11:21 a.m.
I'm trying to get keycloak working with Wildfly authenticating clients directly by
X.509 and then using the authentication flow in keycloak to translate that to a local
user.
Unfortunately, it's not working and I'm not getting useful logging out of keycloak
to determine what's wrong with my configuration. To debug, I need to know that
undertow is passing the certificate successfully to keycloak, that keycloak's
X509-form authentication is receiving the proper identity, the identity extracted from the
certificate for authentication comparison, what it's being compared to (is the CN or
DN being regexed and is it being compared to the keycloak custom attribute that I
specified). What I get from enabling debug logging that's not jboss modules loads is:
18:59:38,702 WARN [org.keycloak.events] (default task-1) type=LOGIN_ERROR, realmId=TEST,
clientId=https://auth.test.local, userId=null, ipAddress=192.168.0.100,
error=client_not_found
Can someone provide details on how to get debug logging for undertow and the
X509-form-config authentication?
--
Raymond Page, CTR (US)
Automation Engineer, UoT
TIS CTR to Booz | Allen | Hamilton
page_raymond(a)ne.bah.com
raymond.c.page15.ctr(a)mail.mil
C: (321) 549-7243<tel:(321)+549-7243>
W: (703) 679-8618<tel:(703)+679-8618>
12:40 p.m.
Hey Raymond,
Edit standalone.xml and add the following configuration under <subsystem
xmlns="urn:jboss:domain:logging:3.0">:
<logger category="org.keycloak.authentication.authenticators.x509">
<level name="TRACE"/>
</logger>
<logger category="org.keycloak.services.x509">
<level name="TRACE"/>
</logger>
You will have to restart the service. Hope this helps
Cheers
-----Original Message-----
From: keycloak-user-bounces(a)lists.jboss.org <keycloak-user-bounces(a)lists.jboss.org>
On Behalf Of Page, Raymond (Techical Solutions )
Sent: Tuesday, March 19, 2019 12:22 PM
To: keycloak-user(a)lists.jboss.org
Subject: [keycloak-user] Logging for X509 authentication flow
I'm trying to get keycloak working with Wildfly authenticating clients directly by
X.509 and then using the authentication flow in keycloak to translate that to a local
user.
Unfortunately, it's not working and I'm not getting useful logging out of keycloak
to determine what's wrong with my configuration. To debug, I need to know that
undertow is passing the certificate successfully to keycloak, that keycloak's
X509-form authentication is receiving the proper identity, the identity extracted from the
certificate for authentication comparison, what it's being compared to (is the CN or
DN being regexed and is it being compared to the keycloak custom attribute that I
specified). What I get from enabling debug logging that's not jboss modules loads is:
18:59:38,702 WARN [org.keycloak.events] (default task-1) type=LOGIN_ERROR, realmId=TEST,
clientId=https://auth.test.local, userId=null, ipAddress=192.168.0.100,
error=client_not_found
Can someone provide details on how to get debug logging for undertow and the
X509-form-config authentication?
--
Raymond Page, CTR (US)
Automation Engineer, UoT
TIS CTR to Booz | Allen | Hamilton
page_raymond(a)ne.bah.com
raymond.c.page15.ctr(a)mail.mil
C: (321) 549-7243<tel:(321)+549-7243>
W: (703) 679-8618<tel:(703)+679-8618>
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
2:35 p.m.
I'm not sure if this makes a difference, but I have <subsystem
xmlns="urn:jboss:domain:logging:6.0"> not <subsystem
xmlns="urn:jboss:domain:logging:3.0">
I added the two new categories to the domain:logging:6.0, but I don't get any
additional output. I'm speculating there might be an issue from undertow to keycloak,
how do I log undertow?
________________________________
From: Nalyvayko, Peter <pnalyvayko(a)agi.com>
Sent: Tuesday, March 19, 2019 1:40:37 PM
To: Page, Raymond (Techical Solutions ); keycloak-user(a)lists.jboss.org
Subject: [External] RE: Logging for X509 authentication flow
Hey Raymond,
Edit standalone.xml and add the following configuration under <subsystem
xmlns="urn:jboss:domain:logging:3.0">:
<logger category="org.keycloak.authentication.authenticators.x509">
<level name="TRACE"/>
</logger>
<logger category="org.keycloak.services.x509">
<level name="TRACE"/>
</logger>
You will have to restart the service. Hope this helps
Cheers
-----Original Message-----
From: keycloak-user-bounces(a)lists.jboss.org <keycloak-user-bounces(a)lists.jboss.org>
On Behalf Of Page, Raymond (Techical Solutions )
Sent: Tuesday, March 19, 2019 12:22 PM
To: keycloak-user(a)lists.jboss.org
Subject: [keycloak-user] Logging for X509 authentication flow
I'm trying to get keycloak working with Wildfly authenticating clients directly by
X.509 and then using the authentication flow in keycloak to translate that to a local
user.
Unfortunately, it's not working and I'm not getting useful logging out of keycloak
to determine what's wrong with my configuration. To debug, I need to know that
undertow is passing the certificate successfully to keycloak, that keycloak's
X509-form authentication is receiving the proper identity, the identity extracted from the
certificate for authentication comparison, what it's being compared to (is the CN or
DN being regexed and is it being compared to the keycloak custom attribute that I
specified). What I get from enabling debug logging that's not jboss modules loads is:
18:59:38,702 WARN [org.keycloak.events] (default task-1) type=LOGIN_ERROR, realmId=TEST,
clientId=https://urldefense.proofpoint.com/v2/url?u=https-3A__auth.test.l...,
userId=null, ipAddress=192.168.0.100, error=client_not_found
Can someone provide details on how to get debug logging for undertow and the
X509-form-config authentication?
--
Raymond Page, CTR (US)
Automation Engineer, UoT
TIS CTR to Booz | Allen | Hamilton
page_raymond(a)ne.bah.com
raymond.c.page15.ctr(a)mail.mil
C: (321) 549-7243<tel:(321)+549-7243>
W: (703) 679-8618<tel:(703)+679-8618>
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://urldefense.proofpoint.com/v2/url?u=https-3A__lists.jboss.org_mail...
2:58 p.m.
Raymond,
I assume you've followed the steps described in
https://www.keycloak.org/docs/4.8/server_admin/, "6.6. X.509 Client Certificate User
Authentication"? Another suggestion is to double check your app OIDC configuration
and make sure it is properly configured with a valid client id - the clientId in the error
output looks suspicious.
My $0.02
From: Page, Raymond (Techical Solutions ) <Page_Raymond(a)ne.bah.com>
Sent: Tuesday, March 19, 2019 3:35 PM
To: Nalyvayko, Peter <pnalyvayko(a)agi.com>; keycloak-user(a)lists.jboss.org
Subject: Re: Logging for X509 authentication flow
I'm not sure if this makes a difference, but I have <subsystem
xmlns="urn:jboss:domain:logging:6.0"> not <subsystem
xmlns="urn:jboss:domain:logging:3.0">
I added the two new categories to the domain:logging:6.0, but I don't get any
additional output. I'm speculating there might be an issue from undertow to keycloak,
how do I log undertow?
________________________________
From: Nalyvayko, Peter <pnalyvayko@agi.com<mailto:pnalyvayko@agi.com>>
Sent: Tuesday, March 19, 2019 1:40:37 PM
To: Page, Raymond (Techical Solutions );
keycloak-user@lists.jboss.org<mailto:keycloak-user@lists.jboss.org>
Subject: [External] RE: Logging for X509 authentication flow
Hey Raymond,
Edit standalone.xml and add the following configuration under <subsystem
xmlns="urn:jboss:domain:logging:3.0">:
<logger category="org.keycloak.authentication.authenticators.x509">
<level name="TRACE"/>
</logger>
<logger category="org.keycloak.services.x509">
<level name="TRACE"/>
</logger>
You will have to restart the service. Hope this helps
Cheers
-----Original Message-----
From:
keycloak-user-bounces@lists.jboss.org<mailto:keycloak-user-bounces@lists.jboss.org>
<keycloak-user-bounces@lists.jboss.org<mailto:keycloak-user-bounces@lists.jboss.org>>
On Behalf Of Page, Raymond (Techical Solutions )
Sent: Tuesday, March 19, 2019 12:22 PM
To: keycloak-user@lists.jboss.org<mailto:keycloak-user@lists.jboss.org>
Subject: [keycloak-user] Logging for X509 authentication flow
I'm trying to get keycloak working with Wildfly authenticating clients directly by
X.509 and then using the authentication flow in keycloak to translate that to a local
user.
Unfortunately, it's not working and I'm not getting useful logging out of keycloak
to determine what's wrong with my configuration. To debug, I need to know that
undertow is passing the certificate successfully to keycloak, that keycloak's
X509-form authentication is receiving the proper identity, the identity extracted from the
certificate for authentication comparison, what it's being compared to (is the CN or
DN being regexed and is it being compared to the keycloak custom attribute that I
specified). What I get from enabling debug logging that's not jboss modules loads is:
18:59:38,702 WARN [org.keycloak.events] (default task-1) type=LOGIN_ERROR, realmId=TEST,
clientId=https://urldefense.proofpoint.com/v2/url?u=https-3A__auth.test.l...,
userId=null, ipAddress=192.168.0.100, error=client_not_found
Can someone provide details on how to get debug logging for undertow and the
X509-form-config authentication?
--
Raymond Page, CTR (US)
Automation Engineer, UoT
TIS CTR to Booz | Allen | Hamilton
page_raymond@ne.bah.com<mailto:page_raymond@ne.bah.com>
raymond.c.page15.ctr@mail.mil<mailto:raymond.c.page15.ctr@mail.mil>
C: (321) 549-7243<tel:(321)+549-7243>
W: (703) 679-8618<tel:(703)+679-8618>
_______________________________________________
keycloak-user mailing list
keycloak-user@lists.jboss.org<mailto:keycloak-user@lists.jboss.org>
https://urldefense.proofpoint.com/v2/url?u=https-3A__lists.jboss.org_mail...
6:31 a.m.
From your post, I'm not exactly sure what x509 Authenticator
you're
referring to.
If we are talking about authentication Clients, than
`org.keycloak.authentication.authenticators.client.X509ClientAuthenticator`
category should be used. However, if we're considering Users, then you
should use `org.keycloak.authentication.authenticators.x509`.
Also, please make sure you configured logging handlers properly. If you
wish to observe the output on the console, please take a look at
`console-handler` XML element and change its from INFO to DEBUG. You should
find more information about configuring loggers on Wildfly related pages.
On Tue, Mar 19, 2019 at 6:43 PM Nalyvayko, Peter <pnalyvayko(a)agi.com> wrote:
Hey Raymond,
Edit standalone.xml and add the following configuration under <subsystem
xmlns="urn:jboss:domain:logging:3.0">:
<logger category="org.keycloak.authentication.authenticators.x509">
<level name="TRACE"/>
</logger>
<logger category="org.keycloak.services.x509">
<level name="TRACE"/>
</logger>
You will have to restart the service. Hope this helps
Cheers
-----Original Message-----
From: keycloak-user-bounces(a)lists.jboss.org <
keycloak-user-bounces(a)lists.jboss.org> On Behalf Of Page, Raymond
(Techical Solutions )
Sent: Tuesday, March 19, 2019 12:22 PM
To: keycloak-user(a)lists.jboss.org
Subject: [keycloak-user] Logging for X509 authentication flow
I'm trying to get keycloak working with Wildfly authenticating clients
directly by X.509 and then using the authentication flow in keycloak to
translate that to a local user.
Unfortunately, it's not working and I'm not getting useful logging out of
keycloak to determine what's wrong with my configuration. To debug, I need
to know that undertow is passing the certificate successfully to keycloak,
that keycloak's X509-form authentication is receiving the proper identity,
the identity extracted from the certificate for authentication comparison,
what it's being compared to (is the CN or DN being regexed and is it being
compared to the keycloak custom attribute that I specified). What I get
from enabling debug logging that's not jboss modules loads is:
18:59:38,702 WARN [org.keycloak.events] (default task-1)
type=LOGIN_ERROR, realmId=TEST, clientId=https://auth.test.local,
userId=null, ipAddress=192.168.0.100, error=client_not_found
Can someone provide details on how to get debug logging for undertow and
the X509-form-config authentication?
--
Raymond Page, CTR (US)
Automation Engineer, UoT
TIS CTR to Booz | Allen | Hamilton
page_raymond(a)ne.bah.com
raymond.c.page15.ctr(a)mail.mil
C: (321) 549-7243<tel:(321)+549-7243>
W: (703) 679-8618<tel:(703)+679-8618>
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
2575
days inactive
2577
days old
4 comments
3 participants
participants (3)
-
Nalyvayko, Peter -
Page, Raymond (Techical Solutions ) -
Sebastian Laskawiec