undertow.AbstractUndertowKeycloakAuthM
>>> ech.keycloakAuthenticate(AbstractUndertowKeycloakAuthMech.java:110)
>>> at org.keycloak.adapters.undertow.ServletKeycloakAuthMech.authe
>>> nticate(ServletKeycloakAuthMech.java:92)
>>> at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.
>>> transition(SecurityContextImpl.java:245)
>>> at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.
>>> transition(SecurityContextImpl.java:263)
>>> at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.
>>> access$100(SecurityContextImpl.java:231)
>>> at io.undertow.security.impl.SecurityContextImpl.attemptAuthent
>>> ication(SecurityContextImpl.java:125)
>>> at io.undertow.security.impl.SecurityContextImpl.authTransition
>>> (SecurityContextImpl.java:99)
>>> at io.undertow.security.impl.SecurityContextImpl.authenticate(S
>>> ecurityContextImpl.java:92)
>>> at io.undertow.servlet.handlers.security.ServletAuthenticationC
>>> allHandler.handleRequest(ServletAuthenticationCallHandler.java:55)
>>> at io.undertow.server.handlers.DisableCacheHandler.handleReques
>>> t(DisableCacheHandler.java:33)
>>> at io.undertow.server.handlers.PredicateHandler.handleRequest(P
>>> redicateHandler.java:43)
>>> at io.undertow.security.handlers.AuthenticationConstraintHandle
>>> r.handleRequest(AuthenticationConstraintHandler.java:53)
>>> at io.undertow.security.handlers.AbstractConfidentialityHandler
>>> .handleRequest(AbstractConfidentialityHandler.java:46)
>>> at io.undertow.servlet.handlers.security.ServletConfidentiality
>>> ConstraintHandler.handleRequest(ServletConfidentialityConstr
>>> aintHandler.java:64)
>>> at io.undertow.servlet.handlers.security.ServletSecurityConstra
>>> intHandler.handleRequest(ServletSecurityConstraintHandler.java:59)
>>> at io.undertow.security.handlers.AuthenticationMechanismsHandle
>>> r.handleRequest(AuthenticationMechanismsHandler.java:60)
>>> at io.undertow.servlet.handlers.security.CachedAuthenticatedSes
>>> sionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
>>> at io.undertow.security.handlers.NotificationReceiverHandler.ha
>>> ndleRequest(NotificationReceiverHandler.java:50)
>>> at io.undertow.security.handlers.AbstractSecurityContextAssocia
>>> tionHandler.handleRequest(AbstractSecurityContextAssociation
>>> Handler.java:43)
>>> at io.undertow.server.handlers.PredicateHandler.handleRequest(P
>>> redicateHandler.java:43)
>>> at org.wildfly.extension.undertow.security.jacc.JACCContextIdHa
>>> ndler.handleRequest(JACCContextIdHandler.java:61)
>>> at io.undertow.server.handlers.PredicateHandler.handleRequest(P
>>> redicateHandler.java:43)
>>> at org.keycloak.adapters.undertow.ServletPreAuthActionsHandler.
>>> handleRequest(ServletPreAuthActionsHandler.java:69)
>>> at io.undertow.server.handlers.PredicateHandler.handleRequest(P
>>> redicateHandler.java:43)
>>> at io.undertow.servlet.handlers.ServletInitialHandler.handleFir
>>> stRequest(ServletInitialHandler.java:292)
>>> at io.undertow.servlet.handlers.ServletInitialHandler.access$10
>>> 0(ServletInitialHandler.java:81)
>>> at io.undertow.servlet.handlers.ServletInitialHandler$2.call(Se
>>> rvletInitialHandler.java:138)
>>> at io.undertow.servlet.handlers.ServletInitialHandler$2.call(Se
>>> rvletInitialHandler.java:135)
>>> at io.undertow.servlet.core.ServletRequestContextThreadSetupAct
>>> ion$1.call(ServletRequestContextThreadSetupAction.java:48)
>>> at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.cal
>>> l(ContextClassLoaderSetupAction.java:43)
>>> at io.undertow.servlet.api.LegacyThreadSetupActionWrapper$1.cal
>>> l(LegacyThreadSetupActionWrapper.java:44)
>>> at io.undertow.servlet.api.LegacyThreadSetupActionWrapper$1.cal
>>> l(LegacyThreadSetupActionWrapper.java:44)
>>> at io.undertow.servlet.api.LegacyThreadSetupActionWrapper$1.cal
>>> l(LegacyThreadSetupActionWrapper.java:44)
>>> at io.undertow.servlet.api.LegacyThreadSetupActionWrapper$1.cal
>>> l(LegacyThreadSetupActionWrapper.java:44)
>>> at io.undertow.servlet.api.LegacyThreadSetupActionWrapper$1.cal
>>> l(LegacyThreadSetupActionWrapper.java:44)
>>> at io.undertow.servlet.api.LegacyThreadSetupActionWrapper$1.cal
>>> l(LegacyThreadSetupActionWrapper.java:44)
>>> at io.undertow.servlet.handlers.ServletInitialHandler.dispatchR
>>> equest(ServletInitialHandler.java:272)
>>> at io.undertow.servlet.handlers.ServletInitialHandler.access$00
>>> 0(ServletInitialHandler.java:81)
>>> at io.undertow.servlet.handlers.ServletInitialHandler$1.handleR
>>> equest(ServletInitialHandler.java:104)
>>> at io.undertow.server.Connectors.executeRootHandler(Connectors.
>>> java:202)
>>> at io.undertow.server.HttpServerExchange$1.run(HttpServerExchan
>>> ge.java:805)
>>> at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPool
>>> Executor.java:1142)
>>> at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoo
>>> lExecutor.java:617)
>>> at java.lang.Thread.run(Thread.java:748)
>>> Caused by: java.net.ConnectException: Connection refused (Connection
>>> refused)
>>> at java.net.PlainSocketImpl.socketConnect(Native Method)
>>> at java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSock
>>> etImpl.java:350)
>>> at java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPl
>>> ainSocketImpl.java:206)
>>> at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocket
>>> Impl.java:188)
>>> at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392)
>>> at java.net.Socket.connect(Socket.java:589)
>>> at org.apache.http.conn.scheme.PlainSocketFactory.connectSocket
>>> (PlainSocketFactory.java:117)
>>> at org.apache.http.impl.conn.DefaultClientConnectionOperator.op
>>> enConnection(DefaultClientConnectionOperator.java:177)
>>> at org.apache.http.impl.conn.AbstractPoolEntry.open(AbstractPoo
>>> lEntry.java:144)
>>> at org.apache.http.impl.conn.AbstractPooledConnAdapter.open(Abs
>>> tractPooledConnAdapter.java:131)
>>> at org.apache.http.impl.client.DefaultRequestDirector.tryConnec
>>> t(DefaultRequestDirector.java:611)
>>> at org.apache.http.impl.client.DefaultRequestDirector.execute(D
>>> efaultRequestDirector.java:446)
>>> at org.apache.http.impl.client.AbstractHttpClient.doExecute(Abs
>>> tractHttpClient.java:882)
>>> at org.apache.http.impl.client.CloseableHttpClient.execute(Clos
>>> eableHttpClient.java:82)
>>> at org.apache.http.impl.client.CloseableHttpClient.execute(Clos
>>> eableHttpClient.java:107)
>>> at org.apache.http.impl.client.CloseableHttpClient.execute(Clos
>>> eableHttpClient.java:55)
>>> at org.keycloak.adapters.HttpAdapterUtils.sendJsonHttpRequest(H
>>> ttpAdapterUtils.java:37)
>>> ... 52 more
>>> 2017-07-25T13:56:29.452564496Z
>>> 13:56:29,454 ERROR [org.keycloak.adapters.rotation.AdapterRSATokenVerifier]
>>> (default task-12) Didn't find publicKey for kid:
>>> RHESicBPoNCwhBnBLEk_8X4ufj5WyuTo20zbzOo4HfQ
>>> 13:56:29,454 ERROR [org.keycloak.adapters.BearerTokenRequestAuthenticator]
>>> (default task-12) Failed to verify token:
org.keycloak.common.VerificationException:
>>> Didn't find publicKey for specified kid
>>> at org.keycloak.adapters.rotation.AdapterRSATokenVerifier.getPu
>>> blicKey(AdapterRSATokenVerifier.java:47)
>>> at org.keycloak.adapters.rotation.AdapterRSATokenVerifier.verif
>>> yToken(AdapterRSATokenVerifier.java:55)
>>> at org.keycloak.adapters.rotation.AdapterRSATokenVerifier.verif
>>> yToken(AdapterRSATokenVerifier.java:37)
>>> at org.keycloak.adapters.BearerTokenRequestAuthenticator.authen
>>> ticateToken(BearerTokenRequestAuthenticator.java:87)
>>> at org.keycloak.adapters.BearerTokenRequestAuthenticator.authen
>>> ticate(BearerTokenRequestAuthenticator.java:82)
>>> at org.keycloak.adapters.RequestAuthenticator.authenticate(Requ
>>> estAuthenticator.java:68)
>>> at org.keycloak.adapters.undertow.AbstractUndertowKeycloakAuthM
>>> ech.keycloakAuthenticate(AbstractUndertowKeycloakAuthMech.java:110)
>>> at org.keycloak.adapters.undertow.ServletKeycloakAuthMech.authe
>>> nticate(ServletKeycloakAuthMech.java:92)
>>> at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.
>>> transition(SecurityContextImpl.java:245)
>>> at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.
>>> transition(SecurityContextImpl.java:263)
>>> at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.
>>> access$100(SecurityContextImpl.java:231)
>>> at io.undertow.security.impl.SecurityContextImpl.attemptAuthent
>>> ication(SecurityContextImpl.java:125)
>>> at io.undertow.security.impl.SecurityContextImpl.authTransition
>>> (SecurityContextImpl.java:99)
>>> at io.undertow.security.impl.SecurityContextImpl.authenticate(S
>>> ecurityContextImpl.java:92)
>>> at io.undertow.servlet.handlers.security.ServletAuthenticationC
>>> allHandler.handleRequest(ServletAuthenticationCallHandler.java:55)
>>> at io.undertow.server.handlers.DisableCacheHandler.handleReques
>>> t(DisableCacheHandler.java:33)
>>> at io.undertow.server.handlers.PredicateHandler.handleRequest(P
>>> redicateHandler.java:43)
>>> at io.undertow.security.handlers.AuthenticationConstraintHandle
>>> r.handleRequest(AuthenticationConstraintHandler.java:53)
>>> at io.undertow.security.handlers.AbstractConfidentialityHandler
>>> .handleRequest(AbstractConfidentialityHandler.java:46)
>>> at io.undertow.servlet.handlers.security.ServletConfidentiality
>>> ConstraintHandler.handleRequest(ServletConfidentialityConstr
>>> aintHandler.java:64)
>>> at io.undertow.servlet.handlers.security.ServletSecurityConstra
>>> intHandler.handleRequest(ServletSecurityConstraintHandler.java:59)
>>> at io.undertow.security.handlers.AuthenticationMechanismsHandle
>>> r.handleRequest(AuthenticationMechanismsHandler.java:60)
>>> at io.undertow.servlet.handlers.security.CachedAuthenticatedSes
>>> sionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
>>> at io.undertow.security.handlers.NotificationReceiverHandler.ha
>>> ndleRequest(NotificationReceiverHandler.java:50)
>>> at io.undertow.security.handlers.AbstractSecurityContextAssocia
>>> tionHandler.handleRequest(AbstractSecurityContextAssociation
>>> Handler.java:43)
>>> at io.undertow.server.handlers.PredicateHandler.handleRequest(P
>>> redicateHandler.java:43)
>>> at org.wildfly.extension.undertow.security.jacc.JACCContextIdHa
>>> ndler.handleRequest(JACCContextIdHandler.java:61)
>>> at io.undertow.server.handlers.PredicateHandler.handleRequest(P
>>> redicateHandler.java:43)
>>> at org.keycloak.adapters.undertow.ServletPreAuthActionsHandler.
>>> handleRequest(ServletPreAuthActionsHandler.java:69)
>>> at io.undertow.server.handlers.PredicateHandler.handleRequest(P
>>> redicateHandler.java:43)
>>> at io.undertow.servlet.handlers.ServletInitialHandler.handleFir
>>> stRequest(ServletInitialHandler.java:292)
>>> at io.undertow.servlet.handlers.ServletInitialHandler.access$10
>>> 0(ServletInitialHandler.java:81)
>>> at io.undertow.servlet.handlers.ServletInitialHandler$2.call(Se
>>> rvletInitialHandler.java:138)
>>> at io.undertow.servlet.handlers.ServletInitialHandler$2.call(Se
>>> rvletInitialHandler.java:135)
>>> at io.undertow.servlet.core.ServletRequestContextThreadSetupAct
>>> ion$1.call(ServletRequestContextThreadSetupAction.java:48)
>>> at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.cal
>>> l(ContextClassLoaderSetupAction.java:43)
>>> at io.undertow.servlet.api.LegacyThreadSetupActionWrapper$1.cal
>>> l(LegacyThreadSetupActionWrapper.java:44)
>>> at io.undertow.servlet.api.LegacyThreadSetupActionWrapper$1.cal
>>> l(LegacyThreadSetupActionWrapper.java:44)
>>> at io.undertow.servlet.api.LegacyThreadSetupActionWrapper$1.cal
>>> l(LegacyThreadSetupActionWrapper.java:44)
>>> at io.undertow.servlet.api.LegacyThreadSetupActionWrapper$1.cal
>>> l(LegacyThreadSetupActionWrapper.java:44)
>>> at io.undertow.servlet.api.LegacyThreadSetupActionWrapper$1.cal
>>> l(LegacyThreadSetupActionWrapper.java:44)
>>> at io.undertow.servlet.api.LegacyThreadSetupActionWrapper$1.cal
>>> l(LegacyThreadSetupActionWrapper.java:44)
>>> at io.undertow.servlet.handlers.ServletInitialHandler.dispatchR
>>> equest(ServletInitialHandler.java:272)
>>> at io.undertow.servlet.handlers.ServletInitialHandler.access$00
>>> 0(ServletInitialHandler.java:81)
>>> at io.undertow.servlet.handlers.ServletInitialHandler$1.handleR
>>> equest(ServletInitialHandler.java:104)
>>> at io.undertow.server.Connectors.executeRootHandler(Connectors.
>>> java:202)
>>> at io.undertow.server.HttpServerExchange$1.run(HttpServerExchan
>>> ge.java:805)
>>> at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPool
>>> Executor.java:1142)
>>> at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoo
>>> lExecutor.java:617)
>>> at java.lang.Thread.run(Thread.java:748)
>>>
>>> Is there a way to enhance the log level at the client ( i mean keycloak
>>> adapter ) , to see if it is a http connection issue or something else ??
>>>
>>> Thanks,
>>> Rajesh
>>>
>>> On Tue, Jul 25, 2017 at 7:36 PM, Rajesh Ghosh <ghosh.rajesh(a)gmail.com>
>>> wrote:
>>>
>>>> Here is the response from curl ---
>>>>
>>>> $ curl -v http://192.168.99.100:8080/OlpUIFwk2-1.0-SNAPSHOT/services/s
>>>> ec/rest/us
>>>> erservice/users -H "Authorization: Bearer $KEY"
>>>> * Trying 192.168.99.100...
>>>> * Connected to 192.168.99.100 (192.168.99.100) port 8080 (#0)
>>>> > GET /OlpUIFwk2-1.0-SNAPSHOT/services/sec/rest/userservice/users
>>>> HTTP/1.1
>>>> > Host: 192.168.99.100:8080
>>>> > User-Agent: curl/7.50.1
>>>> > Accept: */*
>>>> > Authorization: Bearer eyJhbGciOiJSUzI1NiIsInR5cCIgOi
>>>> AiSldUIiwia2lkIiA6ICJSSEV
>>>> TaWNCUG9OQ3doQm5CTEVrXzhYNHVmajVXeXVUbzIwemJ6T280SGZRIn0.eyJ
>>>> qdGkiOiJkNmY2MmM5YS1
>>>> hNjAwLTQ4ZmQtYmI3Ny0wMTI1NDQ0YmIzNWMiLCJleHAiOjE1MDA5OTAyNDg
>>>> sIm5iZiI6MCwiaWF0Ijo
>>>> xNTAwOTg5OTQ4LCJpc3MiOiJodHRwOi8vMTkyLjE2OC45OS4xMDA6MzAwMDE
>>>> vYXV0aC9yZWFsbXMvYmt
>>>> vZmMiLCJhdWQiOiJia29mYy13ZWIiLCJzdWIiOiIwYTA5MTQ0OC0wNjAyLTQ
>>>> 2YmMtOWU4MS05MjE1Zjg
>>>> zYjVjOTgiLCJ0eXAiOiJCZWFyZXIiLCJhenAiOiJia29mYy13ZWIiLCJhdXR
>>>> oX3RpbWUiOjAsInNlc3N
>>>> pb25fc3RhdGUiOiIzMjMxZjQ2Zi0yMjliLTQyZDMtYTQxOS0wODlhMjEzOTZ
>>>> lNjciLCJhY3IiOiIxIiw
>>>> iY2xpZW50X3Nlc3Npb24iOiI5MjFjYzM2MC03ZTkyLTQ1ZDQtYjdmNy0xNWF
>>>> kYTY2NmE4Y2EiLCJhbGx
>>>> vd2VkLW9yaWdpbnMiOlsiaHR0cDovLzE5Mi4xNjguOTkuMTAwOjgwODAvIl0
>>>> sInJlYWxtX2FjY2VzcyI
>>>> 6eyJyb2xlcyI6WyJ1bWFfYXV0aG9yaXphdGlvbiIsInVzZXIiXX0sInJlc29
>>>> 1cmNlX2FjY2VzcyI6eyJ
>>>> yZWFsbS1tYW5hZ2VtZW50Ijp7InJvbGVzIjpbInZpZXctcmVhbG0iLCJ2aWV
>>>> 3LWlkZW50aXR5LXByb3Z
>>>> pZGVycyIsIm1hbmFnZS1pZGVudGl0eS1wcm92aWRlcnMiLCJpbXBlcnNvbmF
>>>> 0aW9uIiwicmVhbG0tYWR
>>>> taW4iLCJjcmVhdGUtY2xpZW50IiwibWFuYWdlLXVzZXJzIiwidmlldy1hdXR
>>>> ob3JpemF0aW9uIiwibWF
>>>> uYWdlLWV2ZW50cyIsIm1hbmFnZS1yZWFsbSIsInZpZXctZXZlbnRzIiwidml
>>>> ldy11c2VycyIsInZpZXc
>>>> tY2xpZW50cyIsIm1hbmFnZS1hdXRob3JpemF0aW9uIiwibWFuYWdlLWNsaWV
>>>> udHMiXX0sImFjY291bnQ
>>>> iOnsicm9sZXMiOlsibWFuYWdlLWFjY291bnQiLCJtYW5hZ2UtYWNjb3VudC1
>>>> saW5rcyIsInZpZXctcHJ
>>>> vZmlsZSJdfX0sIm5hbWUiOiIiLCJwcmVmZXJyZWRfdXNlcm5hbWUiOiJzdXB
>>>> lcmFkbWluIiwiZW1haWw
>>>> iOiJ0cmlsaWEudGVjaEBnbWFpbC5jb20ifQ.JCGcaQ-8yYhoOT_DfHvNa5Hv
>>>> G3x5WBI3ZcC4WEcBA3NU
>>>> L-mQdUhU1aEK9G5VulcRbMeYp9f_rFnFip-N9g3JwPGhR6ozgwdXlI09JAjM
>>>> 6zLk7cy0UKig5ghHX1-g
>>>> Xb5EHChzhmGI_xtV77t9dcKBjW4V3f7eFwDmCMyWj8bqyoFMDTIp_Gz67Wt1
>>>> iUXAaCZ5fIdXs3epdG82
>>>> NhJrjQsIKiYGzUg9JY2Dkvg_tHGHESN85KsW2TNj8Jd0CuS-cF0rOqx82poh
>>>> W6RQMAZmGyMVofsxH_uR
>>>> rEbvpmI_ofkAUF6qCuLDD7idZC_j1ARXH-EOWxHgnSEDXc6SF2aAegmCpw
>>>> >
>>>> < HTTP/1.1 401 Unauthorized
>>>> < Expires: 0
>>>> < Cache-Control: no-cache, no-store, must-revalidate
>>>> < X-Powered-By: Undertow/1
>>>> < Server: WildFly/10
>>>> < Pragma: no-cache
>>>> < Date: Tue, 25 Jul 2017 14:04:31 GMT
>>>> < Connection: keep-alive
>>>> < WWW-Authenticate: Bearer realm="bkofc",
error="invalid_token",
>>>> error_description="Didn't find publicKey for specified
kid"
>>>> < Content-Type: text/html;charset=UTF-8
>>>> < Content-Length: 71
>>>> <
>>>> * Connection #0 to host 192.168.99.100 left intact
>>>>
<html><head><title>Error</title></head><body>Unauthorized</b
>>>> ody></html>$
>>>> $
>>>>
>>>> Thanks,
>>>> Rajesh
>>>>
>>>> On Tue, Jul 25, 2017 at 7:30 PM, Rajesh Ghosh
<ghosh.rajesh(a)gmail.com>
>>>> wrote:
>>>>
>>>>> Sure. I was using postman to invoke the service. This is the command
>>>>> used by postman --
>>>>>
>>>>> ------------------------------------------------------------
>>>>> ------------
>>>>>
>>>>> GET /OlpUIFwk2-1.0-SNAPSHOT/services/sec/rest/userservice/users
>>>>> HTTP/1.1
>>>>> Host: 192.168.99.100:8080
>>>>> Authorization: Bearer eyJhbGciOiJSUzI1NiIsInR5cCIgO
>>>>> iAiSldUIiwia2lkIiA6ICJSSEVTaWNCUG9OQ3doQm5CTEVrXzhYNHVmajVXe
>>>>> XVUbzIwemJ6T280SGZRIn0.eyJqdGkiOiJkNmY2MmM5YS1hNjAwLTQ4ZmQtY
>>>>> mI3Ny0wMTI1NDQ0YmIzNWMiLCJleHAiOjE1MDA5OTAyNDgsIm5iZiI6MCwia
>>>>> WF0IjoxNTAwOTg5OTQ4LCJpc3MiOiJodHRwOi8vMTkyLjE2OC45OS4xMDA6M
>>>>> zAwMDEvYXV0aC9yZWFsbXMvYmtvZmMiLCJhdWQiOiJia29mYy13ZWIiLCJzd
>>>>> WIiOiIwYTA5MTQ0OC0wNjAyLTQ2YmMtOWU4MS05MjE1ZjgzYjVjOTgiLCJ0e
>>>>> XAiOiJCZWFyZXIiLCJhenAiOiJia29mYy13ZWIiLCJhdXRoX3RpbWUiOjAsI
>>>>> nNlc3Npb25fc3RhdGUiOiIzMjMxZjQ2Zi0yMjliLTQyZDMtYTQxOS0wODlhM
>>>>> jEzOTZlNjciLCJhY3IiOiIxIiwiY2xpZW50X3Nlc3Npb24iOiI5MjFjYzM2M
>>>>> C03ZTkyLTQ1ZDQtYjdmNy0xNWFkYTY2NmE4Y2EiLCJhbGxvd2VkLW9yaWdpb
>>>>> nMiOlsiaHR0cDovLzE5Mi4xNjguOTkuMTAwOjgwODAvIl0sInJlYWxtX2FjY
>>>>> 2VzcyI6eyJyb2xlcyI6WyJ1bWFfYXV0aG9yaXphdGlvbiIsInVzZXIiXX0sI
>>>>> nJlc291cmNlX2FjY2VzcyI6eyJyZWFsbS1tYW5hZ2VtZW50Ijp7InJvbGVzI
>>>>> jpbInZpZXctcmVhbG0iLCJ2aWV3LWlkZW50aXR5LXByb3ZpZGVycyIsIm1hb
>>>>> mFnZS1pZGVudGl0eS1wcm92aWRlcnMiLCJpbXBlcnNvbmF0aW9uIiwicmVhb
>>>>> G0tYWRtaW4iLCJjcmVhdGUtY2xpZW50IiwibWFuYWdlLXVzZXJzIiwidmlld
>>>>> y1hdXRob3JpemF0aW9uIiwibWFuYWdlLWV2ZW50cyIsIm1hbmFnZS1yZWFsb
>>>>> SIsInZpZXctZXZlbnRzIiwidmlldy11c2VycyIsInZpZXctY2xpZW50cyIsI
>>>>> m1hbmFnZS1hdXRob3JpemF0aW9uIiwibWFuYWdlLWNsaWVudHMiXX0sImFjY
>>>>> 291bnQiOnsicm9sZXMiOlsibWFuYWdlLWFjY291bnQiLCJtYW5hZ2UtYWNjb
>>>>> 3VudC1saW5rcyIsInZpZXctcHJvZmlsZSJdfX0sIm5hbWUiOiIiLCJwcmVmZ
>>>>> XJyZWRfdXNlcm5hbWUiOiJzdXBlcmFkbWluIiwiZW1haWwiOiJ0cmlsaWEud
>>>>> GVjaEBnbWFpbC5jb20ifQ.JCGcaQ-8yYhoOT_DfHvNa5HvG3x5WBI3ZcC4WE
>>>>> cBA3NUL-mQdUhU1aEK9G5VulcRbMeYp9f_rFnFip-N9g3JwPGhR6ozgwdXlI
>>>>> 09JAjM6zLk7cy0UKig5ghHX1-gXb5EHChzhmGI_xtV77t9dcKBjW4V3f7eFw
>>>>> DmCMyWj8bqyoFMDTIp_Gz67Wt1iUXAaCZ5fIdXs3epdG82NhJrjQsIKiYGzU
>>>>> g9JY2Dkvg_tHGHESN85KsW2TNj8Jd0CuS-cF0rOqx82pohW6RQMAZmGyMVof
>>>>> sxH_uRrEbvpmI_ofkAUF6qCuLDD7idZC_j1ARXH-EOWxHgnSEDXc6SF2aAegmCpw
>>>>> Cache-Control: no-cache
>>>>> Postman-Token: d378eefe-82c8-9c3d-0140-ef56c62f9b97
>>>>>
>>>>>
>>>>> ------------------------------------------------------------
>>>>> ---------------
>>>>>
>>>>> The "userservice" is my own service for other attributes of
users. I
>>>>> also made sure that the service executes without the security.
>>>>>
>>>>> Thanks,
>>>>> Rajesh
>>>>>
>>>>>
>>>>> On Tue, Jul 25, 2017 at 7:24 PM, Sebastien Blanc
<sblanc(a)redhat.com>
>>>>> wrote:
>>>>>
>>>>>> Okay, to have the complete picture could paste the command you
issue
>>>>>> to call your REST service ?
>>>>>>
>>>>>>
>>>>>> On Tue, Jul 25, 2017 at 3:50 PM, Rajesh Ghosh <
>>>>>> ghosh.rajesh(a)gmail.com> wrote:
>>>>>>
>>>>>>> Sebastien,
>>>>>>>
>>>>>>> Here is a token response -
>>>>>>>
>>>>>>> {
>>>>>>> "access_token":
"eyJhbGciOiJSUzI1NiIsInR5cCIgO
>>>>>>> iAiSldUIiwia2lkIiA6ICJSSEVTaWNCUG9OQ3doQm5CTEVrXzhYNHVmajVXe
>>>>>>> XVUbzIwemJ6T280SGZRIn0.eyJqdGkiOiJkNmY2MmM5YS1hNjAwLTQ4ZmQtY
>>>>>>> mI3Ny0wMTI1NDQ0YmIzNWMiLCJleHAiOjE1MDA5OTAyNDgsIm5iZiI6MCwia
>>>>>>> WF0IjoxNTAwOTg5OTQ4LCJpc3MiOiJodHRwOi8vMTkyLjE2OC45OS4xMDA6M
>>>>>>> zAwMDEvYXV0aC9yZWFsbXMvYmtvZmMiLCJhdWQiOiJia29mYy13ZWIiLCJzd
>>>>>>> WIiOiIwYTA5MTQ0OC0wNjAyLTQ2YmMtOWU4MS05MjE1ZjgzYjVjOTgiLCJ0e
>>>>>>> XAiOiJCZWFyZXIiLCJhenAiOiJia29mYy13ZWIiLCJhdXRoX3RpbWUiOjAsI
>>>>>>> nNlc3Npb25fc3RhdGUiOiIzMjMxZjQ2Zi0yMjliLTQyZDMtYTQxOS0wODlhM
>>>>>>> jEzOTZlNjciLCJhY3IiOiIxIiwiY2xpZW50X3Nlc3Npb24iOiI5MjFjYzM2M
>>>>>>> C03ZTkyLTQ1ZDQtYjdmNy0xNWFkYTY2NmE4Y2EiLCJhbGxvd2VkLW9yaWdpb
>>>>>>> nMiOlsiaHR0cDovLzE5Mi4xNjguOTkuMTAwOjgwODAvIl0sInJlYWxtX2FjY
>>>>>>> 2VzcyI6eyJyb2xlcyI6WyJ1bWFfYXV0aG9yaXphdGlvbiIsInVzZXIiXX0sI
>>>>>>> nJlc291cmNlX2FjY2VzcyI6eyJyZWFsbS1tYW5hZ2VtZW50Ijp7InJvbGVzI
>>>>>>> jpbInZpZXctcmVhbG0iLCJ2aWV3LWlkZW50aXR5LXByb3ZpZGVycyIsIm1hb
>>>>>>> mFnZS1pZGVudGl0eS1wcm92aWRlcnMiLCJpbXBlcnNvbmF0aW9uIiwicmVhb
>>>>>>> G0tYWRtaW4iLCJjcmVhdGUtY2xpZW50IiwibWFuYWdlLXVzZXJzIiwidmlld
>>>>>>> y1hdXRob3JpemF0aW9uIiwibWFuYWdlLWV2ZW50cyIsIm1hbmFnZS1yZWFsb
>>>>>>> SIsInZpZXctZXZlbnRzIiwidmlldy11c2VycyIsInZpZXctY2xpZW50cyIsI
>>>>>>> m1hbmFnZS1hdXRob3JpemF0aW9uIiwibWFuYWdlLWNsaWVudHMiXX0sImFjY
>>>>>>> 291bnQiOnsicm9sZXMiOlsibWFuYWdlLWFjY291bnQiLCJtYW5hZ2UtYWNjb
>>>>>>> 3VudC1saW5rcyIsInZpZXctcHJvZmlsZSJdfX0sIm5hbWUiOiIiLCJwcmVmZ
>>>>>>> XJyZWRfdXNlcm5hbWUiOiJzdXBlcmFkbWluIiwiZW1haWwiOiJ0cmlsaWEud
>>>>>>> GVjaEBnbWFpbC5jb20ifQ.JCGcaQ-8yYhoOT_DfHvNa5HvG3x5WBI3ZcC4WE
>>>>>>> cBA3NUL-mQdUhU1aEK9G5VulcRbMeYp9f_rFnFip-N9g3JwPGhR6ozgwdXlI
>>>>>>> 09JAjM6zLk7cy0UKig5ghHX1-gXb5EHChzhmGI_xtV77t9dcKBjW4V3f7eFw
>>>>>>> DmCMyWj8bqyoFMDTIp_Gz67Wt1iUXAaCZ5fIdXs3epdG82NhJrjQsIKiYGzU
>>>>>>> g9JY2Dkvg_tHGHESN85KsW2TNj8Jd0CuS-cF0rOqx82pohW6RQMAZmGyMVof
>>>>>>>
sxH_uRrEbvpmI_ofkAUF6qCuLDD7idZC_j1ARXH-EOWxHgnSEDXc6SF2aAegmCpw",
>>>>>>> "expires_in": 300,
>>>>>>> "refresh_expires_in": 1800,
>>>>>>> "refresh_token":
"eyJhbGciOiJSUzI1NiIsInR5cCIgO
>>>>>>> iAiSldUIiwia2lkIiA6ICJSSEVTaWNCUG9OQ3doQm5CTEVrXzhYNHVmajVXe
>>>>>>> XVUbzIwemJ6T280SGZRIn0.eyJqdGkiOiIyYzE4ZjkxYi0yMDljLTQwY2ItY
>>>>>>> TE5OS02NGIwZTEyYjRkOGIiLCJleHAiOjE1MDA5OTE3NDgsIm5iZiI6MCwia
>>>>>>> WF0IjoxNTAwOTg5OTQ4LCJpc3MiOiJodHRwOi8vMTkyLjE2OC45OS4xMDA6M
>>>>>>> zAwMDEvYXV0aC9yZWFsbXMvYmtvZmMiLCJhdWQiOiJia29mYy13ZWIiLCJzd
>>>>>>> WIiOiIwYTA5MTQ0OC0wNjAyLTQ2YmMtOWU4MS05MjE1ZjgzYjVjOTgiLCJ0e
>>>>>>> XAiOiJSZWZyZXNoIiwiYXpwIjoiYmtvZmMtd2ViIiwiYXV0aF90aW1lIjowL
>>>>>>> CJzZXNzaW9uX3N0YXRlIjoiMzIzMWY0NmYtMjI5Yi00MmQzLWE0MTktMDg5Y
>>>>>>> TIxMzk2ZTY3IiwiY2xpZW50X3Nlc3Npb24iOiI5MjFjYzM2MC03ZTkyLTQ1Z
>>>>>>> DQtYjdmNy0xNWFkYTY2NmE4Y2EiLCJyZWFsbV9hY2Nlc3MiOnsicm9sZXMiO
>>>>>>> lsidW1hX2F1dGhvcml6YXRpb24iLCJ1c2VyIl19LCJyZXNvdXJjZV9hY2Nlc
>>>>>>> 3MiOnsicmVhbG0tbWFuYWdlbWVudCI6eyJyb2xlcyI6WyJ2aWV3LXJlYWxtI
>>>>>>> iwidmlldy1pZGVudGl0eS1wcm92aWRlcnMiLCJtYW5hZ2UtaWRlbnRpdHktc
>>>>>>> HJvdmlkZXJzIiwiaW1wZXJzb25hdGlvbiIsInJlYWxtLWFkbWluIiwiY3JlY
>>>>>>> XRlLWNsaWVudCIsIm1hbmFnZS11c2VycyIsInZpZXctYXV0aG9yaXphdGlvb
>>>>>>> iIsIm1hbmFnZS1ldmVudHMiLCJtYW5hZ2UtcmVhbG0iLCJ2aWV3LWV2ZW50c
>>>>>>> yIsInZpZXctdXNlcnMiLCJ2aWV3LWNsaWVudHMiLCJtYW5hZ2UtYXV0aG9ya
>>>>>>> XphdGlvbiIsIm1hbmFnZS1jbGllbnRzIl19LCJhY2NvdW50Ijp7InJvbGVzI
>>>>>>> jpbIm1hbmFnZS1hY2NvdW50IiwibWFuYWdlLWFjY291bnQtbGlua3MiLCJ2a
>>>>>>> WV3LXByb2ZpbGUiXX19fQ.Uz0rqNlj09T_SdnfZK9ZxBcJ5EIEwwHCN5VwKI
>>>>>>> hIF6Ua32fDlf1UvZSoZTmr5jiHeiwpp4JALWGTXsda4p-PlzMvwmMN5Qp46-
>>>>>>> EXGJQkqH4NNqZ1W_1mRGySYokQCSkmdvAZPFGrqxpeb1seuKgaaiXXMsrvai
>>>>>>> ucFCa8H599Ox6QRE3MkoLmm8w7_08kPG1_JjXIviHtwoWgsb0zCcMPyHRdCv
>>>>>>> _rs6FIoTQiCRZ2joaXSvIsmVAkchgZbeB-_RSWzlk3_oaOCQw7OWZJRqnAdG
>>>>>>>
gDnL5jCCRLTVFnPo9TqKrt88h3fKkVuNuI8Y06sZ1If8wgSWRDRLUf0X8sampLww",
>>>>>>> "token_type": "bearer",
>>>>>>> "id_token": "eyJhbGciOiJSUzI1NiIsInR5cCIgO
>>>>>>> iAiSldUIiwia2lkIiA6ICJSSEVTaWNCUG9OQ3doQm5CTEVrXzhYNHVmajVXe
>>>>>>> XVUbzIwemJ6T280SGZRIn0.eyJqdGkiOiI2ZDJkNWMxNS01YmE3LTRhNTgtO
>>>>>>> TJkNC0wNGU0NTkyMjNkNGYiLCJleHAiOjE1MDA5OTAyNDgsIm5iZiI6MCwia
>>>>>>> WF0IjoxNTAwOTg5OTQ4LCJpc3MiOiJodHRwOi8vMTkyLjE2OC45OS4xMDA6M
>>>>>>> zAwMDEvYXV0aC9yZWFsbXMvYmtvZmMiLCJhdWQiOiJia29mYy13ZWIiLCJzd
>>>>>>> WIiOiIwYTA5MTQ0OC0wNjAyLTQ2YmMtOWU4MS05MjE1ZjgzYjVjOTgiLCJ0e
>>>>>>> XAiOiJJRCIsImF6cCI6ImJrb2ZjLXdlYiIsImF1dGhfdGltZSI6MCwic2Vzc
>>>>>>> 2lvbl9zdGF0ZSI6IjMyMzFmNDZmLTIyOWItNDJkMy1hNDE5LTA4OWEyMTM5N
>>>>>>> mU2NyIsImFjciI6IjEiLCJuYW1lIjoiIiwicHJlZmVycmVkX3VzZXJuYW1lI
>>>>>>> joic3VwZXJhZG1pbiIsImVtYWlsIjoidHJpbGlhLnRlY2hAZ21haWwuY29tI
>>>>>>> n0.eFVxG7MImPS4yCEiLOzhvZ5M_XjRWuHJlt_T4r3djak7sH_XOXUmHAuih
>>>>>>> xXrm7HLv8DU3OzHpN3FinOWufOdTCv9Ywww0DRq4ha1M7dodqMuv1H5d3XVB
>>>>>>> n_kuHK68zWRI3t9WI4ZNeaEU0whLSnBqcbJ54dQrBloUPS4bpYG-BqfSNYs6
>>>>>>> bG8cyJHQ4_FRpAi3X9qWOCwaPrZ5Z_vQfNbYcgIfON_puN8QfRxihg90KQYO
>>>>>>> p4lJpU5JqeaVmYp9eOYTb5iQzOuLWDXenyIBmvT_K84HZKh8t5eWsqH01st-
>>>>>>> Ls7uJcNAUM9PXRM7JswCjhouuQGBM6dn5iICoL00acuxg",
>>>>>>> "not-before-policy": 0,
>>>>>>> "session_state":
"3231f46f-229b-42d3-a419-089a21396e67"
>>>>>>> }
>>>>>>>
>>>>>>>
>>>>>>> I checked it in jwt.io . The kid is same as the
"rsa-generated"
>>>>>>> one, shown in the screen shot I shared yesterday. Although
jwt complained
>>>>>>> as "Invalid Signature" .
>>>>>>>
>>>>>>>
>>>>>>> Thomas, the connectivity should not be an issue as I am able
to get
>>>>>>> the access token from my app wildfly server using curl. So
keycloak is
>>>>>>> reachable from my wildfly server. Anything specific you did
to resolve your
>>>>>>> issue ?
>>>>>>>
>>>>>>> Regards,
>>>>>>> Rajesh
>>>>>>>
>>>>>>> On Tue, Jul 25, 2017 at 11:12 AM, Sebastien Blanc <
>>>>>>> sblanc(a)redhat.com> wrote:
>>>>>>>
>>>>>>>> This looks all correct. Could you try paste your access
token or
>>>>>>>> even check it your self on jwt.io to see if the kid is
present ?
>>>>>>>>
>>>>>>>>
>>>>>>>> On Mon, Jul 24, 2017 at 6:47 PM, Rajesh Ghosh <
>>>>>>>> ghosh.rajesh(a)gmail.com> wrote:
>>>>>>>>
>>>>>>>>> Sebastien,
>>>>>>>>>
>>>>>>>>> I am attaching a pdf containing the screen shots.
Few more
>>>>>>>>> points I wanted to mention.
>>>>>>>>>
>>>>>>>>> i) I didn't install the public client --
"bkofc-web" in the
>>>>>>>>> wildfly container which hosts my REST services. I did
it for "bkofc-svc"
>>>>>>>>> client which is bearer only. I hope that is the
correct approach.
>>>>>>>>> ii) Both keycloak and my application are running on
docker
>>>>>>>>> containers locally in my laptop.
>>>>>>>>>
>>>>>>>>> Let me know if you need anything else to analyze.
>>>>>>>>>
>>>>>>>>> Thanks,
>>>>>>>>> Rajesh
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> On Mon, Jul 24, 2017 at 9:13 PM, Sebastien Blanc
<
>>>>>>>>> sblanc(a)redhat.com> wrote:
>>>>>>>>>
>>>>>>>>>> yes please
>>>>>>>>>>
>>>>>>>>>> On Mon, Jul 24, 2017 at 4:54 PM, Rajesh Ghosh
<
>>>>>>>>>> ghosh.rajesh(a)gmail.com> wrote:
>>>>>>>>>>
>>>>>>>>>>> Yes definitely. I did replace it with the
actual war name. Let
>>>>>>>>>>> me know if you would like me to paste screen
shots of realm configurations,
>>>>>>>>>>> client configurations.
>>>>>>>>>>>
>>>>>>>>>>> Thanks,
>>>>>>>>>>> Rajesh
>>>>>>>>>>>
>>>>>>>>>>> On Mon, Jul 24, 2017 at 8:12 PM, Sebastien
Blanc <
>>>>>>>>>>> sblanc(a)redhat.com> wrote:
>>>>>>>>>>>
>>>>>>>>>>>> Ok and for :
>>>>>>>>>>>> <secure-deployment name="my war
file.war">
>>>>>>>>>>>>
>>>>>>>>>>>> Did you replace that with the actual name
of your war file ?
>>>>>>>>>>>>
>>>>>>>>>>>> On Mon, Jul 24, 2017 at 4:35 PM, Rajesh
Ghosh <
>>>>>>>>>>>> ghosh.rajesh(a)gmail.com> wrote:
>>>>>>>>>>>>
>>>>>>>>>>>>> Hello Sebastien,
>>>>>>>>>>>>>
>>>>>>>>>>>>> I am using 3.1.0.Final build.
>>>>>>>>>>>>>
>>>>>>>>>>>>> Thanks,
>>>>>>>>>>>>> Rajesh
>>>>>>>>>>>>>
>>>>>>>>>>>>> On Mon, Jul 24, 2017 at 7:56 PM,
Sebastien Blanc <
>>>>>>>>>>>>> sblanc(a)redhat.com> wrote:
>>>>>>>>>>>>>
>>>>>>>>>>>>>> Which version of Keycloak are you
using ?
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> On Mon, Jul 24, 2017 at 3:15 PM,
Rajesh Ghosh <
>>>>>>>>>>>>>> ghosh.rajesh(a)gmail.com>
wrote:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Hi,
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> I am trying to secure my REST
services using the method
>>>>>>>>>>>>>>> described in the
>>>>>>>>>>>>>>> document --
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
http://blog.keycloak.org/2015/
>>>>>>>>>>>>>>>
10/getting-started-with-keycloak-securing.html
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> I am securing my war using
JBoss subsystem , instead of
>>>>>>>>>>>>>>> per-war option. The
>>>>>>>>>>>>>>> relevant sections from my
standalone.xml are posted below.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> <extensions>
>>>>>>>>>>>>>>> ......
>>>>>>>>>>>>>>> <extension
module="org.keycloak.keycloak-
>>>>>>>>>>>>>>> adapter-subsystem"/>
>>>>>>>>>>>>>>> </extensions>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
<security-domains>
>>>>>>>>>>>>>>> .....
>>>>>>>>>>>>>>>
<security-domain name="keycloak">
>>>>>>>>>>>>>>>
<authentication>
>>>>>>>>>>>>>>>
<login-module
>>>>>>>>>>>>>>>
code="org.keycloak.adapters.jboss.KeycloakLoginModule"
>>>>>>>>>>>>>>>
flag="required"/>
>>>>>>>>>>>>>>>
</authentication>
>>>>>>>>>>>>>>>
</security-domain>
>>>>>>>>>>>>>>>
</security-domains>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> <subsystem
xmlns="urn:jboss:domain:keycloak:1.1">
>>>>>>>>>>>>>>>
<secure-deployment name="my war file.war">
>>>>>>>>>>>>>>>
<realm>bkofc</realm>
>>>>>>>>>>>>>>>
<resource>bkofc-svc</resource>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
<use-resource-role-mappings>tr
>>>>>>>>>>>>>>>
ue</use-resource-role-mappings>
>>>>>>>>>>>>>>>
<bearer-only>true</bearer-only>
>>>>>>>>>>>>>>>
<auth-server-url>http://192.16
>>>>>>>>>>>>>>> 8.99.100/30001/auth
>>>>>>>>>>>>>>> </auth-server-url>
>>>>>>>>>>>>>>>
<ssl-required>none</ssl-required>
>>>>>>>>>>>>>>>
<credential
>>>>>>>>>>>>>>>
name="secret">9bcc6d9f-9c72-4b
>>>>>>>>>>>>>>>
58-b297-79f0f207d9e1</credential>
>>>>>>>>>>>>>>>
</secure-deployment>
>>>>>>>>>>>>>>> </subsystem>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> I am able to obtain the
access token.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> curl -i curl --data
>>>>>>>>>>>>>>>
"grant_type=password&client_id
>>>>>>>>>>>>>>>
=bkofc-web&username=user&password=password"
>>>>>>>>>>>>>>>
http://192.168.99.100:30001/au
>>>>>>>>>>>>>>>
th/realms/bkofc/protocol/openid-connect/token
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Note:- I have created 2
clients -- i) bkofc-svc which is
>>>>>>>>>>>>>>> bearer only, for
>>>>>>>>>>>>>>> my REST services ii)
bkofc-web , a public client to
>>>>>>>>>>>>>>> simulate UI login
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> However when I try to use the
access token to invoke a
>>>>>>>>>>>>>>> service, I am
>>>>>>>>>>>>>>> getting the error -
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Status: 401
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> WWW-Authenticate Bearer
realm="bkofc",
>>>>>>>>>>>>>>>
error="invalid_token",
>>>>>>>>>>>>>>>
error_description="Didn't find publicKey for specified kid"
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Please let me know if I am
missing something here. I have
>>>>>>>>>>>>>>> been breaking my
>>>>>>>>>>>>>>> head last few days without
any luck ! I have also tried
>>>>>>>>>>>>>>> rotating the realm
>>>>>>>>>>>>>>> keys.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Thanks,
>>>>>>>>>>>>>>> Rajesh
>>>>>>>>>>>>>>>
_______________________________________________
>>>>>>>>>>>>>>> keycloak-user mailing list
>>>>>>>>>>>>>>>
keycloak-user(a)lists.jboss.org
>>>>>>>>>>>>>>>
https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>
>>>>>
>>>>
>>>
>>
>
10:15 a.m.
403, you have probably something not setup correctly with your user's role.
On Tue, Jul 25, 2017 at 5:09 PM, Rajesh Ghosh <ghosh.rajesh(a)gmail.com>
wrote:
Sebastien,
I could get past the 401 error after rectifying the url issue. However I
am hitting 403 - Unauthorized exception now and there is no exception in
log. Still investigating. But thanks for your support on the original
issue.
@Thomas Recloux , thank you for the tips as well.
Regards,
Rajesh
On Tue, Jul 25, 2017 at 7:48 PM, Rajesh Ghosh <ghosh.rajesh(a)gmail.com>
wrote:
> OMG ! That was stupid ! Let me rectify that and try again.
>
> Thanks so much for pointing out.
>
> Regards,
> Rajesh
>
> On Tue, Jul 25, 2017 at 7:47 PM, Sebastien Blanc <sblanc(a)redhat.com>
> wrote:
>
>> Oh I think I found it : <auth-server-url>http://192.16
>> 8.99.100/30001/auth
>> </auth-server-url>
>> You have a typo there , shouldn't it be http://192.168.99.100:30001/auth
>>
<http://192.168.99.100:30001/auth/realms/bkofc/protocol/openid-connect/tok...
>> , notice the ":" instead of "/"
>>
>> On Tue, Jul 25, 2017 at 4:14 PM, Sebastien Blanc <sblanc(a)redhat.com>
>> wrote:
>>
>>> Oh you were faster than me on this one ;) , well you can change the log
>>> level of you app in the standalone.xml
>>>
>>> On Tue, Jul 25, 2017 at 4:12 PM, Rajesh Ghosh <ghosh.rajesh(a)gmail.com>
>>> wrote:
>>>
>>>> Hello Sebastien,
>>>>
>>>> I was looking at the logs of my app wildfly server , as suggested by
>>>> another user Thomas . Here is a relevant exception stack which I see.
>>>>
>>>> 13:56:29,450 ERROR [org.keycloak.adapters.rotation.JWKPublicKeyLocator]
>>>> (default task-12) Error when sending request to retrieve realm keys:
>>>> org.keycloak.adapters.HttpClientAdapterException: IO error
>>>> at org.keycloak.adapters.HttpAdapterUtils.sendJsonHttpRequest(H
>>>> ttpAdapterUtils.java:58)
>>>> at org.keycloak.adapters.rotation.JWKPublicKeyLocator.sendReque
>>>> st(JWKPublicKeyLocator.java:99)
>>>> at org.keycloak.adapters.rotation.JWKPublicKeyLocator.getPublic
>>>> Key(JWKPublicKeyLocator.java:63)
>>>> at org.keycloak.adapters.rotation.AdapterRSATokenVerifier.getPu
>>>> blicKey(AdapterRSATokenVerifier.java:44)
>>>> at org.keycloak.adapters.rotation.AdapterRSATokenVerifier.verif
>>>> yToken(AdapterRSATokenVerifier.java:55)
>>>> at org.keycloak.adapters.rotation.AdapterRSATokenVerifier.verif
>>>> yToken(AdapterRSATokenVerifier.java:37)
>>>> at org.keycloak.adapters.BearerTokenRequestAuthenticator.authen
>>>> ticateToken(BearerTokenRequestAuthenticator.java:87)
>>>> at org.keycloak.adapters.BearerTokenRequestAuthenticator.authen
>>>> ticate(BearerTokenRequestAuthenticator.java:82)
>>>> at org.keycloak.adapters.RequestAuthenticator.authenticate(Requ
>>>> estAuthenticator.java:68)
>>>> at org.keycloak.adapters.undertow.AbstractUndertowKeycloakAuthM
>>>> ech.keycloakAuthenticate(AbstractUndertowKeycloakAuthMech.java:110)
>>>> at org.keycloak.adapters.undertow.ServletKeycloakAuthMech.authe
>>>> nticate(ServletKeycloakAuthMech.java:92)
>>>> at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.
>>>> transition(SecurityContextImpl.java:245)
>>>> at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.
>>>> transition(SecurityContextImpl.java:263)
>>>> at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.
>>>> access$100(SecurityContextImpl.java:231)
>>>> at io.undertow.security.impl.SecurityContextImpl.attemptAuthent
>>>> ication(SecurityContextImpl.java:125)
>>>> at io.undertow.security.impl.SecurityContextImpl.authTransition
>>>> (SecurityContextImpl.java:99)
>>>> at io.undertow.security.impl.SecurityContextImpl.authenticate(S
>>>> ecurityContextImpl.java:92)
>>>> at io.undertow.servlet.handlers.security.ServletAuthenticationC
>>>> allHandler.handleRequest(ServletAuthenticationCallHandler.java:55)
>>>> at io.undertow.server.handlers.DisableCacheHandler.handleReques
>>>> t(DisableCacheHandler.java:33)
>>>> at io.undertow.server.handlers.PredicateHandler.handleRequest(P
>>>> redicateHandler.java:43)
>>>> at io.undertow.security.handlers.AuthenticationConstraintHandle
>>>> r.handleRequest(AuthenticationConstraintHandler.java:53)
>>>> at io.undertow.security.handlers.AbstractConfidentialityHandler
>>>> .handleRequest(AbstractConfidentialityHandler.java:46)
>>>> at io.undertow.servlet.handlers.security.ServletConfidentiality
>>>> ConstraintHandler.handleRequest(ServletConfidentialityConstr
>>>> aintHandler.java:64)
>>>> at io.undertow.servlet.handlers.security.ServletSecurityConstra
>>>> intHandler.handleRequest(ServletSecurityConstraintHandler.java:59)
>>>> at io.undertow.security.handlers.AuthenticationMechanismsHandle
>>>> r.handleRequest(AuthenticationMechanismsHandler.java:60)
>>>> at io.undertow.servlet.handlers.security.CachedAuthenticatedSes
>>>> sionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
>>>> at io.undertow.security.handlers.NotificationReceiverHandler.ha
>>>> ndleRequest(NotificationReceiverHandler.java:50)
>>>> at io.undertow.security.handlers.AbstractSecurityContextAssocia
>>>> tionHandler.handleRequest(AbstractSecurityContextAssociation
>>>> Handler.java:43)
>>>> at io.undertow.server.handlers.PredicateHandler.handleRequest(P
>>>> redicateHandler.java:43)
>>>> at org.wildfly.extension.undertow.security.jacc.JACCContextIdHa
>>>> ndler.handleRequest(JACCContextIdHandler.java:61)
>>>> at io.undertow.server.handlers.PredicateHandler.handleRequest(P
>>>> redicateHandler.java:43)
>>>> at org.keycloak.adapters.undertow.ServletPreAuthActionsHandler.
>>>> handleRequest(ServletPreAuthActionsHandler.java:69)
>>>> at io.undertow.server.handlers.PredicateHandler.handleRequest(P
>>>> redicateHandler.java:43)
>>>> at io.undertow.servlet.handlers.ServletInitialHandler.handleFir
>>>> stRequest(ServletInitialHandler.java:292)
>>>> at io.undertow.servlet.handlers.ServletInitialHandler.access$10
>>>> 0(ServletInitialHandler.java:81)
>>>> at io.undertow.servlet.handlers.ServletInitialHandler$2.call(Se
>>>> rvletInitialHandler.java:138)
>>>> at io.undertow.servlet.handlers.ServletInitialHandler$2.call(Se
>>>> rvletInitialHandler.java:135)
>>>> at io.undertow.servlet.core.ServletRequestContextThreadSetupAct
>>>> ion$1.call(ServletRequestContextThreadSetupAction.java:48)
>>>> at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.cal
>>>> l(ContextClassLoaderSetupAction.java:43)
>>>> at io.undertow.servlet.api.LegacyThreadSetupActionWrapper$1.cal
>>>> l(LegacyThreadSetupActionWrapper.java:44)
>>>> at io.undertow.servlet.api.LegacyThreadSetupActionWrapper$1.cal
>>>> l(LegacyThreadSetupActionWrapper.java:44)
>>>> at io.undertow.servlet.api.LegacyThreadSetupActionWrapper$1.cal
>>>> l(LegacyThreadSetupActionWrapper.java:44)
>>>> at io.undertow.servlet.api.LegacyThreadSetupActionWrapper$1.cal
>>>> l(LegacyThreadSetupActionWrapper.java:44)
>>>> at io.undertow.servlet.api.LegacyThreadSetupActionWrapper$1.cal
>>>> l(LegacyThreadSetupActionWrapper.java:44)
>>>> at io.undertow.servlet.api.LegacyThreadSetupActionWrapper$1.cal
>>>> l(LegacyThreadSetupActionWrapper.java:44)
>>>> at io.undertow.servlet.handlers.ServletInitialHandler.dispatchR
>>>> equest(ServletInitialHandler.java:272)
>>>> at io.undertow.servlet.handlers.ServletInitialHandler.access$00
>>>> 0(ServletInitialHandler.java:81)
>>>> at io.undertow.servlet.handlers.ServletInitialHandler$1.handleR
>>>> equest(ServletInitialHandler.java:104)
>>>> at io.undertow.server.Connectors.executeRootHandler(Connectors.
>>>> java:202)
>>>> at io.undertow.server.HttpServerExchange$1.run(HttpServerExchan
>>>> ge.java:805)
>>>> at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPool
>>>> Executor.java:1142)
>>>> at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoo
>>>> lExecutor.java:617)
>>>> at java.lang.Thread.run(Thread.java:748)
>>>> Caused by: java.net.ConnectException: Connection refused (Connection
>>>> refused)
>>>> at java.net.PlainSocketImpl.socketConnect(Native Method)
>>>> at java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSock
>>>> etImpl.java:350)
>>>> at java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPl
>>>> ainSocketImpl.java:206)
>>>> at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocket
>>>> Impl.java:188)
>>>> at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392)
>>>> at java.net.Socket.connect(Socket.java:589)
>>>> at org.apache.http.conn.scheme.PlainSocketFactory.connectSocket
>>>> (PlainSocketFactory.java:117)
>>>> at org.apache.http.impl.conn.DefaultClientConnectionOperator.op
>>>> enConnection(DefaultClientConnectionOperator.java:177)
>>>> at org.apache.http.impl.conn.AbstractPoolEntry.open(AbstractPoo
>>>> lEntry.java:144)
>>>> at org.apache.http.impl.conn.AbstractPooledConnAdapter.open(Abs
>>>> tractPooledConnAdapter.java:131)
>>>> at org.apache.http.impl.client.DefaultRequestDirector.tryConnec
>>>> t(DefaultRequestDirector.java:611)
>>>> at org.apache.http.impl.client.DefaultRequestDirector.execute(D
>>>> efaultRequestDirector.java:446)
>>>> at org.apache.http.impl.client.AbstractHttpClient.doExecute(Abs
>>>> tractHttpClient.java:882)
>>>> at org.apache.http.impl.client.CloseableHttpClient.execute(Clos
>>>> eableHttpClient.java:82)
>>>> at org.apache.http.impl.client.CloseableHttpClient.execute(Clos
>>>> eableHttpClient.java:107)
>>>> at org.apache.http.impl.client.CloseableHttpClient.execute(Clos
>>>> eableHttpClient.java:55)
>>>> at org.keycloak.adapters.HttpAdapterUtils.sendJsonHttpRequest(H
>>>> ttpAdapterUtils.java:37)
>>>> ... 52 more
>>>> 2017-07-25T13:56:29.452564496Z
>>>> 13:56:29,454 ERROR
[org.keycloak.adapters.rotation.AdapterRSATokenVerifier]
>>>> (default task-12) Didn't find publicKey for kid:
>>>> RHESicBPoNCwhBnBLEk_8X4ufj5WyuTo20zbzOo4HfQ
>>>> 13:56:29,454 ERROR
[org.keycloak.adapters.BearerTokenRequestAuthenticator]
>>>> (default task-12) Failed to verify token:
org.keycloak.common.VerificationException:
>>>> Didn't find publicKey for specified kid
>>>> at org.keycloak.adapters.rotation.AdapterRSATokenVerifier.getPu
>>>> blicKey(AdapterRSATokenVerifier.java:47)
>>>> at org.keycloak.adapters.rotation.AdapterRSATokenVerifier.verif
>>>> yToken(AdapterRSATokenVerifier.java:55)
>>>> at org.keycloak.adapters.rotation.AdapterRSATokenVerifier.verif
>>>> yToken(AdapterRSATokenVerifier.java:37)
>>>> at org.keycloak.adapters.BearerTokenRequestAuthenticator.authen
>>>> ticateToken(BearerTokenRequestAuthenticator.java:87)
>>>> at org.keycloak.adapters.BearerTokenRequestAuthenticator.authen
>>>> ticate(BearerTokenRequestAuthenticator.java:82)
>>>> at org.keycloak.adapters.RequestAuthenticator.authenticate(Requ
>>>> estAuthenticator.java:68)
>>>> at org.keycloak.adapters.undertow.AbstractUndertowKeycloakAuthM
>>>> ech.keycloakAuthenticate(AbstractUndertowKeycloakAuthMech.java:110)
>>>> at org.keycloak.adapters.undertow.ServletKeycloakAuthMech.authe
>>>> nticate(ServletKeycloakAuthMech.java:92)
>>>> at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.
>>>> transition(SecurityContextImpl.java:245)
>>>> at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.
>>>> transition(SecurityContextImpl.java:263)
>>>> at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.
>>>> access$100(SecurityContextImpl.java:231)
>>>> at io.undertow.security.impl.SecurityContextImpl.attemptAuthent
>>>> ication(SecurityContextImpl.java:125)
>>>> at io.undertow.security.impl.SecurityContextImpl.authTransition
>>>> (SecurityContextImpl.java:99)
>>>> at io.undertow.security.impl.SecurityContextImpl.authenticate(S
>>>> ecurityContextImpl.java:92)
>>>> at io.undertow.servlet.handlers.security.ServletAuthenticationC
>>>> allHandler.handleRequest(ServletAuthenticationCallHandler.java:55)
>>>> at io.undertow.server.handlers.DisableCacheHandler.handleReques
>>>> t(DisableCacheHandler.java:33)
>>>> at io.undertow.server.handlers.PredicateHandler.handleRequest(P
>>>> redicateHandler.java:43)
>>>> at io.undertow.security.handlers.AuthenticationConstraintHandle
>>>> r.handleRequest(AuthenticationConstraintHandler.java:53)
>>>> at io.undertow.security.handlers.AbstractConfidentialityHandler
>>>> .handleRequest(AbstractConfidentialityHandler.java:46)
>>>> at io.undertow.servlet.handlers.security.ServletConfidentiality
>>>> ConstraintHandler.handleRequest(ServletConfidentialityConstr
>>>> aintHandler.java:64)
>>>> at io.undertow.servlet.handlers.security.ServletSecurityConstra
>>>> intHandler.handleRequest(ServletSecurityConstraintHandler.java:59)
>>>> at io.undertow.security.handlers.AuthenticationMechanismsHandle
>>>> r.handleRequest(AuthenticationMechanismsHandler.java:60)
>>>> at io.undertow.servlet.handlers.security.CachedAuthenticatedSes
>>>> sionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
>>>> at io.undertow.security.handlers.NotificationReceiverHandler.ha
>>>> ndleRequest(NotificationReceiverHandler.java:50)
>>>> at io.undertow.security.handlers.AbstractSecurityContextAssocia
>>>> tionHandler.handleRequest(AbstractSecurityContextAssociation
>>>> Handler.java:43)
>>>> at io.undertow.server.handlers.PredicateHandler.handleRequest(P
>>>> redicateHandler.java:43)
>>>> at org.wildfly.extension.undertow.security.jacc.JACCContextIdHa
>>>> ndler.handleRequest(JACCContextIdHandler.java:61)
>>>> at io.undertow.server.handlers.PredicateHandler.handleRequest(P
>>>> redicateHandler.java:43)
>>>> at org.keycloak.adapters.undertow.ServletPreAuthActionsHandler.
>>>> handleRequest(ServletPreAuthActionsHandler.java:69)
>>>> at io.undertow.server.handlers.PredicateHandler.handleRequest(P
>>>> redicateHandler.java:43)
>>>> at io.undertow.servlet.handlers.ServletInitialHandler.handleFir
>>>> stRequest(ServletInitialHandler.java:292)
>>>> at io.undertow.servlet.handlers.ServletInitialHandler.access$10
>>>> 0(ServletInitialHandler.java:81)
>>>> at io.undertow.servlet.handlers.ServletInitialHandler$2.call(Se
>>>> rvletInitialHandler.java:138)
>>>> at io.undertow.servlet.handlers.ServletInitialHandler$2.call(Se
>>>> rvletInitialHandler.java:135)
>>>> at io.undertow.servlet.core.ServletRequestContextThreadSetupAct
>>>> ion$1.call(ServletRequestContextThreadSetupAction.java:48)
>>>> at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.cal
>>>> l(ContextClassLoaderSetupAction.java:43)
>>>> at io.undertow.servlet.api.LegacyThreadSetupActionWrapper$1.cal
>>>> l(LegacyThreadSetupActionWrapper.java:44)
>>>> at io.undertow.servlet.api.LegacyThreadSetupActionWrapper$1.cal
>>>> l(LegacyThreadSetupActionWrapper.java:44)
>>>> at io.undertow.servlet.api.LegacyThreadSetupActionWrapper$1.cal
>>>> l(LegacyThreadSetupActionWrapper.java:44)
>>>> at io.undertow.servlet.api.LegacyThreadSetupActionWrapper$1.cal
>>>> l(LegacyThreadSetupActionWrapper.java:44)
>>>> at io.undertow.servlet.api.LegacyThreadSetupActionWrapper$1.cal
>>>> l(LegacyThreadSetupActionWrapper.java:44)
>>>> at io.undertow.servlet.api.LegacyThreadSetupActionWrapper$1.cal
>>>> l(LegacyThreadSetupActionWrapper.java:44)
>>>> at io.undertow.servlet.handlers.ServletInitialHandler.dispatchR
>>>> equest(ServletInitialHandler.java:272)
>>>> at io.undertow.servlet.handlers.ServletInitialHandler.access$00
>>>> 0(ServletInitialHandler.java:81)
>>>> at io.undertow.servlet.handlers.ServletInitialHandler$1.handleR
>>>> equest(ServletInitialHandler.java:104)
>>>> at io.undertow.server.Connectors.executeRootHandler(Connectors.
>>>> java:202)
>>>> at io.undertow.server.HttpServerExchange$1.run(HttpServerExchan
>>>> ge.java:805)
>>>> at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPool
>>>> Executor.java:1142)
>>>> at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoo
>>>> lExecutor.java:617)
>>>> at java.lang.Thread.run(Thread.java:748)
>>>>
>>>> Is there a way to enhance the log level at the client ( i mean
>>>> keycloak adapter ) , to see if it is a http connection issue or
something
>>>> else ??
>>>>
>>>> Thanks,
>>>> Rajesh
>>>>
>>>> On Tue, Jul 25, 2017 at 7:36 PM, Rajesh Ghosh
<ghosh.rajesh(a)gmail.com>
>>>> wrote:
>>>>
>>>>> Here is the response from curl ---
>>>>>
>>>>> $ curl -v http://192.168.99.100:8080/Olp
>>>>> UIFwk2-1.0-SNAPSHOT/services/sec/rest/us
>>>>> erservice/users -H "Authorization: Bearer $KEY"
>>>>> * Trying 192.168.99.100...
>>>>> * Connected to 192.168.99.100 (192.168.99.100) port 8080 (#0)
>>>>> > GET /OlpUIFwk2-1.0-SNAPSHOT/services/sec/rest/userservice/users
>>>>> HTTP/1.1
>>>>> > Host: 192.168.99.100:8080
>>>>> > User-Agent: curl/7.50.1
>>>>> > Accept: */*
>>>>> > Authorization: Bearer eyJhbGciOiJSUzI1NiIsInR5cCIgOi
>>>>> AiSldUIiwia2lkIiA6ICJSSEV
>>>>> TaWNCUG9OQ3doQm5CTEVrXzhYNHVmajVXeXVUbzIwemJ6T280SGZRIn0.eyJ
>>>>> qdGkiOiJkNmY2MmM5YS1
>>>>> hNjAwLTQ4ZmQtYmI3Ny0wMTI1NDQ0YmIzNWMiLCJleHAiOjE1MDA5OTAyNDg
>>>>> sIm5iZiI6MCwiaWF0Ijo
>>>>> xNTAwOTg5OTQ4LCJpc3MiOiJodHRwOi8vMTkyLjE2OC45OS4xMDA6MzAwMDE
>>>>> vYXV0aC9yZWFsbXMvYmt
>>>>> vZmMiLCJhdWQiOiJia29mYy13ZWIiLCJzdWIiOiIwYTA5MTQ0OC0wNjAyLTQ
>>>>> 2YmMtOWU4MS05MjE1Zjg
>>>>> zYjVjOTgiLCJ0eXAiOiJCZWFyZXIiLCJhenAiOiJia29mYy13ZWIiLCJhdXR
>>>>> oX3RpbWUiOjAsInNlc3N
>>>>> pb25fc3RhdGUiOiIzMjMxZjQ2Zi0yMjliLTQyZDMtYTQxOS0wODlhMjEzOTZ
>>>>> lNjciLCJhY3IiOiIxIiw
>>>>> iY2xpZW50X3Nlc3Npb24iOiI5MjFjYzM2MC03ZTkyLTQ1ZDQtYjdmNy0xNWF
>>>>> kYTY2NmE4Y2EiLCJhbGx
>>>>> vd2VkLW9yaWdpbnMiOlsiaHR0cDovLzE5Mi4xNjguOTkuMTAwOjgwODAvIl0
>>>>> sInJlYWxtX2FjY2VzcyI
>>>>> 6eyJyb2xlcyI6WyJ1bWFfYXV0aG9yaXphdGlvbiIsInVzZXIiXX0sInJlc29
>>>>> 1cmNlX2FjY2VzcyI6eyJ
>>>>> yZWFsbS1tYW5hZ2VtZW50Ijp7InJvbGVzIjpbInZpZXctcmVhbG0iLCJ2aWV
>>>>> 3LWlkZW50aXR5LXByb3Z
>>>>> pZGVycyIsIm1hbmFnZS1pZGVudGl0eS1wcm92aWRlcnMiLCJpbXBlcnNvbmF
>>>>> 0aW9uIiwicmVhbG0tYWR
>>>>> taW4iLCJjcmVhdGUtY2xpZW50IiwibWFuYWdlLXVzZXJzIiwidmlldy1hdXR
>>>>> ob3JpemF0aW9uIiwibWF
>>>>> uYWdlLWV2ZW50cyIsIm1hbmFnZS1yZWFsbSIsInZpZXctZXZlbnRzIiwidml
>>>>> ldy11c2VycyIsInZpZXc
>>>>> tY2xpZW50cyIsIm1hbmFnZS1hdXRob3JpemF0aW9uIiwibWFuYWdlLWNsaWV
>>>>> udHMiXX0sImFjY291bnQ
>>>>> iOnsicm9sZXMiOlsibWFuYWdlLWFjY291bnQiLCJtYW5hZ2UtYWNjb3VudC1
>>>>> saW5rcyIsInZpZXctcHJ
>>>>> vZmlsZSJdfX0sIm5hbWUiOiIiLCJwcmVmZXJyZWRfdXNlcm5hbWUiOiJzdXB
>>>>> lcmFkbWluIiwiZW1haWw
>>>>> iOiJ0cmlsaWEudGVjaEBnbWFpbC5jb20ifQ.JCGcaQ-8yYhoOT_DfHvNa5Hv
>>>>> G3x5WBI3ZcC4WEcBA3NU
>>>>> L-mQdUhU1aEK9G5VulcRbMeYp9f_rFnFip-N9g3JwPGhR6ozgwdXlI09JAjM
>>>>> 6zLk7cy0UKig5ghHX1-g
>>>>> Xb5EHChzhmGI_xtV77t9dcKBjW4V3f7eFwDmCMyWj8bqyoFMDTIp_Gz67Wt1
>>>>> iUXAaCZ5fIdXs3epdG82
>>>>> NhJrjQsIKiYGzUg9JY2Dkvg_tHGHESN85KsW2TNj8Jd0CuS-cF0rOqx82poh
>>>>> W6RQMAZmGyMVofsxH_uR
>>>>> rEbvpmI_ofkAUF6qCuLDD7idZC_j1ARXH-EOWxHgnSEDXc6SF2aAegmCpw
>>>>> >
>>>>> < HTTP/1.1 401 Unauthorized
>>>>> < Expires: 0
>>>>> < Cache-Control: no-cache, no-store, must-revalidate
>>>>> < X-Powered-By: Undertow/1
>>>>> < Server: WildFly/10
>>>>> < Pragma: no-cache
>>>>> < Date: Tue, 25 Jul 2017 14:04:31 GMT
>>>>> < Connection: keep-alive
>>>>> < WWW-Authenticate: Bearer realm="bkofc",
error="invalid_token",
>>>>> error_description="Didn't find publicKey for specified
kid"
>>>>> < Content-Type: text/html;charset=UTF-8
>>>>> < Content-Length: 71
>>>>> <
>>>>> * Connection #0 to host 192.168.99.100 left intact
>>>>>
<html><head><title>Error</title></head><body>Unauthorized</b
>>>>> ody></html>$
>>>>> $
>>>>>
>>>>> Thanks,
>>>>> Rajesh
>>>>>
>>>>> On Tue, Jul 25, 2017 at 7:30 PM, Rajesh Ghosh
<ghosh.rajesh(a)gmail.com
>>>>> > wrote:
>>>>>
>>>>>> Sure. I was using postman to invoke the service. This is the
command
>>>>>> used by postman --
>>>>>>
>>>>>> ------------------------------------------------------------
>>>>>> ------------
>>>>>>
>>>>>> GET /OlpUIFwk2-1.0-SNAPSHOT/services/sec/rest/userservice/users
>>>>>> HTTP/1.1
>>>>>> Host: 192.168.99.100:8080
>>>>>> Authorization: Bearer eyJhbGciOiJSUzI1NiIsInR5cCIgO
>>>>>> iAiSldUIiwia2lkIiA6ICJSSEVTaWNCUG9OQ3doQm5CTEVrXzhYNHVmajVXe
>>>>>> XVUbzIwemJ6T280SGZRIn0.eyJqdGkiOiJkNmY2MmM5YS1hNjAwLTQ4ZmQtY
>>>>>> mI3Ny0wMTI1NDQ0YmIzNWMiLCJleHAiOjE1MDA5OTAyNDgsIm5iZiI6MCwia
>>>>>> WF0IjoxNTAwOTg5OTQ4LCJpc3MiOiJodHRwOi8vMTkyLjE2OC45OS4xMDA6M
>>>>>> zAwMDEvYXV0aC9yZWFsbXMvYmtvZmMiLCJhdWQiOiJia29mYy13ZWIiLCJzd
>>>>>> WIiOiIwYTA5MTQ0OC0wNjAyLTQ2YmMtOWU4MS05MjE1ZjgzYjVjOTgiLCJ0e
>>>>>> XAiOiJCZWFyZXIiLCJhenAiOiJia29mYy13ZWIiLCJhdXRoX3RpbWUiOjAsI
>>>>>> nNlc3Npb25fc3RhdGUiOiIzMjMxZjQ2Zi0yMjliLTQyZDMtYTQxOS0wODlhM
>>>>>> jEzOTZlNjciLCJhY3IiOiIxIiwiY2xpZW50X3Nlc3Npb24iOiI5MjFjYzM2M
>>>>>> C03ZTkyLTQ1ZDQtYjdmNy0xNWFkYTY2NmE4Y2EiLCJhbGxvd2VkLW9yaWdpb
>>>>>> nMiOlsiaHR0cDovLzE5Mi4xNjguOTkuMTAwOjgwODAvIl0sInJlYWxtX2FjY
>>>>>> 2VzcyI6eyJyb2xlcyI6WyJ1bWFfYXV0aG9yaXphdGlvbiIsInVzZXIiXX0sI
>>>>>> nJlc291cmNlX2FjY2VzcyI6eyJyZWFsbS1tYW5hZ2VtZW50Ijp7InJvbGVzI
>>>>>> jpbInZpZXctcmVhbG0iLCJ2aWV3LWlkZW50aXR5LXByb3ZpZGVycyIsIm1hb
>>>>>> mFnZS1pZGVudGl0eS1wcm92aWRlcnMiLCJpbXBlcnNvbmF0aW9uIiwicmVhb
>>>>>> G0tYWRtaW4iLCJjcmVhdGUtY2xpZW50IiwibWFuYWdlLXVzZXJzIiwidmlld
>>>>>> y1hdXRob3JpemF0aW9uIiwibWFuYWdlLWV2ZW50cyIsIm1hbmFnZS1yZWFsb
>>>>>> SIsInZpZXctZXZlbnRzIiwidmlldy11c2VycyIsInZpZXctY2xpZW50cyIsI
>>>>>> m1hbmFnZS1hdXRob3JpemF0aW9uIiwibWFuYWdlLWNsaWVudHMiXX0sImFjY
>>>>>> 291bnQiOnsicm9sZXMiOlsibWFuYWdlLWFjY291bnQiLCJtYW5hZ2UtYWNjb
>>>>>> 3VudC1saW5rcyIsInZpZXctcHJvZmlsZSJdfX0sIm5hbWUiOiIiLCJwcmVmZ
>>>>>> XJyZWRfdXNlcm5hbWUiOiJzdXBlcmFkbWluIiwiZW1haWwiOiJ0cmlsaWEud
>>>>>> GVjaEBnbWFpbC5jb20ifQ.JCGcaQ-8yYhoOT_DfHvNa5HvG3x5WBI3ZcC4WE
>>>>>> cBA3NUL-mQdUhU1aEK9G5VulcRbMeYp9f_rFnFip-N9g3JwPGhR6ozgwdXlI
>>>>>> 09JAjM6zLk7cy0UKig5ghHX1-gXb5EHChzhmGI_xtV77t9dcKBjW4V3f7eFw
>>>>>> DmCMyWj8bqyoFMDTIp_Gz67Wt1iUXAaCZ5fIdXs3epdG82NhJrjQsIKiYGzU
>>>>>> g9JY2Dkvg_tHGHESN85KsW2TNj8Jd0CuS-cF0rOqx82pohW6RQMAZmGyMVof
>>>>>> sxH_uRrEbvpmI_ofkAUF6qCuLDD7idZC_j1ARXH-EOWxHgnSEDXc6SF2aAegmCpw
>>>>>> Cache-Control: no-cache
>>>>>> Postman-Token: d378eefe-82c8-9c3d-0140-ef56c62f9b97
>>>>>>
>>>>>>
>>>>>> ------------------------------------------------------------
>>>>>> ---------------
>>>>>>
>>>>>> The "userservice" is my own service for other
attributes of users. I
>>>>>> also made sure that the service executes without the security.
>>>>>>
>>>>>> Thanks,
>>>>>> Rajesh
>>>>>>
>>>>>>
>>>>>> On Tue, Jul 25, 2017 at 7:24 PM, Sebastien Blanc
<sblanc(a)redhat.com>
>>>>>> wrote:
>>>>>>
>>>>>>> Okay, to have the complete picture could paste the command
you
>>>>>>> issue to call your REST service ?
>>>>>>>
>>>>>>>
>>>>>>> On Tue, Jul 25, 2017 at 3:50 PM, Rajesh Ghosh <
>>>>>>> ghosh.rajesh(a)gmail.com> wrote:
>>>>>>>
>>>>>>>> Sebastien,
>>>>>>>>
>>>>>>>> Here is a token response -
>>>>>>>>
>>>>>>>> {
>>>>>>>> "access_token":
"eyJhbGciOiJSUzI1NiIsInR5cCIgO
>>>>>>>>
iAiSldUIiwia2lkIiA6ICJSSEVTaWNCUG9OQ3doQm5CTEVrXzhYNHVmajVXe
>>>>>>>>
XVUbzIwemJ6T280SGZRIn0.eyJqdGkiOiJkNmY2MmM5YS1hNjAwLTQ4ZmQtY
>>>>>>>>
mI3Ny0wMTI1NDQ0YmIzNWMiLCJleHAiOjE1MDA5OTAyNDgsIm5iZiI6MCwia
>>>>>>>>
WF0IjoxNTAwOTg5OTQ4LCJpc3MiOiJodHRwOi8vMTkyLjE2OC45OS4xMDA6M
>>>>>>>>
zAwMDEvYXV0aC9yZWFsbXMvYmtvZmMiLCJhdWQiOiJia29mYy13ZWIiLCJzd
>>>>>>>>
WIiOiIwYTA5MTQ0OC0wNjAyLTQ2YmMtOWU4MS05MjE1ZjgzYjVjOTgiLCJ0e
>>>>>>>>
XAiOiJCZWFyZXIiLCJhenAiOiJia29mYy13ZWIiLCJhdXRoX3RpbWUiOjAsI
>>>>>>>>
nNlc3Npb25fc3RhdGUiOiIzMjMxZjQ2Zi0yMjliLTQyZDMtYTQxOS0wODlhM
>>>>>>>>
jEzOTZlNjciLCJhY3IiOiIxIiwiY2xpZW50X3Nlc3Npb24iOiI5MjFjYzM2M
>>>>>>>>
C03ZTkyLTQ1ZDQtYjdmNy0xNWFkYTY2NmE4Y2EiLCJhbGxvd2VkLW9yaWdpb
>>>>>>>>
nMiOlsiaHR0cDovLzE5Mi4xNjguOTkuMTAwOjgwODAvIl0sInJlYWxtX2FjY
>>>>>>>>
2VzcyI6eyJyb2xlcyI6WyJ1bWFfYXV0aG9yaXphdGlvbiIsInVzZXIiXX0sI
>>>>>>>>
nJlc291cmNlX2FjY2VzcyI6eyJyZWFsbS1tYW5hZ2VtZW50Ijp7InJvbGVzI
>>>>>>>>
jpbInZpZXctcmVhbG0iLCJ2aWV3LWlkZW50aXR5LXByb3ZpZGVycyIsIm1hb
>>>>>>>>
mFnZS1pZGVudGl0eS1wcm92aWRlcnMiLCJpbXBlcnNvbmF0aW9uIiwicmVhb
>>>>>>>>
G0tYWRtaW4iLCJjcmVhdGUtY2xpZW50IiwibWFuYWdlLXVzZXJzIiwidmlld
>>>>>>>>
y1hdXRob3JpemF0aW9uIiwibWFuYWdlLWV2ZW50cyIsIm1hbmFnZS1yZWFsb
>>>>>>>>
SIsInZpZXctZXZlbnRzIiwidmlldy11c2VycyIsInZpZXctY2xpZW50cyIsI
>>>>>>>>
m1hbmFnZS1hdXRob3JpemF0aW9uIiwibWFuYWdlLWNsaWVudHMiXX0sImFjY
>>>>>>>>
291bnQiOnsicm9sZXMiOlsibWFuYWdlLWFjY291bnQiLCJtYW5hZ2UtYWNjb
>>>>>>>>
3VudC1saW5rcyIsInZpZXctcHJvZmlsZSJdfX0sIm5hbWUiOiIiLCJwcmVmZ
>>>>>>>>
XJyZWRfdXNlcm5hbWUiOiJzdXBlcmFkbWluIiwiZW1haWwiOiJ0cmlsaWEud
>>>>>>>>
GVjaEBnbWFpbC5jb20ifQ.JCGcaQ-8yYhoOT_DfHvNa5HvG3x5WBI3ZcC4WE
>>>>>>>>
cBA3NUL-mQdUhU1aEK9G5VulcRbMeYp9f_rFnFip-N9g3JwPGhR6ozgwdXlI
>>>>>>>>
09JAjM6zLk7cy0UKig5ghHX1-gXb5EHChzhmGI_xtV77t9dcKBjW4V3f7eFw
>>>>>>>>
DmCMyWj8bqyoFMDTIp_Gz67Wt1iUXAaCZ5fIdXs3epdG82NhJrjQsIKiYGzU
>>>>>>>>
g9JY2Dkvg_tHGHESN85KsW2TNj8Jd0CuS-cF0rOqx82pohW6RQMAZmGyMVof
>>>>>>>>
sxH_uRrEbvpmI_ofkAUF6qCuLDD7idZC_j1ARXH-EOWxHgnSEDXc6SF2aAegmCpw",
>>>>>>>> "expires_in": 300,
>>>>>>>> "refresh_expires_in": 1800,
>>>>>>>> "refresh_token":
"eyJhbGciOiJSUzI1NiIsInR5cCIgO
>>>>>>>>
iAiSldUIiwia2lkIiA6ICJSSEVTaWNCUG9OQ3doQm5CTEVrXzhYNHVmajVXe
>>>>>>>>
XVUbzIwemJ6T280SGZRIn0.eyJqdGkiOiIyYzE4ZjkxYi0yMDljLTQwY2ItY
>>>>>>>>
TE5OS02NGIwZTEyYjRkOGIiLCJleHAiOjE1MDA5OTE3NDgsIm5iZiI6MCwia
>>>>>>>>
WF0IjoxNTAwOTg5OTQ4LCJpc3MiOiJodHRwOi8vMTkyLjE2OC45OS4xMDA6M
>>>>>>>>
zAwMDEvYXV0aC9yZWFsbXMvYmtvZmMiLCJhdWQiOiJia29mYy13ZWIiLCJzd
>>>>>>>>
WIiOiIwYTA5MTQ0OC0wNjAyLTQ2YmMtOWU4MS05MjE1ZjgzYjVjOTgiLCJ0e
>>>>>>>>
XAiOiJSZWZyZXNoIiwiYXpwIjoiYmtvZmMtd2ViIiwiYXV0aF90aW1lIjowL
>>>>>>>>
CJzZXNzaW9uX3N0YXRlIjoiMzIzMWY0NmYtMjI5Yi00MmQzLWE0MTktMDg5Y
>>>>>>>>
TIxMzk2ZTY3IiwiY2xpZW50X3Nlc3Npb24iOiI5MjFjYzM2MC03ZTkyLTQ1Z
>>>>>>>>
DQtYjdmNy0xNWFkYTY2NmE4Y2EiLCJyZWFsbV9hY2Nlc3MiOnsicm9sZXMiO
>>>>>>>>
lsidW1hX2F1dGhvcml6YXRpb24iLCJ1c2VyIl19LCJyZXNvdXJjZV9hY2Nlc
>>>>>>>>
3MiOnsicmVhbG0tbWFuYWdlbWVudCI6eyJyb2xlcyI6WyJ2aWV3LXJlYWxtI
>>>>>>>>
iwidmlldy1pZGVudGl0eS1wcm92aWRlcnMiLCJtYW5hZ2UtaWRlbnRpdHktc
>>>>>>>>
HJvdmlkZXJzIiwiaW1wZXJzb25hdGlvbiIsInJlYWxtLWFkbWluIiwiY3JlY
>>>>>>>>
XRlLWNsaWVudCIsIm1hbmFnZS11c2VycyIsInZpZXctYXV0aG9yaXphdGlvb
>>>>>>>>
iIsIm1hbmFnZS1ldmVudHMiLCJtYW5hZ2UtcmVhbG0iLCJ2aWV3LWV2ZW50c
>>>>>>>>
yIsInZpZXctdXNlcnMiLCJ2aWV3LWNsaWVudHMiLCJtYW5hZ2UtYXV0aG9ya
>>>>>>>>
XphdGlvbiIsIm1hbmFnZS1jbGllbnRzIl19LCJhY2NvdW50Ijp7InJvbGVzI
>>>>>>>>
jpbIm1hbmFnZS1hY2NvdW50IiwibWFuYWdlLWFjY291bnQtbGlua3MiLCJ2a
>>>>>>>>
WV3LXByb2ZpbGUiXX19fQ.Uz0rqNlj09T_SdnfZK9ZxBcJ5EIEwwHCN5VwKI
>>>>>>>>
hIF6Ua32fDlf1UvZSoZTmr5jiHeiwpp4JALWGTXsda4p-PlzMvwmMN5Qp46-
>>>>>>>>
EXGJQkqH4NNqZ1W_1mRGySYokQCSkmdvAZPFGrqxpeb1seuKgaaiXXMsrvai
>>>>>>>>
ucFCa8H599Ox6QRE3MkoLmm8w7_08kPG1_JjXIviHtwoWgsb0zCcMPyHRdCv
>>>>>>>>
_rs6FIoTQiCRZ2joaXSvIsmVAkchgZbeB-_RSWzlk3_oaOCQw7OWZJRqnAdG
>>>>>>>>
gDnL5jCCRLTVFnPo9TqKrt88h3fKkVuNuI8Y06sZ1If8wgSWRDRLUf0X8sampLww",
>>>>>>>> "token_type": "bearer",
>>>>>>>> "id_token":
"eyJhbGciOiJSUzI1NiIsInR5cCIgO
>>>>>>>>
iAiSldUIiwia2lkIiA6ICJSSEVTaWNCUG9OQ3doQm5CTEVrXzhYNHVmajVXe
>>>>>>>>
XVUbzIwemJ6T280SGZRIn0.eyJqdGkiOiI2ZDJkNWMxNS01YmE3LTRhNTgtO
>>>>>>>>
TJkNC0wNGU0NTkyMjNkNGYiLCJleHAiOjE1MDA5OTAyNDgsIm5iZiI6MCwia
>>>>>>>>
WF0IjoxNTAwOTg5OTQ4LCJpc3MiOiJodHRwOi8vMTkyLjE2OC45OS4xMDA6M
>>>>>>>>
zAwMDEvYXV0aC9yZWFsbXMvYmtvZmMiLCJhdWQiOiJia29mYy13ZWIiLCJzd
>>>>>>>>
WIiOiIwYTA5MTQ0OC0wNjAyLTQ2YmMtOWU4MS05MjE1ZjgzYjVjOTgiLCJ0e
>>>>>>>>
XAiOiJJRCIsImF6cCI6ImJrb2ZjLXdlYiIsImF1dGhfdGltZSI6MCwic2Vzc
>>>>>>>>
2lvbl9zdGF0ZSI6IjMyMzFmNDZmLTIyOWItNDJkMy1hNDE5LTA4OWEyMTM5N
>>>>>>>>
mU2NyIsImFjciI6IjEiLCJuYW1lIjoiIiwicHJlZmVycmVkX3VzZXJuYW1lI
>>>>>>>>
joic3VwZXJhZG1pbiIsImVtYWlsIjoidHJpbGlhLnRlY2hAZ21haWwuY29tI
>>>>>>>>
n0.eFVxG7MImPS4yCEiLOzhvZ5M_XjRWuHJlt_T4r3djak7sH_XOXUmHAuih
>>>>>>>>
xXrm7HLv8DU3OzHpN3FinOWufOdTCv9Ywww0DRq4ha1M7dodqMuv1H5d3XVB
>>>>>>>>
n_kuHK68zWRI3t9WI4ZNeaEU0whLSnBqcbJ54dQrBloUPS4bpYG-BqfSNYs6
>>>>>>>>
bG8cyJHQ4_FRpAi3X9qWOCwaPrZ5Z_vQfNbYcgIfON_puN8QfRxihg90KQYO
>>>>>>>>
p4lJpU5JqeaVmYp9eOYTb5iQzOuLWDXenyIBmvT_K84HZKh8t5eWsqH01st-
>>>>>>>> Ls7uJcNAUM9PXRM7JswCjhouuQGBM6dn5iICoL00acuxg",
>>>>>>>> "not-before-policy": 0,
>>>>>>>> "session_state":
"3231f46f-229b-42d3-a419-089a21396e67"
>>>>>>>> }
>>>>>>>>
>>>>>>>>
>>>>>>>> I checked it in jwt.io . The kid is same as the
"rsa-generated"
>>>>>>>> one, shown in the screen shot I shared yesterday.
Although jwt complained
>>>>>>>> as "Invalid Signature" .
>>>>>>>>
>>>>>>>>
>>>>>>>> Thomas, the connectivity should not be an issue as I am
able to
>>>>>>>> get the access token from my app wildfly server using
curl. So keycloak is
>>>>>>>> reachable from my wildfly server. Anything specific you
did to resolve your
>>>>>>>> issue ?
>>>>>>>>
>>>>>>>> Regards,
>>>>>>>> Rajesh
>>>>>>>>
>>>>>>>> On Tue, Jul 25, 2017 at 11:12 AM, Sebastien Blanc <
>>>>>>>> sblanc(a)redhat.com> wrote:
>>>>>>>>
>>>>>>>>> This looks all correct. Could you try paste your
access token or
>>>>>>>>> even check it your self on jwt.io to see if the kid
is present ?
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> On Mon, Jul 24, 2017 at 6:47 PM, Rajesh Ghosh <
>>>>>>>>> ghosh.rajesh(a)gmail.com> wrote:
>>>>>>>>>
>>>>>>>>>> Sebastien,
>>>>>>>>>>
>>>>>>>>>> I am attaching a pdf containing the screen shots.
Few more
>>>>>>>>>> points I wanted to mention.
>>>>>>>>>>
>>>>>>>>>> i) I didn't install the public client --
"bkofc-web" in the
>>>>>>>>>> wildfly container which hosts my REST services. I
did it for "bkofc-svc"
>>>>>>>>>> client which is bearer only. I hope that is the
correct approach.
>>>>>>>>>> ii) Both keycloak and my application are running
on docker
>>>>>>>>>> containers locally in my laptop.
>>>>>>>>>>
>>>>>>>>>> Let me know if you need anything else to
analyze.
>>>>>>>>>>
>>>>>>>>>> Thanks,
>>>>>>>>>> Rajesh
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> On Mon, Jul 24, 2017 at 9:13 PM, Sebastien Blanc
<
>>>>>>>>>> sblanc(a)redhat.com> wrote:
>>>>>>>>>>
>>>>>>>>>>> yes please
>>>>>>>>>>>
>>>>>>>>>>> On Mon, Jul 24, 2017 at 4:54 PM, Rajesh Ghosh
<
>>>>>>>>>>> ghosh.rajesh(a)gmail.com> wrote:
>>>>>>>>>>>
>>>>>>>>>>>> Yes definitely. I did replace it with the
actual war name. Let
>>>>>>>>>>>> me know if you would like me to paste
screen shots of realm configurations,
>>>>>>>>>>>> client configurations.
>>>>>>>>>>>>
>>>>>>>>>>>> Thanks,
>>>>>>>>>>>> Rajesh
>>>>>>>>>>>>
>>>>>>>>>>>> On Mon, Jul 24, 2017 at 8:12 PM,
Sebastien Blanc <
>>>>>>>>>>>> sblanc(a)redhat.com> wrote:
>>>>>>>>>>>>
>>>>>>>>>>>>> Ok and for :
>>>>>>>>>>>>> <secure-deployment name="my
war file.war">
>>>>>>>>>>>>>
>>>>>>>>>>>>> Did you replace that with the actual
name of your war file ?
>>>>>>>>>>>>>
>>>>>>>>>>>>> On Mon, Jul 24, 2017 at 4:35 PM,
Rajesh Ghosh <
>>>>>>>>>>>>> ghosh.rajesh(a)gmail.com> wrote:
>>>>>>>>>>>>>
>>>>>>>>>>>>>> Hello Sebastien,
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> I am using 3.1.0.Final build.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Thanks,
>>>>>>>>>>>>>> Rajesh
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> On Mon, Jul 24, 2017 at 7:56 PM,
Sebastien Blanc <
>>>>>>>>>>>>>> sblanc(a)redhat.com> wrote:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Which version of Keycloak are
you using ?
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> On Mon, Jul 24, 2017 at 3:15
PM, Rajesh Ghosh <
>>>>>>>>>>>>>>> ghosh.rajesh(a)gmail.com>
wrote:
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Hi,
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> I am trying to secure my
REST services using the method
>>>>>>>>>>>>>>>> described in the
>>>>>>>>>>>>>>>> document --
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
http://blog.keycloak.org/2015/
>>>>>>>>>>>>>>>>
10/getting-started-with-keycloak-securing.html
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> I am securing my war
using JBoss subsystem , instead of
>>>>>>>>>>>>>>>> per-war option. The
>>>>>>>>>>>>>>>> relevant sections from my
standalone.xml are posted below.
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> <extensions>
>>>>>>>>>>>>>>>> ......
>>>>>>>>>>>>>>>> <extension
module="org.keycloak.keycloak-
>>>>>>>>>>>>>>>>
adapter-subsystem"/>
>>>>>>>>>>>>>>>> </extensions>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
<security-domains>
>>>>>>>>>>>>>>>> .....
>>>>>>>>>>>>>>>>
<security-domain name="keycloak">
>>>>>>>>>>>>>>>>
<authentication>
>>>>>>>>>>>>>>>>
<login-module
>>>>>>>>>>>>>>>>
code="org.keycloak.adapters.jboss.KeycloakLoginModule"
>>>>>>>>>>>>>>>>
flag="required"/>
>>>>>>>>>>>>>>>>
</authentication>
>>>>>>>>>>>>>>>>
</security-domain>
>>>>>>>>>>>>>>>>
</security-domains>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> <subsystem
xmlns="urn:jboss:domain:keycloak:1.1">
>>>>>>>>>>>>>>>>
<secure-deployment name="my war file.war">
>>>>>>>>>>>>>>>>
<realm>bkofc</realm>
>>>>>>>>>>>>>>>>
<resource>bkofc-svc</resource>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
<use-resource-role-mappings>tr
>>>>>>>>>>>>>>>>
ue</use-resource-role-mappings>
>>>>>>>>>>>>>>>>
<bearer-only>true</bearer-only>
>>>>>>>>>>>>>>>>
<auth-server-url>http://192.16
>>>>>>>>>>>>>>>> 8.99.100/30001/auth
>>>>>>>>>>>>>>>> </auth-server-url>
>>>>>>>>>>>>>>>>
<ssl-required>none</ssl-required>
>>>>>>>>>>>>>>>>
<credential
>>>>>>>>>>>>>>>>
name="secret">9bcc6d9f-9c72-4b
>>>>>>>>>>>>>>>>
58-b297-79f0f207d9e1</credential>
>>>>>>>>>>>>>>>>
</secure-deployment>
>>>>>>>>>>>>>>>>
</subsystem>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> I am able to obtain the
access token.
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> curl -i curl --data
>>>>>>>>>>>>>>>>
"grant_type=password&client_id
>>>>>>>>>>>>>>>>
=bkofc-web&username=user&password=password"
>>>>>>>>>>>>>>>>
http://192.168.99.100:30001/au
>>>>>>>>>>>>>>>>
th/realms/bkofc/protocol/openid-connect/token
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Note:- I have created 2
clients -- i) bkofc-svc which is
>>>>>>>>>>>>>>>> bearer only, for
>>>>>>>>>>>>>>>> my REST services ii)
bkofc-web , a public client to
>>>>>>>>>>>>>>>> simulate UI login
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> However when I try to use
the access token to invoke a
>>>>>>>>>>>>>>>> service, I am
>>>>>>>>>>>>>>>> getting the error -
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Status: 401
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> WWW-Authenticate Bearer
realm="bkofc",
>>>>>>>>>>>>>>>>
error="invalid_token",
>>>>>>>>>>>>>>>>
error_description="Didn't find publicKey for specified kid"
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Please let me know if I
am missing something here. I have
>>>>>>>>>>>>>>>> been breaking my
>>>>>>>>>>>>>>>> head last few days
without any luck ! I have also tried
>>>>>>>>>>>>>>>> rotating the realm
>>>>>>>>>>>>>>>> keys.
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Thanks,
>>>>>>>>>>>>>>>> Rajesh
>>>>>>>>>>>>>>>>
_______________________________________________
>>>>>>>>>>>>>>>> keycloak-user mailing
list
>>>>>>>>>>>>>>>>
keycloak-user(a)lists.jboss.org
>>>>>>>>>>>>>>>>
https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>
>>>>>
>>>>
>>>
>>
>
12:37 p.m.
Well, first I allowed all roles in my web.xml as in --
<auth-constraint>
<role-name>*</role-name>
</auth-constraint>
Even then I was hitting the issue. Then while I was going through the
client installation for wildfly subsystem, I read about the
use-resource-role-mapping --
<secure-deployment name="WAR MODULE NAME.war">
<realm>bkofc</realm>
<auth-server-url>http://192.168.99.100:30001/auth</auth-server-url>
<bearer-only>true</bearer-only>
<ssl-required>NONE</ssl-required>
<resource>bkofc-svc</resource>
<credential
name="secret">9bcc6d9f-9c72-4b58-b297-79f0f207d9e1</credential>
<use-resource-role-mappings>true</use-resource-role-mappings>
</secure-deployment>
It was set to true, as provided in keycloak console. When I turned it to
the default value "false" , everything started working. Do we know which
client configuration parameter , controls this element ? By default it
should have the default value "false", isn't it ??
Thanks for all your help into this.
Regards,
Rajesh
On Tue, Jul 25, 2017 at 8:45 PM, Sebastien Blanc <sblanc(a)redhat.com> wrote:
403, you have probably something not setup correctly with your
user's
role.
On Tue, Jul 25, 2017 at 5:09 PM, Rajesh Ghosh <ghosh.rajesh(a)gmail.com>
wrote:
> Sebastien,
>
> I could get past the 401 error after rectifying the url issue. However I
> am hitting 403 - Unauthorized exception now and there is no exception in
> log. Still investigating. But thanks for your support on the original
> issue.
>
> @Thomas Recloux , thank you for the tips as well.
>
> Regards,
> Rajesh
>
> On Tue, Jul 25, 2017 at 7:48 PM, Rajesh Ghosh <ghosh.rajesh(a)gmail.com>
> wrote:
>
>> OMG ! That was stupid ! Let me rectify that and try again.
>>
>> Thanks so much for pointing out.
>>
>> Regards,
>> Rajesh
>>
>> On Tue, Jul 25, 2017 at 7:47 PM, Sebastien Blanc <sblanc(a)redhat.com>
>> wrote:
>>
>>> Oh I think I found it : <auth-server-url>http://192.16
>>> 8.99.100/30001/auth
>>> </auth-server-url>
>>> You have a typo there , shouldn't it be http://192.168.99.100:30001/au
>>> th
>>>
<http://192.168.99.100:30001/auth/realms/bkofc/protocol/openid-connect/tok...
>>> , notice the ":" instead of "/"
>>>
>>> On Tue, Jul 25, 2017 at 4:14 PM, Sebastien Blanc <sblanc(a)redhat.com>
>>> wrote:
>>>
>>>> Oh you were faster than me on this one ;) , well you can change the
>>>> log level of you app in the standalone.xml
>>>>
>>>> On Tue, Jul 25, 2017 at 4:12 PM, Rajesh Ghosh
<ghosh.rajesh(a)gmail.com>
>>>> wrote:
>>>>
>>>>> Hello Sebastien,
>>>>>
>>>>> I was looking at the logs of my app wildfly server , as suggested
by
>>>>> another user Thomas . Here is a relevant exception stack which I
see.
>>>>>
>>>>> 13:56:29,450 ERROR
[org.keycloak.adapters.rotation.JWKPublicKeyLocator]
>>>>> (default task-12) Error when sending request to retrieve realm keys:
>>>>> org.keycloak.adapters.HttpClientAdapterException: IO error
>>>>> at org.keycloak.adapters.HttpAdapterUtils.sendJsonHttpRequest(H
>>>>> ttpAdapterUtils.java:58)
>>>>> at org.keycloak.adapters.rotation.JWKPublicKeyLocator.sendReque
>>>>> st(JWKPublicKeyLocator.java:99)
>>>>> at org.keycloak.adapters.rotation.JWKPublicKeyLocator.getPublic
>>>>> Key(JWKPublicKeyLocator.java:63)
>>>>> at org.keycloak.adapters.rotation.AdapterRSATokenVerifier.getPu
>>>>> blicKey(AdapterRSATokenVerifier.java:44)
>>>>> at org.keycloak.adapters.rotation.AdapterRSATokenVerifier.verif
>>>>> yToken(AdapterRSATokenVerifier.java:55)
>>>>> at org.keycloak.adapters.rotation.AdapterRSATokenVerifier.verif
>>>>> yToken(AdapterRSATokenVerifier.java:37)
>>>>> at org.keycloak.adapters.BearerTokenRequestAuthenticator.authen
>>>>> ticateToken(BearerTokenRequestAuthenticator.java:87)
>>>>> at org.keycloak.adapters.BearerTokenRequestAuthenticator.authen
>>>>> ticate(BearerTokenRequestAuthenticator.java:82)
>>>>> at org.keycloak.adapters.RequestAuthenticator.authenticate(Requ
>>>>> estAuthenticator.java:68)
>>>>> at org.keycloak.adapters.undertow.AbstractUndertowKeycloakAuthM
>>>>> ech.keycloakAuthenticate(AbstractUndertowKeycloakAuthMech.java:110)
>>>>> at org.keycloak.adapters.undertow.ServletKeycloakAuthMech.authe
>>>>> nticate(ServletKeycloakAuthMech.java:92)
>>>>> at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.
>>>>> transition(SecurityContextImpl.java:245)
>>>>> at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.
>>>>> transition(SecurityContextImpl.java:263)
>>>>> at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.
>>>>> access$100(SecurityContextImpl.java:231)
>>>>> at io.undertow.security.impl.SecurityContextImpl.attemptAuthent
>>>>> ication(SecurityContextImpl.java:125)
>>>>> at io.undertow.security.impl.SecurityContextImpl.authTransition
>>>>> (SecurityContextImpl.java:99)
>>>>> at io.undertow.security.impl.SecurityContextImpl.authenticate(S
>>>>> ecurityContextImpl.java:92)
>>>>> at io.undertow.servlet.handlers.security.ServletAuthenticationC
>>>>> allHandler.handleRequest(ServletAuthenticationCallHandler.java:55)
>>>>> at io.undertow.server.handlers.DisableCacheHandler.handleReques
>>>>> t(DisableCacheHandler.java:33)
>>>>> at io.undertow.server.handlers.PredicateHandler.handleRequest(P
>>>>> redicateHandler.java:43)
>>>>> at io.undertow.security.handlers.AuthenticationConstraintHandle
>>>>> r.handleRequest(AuthenticationConstraintHandler.java:53)
>>>>> at io.undertow.security.handlers.AbstractConfidentialityHandler
>>>>> .handleRequest(AbstractConfidentialityHandler.java:46)
>>>>> at io.undertow.servlet.handlers.security.ServletConfidentiality
>>>>> ConstraintHandler.handleRequest(ServletConfidentialityConstr
>>>>> aintHandler.java:64)
>>>>> at io.undertow.servlet.handlers.security.ServletSecurityConstra
>>>>> intHandler.handleRequest(ServletSecurityConstraintHandler.java:59)
>>>>> at io.undertow.security.handlers.AuthenticationMechanismsHandle
>>>>> r.handleRequest(AuthenticationMechanismsHandler.java:60)
>>>>> at io.undertow.servlet.handlers.security.CachedAuthenticatedSes
>>>>> sionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
>>>>> at io.undertow.security.handlers.NotificationReceiverHandler.ha
>>>>> ndleRequest(NotificationReceiverHandler.java:50)
>>>>> at io.undertow.security.handlers.AbstractSecurityContextAssocia
>>>>> tionHandler.handleRequest(AbstractSecurityContextAssociation
>>>>> Handler.java:43)
>>>>> at io.undertow.server.handlers.PredicateHandler.handleRequest(P
>>>>> redicateHandler.java:43)
>>>>> at org.wildfly.extension.undertow.security.jacc.JACCContextIdHa
>>>>> ndler.handleRequest(JACCContextIdHandler.java:61)
>>>>> at io.undertow.server.handlers.PredicateHandler.handleRequest(P
>>>>> redicateHandler.java:43)
>>>>> at org.keycloak.adapters.undertow.ServletPreAuthActionsHandler.
>>>>> handleRequest(ServletPreAuthActionsHandler.java:69)
>>>>> at io.undertow.server.handlers.PredicateHandler.handleRequest(P
>>>>> redicateHandler.java:43)
>>>>> at io.undertow.servlet.handlers.ServletInitialHandler.handleFir
>>>>> stRequest(ServletInitialHandler.java:292)
>>>>> at io.undertow.servlet.handlers.ServletInitialHandler.access$10
>>>>> 0(ServletInitialHandler.java:81)
>>>>> at io.undertow.servlet.handlers.ServletInitialHandler$2.call(Se
>>>>> rvletInitialHandler.java:138)
>>>>> at io.undertow.servlet.handlers.ServletInitialHandler$2.call(Se
>>>>> rvletInitialHandler.java:135)
>>>>> at io.undertow.servlet.core.ServletRequestContextThreadSetupAct
>>>>> ion$1.call(ServletRequestContextThreadSetupAction.java:48)
>>>>> at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.cal
>>>>> l(ContextClassLoaderSetupAction.java:43)
>>>>> at io.undertow.servlet.api.LegacyThreadSetupActionWrapper$1.cal
>>>>> l(LegacyThreadSetupActionWrapper.java:44)
>>>>> at io.undertow.servlet.api.LegacyThreadSetupActionWrapper$1.cal
>>>>> l(LegacyThreadSetupActionWrapper.java:44)
>>>>> at io.undertow.servlet.api.LegacyThreadSetupActionWrapper$1.cal
>>>>> l(LegacyThreadSetupActionWrapper.java:44)
>>>>> at io.undertow.servlet.api.LegacyThreadSetupActionWrapper$1.cal
>>>>> l(LegacyThreadSetupActionWrapper.java:44)
>>>>> at io.undertow.servlet.api.LegacyThreadSetupActionWrapper$1.cal
>>>>> l(LegacyThreadSetupActionWrapper.java:44)
>>>>> at io.undertow.servlet.api.LegacyThreadSetupActionWrapper$1.cal
>>>>> l(LegacyThreadSetupActionWrapper.java:44)
>>>>> at io.undertow.servlet.handlers.ServletInitialHandler.dispatchR
>>>>> equest(ServletInitialHandler.java:272)
>>>>> at io.undertow.servlet.handlers.ServletInitialHandler.access$00
>>>>> 0(ServletInitialHandler.java:81)
>>>>> at io.undertow.servlet.handlers.ServletInitialHandler$1.handleR
>>>>> equest(ServletInitialHandler.java:104)
>>>>> at io.undertow.server.Connectors.executeRootHandler(Connectors.
>>>>> java:202)
>>>>> at io.undertow.server.HttpServerExchange$1.run(HttpServerExchan
>>>>> ge.java:805)
>>>>> at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPool
>>>>> Executor.java:1142)
>>>>> at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoo
>>>>> lExecutor.java:617)
>>>>> at java.lang.Thread.run(Thread.java:748)
>>>>> Caused by: java.net.ConnectException: Connection refused (Connection
>>>>> refused)
>>>>> at java.net.PlainSocketImpl.socketConnect(Native Method)
>>>>> at java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSock
>>>>> etImpl.java:350)
>>>>> at java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPl
>>>>> ainSocketImpl.java:206)
>>>>> at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocket
>>>>> Impl.java:188)
>>>>> at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392)
>>>>> at java.net.Socket.connect(Socket.java:589)
>>>>> at org.apache.http.conn.scheme.PlainSocketFactory.connectSocket
>>>>> (PlainSocketFactory.java:117)
>>>>> at org.apache.http.impl.conn.DefaultClientConnectionOperator.op
>>>>> enConnection(DefaultClientConnectionOperator.java:177)
>>>>> at org.apache.http.impl.conn.AbstractPoolEntry.open(AbstractPoo
>>>>> lEntry.java:144)
>>>>> at org.apache.http.impl.conn.AbstractPooledConnAdapter.open(Abs
>>>>> tractPooledConnAdapter.java:131)
>>>>> at org.apache.http.impl.client.DefaultRequestDirector.tryConnec
>>>>> t(DefaultRequestDirector.java:611)
>>>>> at org.apache.http.impl.client.DefaultRequestDirector.execute(D
>>>>> efaultRequestDirector.java:446)
>>>>> at org.apache.http.impl.client.AbstractHttpClient.doExecute(Abs
>>>>> tractHttpClient.java:882)
>>>>> at org.apache.http.impl.client.CloseableHttpClient.execute(Clos
>>>>> eableHttpClient.java:82)
>>>>> at org.apache.http.impl.client.CloseableHttpClient.execute(Clos
>>>>> eableHttpClient.java:107)
>>>>> at org.apache.http.impl.client.CloseableHttpClient.execute(Clos
>>>>> eableHttpClient.java:55)
>>>>> at org.keycloak.adapters.HttpAdapterUtils.sendJsonHttpRequest(H
>>>>> ttpAdapterUtils.java:37)
>>>>> ... 52 more
>>>>> 2017-07-25T13:56:29.452564496Z
>>>>> 13:56:29,454 ERROR
[org.keycloak.adapters.rotation.AdapterRSATokenVerifier]
>>>>> (default task-12) Didn't find publicKey for kid:
>>>>> RHESicBPoNCwhBnBLEk_8X4ufj5WyuTo20zbzOo4HfQ
>>>>> 13:56:29,454 ERROR
[org.keycloak.adapters.BearerTokenRequestAuthenticator]
>>>>> (default task-12) Failed to verify token:
org.keycloak.common.VerificationException:
>>>>> Didn't find publicKey for specified kid
>>>>> at org.keycloak.adapters.rotation.AdapterRSATokenVerifier.getPu
>>>>> blicKey(AdapterRSATokenVerifier.java:47)
>>>>> at org.keycloak.adapters.rotation.AdapterRSATokenVerifier.verif
>>>>> yToken(AdapterRSATokenVerifier.java:55)
>>>>> at org.keycloak.adapters.rotation.AdapterRSATokenVerifier.verif
>>>>> yToken(AdapterRSATokenVerifier.java:37)
>>>>> at org.keycloak.adapters.BearerTokenRequestAuthenticator.authen
>>>>> ticateToken(BearerTokenRequestAuthenticator.java:87)
>>>>> at org.keycloak.adapters.BearerTokenRequestAuthenticator.authen
>>>>> ticate(BearerTokenRequestAuthenticator.java:82)
>>>>> at org.keycloak.adapters.RequestAuthenticator.authenticate(Requ
>>>>> estAuthenticator.java:68)
>>>>> at org.keycloak.adapters.undertow.AbstractUndertowKeycloakAuthM
>>>>> ech.keycloakAuthenticate(AbstractUndertowKeycloakAuthMech.java:110)
>>>>> at org.keycloak.adapters.undertow.ServletKeycloakAuthMech.authe
>>>>> nticate(ServletKeycloakAuthMech.java:92)
>>>>> at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.
>>>>> transition(SecurityContextImpl.java:245)
>>>>> at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.
>>>>> transition(SecurityContextImpl.java:263)
>>>>> at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.
>>>>> access$100(SecurityContextImpl.java:231)
>>>>> at io.undertow.security.impl.SecurityContextImpl.attemptAuthent
>>>>> ication(SecurityContextImpl.java:125)
>>>>> at io.undertow.security.impl.SecurityContextImpl.authTransition
>>>>> (SecurityContextImpl.java:99)
>>>>> at io.undertow.security.impl.SecurityContextImpl.authenticate(S
>>>>> ecurityContextImpl.java:92)
>>>>> at io.undertow.servlet.handlers.security.ServletAuthenticationC
>>>>> allHandler.handleRequest(ServletAuthenticationCallHandler.java:55)
>>>>> at io.undertow.server.handlers.DisableCacheHandler.handleReques
>>>>> t(DisableCacheHandler.java:33)
>>>>> at io.undertow.server.handlers.PredicateHandler.handleRequest(P
>>>>> redicateHandler.java:43)
>>>>> at io.undertow.security.handlers.AuthenticationConstraintHandle
>>>>> r.handleRequest(AuthenticationConstraintHandler.java:53)
>>>>> at io.undertow.security.handlers.AbstractConfidentialityHandler
>>>>> .handleRequest(AbstractConfidentialityHandler.java:46)
>>>>> at io.undertow.servlet.handlers.security.ServletConfidentiality
>>>>> ConstraintHandler.handleRequest(ServletConfidentialityConstr
>>>>> aintHandler.java:64)
>>>>> at io.undertow.servlet.handlers.security.ServletSecurityConstra
>>>>> intHandler.handleRequest(ServletSecurityConstraintHandler.java:59)
>>>>> at io.undertow.security.handlers.AuthenticationMechanismsHandle
>>>>> r.handleRequest(AuthenticationMechanismsHandler.java:60)
>>>>> at io.undertow.servlet.handlers.security.CachedAuthenticatedSes
>>>>> sionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
>>>>> at io.undertow.security.handlers.NotificationReceiverHandler.ha
>>>>> ndleRequest(NotificationReceiverHandler.java:50)
>>>>> at io.undertow.security.handlers.AbstractSecurityContextAssocia
>>>>> tionHandler.handleRequest(AbstractSecurityContextAssociation
>>>>> Handler.java:43)
>>>>> at io.undertow.server.handlers.PredicateHandler.handleRequest(P
>>>>> redicateHandler.java:43)
>>>>> at org.wildfly.extension.undertow.security.jacc.JACCContextIdHa
>>>>> ndler.handleRequest(JACCContextIdHandler.java:61)
>>>>> at io.undertow.server.handlers.PredicateHandler.handleRequest(P
>>>>> redicateHandler.java:43)
>>>>> at org.keycloak.adapters.undertow.ServletPreAuthActionsHandler.
>>>>> handleRequest(ServletPreAuthActionsHandler.java:69)
>>>>> at io.undertow.server.handlers.PredicateHandler.handleRequest(P
>>>>> redicateHandler.java:43)
>>>>> at io.undertow.servlet.handlers.ServletInitialHandler.handleFir
>>>>> stRequest(ServletInitialHandler.java:292)
>>>>> at io.undertow.servlet.handlers.ServletInitialHandler.access$10
>>>>> 0(ServletInitialHandler.java:81)
>>>>> at io.undertow.servlet.handlers.ServletInitialHandler$2.call(Se
>>>>> rvletInitialHandler.java:138)
>>>>> at io.undertow.servlet.handlers.ServletInitialHandler$2.call(Se
>>>>> rvletInitialHandler.java:135)
>>>>> at io.undertow.servlet.core.ServletRequestContextThreadSetupAct
>>>>> ion$1.call(ServletRequestContextThreadSetupAction.java:48)
>>>>> at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.cal
>>>>> l(ContextClassLoaderSetupAction.java:43)
>>>>> at io.undertow.servlet.api.LegacyThreadSetupActionWrapper$1.cal
>>>>> l(LegacyThreadSetupActionWrapper.java:44)
>>>>> at io.undertow.servlet.api.LegacyThreadSetupActionWrapper$1.cal
>>>>> l(LegacyThreadSetupActionWrapper.java:44)
>>>>> at io.undertow.servlet.api.LegacyThreadSetupActionWrapper$1.cal
>>>>> l(LegacyThreadSetupActionWrapper.java:44)
>>>>> at io.undertow.servlet.api.LegacyThreadSetupActionWrapper$1.cal
>>>>> l(LegacyThreadSetupActionWrapper.java:44)
>>>>> at io.undertow.servlet.api.LegacyThreadSetupActionWrapper$1.cal
>>>>> l(LegacyThreadSetupActionWrapper.java:44)
>>>>> at io.undertow.servlet.api.LegacyThreadSetupActionWrapper$1.cal
>>>>> l(LegacyThreadSetupActionWrapper.java:44)
>>>>> at io.undertow.servlet.handlers.ServletInitialHandler.dispatchR
>>>>> equest(ServletInitialHandler.java:272)
>>>>> at io.undertow.servlet.handlers.ServletInitialHandler.access$00
>>>>> 0(ServletInitialHandler.java:81)
>>>>> at io.undertow.servlet.handlers.ServletInitialHandler$1.handleR
>>>>> equest(ServletInitialHandler.java:104)
>>>>> at io.undertow.server.Connectors.executeRootHandler(Connectors.
>>>>> java:202)
>>>>> at io.undertow.server.HttpServerExchange$1.run(HttpServerExchan
>>>>> ge.java:805)
>>>>> at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPool
>>>>> Executor.java:1142)
>>>>> at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoo
>>>>> lExecutor.java:617)
>>>>> at java.lang.Thread.run(Thread.java:748)
>>>>>
>>>>> Is there a way to enhance the log level at the client ( i mean
>>>>> keycloak adapter ) , to see if it is a http connection issue or
something
>>>>> else ??
>>>>>
>>>>> Thanks,
>>>>> Rajesh
>>>>>
>>>>> On Tue, Jul 25, 2017 at 7:36 PM, Rajesh Ghosh
<ghosh.rajesh(a)gmail.com
>>>>> > wrote:
>>>>>
>>>>>> Here is the response from curl ---
>>>>>>
>>>>>> $ curl -v http://192.168.99.100:8080/Olp
>>>>>> UIFwk2-1.0-SNAPSHOT/services/sec/rest/us
>>>>>> erservice/users -H "Authorization: Bearer $KEY"
>>>>>> * Trying 192.168.99.100...
>>>>>> * Connected to 192.168.99.100 (192.168.99.100) port 8080 (#0)
>>>>>> > GET
/OlpUIFwk2-1.0-SNAPSHOT/services/sec/rest/userservice/users
>>>>>> HTTP/1.1
>>>>>> > Host: 192.168.99.100:8080
>>>>>> > User-Agent: curl/7.50.1
>>>>>> > Accept: */*
>>>>>> > Authorization: Bearer eyJhbGciOiJSUzI1NiIsInR5cCIgOi
>>>>>> AiSldUIiwia2lkIiA6ICJSSEV
>>>>>> TaWNCUG9OQ3doQm5CTEVrXzhYNHVmajVXeXVUbzIwemJ6T280SGZRIn0.eyJ
>>>>>> qdGkiOiJkNmY2MmM5YS1
>>>>>> hNjAwLTQ4ZmQtYmI3Ny0wMTI1NDQ0YmIzNWMiLCJleHAiOjE1MDA5OTAyNDg
>>>>>> sIm5iZiI6MCwiaWF0Ijo
>>>>>> xNTAwOTg5OTQ4LCJpc3MiOiJodHRwOi8vMTkyLjE2OC45OS4xMDA6MzAwMDE
>>>>>> vYXV0aC9yZWFsbXMvYmt
>>>>>> vZmMiLCJhdWQiOiJia29mYy13ZWIiLCJzdWIiOiIwYTA5MTQ0OC0wNjAyLTQ
>>>>>> 2YmMtOWU4MS05MjE1Zjg
>>>>>> zYjVjOTgiLCJ0eXAiOiJCZWFyZXIiLCJhenAiOiJia29mYy13ZWIiLCJhdXR
>>>>>> oX3RpbWUiOjAsInNlc3N
>>>>>> pb25fc3RhdGUiOiIzMjMxZjQ2Zi0yMjliLTQyZDMtYTQxOS0wODlhMjEzOTZ
>>>>>> lNjciLCJhY3IiOiIxIiw
>>>>>> iY2xpZW50X3Nlc3Npb24iOiI5MjFjYzM2MC03ZTkyLTQ1ZDQtYjdmNy0xNWF
>>>>>> kYTY2NmE4Y2EiLCJhbGx
>>>>>> vd2VkLW9yaWdpbnMiOlsiaHR0cDovLzE5Mi4xNjguOTkuMTAwOjgwODAvIl0
>>>>>> sInJlYWxtX2FjY2VzcyI
>>>>>> 6eyJyb2xlcyI6WyJ1bWFfYXV0aG9yaXphdGlvbiIsInVzZXIiXX0sInJlc29
>>>>>> 1cmNlX2FjY2VzcyI6eyJ
>>>>>> yZWFsbS1tYW5hZ2VtZW50Ijp7InJvbGVzIjpbInZpZXctcmVhbG0iLCJ2aWV
>>>>>> 3LWlkZW50aXR5LXByb3Z
>>>>>> pZGVycyIsIm1hbmFnZS1pZGVudGl0eS1wcm92aWRlcnMiLCJpbXBlcnNvbmF
>>>>>> 0aW9uIiwicmVhbG0tYWR
>>>>>> taW4iLCJjcmVhdGUtY2xpZW50IiwibWFuYWdlLXVzZXJzIiwidmlldy1hdXR
>>>>>> ob3JpemF0aW9uIiwibWF
>>>>>> uYWdlLWV2ZW50cyIsIm1hbmFnZS1yZWFsbSIsInZpZXctZXZlbnRzIiwidml
>>>>>> ldy11c2VycyIsInZpZXc
>>>>>> tY2xpZW50cyIsIm1hbmFnZS1hdXRob3JpemF0aW9uIiwibWFuYWdlLWNsaWV
>>>>>> udHMiXX0sImFjY291bnQ
>>>>>> iOnsicm9sZXMiOlsibWFuYWdlLWFjY291bnQiLCJtYW5hZ2UtYWNjb3VudC1
>>>>>> saW5rcyIsInZpZXctcHJ
>>>>>> vZmlsZSJdfX0sIm5hbWUiOiIiLCJwcmVmZXJyZWRfdXNlcm5hbWUiOiJzdXB
>>>>>> lcmFkbWluIiwiZW1haWw
>>>>>> iOiJ0cmlsaWEudGVjaEBnbWFpbC5jb20ifQ.JCGcaQ-8yYhoOT_DfHvNa5Hv
>>>>>> G3x5WBI3ZcC4WEcBA3NU
>>>>>> L-mQdUhU1aEK9G5VulcRbMeYp9f_rFnFip-N9g3JwPGhR6ozgwdXlI09JAjM
>>>>>> 6zLk7cy0UKig5ghHX1-g
>>>>>> Xb5EHChzhmGI_xtV77t9dcKBjW4V3f7eFwDmCMyWj8bqyoFMDTIp_Gz67Wt1
>>>>>> iUXAaCZ5fIdXs3epdG82
>>>>>> NhJrjQsIKiYGzUg9JY2Dkvg_tHGHESN85KsW2TNj8Jd0CuS-cF0rOqx82poh
>>>>>> W6RQMAZmGyMVofsxH_uR
>>>>>> rEbvpmI_ofkAUF6qCuLDD7idZC_j1ARXH-EOWxHgnSEDXc6SF2aAegmCpw
>>>>>> >
>>>>>> < HTTP/1.1 401 Unauthorized
>>>>>> < Expires: 0
>>>>>> < Cache-Control: no-cache, no-store, must-revalidate
>>>>>> < X-Powered-By: Undertow/1
>>>>>> < Server: WildFly/10
>>>>>> < Pragma: no-cache
>>>>>> < Date: Tue, 25 Jul 2017 14:04:31 GMT
>>>>>> < Connection: keep-alive
>>>>>> < WWW-Authenticate: Bearer realm="bkofc",
error="invalid_token",
>>>>>> error_description="Didn't find publicKey for specified
kid"
>>>>>> < Content-Type: text/html;charset=UTF-8
>>>>>> < Content-Length: 71
>>>>>> <
>>>>>> * Connection #0 to host 192.168.99.100 left intact
>>>>>>
<html><head><title>Error</title></head><body>Unauthorized</b
>>>>>> ody></html>$
>>>>>> $
>>>>>>
>>>>>> Thanks,
>>>>>> Rajesh
>>>>>>
>>>>>> On Tue, Jul 25, 2017 at 7:30 PM, Rajesh Ghosh <
>>>>>> ghosh.rajesh(a)gmail.com> wrote:
>>>>>>
>>>>>>> Sure. I was using postman to invoke the service. This is the
>>>>>>> command used by postman --
>>>>>>>
>>>>>>> ------------------------------------------------------------
>>>>>>> ------------
>>>>>>>
>>>>>>> GET
/OlpUIFwk2-1.0-SNAPSHOT/services/sec/rest/userservice/users
>>>>>>> HTTP/1.1
>>>>>>> Host: 192.168.99.100:8080
>>>>>>> Authorization: Bearer eyJhbGciOiJSUzI1NiIsInR5cCIgO
>>>>>>> iAiSldUIiwia2lkIiA6ICJSSEVTaWNCUG9OQ3doQm5CTEVrXzhYNHVmajVXe
>>>>>>> XVUbzIwemJ6T280SGZRIn0.eyJqdGkiOiJkNmY2MmM5YS1hNjAwLTQ4ZmQtY
>>>>>>> mI3Ny0wMTI1NDQ0YmIzNWMiLCJleHAiOjE1MDA5OTAyNDgsIm5iZiI6MCwia
>>>>>>> WF0IjoxNTAwOTg5OTQ4LCJpc3MiOiJodHRwOi8vMTkyLjE2OC45OS4xMDA6M
>>>>>>> zAwMDEvYXV0aC9yZWFsbXMvYmtvZmMiLCJhdWQiOiJia29mYy13ZWIiLCJzd
>>>>>>> WIiOiIwYTA5MTQ0OC0wNjAyLTQ2YmMtOWU4MS05MjE1ZjgzYjVjOTgiLCJ0e
>>>>>>> XAiOiJCZWFyZXIiLCJhenAiOiJia29mYy13ZWIiLCJhdXRoX3RpbWUiOjAsI
>>>>>>> nNlc3Npb25fc3RhdGUiOiIzMjMxZjQ2Zi0yMjliLTQyZDMtYTQxOS0wODlhM
>>>>>>> jEzOTZlNjciLCJhY3IiOiIxIiwiY2xpZW50X3Nlc3Npb24iOiI5MjFjYzM2M
>>>>>>> C03ZTkyLTQ1ZDQtYjdmNy0xNWFkYTY2NmE4Y2EiLCJhbGxvd2VkLW9yaWdpb
>>>>>>> nMiOlsiaHR0cDovLzE5Mi4xNjguOTkuMTAwOjgwODAvIl0sInJlYWxtX2FjY
>>>>>>> 2VzcyI6eyJyb2xlcyI6WyJ1bWFfYXV0aG9yaXphdGlvbiIsInVzZXIiXX0sI
>>>>>>> nJlc291cmNlX2FjY2VzcyI6eyJyZWFsbS1tYW5hZ2VtZW50Ijp7InJvbGVzI
>>>>>>> jpbInZpZXctcmVhbG0iLCJ2aWV3LWlkZW50aXR5LXByb3ZpZGVycyIsIm1hb
>>>>>>> mFnZS1pZGVudGl0eS1wcm92aWRlcnMiLCJpbXBlcnNvbmF0aW9uIiwicmVhb
>>>>>>> G0tYWRtaW4iLCJjcmVhdGUtY2xpZW50IiwibWFuYWdlLXVzZXJzIiwidmlld
>>>>>>> y1hdXRob3JpemF0aW9uIiwibWFuYWdlLWV2ZW50cyIsIm1hbmFnZS1yZWFsb
>>>>>>> SIsInZpZXctZXZlbnRzIiwidmlldy11c2VycyIsInZpZXctY2xpZW50cyIsI
>>>>>>> m1hbmFnZS1hdXRob3JpemF0aW9uIiwibWFuYWdlLWNsaWVudHMiXX0sImFjY
>>>>>>> 291bnQiOnsicm9sZXMiOlsibWFuYWdlLWFjY291bnQiLCJtYW5hZ2UtYWNjb
>>>>>>> 3VudC1saW5rcyIsInZpZXctcHJvZmlsZSJdfX0sIm5hbWUiOiIiLCJwcmVmZ
>>>>>>> XJyZWRfdXNlcm5hbWUiOiJzdXBlcmFkbWluIiwiZW1haWwiOiJ0cmlsaWEud
>>>>>>> GVjaEBnbWFpbC5jb20ifQ.JCGcaQ-8yYhoOT_DfHvNa5HvG3x5WBI3ZcC4WE
>>>>>>> cBA3NUL-mQdUhU1aEK9G5VulcRbMeYp9f_rFnFip-N9g3JwPGhR6ozgwdXlI
>>>>>>> 09JAjM6zLk7cy0UKig5ghHX1-gXb5EHChzhmGI_xtV77t9dcKBjW4V3f7eFw
>>>>>>> DmCMyWj8bqyoFMDTIp_Gz67Wt1iUXAaCZ5fIdXs3epdG82NhJrjQsIKiYGzU
>>>>>>> g9JY2Dkvg_tHGHESN85KsW2TNj8Jd0CuS-cF0rOqx82pohW6RQMAZmGyMVof
>>>>>>>
sxH_uRrEbvpmI_ofkAUF6qCuLDD7idZC_j1ARXH-EOWxHgnSEDXc6SF2aAegmCpw
>>>>>>> Cache-Control: no-cache
>>>>>>> Postman-Token: d378eefe-82c8-9c3d-0140-ef56c62f9b97
>>>>>>>
>>>>>>>
>>>>>>> ------------------------------------------------------------
>>>>>>> ---------------
>>>>>>>
>>>>>>> The "userservice" is my own service for other
attributes of users.
>>>>>>> I also made sure that the service executes without the
security.
>>>>>>>
>>>>>>> Thanks,
>>>>>>> Rajesh
>>>>>>>
>>>>>>>
>>>>>>> On Tue, Jul 25, 2017 at 7:24 PM, Sebastien Blanc
<sblanc(a)redhat.com
>>>>>>> > wrote:
>>>>>>>
>>>>>>>> Okay, to have the complete picture could paste the
command you
>>>>>>>> issue to call your REST service ?
>>>>>>>>
>>>>>>>>
>>>>>>>> On Tue, Jul 25, 2017 at 3:50 PM, Rajesh Ghosh <
>>>>>>>> ghosh.rajesh(a)gmail.com> wrote:
>>>>>>>>
>>>>>>>>> Sebastien,
>>>>>>>>>
>>>>>>>>> Here is a token response -
>>>>>>>>>
>>>>>>>>> {
>>>>>>>>> "access_token":
"eyJhbGciOiJSUzI1NiIsInR5cCIgO
>>>>>>>>>
iAiSldUIiwia2lkIiA6ICJSSEVTaWNCUG9OQ3doQm5CTEVrXzhYNHVmajVXe
>>>>>>>>>
XVUbzIwemJ6T280SGZRIn0.eyJqdGkiOiJkNmY2MmM5YS1hNjAwLTQ4ZmQtY
>>>>>>>>>
mI3Ny0wMTI1NDQ0YmIzNWMiLCJleHAiOjE1MDA5OTAyNDgsIm5iZiI6MCwia
>>>>>>>>>
WF0IjoxNTAwOTg5OTQ4LCJpc3MiOiJodHRwOi8vMTkyLjE2OC45OS4xMDA6M
>>>>>>>>>
zAwMDEvYXV0aC9yZWFsbXMvYmtvZmMiLCJhdWQiOiJia29mYy13ZWIiLCJzd
>>>>>>>>>
WIiOiIwYTA5MTQ0OC0wNjAyLTQ2YmMtOWU4MS05MjE1ZjgzYjVjOTgiLCJ0e
>>>>>>>>>
XAiOiJCZWFyZXIiLCJhenAiOiJia29mYy13ZWIiLCJhdXRoX3RpbWUiOjAsI
>>>>>>>>>
nNlc3Npb25fc3RhdGUiOiIzMjMxZjQ2Zi0yMjliLTQyZDMtYTQxOS0wODlhM
>>>>>>>>>
jEzOTZlNjciLCJhY3IiOiIxIiwiY2xpZW50X3Nlc3Npb24iOiI5MjFjYzM2M
>>>>>>>>>
C03ZTkyLTQ1ZDQtYjdmNy0xNWFkYTY2NmE4Y2EiLCJhbGxvd2VkLW9yaWdpb
>>>>>>>>>
nMiOlsiaHR0cDovLzE5Mi4xNjguOTkuMTAwOjgwODAvIl0sInJlYWxtX2FjY
>>>>>>>>>
2VzcyI6eyJyb2xlcyI6WyJ1bWFfYXV0aG9yaXphdGlvbiIsInVzZXIiXX0sI
>>>>>>>>>
nJlc291cmNlX2FjY2VzcyI6eyJyZWFsbS1tYW5hZ2VtZW50Ijp7InJvbGVzI
>>>>>>>>>
jpbInZpZXctcmVhbG0iLCJ2aWV3LWlkZW50aXR5LXByb3ZpZGVycyIsIm1hb
>>>>>>>>>
mFnZS1pZGVudGl0eS1wcm92aWRlcnMiLCJpbXBlcnNvbmF0aW9uIiwicmVhb
>>>>>>>>>
G0tYWRtaW4iLCJjcmVhdGUtY2xpZW50IiwibWFuYWdlLXVzZXJzIiwidmlld
>>>>>>>>>
y1hdXRob3JpemF0aW9uIiwibWFuYWdlLWV2ZW50cyIsIm1hbmFnZS1yZWFsb
>>>>>>>>>
SIsInZpZXctZXZlbnRzIiwidmlldy11c2VycyIsInZpZXctY2xpZW50cyIsI
>>>>>>>>>
m1hbmFnZS1hdXRob3JpemF0aW9uIiwibWFuYWdlLWNsaWVudHMiXX0sImFjY
>>>>>>>>>
291bnQiOnsicm9sZXMiOlsibWFuYWdlLWFjY291bnQiLCJtYW5hZ2UtYWNjb
>>>>>>>>>
3VudC1saW5rcyIsInZpZXctcHJvZmlsZSJdfX0sIm5hbWUiOiIiLCJwcmVmZ
>>>>>>>>>
XJyZWRfdXNlcm5hbWUiOiJzdXBlcmFkbWluIiwiZW1haWwiOiJ0cmlsaWEud
>>>>>>>>>
GVjaEBnbWFpbC5jb20ifQ.JCGcaQ-8yYhoOT_DfHvNa5HvG3x5WBI3ZcC4WE
>>>>>>>>>
cBA3NUL-mQdUhU1aEK9G5VulcRbMeYp9f_rFnFip-N9g3JwPGhR6ozgwdXlI
>>>>>>>>>
09JAjM6zLk7cy0UKig5ghHX1-gXb5EHChzhmGI_xtV77t9dcKBjW4V3f7eFw
>>>>>>>>>
DmCMyWj8bqyoFMDTIp_Gz67Wt1iUXAaCZ5fIdXs3epdG82NhJrjQsIKiYGzU
>>>>>>>>>
g9JY2Dkvg_tHGHESN85KsW2TNj8Jd0CuS-cF0rOqx82pohW6RQMAZmGyMVof
>>>>>>>>>
sxH_uRrEbvpmI_ofkAUF6qCuLDD7idZC_j1ARXH-EOWxHgnSEDXc6SF2aAeg
>>>>>>>>> mCpw",
>>>>>>>>> "expires_in": 300,
>>>>>>>>> "refresh_expires_in": 1800,
>>>>>>>>> "refresh_token":
"eyJhbGciOiJSUzI1NiIsInR5cCIgO
>>>>>>>>>
iAiSldUIiwia2lkIiA6ICJSSEVTaWNCUG9OQ3doQm5CTEVrXzhYNHVmajVXe
>>>>>>>>>
XVUbzIwemJ6T280SGZRIn0.eyJqdGkiOiIyYzE4ZjkxYi0yMDljLTQwY2ItY
>>>>>>>>>
TE5OS02NGIwZTEyYjRkOGIiLCJleHAiOjE1MDA5OTE3NDgsIm5iZiI6MCwia
>>>>>>>>>
WF0IjoxNTAwOTg5OTQ4LCJpc3MiOiJodHRwOi8vMTkyLjE2OC45OS4xMDA6M
>>>>>>>>>
zAwMDEvYXV0aC9yZWFsbXMvYmtvZmMiLCJhdWQiOiJia29mYy13ZWIiLCJzd
>>>>>>>>>
WIiOiIwYTA5MTQ0OC0wNjAyLTQ2YmMtOWU4MS05MjE1ZjgzYjVjOTgiLCJ0e
>>>>>>>>>
XAiOiJSZWZyZXNoIiwiYXpwIjoiYmtvZmMtd2ViIiwiYXV0aF90aW1lIjowL
>>>>>>>>>
CJzZXNzaW9uX3N0YXRlIjoiMzIzMWY0NmYtMjI5Yi00MmQzLWE0MTktMDg5Y
>>>>>>>>>
TIxMzk2ZTY3IiwiY2xpZW50X3Nlc3Npb24iOiI5MjFjYzM2MC03ZTkyLTQ1Z
>>>>>>>>>
DQtYjdmNy0xNWFkYTY2NmE4Y2EiLCJyZWFsbV9hY2Nlc3MiOnsicm9sZXMiO
>>>>>>>>>
lsidW1hX2F1dGhvcml6YXRpb24iLCJ1c2VyIl19LCJyZXNvdXJjZV9hY2Nlc
>>>>>>>>>
3MiOnsicmVhbG0tbWFuYWdlbWVudCI6eyJyb2xlcyI6WyJ2aWV3LXJlYWxtI
>>>>>>>>>
iwidmlldy1pZGVudGl0eS1wcm92aWRlcnMiLCJtYW5hZ2UtaWRlbnRpdHktc
>>>>>>>>>
HJvdmlkZXJzIiwiaW1wZXJzb25hdGlvbiIsInJlYWxtLWFkbWluIiwiY3JlY
>>>>>>>>>
XRlLWNsaWVudCIsIm1hbmFnZS11c2VycyIsInZpZXctYXV0aG9yaXphdGlvb
>>>>>>>>>
iIsIm1hbmFnZS1ldmVudHMiLCJtYW5hZ2UtcmVhbG0iLCJ2aWV3LWV2ZW50c
>>>>>>>>>
yIsInZpZXctdXNlcnMiLCJ2aWV3LWNsaWVudHMiLCJtYW5hZ2UtYXV0aG9ya
>>>>>>>>>
XphdGlvbiIsIm1hbmFnZS1jbGllbnRzIl19LCJhY2NvdW50Ijp7InJvbGVzI
>>>>>>>>>
jpbIm1hbmFnZS1hY2NvdW50IiwibWFuYWdlLWFjY291bnQtbGlua3MiLCJ2a
>>>>>>>>>
WV3LXByb2ZpbGUiXX19fQ.Uz0rqNlj09T_SdnfZK9ZxBcJ5EIEwwHCN5VwKI
>>>>>>>>>
hIF6Ua32fDlf1UvZSoZTmr5jiHeiwpp4JALWGTXsda4p-PlzMvwmMN5Qp46-
>>>>>>>>>
EXGJQkqH4NNqZ1W_1mRGySYokQCSkmdvAZPFGrqxpeb1seuKgaaiXXMsrvai
>>>>>>>>>
ucFCa8H599Ox6QRE3MkoLmm8w7_08kPG1_JjXIviHtwoWgsb0zCcMPyHRdCv
>>>>>>>>>
_rs6FIoTQiCRZ2joaXSvIsmVAkchgZbeB-_RSWzlk3_oaOCQw7OWZJRqnAdG
>>>>>>>>>
gDnL5jCCRLTVFnPo9TqKrt88h3fKkVuNuI8Y06sZ1If8wgSWRDRLUf0X8sam
>>>>>>>>> pLww",
>>>>>>>>> "token_type": "bearer",
>>>>>>>>> "id_token":
"eyJhbGciOiJSUzI1NiIsInR5cCIgO
>>>>>>>>>
iAiSldUIiwia2lkIiA6ICJSSEVTaWNCUG9OQ3doQm5CTEVrXzhYNHVmajVXe
>>>>>>>>>
XVUbzIwemJ6T280SGZRIn0.eyJqdGkiOiI2ZDJkNWMxNS01YmE3LTRhNTgtO
>>>>>>>>>
TJkNC0wNGU0NTkyMjNkNGYiLCJleHAiOjE1MDA5OTAyNDgsIm5iZiI6MCwia
>>>>>>>>>
WF0IjoxNTAwOTg5OTQ4LCJpc3MiOiJodHRwOi8vMTkyLjE2OC45OS4xMDA6M
>>>>>>>>>
zAwMDEvYXV0aC9yZWFsbXMvYmtvZmMiLCJhdWQiOiJia29mYy13ZWIiLCJzd
>>>>>>>>>
WIiOiIwYTA5MTQ0OC0wNjAyLTQ2YmMtOWU4MS05MjE1ZjgzYjVjOTgiLCJ0e
>>>>>>>>>
XAiOiJJRCIsImF6cCI6ImJrb2ZjLXdlYiIsImF1dGhfdGltZSI6MCwic2Vzc
>>>>>>>>>
2lvbl9zdGF0ZSI6IjMyMzFmNDZmLTIyOWItNDJkMy1hNDE5LTA4OWEyMTM5N
>>>>>>>>>
mU2NyIsImFjciI6IjEiLCJuYW1lIjoiIiwicHJlZmVycmVkX3VzZXJuYW1lI
>>>>>>>>>
joic3VwZXJhZG1pbiIsImVtYWlsIjoidHJpbGlhLnRlY2hAZ21haWwuY29tI
>>>>>>>>>
n0.eFVxG7MImPS4yCEiLOzhvZ5M_XjRWuHJlt_T4r3djak7sH_XOXUmHAuih
>>>>>>>>>
xXrm7HLv8DU3OzHpN3FinOWufOdTCv9Ywww0DRq4ha1M7dodqMuv1H5d3XVB
>>>>>>>>>
n_kuHK68zWRI3t9WI4ZNeaEU0whLSnBqcbJ54dQrBloUPS4bpYG-BqfSNYs6
>>>>>>>>>
bG8cyJHQ4_FRpAi3X9qWOCwaPrZ5Z_vQfNbYcgIfON_puN8QfRxihg90KQYO
>>>>>>>>>
p4lJpU5JqeaVmYp9eOYTb5iQzOuLWDXenyIBmvT_K84HZKh8t5eWsqH01st-
>>>>>>>>> Ls7uJcNAUM9PXRM7JswCjhouuQGBM6dn5iICoL00acuxg",
>>>>>>>>> "not-before-policy": 0,
>>>>>>>>> "session_state":
"3231f46f-229b-42d3-a419-089a21396e67"
>>>>>>>>> }
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> I checked it in jwt.io . The kid is same as the
"rsa-generated"
>>>>>>>>> one, shown in the screen shot I shared yesterday.
Although jwt complained
>>>>>>>>> as "Invalid Signature" .
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Thomas, the connectivity should not be an issue as I
am able to
>>>>>>>>> get the access token from my app wildfly server
using curl. So keycloak is
>>>>>>>>> reachable from my wildfly server. Anything specific
you did to resolve your
>>>>>>>>> issue ?
>>>>>>>>>
>>>>>>>>> Regards,
>>>>>>>>> Rajesh
>>>>>>>>>
>>>>>>>>> On Tue, Jul 25, 2017 at 11:12 AM, Sebastien Blanc
<
>>>>>>>>> sblanc(a)redhat.com> wrote:
>>>>>>>>>
>>>>>>>>>> This looks all correct. Could you try paste your
access token or
>>>>>>>>>> even check it your self on jwt.io to see if the
kid is present ?
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> On Mon, Jul 24, 2017 at 6:47 PM, Rajesh Ghosh
<
>>>>>>>>>> ghosh.rajesh(a)gmail.com> wrote:
>>>>>>>>>>
>>>>>>>>>>> Sebastien,
>>>>>>>>>>>
>>>>>>>>>>> I am attaching a pdf containing the screen
shots. Few more
>>>>>>>>>>> points I wanted to mention.
>>>>>>>>>>>
>>>>>>>>>>> i) I didn't install the public client
-- "bkofc-web" in the
>>>>>>>>>>> wildfly container which hosts my REST
services. I did it for "bkofc-svc"
>>>>>>>>>>> client which is bearer only. I hope that is
the correct approach.
>>>>>>>>>>> ii) Both keycloak and my application are
running on docker
>>>>>>>>>>> containers locally in my laptop.
>>>>>>>>>>>
>>>>>>>>>>> Let me know if you need anything else to
analyze.
>>>>>>>>>>>
>>>>>>>>>>> Thanks,
>>>>>>>>>>> Rajesh
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> On Mon, Jul 24, 2017 at 9:13 PM, Sebastien
Blanc <
>>>>>>>>>>> sblanc(a)redhat.com> wrote:
>>>>>>>>>>>
>>>>>>>>>>>> yes please
>>>>>>>>>>>>
>>>>>>>>>>>> On Mon, Jul 24, 2017 at 4:54 PM, Rajesh
Ghosh <
>>>>>>>>>>>> ghosh.rajesh(a)gmail.com> wrote:
>>>>>>>>>>>>
>>>>>>>>>>>>> Yes definitely. I did replace it with
the actual war name.
>>>>>>>>>>>>> Let me know if you would like me to
paste screen shots of realm
>>>>>>>>>>>>> configurations, client
configurations.
>>>>>>>>>>>>>
>>>>>>>>>>>>> Thanks,
>>>>>>>>>>>>> Rajesh
>>>>>>>>>>>>>
>>>>>>>>>>>>> On Mon, Jul 24, 2017 at 8:12 PM,
Sebastien Blanc <
>>>>>>>>>>>>> sblanc(a)redhat.com> wrote:
>>>>>>>>>>>>>
>>>>>>>>>>>>>> Ok and for :
>>>>>>>>>>>>>> <secure-deployment
name="my war file.war">
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Did you replace that with the
actual name of your war file ?
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> On Mon, Jul 24, 2017 at 4:35 PM,
Rajesh Ghosh <
>>>>>>>>>>>>>> ghosh.rajesh(a)gmail.com>
wrote:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Hello Sebastien,
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> I am using 3.1.0.Final
build.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Thanks,
>>>>>>>>>>>>>>> Rajesh
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> On Mon, Jul 24, 2017 at 7:56
PM, Sebastien Blanc <
>>>>>>>>>>>>>>> sblanc(a)redhat.com> wrote:
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Which version of Keycloak
are you using ?
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> On Mon, Jul 24, 2017 at
3:15 PM, Rajesh Ghosh <
>>>>>>>>>>>>>>>>
ghosh.rajesh(a)gmail.com> wrote:
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Hi,
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> I am trying to secure
my REST services using the method
>>>>>>>>>>>>>>>>> described in the
>>>>>>>>>>>>>>>>> document --
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>
http://blog.keycloak.org/2015/
>>>>>>>>>>>>>>>>>
10/getting-started-with-keycloak-securing.html
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> I am securing my war
using JBoss subsystem , instead of
>>>>>>>>>>>>>>>>> per-war option. The
>>>>>>>>>>>>>>>>> relevant sections
from my standalone.xml are posted
>>>>>>>>>>>>>>>>> below.
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>
<extensions>
>>>>>>>>>>>>>>>>> ......
>>>>>>>>>>>>>>>>> <extension
module="org.keycloak.keycloak-
>>>>>>>>>>>>>>>>>
adapter-subsystem"/>
>>>>>>>>>>>>>>>>>
</extensions>
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>
<security-domains>
>>>>>>>>>>>>>>>>>
.....
>>>>>>>>>>>>>>>>>
<security-domain name="keycloak">
>>>>>>>>>>>>>>>>>
<authentication>
>>>>>>>>>>>>>>>>>
<login-module
>>>>>>>>>>>>>>>>>
code="org.keycloak.adapters.jboss.KeycloakLoginModule"
>>>>>>>>>>>>>>>>>
flag="required"/>
>>>>>>>>>>>>>>>>>
</authentication>
>>>>>>>>>>>>>>>>>
</security-domain>
>>>>>>>>>>>>>>>>>
</security-domains>
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> <subsystem
xmlns="urn:jboss:domain:keycloak:1.1">
>>>>>>>>>>>>>>>>>
<secure-deployment name="my war file.war">
>>>>>>>>>>>>>>>>>
<realm>bkofc</realm>
>>>>>>>>>>>>>>>>>
<resource>bkofc-svc</resource>
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>
<use-resource-role-mappings>tr
>>>>>>>>>>>>>>>>>
ue</use-resource-role-mappings>
>>>>>>>>>>>>>>>>>
<bearer-only>true</bearer-only>
>>>>>>>>>>>>>>>>>
<auth-server-url>http://192.16
>>>>>>>>>>>>>>>>> 8.99.100/30001/auth
>>>>>>>>>>>>>>>>>
</auth-server-url>
>>>>>>>>>>>>>>>>>
<ssl-required>none</ssl-required>
>>>>>>>>>>>>>>>>>
<credential
>>>>>>>>>>>>>>>>>
name="secret">9bcc6d9f-9c72-4b
>>>>>>>>>>>>>>>>>
58-b297-79f0f207d9e1</credential>
>>>>>>>>>>>>>>>>>
</secure-deployment>
>>>>>>>>>>>>>>>>>
</subsystem>
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> I am able to obtain
the access token.
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> curl -i curl --data
>>>>>>>>>>>>>>>>>
"grant_type=password&client_id
>>>>>>>>>>>>>>>>>
=bkofc-web&username=user&password=password"
>>>>>>>>>>>>>>>>>
http://192.168.99.100:30001/au
>>>>>>>>>>>>>>>>>
th/realms/bkofc/protocol/openid-connect/token
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Note:- I have created
2 clients -- i) bkofc-svc which is
>>>>>>>>>>>>>>>>> bearer only, for
>>>>>>>>>>>>>>>>> my REST services ii)
bkofc-web , a public client to
>>>>>>>>>>>>>>>>> simulate UI login
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> However when I try to
use the access token to invoke a
>>>>>>>>>>>>>>>>> service, I am
>>>>>>>>>>>>>>>>> getting the error -
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Status: 401
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> WWW-Authenticate
Bearer realm="bkofc",
>>>>>>>>>>>>>>>>>
error="invalid_token",
>>>>>>>>>>>>>>>>>
error_description="Didn't find publicKey for specified
>>>>>>>>>>>>>>>>> kid"
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Please let me know if
I am missing something here. I have
>>>>>>>>>>>>>>>>> been breaking my
>>>>>>>>>>>>>>>>> head last few days
without any luck ! I have also tried
>>>>>>>>>>>>>>>>> rotating the realm
>>>>>>>>>>>>>>>>> keys.
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Thanks,
>>>>>>>>>>>>>>>>> Rajesh
>>>>>>>>>>>>>>>>>
_______________________________________________
>>>>>>>>>>>>>>>>> keycloak-user mailing
list
>>>>>>>>>>>>>>>>>
keycloak-user(a)lists.jboss.org
>>>>>>>>>>>>>>>>>
https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>
>>>>>
>>>>
>>>
>>
>
9:13 a.m.
In the WildFly logs you should have also the error : Didn't find publicKey
for specified kid : <your kid> , can you double check it's printing the kid
?
On Tue, Jul 25, 2017 at 4:06 PM, Rajesh Ghosh <ghosh.rajesh(a)gmail.com>
wrote:
Here is the response from curl ---
$ curl -v http://192.168.99.100:8080/OlpUIFwk2-1.0-SNAPSHOT/
services/sec/rest/us
erservice/users -H "Authorization: Bearer $KEY"
* Trying 192.168.99.100...
* Connected to 192.168.99.100 (192.168.99.100) port 8080 (#0)
> GET /OlpUIFwk2-1.0-SNAPSHOT/services/sec/rest/userservice/users HTTP/1.1
> Host: 192.168.99.100:8080
> User-Agent: curl/7.50.1
> Accept: */*
> Authorization: Bearer eyJhbGciOiJSUzI1NiIsInR5cCIgOi
AiSldUIiwia2lkIiA6ICJSSEV
TaWNCUG9OQ3doQm5CTEVrXzhYNHVmajVXeXVUbzIwemJ6T280SGZRIn0.
eyJqdGkiOiJkNmY2MmM5YS1
hNjAwLTQ4ZmQtYmI3Ny0wMTI1NDQ0YmIzNWMiLCJleHAiOjE1MDA5OTAyNDg
sIm5iZiI6MCwiaWF0Ijo
xNTAwOTg5OTQ4LCJpc3MiOiJodHRwOi8vMTkyLjE2OC45OS4xMDA6MzAwMDE
vYXV0aC9yZWFsbXMvYmt
vZmMiLCJhdWQiOiJia29mYy13ZWIiLCJzdWIiOiIwYTA5MTQ0OC0wNjAyLTQ
2YmMtOWU4MS05MjE1Zjg
zYjVjOTgiLCJ0eXAiOiJCZWFyZXIiLCJhenAiOiJia29mYy13ZWIiLCJhdXR
oX3RpbWUiOjAsInNlc3N
pb25fc3RhdGUiOiIzMjMxZjQ2Zi0yMjliLTQyZDMtYTQxOS0wODlhMjEzOTZ
lNjciLCJhY3IiOiIxIiw
iY2xpZW50X3Nlc3Npb24iOiI5MjFjYzM2MC03ZTkyLTQ1ZDQtYjdmNy0xNWF
kYTY2NmE4Y2EiLCJhbGx
vd2VkLW9yaWdpbnMiOlsiaHR0cDovLzE5Mi4xNjguOTkuMTAwOjgwODAvIl0
sInJlYWxtX2FjY2VzcyI
6eyJyb2xlcyI6WyJ1bWFfYXV0aG9yaXphdGlvbiIsInVzZXIiXX0sInJlc29
1cmNlX2FjY2VzcyI6eyJ
yZWFsbS1tYW5hZ2VtZW50Ijp7InJvbGVzIjpbInZpZXctcmVhbG0iLCJ2aWV
3LWlkZW50aXR5LXByb3Z
pZGVycyIsIm1hbmFnZS1pZGVudGl0eS1wcm92aWRlcnMiLCJpbXBlcnNvbmF
0aW9uIiwicmVhbG0tYWR
taW4iLCJjcmVhdGUtY2xpZW50IiwibWFuYWdlLXVzZXJzIiwidmlldy1hdXR
ob3JpemF0aW9uIiwibWF
uYWdlLWV2ZW50cyIsIm1hbmFnZS1yZWFsbSIsInZpZXctZXZlbnRzIiwidml
ldy11c2VycyIsInZpZXc
tY2xpZW50cyIsIm1hbmFnZS1hdXRob3JpemF0aW9uIiwibWFuYWdlLWNsaWV
udHMiXX0sImFjY291bnQ
iOnsicm9sZXMiOlsibWFuYWdlLWFjY291bnQiLCJtYW5hZ2UtYWNjb3VudC1
saW5rcyIsInZpZXctcHJ
vZmlsZSJdfX0sIm5hbWUiOiIiLCJwcmVmZXJyZWRfdXNlcm5hbWUiOiJzdXB
lcmFkbWluIiwiZW1haWw
iOiJ0cmlsaWEudGVjaEBnbWFpbC5jb20ifQ.JCGcaQ-8yYhoOT_
DfHvNa5HvG3x5WBI3ZcC4WEcBA3NU
L-mQdUhU1aEK9G5VulcRbMeYp9f_rFnFip-N9g3JwPGhR6ozgwdXlI09JAjM6zLk7
cy0UKig5ghHX1-g
Xb5EHChzhmGI_xtV77t9dcKBjW4V3f7eFwDmCMyWj8bqyoFMDTIp_
Gz67Wt1iUXAaCZ5fIdXs3epdG82
NhJrjQsIKiYGzUg9JY2Dkvg_tHGHESN85KsW2TNj8Jd0CuS-
cF0rOqx82pohW6RQMAZmGyMVofsxH_uR
rEbvpmI_ofkAUF6qCuLDD7idZC_j1ARXH-EOWxHgnSEDXc6SF2aAegmCpw
>
< HTTP/1.1 401 Unauthorized
< Expires: 0
< Cache-Control: no-cache, no-store, must-revalidate
< X-Powered-By: Undertow/1
< Server: WildFly/10
< Pragma: no-cache
< Date: Tue, 25 Jul 2017 14:04:31 GMT
< Connection: keep-alive
< WWW-Authenticate: Bearer realm="bkofc", error="invalid_token",
error_description="Didn't find publicKey for specified kid"
< Content-Type: text/html;charset=UTF-8
< Content-Length: 71
<
* Connection #0 to host 192.168.99.100 left intact
<html><head><title>Error</title></head><body>Unauthorized</body></html>$
$
Thanks,
Rajesh
On Tue, Jul 25, 2017 at 7:30 PM, Rajesh Ghosh <ghosh.rajesh(a)gmail.com>
wrote:
> Sure. I was using postman to invoke the service. This is the command used
> by postman --
>
> ------------------------------------------------------------------------
>
> GET /OlpUIFwk2-1.0-SNAPSHOT/services/sec/rest/userservice/users HTTP/1.1
> Host: 192.168.99.100:8080
> Authorization: Bearer eyJhbGciOiJSUzI1NiIsInR5cCIgO
> iAiSldUIiwia2lkIiA6ICJSSEVTaWNCUG9OQ3doQm5CTEVrXzhYNHVmajVXe
> XVUbzIwemJ6T280SGZRIn0.eyJqdGkiOiJkNmY2MmM5YS1hNjAwLTQ4ZmQtY
> mI3Ny0wMTI1NDQ0YmIzNWMiLCJleHAiOjE1MDA5OTAyNDgsIm5iZiI6MCwia
> WF0IjoxNTAwOTg5OTQ4LCJpc3MiOiJodHRwOi8vMTkyLjE2OC45OS4xMDA6M
> zAwMDEvYXV0aC9yZWFsbXMvYmtvZmMiLCJhdWQiOiJia29mYy13ZWIiLCJzd
> WIiOiIwYTA5MTQ0OC0wNjAyLTQ2YmMtOWU4MS05MjE1ZjgzYjVjOTgiLCJ0e
> XAiOiJCZWFyZXIiLCJhenAiOiJia29mYy13ZWIiLCJhdXRoX3RpbWUiOjAsI
> nNlc3Npb25fc3RhdGUiOiIzMjMxZjQ2Zi0yMjliLTQyZDMtYTQxOS0wODlhM
> jEzOTZlNjciLCJhY3IiOiIxIiwiY2xpZW50X3Nlc3Npb24iOiI5MjFjYzM2M
> C03ZTkyLTQ1ZDQtYjdmNy0xNWFkYTY2NmE4Y2EiLCJhbGxvd2VkLW9yaWdpb
> nMiOlsiaHR0cDovLzE5Mi4xNjguOTkuMTAwOjgwODAvIl0sInJlYWxtX2FjY
> 2VzcyI6eyJyb2xlcyI6WyJ1bWFfYXV0aG9yaXphdGlvbiIsInVzZXIiXX0sI
> nJlc291cmNlX2FjY2VzcyI6eyJyZWFsbS1tYW5hZ2VtZW50Ijp7InJvbGVzI
> jpbInZpZXctcmVhbG0iLCJ2aWV3LWlkZW50aXR5LXByb3ZpZGVycyIsIm1hb
> mFnZS1pZGVudGl0eS1wcm92aWRlcnMiLCJpbXBlcnNvbmF0aW9uIiwicmVhb
> G0tYWRtaW4iLCJjcmVhdGUtY2xpZW50IiwibWFuYWdlLXVzZXJzIiwidmlld
> y1hdXRob3JpemF0aW9uIiwibWFuYWdlLWV2ZW50cyIsIm1hbmFnZS1yZWFsb
> SIsInZpZXctZXZlbnRzIiwidmlldy11c2VycyIsInZpZXctY2xpZW50cyIsI
> m1hbmFnZS1hdXRob3JpemF0aW9uIiwibWFuYWdlLWNsaWVudHMiXX0sImFjY
> 291bnQiOnsicm9sZXMiOlsibWFuYWdlLWFjY291bnQiLCJtYW5hZ2UtYWNjb
> 3VudC1saW5rcyIsInZpZXctcHJvZmlsZSJdfX0sIm5hbWUiOiIiLCJwcmVmZ
> XJyZWRfdXNlcm5hbWUiOiJzdXBlcmFkbWluIiwiZW1haWwiOiJ0cmlsaWEud
> GVjaEBnbWFpbC5jb20ifQ.JCGcaQ-8yYhoOT_DfHvNa5HvG3x5WBI3ZcC4WEcBA3NUL-
> mQdUhU1aEK9G5VulcRbMeYp9f_rFnFip-N9g3JwPGhR6ozgwdXlI09JAjM6z
> Lk7cy0UKig5ghHX1-gXb5EHChzhmGI_xtV77t9dcKBjW4V3
> f7eFwDmCMyWj8bqyoFMDTIp_Gz67Wt1iUXAaCZ5fIdXs3epdG82NhJrjQsIK
> iYGzUg9JY2Dkvg_tHGHESN85KsW2TNj8Jd0CuS-cF0rOqx82pohW6RQMAZmG
> yMVofsxH_uRrEbvpmI_ofkAUF6qCuLDD7idZC_j1ARXH-EOWxHgnSEDXc6SF2aAegmCpw
> Cache-Control: no-cache
> Postman-Token: d378eefe-82c8-9c3d-0140-ef56c62f9b97
>
>
> ------------------------------------------------------------
> ---------------
>
> The "userservice" is my own service for other attributes of users. I also
> made sure that the service executes without the security.
>
> Thanks,
> Rajesh
>
>
> On Tue, Jul 25, 2017 at 7:24 PM, Sebastien Blanc <sblanc(a)redhat.com>
> wrote:
>
>> Okay, to have the complete picture could paste the command you issue to
>> call your REST service ?
>>
>>
>> On Tue, Jul 25, 2017 at 3:50 PM, Rajesh Ghosh <ghosh.rajesh(a)gmail.com>
>> wrote:
>>
>>> Sebastien,
>>>
>>> Here is a token response -
>>>
>>> {
>>> "access_token": "eyJhbGciOiJSUzI1NiIsInR5cCIgO
>>> iAiSldUIiwia2lkIiA6ICJSSEVTaWNCUG9OQ3doQm5CTEVrXzhYNHVmajVXe
>>> XVUbzIwemJ6T280SGZRIn0.eyJqdGkiOiJkNmY2MmM5YS1hNjAwLTQ4ZmQtY
>>> mI3Ny0wMTI1NDQ0YmIzNWMiLCJleHAiOjE1MDA5OTAyNDgsIm5iZiI6MCwia
>>> WF0IjoxNTAwOTg5OTQ4LCJpc3MiOiJodHRwOi8vMTkyLjE2OC45OS4xMDA6M
>>> zAwMDEvYXV0aC9yZWFsbXMvYmtvZmMiLCJhdWQiOiJia29mYy13ZWIiLCJzd
>>> WIiOiIwYTA5MTQ0OC0wNjAyLTQ2YmMtOWU4MS05MjE1ZjgzYjVjOTgiLCJ0e
>>> XAiOiJCZWFyZXIiLCJhenAiOiJia29mYy13ZWIiLCJhdXRoX3RpbWUiOjAsI
>>> nNlc3Npb25fc3RhdGUiOiIzMjMxZjQ2Zi0yMjliLTQyZDMtYTQxOS0wODlhM
>>> jEzOTZlNjciLCJhY3IiOiIxIiwiY2xpZW50X3Nlc3Npb24iOiI5MjFjYzM2M
>>> C03ZTkyLTQ1ZDQtYjdmNy0xNWFkYTY2NmE4Y2EiLCJhbGxvd2VkLW9yaWdpb
>>> nMiOlsiaHR0cDovLzE5Mi4xNjguOTkuMTAwOjgwODAvIl0sInJlYWxtX2FjY
>>> 2VzcyI6eyJyb2xlcyI6WyJ1bWFfYXV0aG9yaXphdGlvbiIsInVzZXIiXX0sI
>>> nJlc291cmNlX2FjY2VzcyI6eyJyZWFsbS1tYW5hZ2VtZW50Ijp7InJvbGVzI
>>> jpbInZpZXctcmVhbG0iLCJ2aWV3LWlkZW50aXR5LXByb3ZpZGVycyIsIm1hb
>>> mFnZS1pZGVudGl0eS1wcm92aWRlcnMiLCJpbXBlcnNvbmF0aW9uIiwicmVhb
>>> G0tYWRtaW4iLCJjcmVhdGUtY2xpZW50IiwibWFuYWdlLXVzZXJzIiwidmlld
>>> y1hdXRob3JpemF0aW9uIiwibWFuYWdlLWV2ZW50cyIsIm1hbmFnZS1yZWFsb
>>> SIsInZpZXctZXZlbnRzIiwidmlldy11c2VycyIsInZpZXctY2xpZW50cyIsI
>>> m1hbmFnZS1hdXRob3JpemF0aW9uIiwibWFuYWdlLWNsaWVudHMiXX0sImFjY
>>> 291bnQiOnsicm9sZXMiOlsibWFuYWdlLWFjY291bnQiLCJtYW5hZ2UtYWNjb
>>> 3VudC1saW5rcyIsInZpZXctcHJvZmlsZSJdfX0sIm5hbWUiOiIiLCJwcmVmZ
>>> XJyZWRfdXNlcm5hbWUiOiJzdXBlcmFkbWluIiwiZW1haWwiOiJ0cmlsaWEud
>>> GVjaEBnbWFpbC5jb20ifQ.JCGcaQ-8yYhoOT_DfHvNa5HvG3x5WBI3ZcC4WE
>>> cBA3NUL-mQdUhU1aEK9G5VulcRbMeYp9f_rFnFip-N9g3JwPGhR6ozgwdXlI
>>> 09JAjM6zLk7cy0UKig5ghHX1-gXb5EHChzhmGI_xtV77t9dcKBjW4V3
>>> f7eFwDmCMyWj8bqyoFMDTIp_Gz67Wt1iUXAaCZ5fIdXs3epdG82NhJ
>>> rjQsIKiYGzUg9JY2Dkvg_tHGHESN85KsW2TNj8Jd0CuS-cF0rOq
>>> x82pohW6RQMAZmGyMVofsxH_uRrEbvpmI_ofkAUF6qCuLDD7idZC_j1ARXH-
>>> EOWxHgnSEDXc6SF2aAegmCpw",
>>> "expires_in": 300,
>>> "refresh_expires_in": 1800,
>>> "refresh_token": "eyJhbGciOiJSUzI1NiIsInR5cCIgO
>>> iAiSldUIiwia2lkIiA6ICJSSEVTaWNCUG9OQ3doQm5CTEVrXzhYNHVmajVXe
>>> XVUbzIwemJ6T280SGZRIn0.eyJqdGkiOiIyYzE4ZjkxYi0yMDljLTQwY2ItY
>>> TE5OS02NGIwZTEyYjRkOGIiLCJleHAiOjE1MDA5OTE3NDgsIm5iZiI6MCwia
>>> WF0IjoxNTAwOTg5OTQ4LCJpc3MiOiJodHRwOi8vMTkyLjE2OC45OS4xMDA6M
>>> zAwMDEvYXV0aC9yZWFsbXMvYmtvZmMiLCJhdWQiOiJia29mYy13ZWIiLCJzd
>>> WIiOiIwYTA5MTQ0OC0wNjAyLTQ2YmMtOWU4MS05MjE1ZjgzYjVjOTgiLCJ0e
>>> XAiOiJSZWZyZXNoIiwiYXpwIjoiYmtvZmMtd2ViIiwiYXV0aF90aW1lIjowL
>>> CJzZXNzaW9uX3N0YXRlIjoiMzIzMWY0NmYtMjI5Yi00MmQzLWE0MTktMDg5Y
>>> TIxMzk2ZTY3IiwiY2xpZW50X3Nlc3Npb24iOiI5MjFjYzM2MC03ZTkyLTQ1Z
>>> DQtYjdmNy0xNWFkYTY2NmE4Y2EiLCJyZWFsbV9hY2Nlc3MiOnsicm9sZXMiO
>>> lsidW1hX2F1dGhvcml6YXRpb24iLCJ1c2VyIl19LCJyZXNvdXJjZV9hY2Nlc
>>> 3MiOnsicmVhbG0tbWFuYWdlbWVudCI6eyJyb2xlcyI6WyJ2aWV3LXJlYWxtI
>>> iwidmlldy1pZGVudGl0eS1wcm92aWRlcnMiLCJtYW5hZ2UtaWRlbnRpdHktc
>>> HJvdmlkZXJzIiwiaW1wZXJzb25hdGlvbiIsInJlYWxtLWFkbWluIiwiY3JlY
>>> XRlLWNsaWVudCIsIm1hbmFnZS11c2VycyIsInZpZXctYXV0aG9yaXphdGlvb
>>> iIsIm1hbmFnZS1ldmVudHMiLCJtYW5hZ2UtcmVhbG0iLCJ2aWV3LWV2ZW50c
>>> yIsInZpZXctdXNlcnMiLCJ2aWV3LWNsaWVudHMiLCJtYW5hZ2UtYXV0aG9ya
>>> XphdGlvbiIsIm1hbmFnZS1jbGllbnRzIl19LCJhY2NvdW50Ijp7InJvbGVzI
>>> jpbIm1hbmFnZS1hY2NvdW50IiwibWFuYWdlLWFjY291bnQtbGlua3MiLCJ2a
>>> WV3LXByb2ZpbGUiXX19fQ.Uz0rqNlj09T_SdnfZK9ZxBcJ5EIEwwHCN5VwKI
>>> hIF6Ua32fDlf1UvZSoZTmr5jiHeiwpp4JALWGTXsda4p-PlzMvwmMN5Qp46-
>>> EXGJQkqH4NNqZ1W_1mRGySYokQCSkmdvAZPFGrqxpeb1seuKgaaiXXMsrvai
>>> ucFCa8H599Ox6QRE3MkoLmm8w7_08kPG1_JjXIviHtwoWgsb0zCcMPyHRdCv
>>> _rs6FIoTQiCRZ2joaXSvIsmVAkchgZbeB-_RSWzlk3_oaOCQw7OWZJRqnAdG
>>> gDnL5jCCRLTVFnPo9TqKrt88h3fKkVuNuI8Y06sZ1If8wgSWRDRLUf0X8sampLww",
>>> "token_type": "bearer",
>>> "id_token": "eyJhbGciOiJSUzI1NiIsInR5cCIgO
>>> iAiSldUIiwia2lkIiA6ICJSSEVTaWNCUG9OQ3doQm5CTEVrXzhYNHVmajVXe
>>> XVUbzIwemJ6T280SGZRIn0.eyJqdGkiOiI2ZDJkNWMxNS01YmE3LTRhNTgtO
>>> TJkNC0wNGU0NTkyMjNkNGYiLCJleHAiOjE1MDA5OTAyNDgsIm5iZiI6MCwia
>>> WF0IjoxNTAwOTg5OTQ4LCJpc3MiOiJodHRwOi8vMTkyLjE2OC45OS4xMDA6M
>>> zAwMDEvYXV0aC9yZWFsbXMvYmtvZmMiLCJhdWQiOiJia29mYy13ZWIiLCJzd
>>> WIiOiIwYTA5MTQ0OC0wNjAyLTQ2YmMtOWU4MS05MjE1ZjgzYjVjOTgiLCJ0e
>>> XAiOiJJRCIsImF6cCI6ImJrb2ZjLXdlYiIsImF1dGhfdGltZSI6MCwic2Vzc
>>> 2lvbl9zdGF0ZSI6IjMyMzFmNDZmLTIyOWItNDJkMy1hNDE5LTA4OWEyMTM5N
>>> mU2NyIsImFjciI6IjEiLCJuYW1lIjoiIiwicHJlZmVycmVkX3VzZXJuYW1lI
>>> joic3VwZXJhZG1pbiIsImVtYWlsIjoidHJpbGlhLnRlY2hAZ21haWwuY29tI
>>> n0.eFVxG7MImPS4yCEiLOzhvZ5M_XjRWuHJlt_T4r3djak7sH_XOXUmHAuih
>>> xXrm7HLv8DU3OzHpN3FinOWufOdTCv9Ywww0DRq4ha1M7dodqMuv1H5d3XVB
>>> n_kuHK68zWRI3t9WI4ZNeaEU0whLSnBqcbJ54dQrBloUPS4bpYG-BqfSNYs6
>>> bG8cyJHQ4_FRpAi3X9qWOCwaPrZ5Z_vQfNbYcgIfON_puN8QfRxihg90KQYO
>>> p4lJpU5JqeaVmYp9eOYTb5iQzOuLWDXenyIBmvT_K84HZKh8t5eWsqH01st-
>>> Ls7uJcNAUM9PXRM7JswCjhouuQGBM6dn5iICoL00acuxg",
>>> "not-before-policy": 0,
>>> "session_state":
"3231f46f-229b-42d3-a419-089a21396e67"
>>> }
>>>
>>>
>>> I checked it in jwt.io . The kid is same as the "rsa-generated"
one,
>>> shown in the screen shot I shared yesterday. Although jwt complained as
>>> "Invalid Signature" .
>>>
>>>
>>> Thomas, the connectivity should not be an issue as I am able to get the
>>> access token from my app wildfly server using curl. So keycloak is
>>> reachable from my wildfly server. Anything specific you did to resolve your
>>> issue ?
>>>
>>> Regards,
>>> Rajesh
>>>
>>> On Tue, Jul 25, 2017 at 11:12 AM, Sebastien Blanc <sblanc(a)redhat.com>
>>> wrote:
>>>
>>>> This looks all correct. Could you try paste your access token or even
>>>> check it your self on jwt.io to see if the kid is present ?
>>>>
>>>>
>>>> On Mon, Jul 24, 2017 at 6:47 PM, Rajesh Ghosh
<ghosh.rajesh(a)gmail.com>
>>>> wrote:
>>>>
>>>>> Sebastien,
>>>>>
>>>>> I am attaching a pdf containing the screen shots. Few more points I
>>>>> wanted to mention.
>>>>>
>>>>> i) I didn't install the public client -- "bkofc-web"
in the
>>>>> wildfly container which hosts my REST services. I did it for
"bkofc-svc"
>>>>> client which is bearer only. I hope that is the correct approach.
>>>>> ii) Both keycloak and my application are running on docker
>>>>> containers locally in my laptop.
>>>>>
>>>>> Let me know if you need anything else to analyze.
>>>>>
>>>>> Thanks,
>>>>> Rajesh
>>>>>
>>>>>
>>>>> On Mon, Jul 24, 2017 at 9:13 PM, Sebastien Blanc
<sblanc(a)redhat.com>
>>>>> wrote:
>>>>>
>>>>>> yes please
>>>>>>
>>>>>> On Mon, Jul 24, 2017 at 4:54 PM, Rajesh Ghosh <
>>>>>> ghosh.rajesh(a)gmail.com> wrote:
>>>>>>
>>>>>>> Yes definitely. I did replace it with the actual war name.
Let me
>>>>>>> know if you would like me to paste screen shots of realm
configurations,
>>>>>>> client configurations.
>>>>>>>
>>>>>>> Thanks,
>>>>>>> Rajesh
>>>>>>>
>>>>>>> On Mon, Jul 24, 2017 at 8:12 PM, Sebastien Blanc
<sblanc(a)redhat.com
>>>>>>> > wrote:
>>>>>>>
>>>>>>>> Ok and for :
>>>>>>>> <secure-deployment name="my war
file.war">
>>>>>>>>
>>>>>>>> Did you replace that with the actual name of your war
file ?
>>>>>>>>
>>>>>>>> On Mon, Jul 24, 2017 at 4:35 PM, Rajesh Ghosh <
>>>>>>>> ghosh.rajesh(a)gmail.com> wrote:
>>>>>>>>
>>>>>>>>> Hello Sebastien,
>>>>>>>>>
>>>>>>>>> I am using 3.1.0.Final build.
>>>>>>>>>
>>>>>>>>> Thanks,
>>>>>>>>> Rajesh
>>>>>>>>>
>>>>>>>>> On Mon, Jul 24, 2017 at 7:56 PM, Sebastien Blanc
<
>>>>>>>>> sblanc(a)redhat.com> wrote:
>>>>>>>>>
>>>>>>>>>> Which version of Keycloak are you using ?
>>>>>>>>>>
>>>>>>>>>> On Mon, Jul 24, 2017 at 3:15 PM, Rajesh Ghosh
<
>>>>>>>>>> ghosh.rajesh(a)gmail.com> wrote:
>>>>>>>>>>
>>>>>>>>>>> Hi,
>>>>>>>>>>>
>>>>>>>>>>> I am trying to secure my REST services using
the method
>>>>>>>>>>> described in the
>>>>>>>>>>> document --
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
http://blog.keycloak.org/2015/10/getting-started-with-keyclo
>>>>>>>>>>> ak-securing.html
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> I am securing my war using JBoss subsystem ,
instead of per-war
>>>>>>>>>>> option. The
>>>>>>>>>>> relevant sections from my standalone.xml are
posted below.
>>>>>>>>>>>
>>>>>>>>>>> <extensions>
>>>>>>>>>>> ......
>>>>>>>>>>> <extension
module="org.keycloak.keycloak-
>>>>>>>>>>> adapter-subsystem"/>
>>>>>>>>>>> </extensions>
>>>>>>>>>>>
>>>>>>>>>>> <security-domains>
>>>>>>>>>>> .....
>>>>>>>>>>> <security-domain
name="keycloak">
>>>>>>>>>>> <authentication>
>>>>>>>>>>> <login-module
>>>>>>>>>>>
code="org.keycloak.adapters.jboss.KeycloakLoginModule"
>>>>>>>>>>> flag="required"/>
>>>>>>>>>>> </authentication>
>>>>>>>>>>> </security-domain>
>>>>>>>>>>> </security-domains>
>>>>>>>>>>>
>>>>>>>>>>> <subsystem
xmlns="urn:jboss:domain:keycloak:1.1">
>>>>>>>>>>> <secure-deployment
name="my war file.war">
>>>>>>>>>>>
<realm>bkofc</realm>
>>>>>>>>>>>
<resource>bkofc-svc</resource>
>>>>>>>>>>>
>>>>>>>>>>>
<use-resource-role-mappings>true</use-resource-role-mappings>
>>>>>>>>>>>
<bearer-only>true</bearer-only>
>>>>>>>>>>>
<auth-server-url>http://192.16
>>>>>>>>>>> 8.99.100/30001/auth
>>>>>>>>>>> </auth-server-url>
>>>>>>>>>>>
<ssl-required>none</ssl-required>
>>>>>>>>>>> <credential
>>>>>>>>>>>
name="secret">9bcc6d9f-9c72-4b58-b297-79f0f207d9e1</credential>
>>>>>>>>>>> </secure-deployment>
>>>>>>>>>>> </subsystem>
>>>>>>>>>>>
>>>>>>>>>>> I am able to obtain the access token.
>>>>>>>>>>>
>>>>>>>>>>> curl -i curl --data
>>>>>>>>>>>
"grant_type=password&client_id=bkofc-web&username=user&passw
>>>>>>>>>>> ord=password"
>>>>>>>>>>>
http://192.168.99.100:30001/auth/realms/bkofc/protocol/openi
>>>>>>>>>>> d-connect/token
>>>>>>>>>>>
>>>>>>>>>>> Note:- I have created 2 clients -- i)
bkofc-svc which is
>>>>>>>>>>> bearer only, for
>>>>>>>>>>> my REST services ii) bkofc-web , a public
client to simulate
>>>>>>>>>>> UI login
>>>>>>>>>>>
>>>>>>>>>>> However when I try to use the access token to
invoke a service,
>>>>>>>>>>> I am
>>>>>>>>>>> getting the error -
>>>>>>>>>>>
>>>>>>>>>>> Status: 401
>>>>>>>>>>>
>>>>>>>>>>> WWW-Authenticate Bearer
realm="bkofc", error="invalid_token",
>>>>>>>>>>> error_description="Didn't find
publicKey for specified kid"
>>>>>>>>>>>
>>>>>>>>>>> Please let me know if I am missing something
here. I have been
>>>>>>>>>>> breaking my
>>>>>>>>>>> head last few days without any luck ! I have
also tried
>>>>>>>>>>> rotating the realm
>>>>>>>>>>> keys.
>>>>>>>>>>>
>>>>>>>>>>> Thanks,
>>>>>>>>>>> Rajesh
>>>>>>>>>>>
_______________________________________________
>>>>>>>>>>> keycloak-user mailing list
>>>>>>>>>>> keycloak-user(a)lists.jboss.org
>>>>>>>>>>>
https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>
>>>>>
>>>>
>>>
>>
>
2:20 p.m.
I already had this issue when the application was not able to reach
keycloak to retrieve the keys.
Is there an exception earlier in the log file ?
On Mon, Jul 24, 2017, at 17:43, Sebastien Blanc wrote:
yes please
On Mon, Jul 24, 2017 at 4:54 PM, Rajesh Ghosh <ghosh.rajesh(a)gmail.com>
wrote:
> Yes definitely. I did replace it with the actual war name. Let me know if
> you would like me to paste screen shots of realm configurations, client
> configurations.
>
> Thanks,
> Rajesh
>
> On Mon, Jul 24, 2017 at 8:12 PM, Sebastien Blanc <sblanc(a)redhat.com>
> wrote:
>
>> Ok and for :
>> <secure-deployment name="my war file.war">
>>
>> Did you replace that with the actual name of your war file ?
>>
>> On Mon, Jul 24, 2017 at 4:35 PM, Rajesh Ghosh <ghosh.rajesh(a)gmail.com>
>> wrote:
>>
>>> Hello Sebastien,
>>>
>>> I am using 3.1.0.Final build.
>>>
>>> Thanks,
>>> Rajesh
>>>
>>> On Mon, Jul 24, 2017 at 7:56 PM, Sebastien Blanc <sblanc(a)redhat.com>
>>> wrote:
>>>
>>>> Which version of Keycloak are you using ?
>>>>
>>>> On Mon, Jul 24, 2017 at 3:15 PM, Rajesh Ghosh
<ghosh.rajesh(a)gmail.com>
>>>> wrote:
>>>>
>>>>> Hi,
>>>>>
>>>>> I am trying to secure my REST services using the method described
in
>>>>> the
>>>>> document --
>>>>>
>>>>>
>>>>> http://blog.keycloak.org/2015/10/getting-started-with-keyclo
>>>>> ak-securing.html
>>>>>
>>>>>
>>>>> I am securing my war using JBoss subsystem , instead of per-war
>>>>> option. The
>>>>> relevant sections from my standalone.xml are posted below.
>>>>>
>>>>> <extensions>
>>>>> ......
>>>>> <extension
module="org.keycloak.keycloak-adapter-subsystem"/>
>>>>> </extensions>
>>>>>
>>>>> <security-domains>
>>>>> .....
>>>>> <security-domain name="keycloak">
>>>>> <authentication>
>>>>> <login-module
>>>>> code="org.keycloak.adapters.jboss.KeycloakLoginModule"
>>>>> flag="required"/>
>>>>> </authentication>
>>>>> </security-domain>
>>>>> </security-domains>
>>>>>
>>>>> <subsystem
xmlns="urn:jboss:domain:keycloak:1.1">
>>>>> <secure-deployment name="my war
file.war">
>>>>> <realm>bkofc</realm>
>>>>> <resource>bkofc-svc</resource>
>>>>>
>>>>>
<use-resource-role-mappings>true</use-resource-role-mappings>
>>>>> <bearer-only>true</bearer-only>
>>>>>
<auth-server-url>http://192.168.99.100/30001/auth
>>>>> </auth-server-url>
>>>>> <ssl-required>none</ssl-required>
>>>>> <credential
>>>>>
name="secret">9bcc6d9f-9c72-4b58-b297-79f0f207d9e1</credential>
>>>>> </secure-deployment>
>>>>> </subsystem>
>>>>>
>>>>> I am able to obtain the access token.
>>>>>
>>>>> curl -i curl --data
>>>>>
"grant_type=password&client_id=bkofc-web&username=user&passw
>>>>> ord=password"
>>>>> http://192.168.99.100:30001/auth/realms/bkofc/protocol/openi
>>>>> d-connect/token
>>>>>
>>>>> Note:- I have created 2 clients -- i) bkofc-svc which is bearer
only,
>>>>> for
>>>>> my REST services ii) bkofc-web , a public client to simulate UI
login
>>>>>
>>>>> However when I try to use the access token to invoke a service, I
am
>>>>> getting the error -
>>>>>
>>>>> Status: 401
>>>>>
>>>>> WWW-Authenticate Bearer realm="bkofc",
error="invalid_token",
>>>>> error_description="Didn't find publicKey for specified
kid"
>>>>>
>>>>> Please let me know if I am missing something here. I have been
>>>>> breaking my
>>>>> head last few days without any luck ! I have also tried rotating
the
>>>>> realm
>>>>> keys.
>>>>>
>>>>> Thanks,
>>>>> Rajesh
>>>>> _______________________________________________
>>>>> keycloak-user mailing list
>>>>> keycloak-user(a)lists.jboss.org
>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>>
>>>>
>>>>
>>>
>>
>
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
2697
days inactive
2698
days old
20 comments
3 participants
participants (3)
-
Rajesh Ghosh -
Sebastien Blanc -
Thomas Recloux