[keycloak-user] failed verification of token
Pratik Parikh
pratik.p.parikh at gmail.com
Mon Nov 17 02:48:12 EST 2014
Hi Bill,
Another update: I was able to reslove SSL handsack issue. And can now
assure that the trust between keycloak server and aerogear client is
established.
I am still running into an issue whereby upon login the adapter expects
a cookie and does not find it? Does aerogear team have to enhance anything
to obtain this "state cookie"?? below is the debug trace from aerogear side.
Aerogear Log:
2014-11-17 07:40:21,804 DEBUG [org.keycloak.adapters.PreAuthActionsHandler]
(default task-17) adminRequest
https://XXX.XXX.XXX.XXX:8443/ag-push/index.html?code=IcrbsPykYJ5v8UeXHgmzSEldZpo58vUh2e3Ik9r6Yu8.75228531-4f07-4b99-9c4f-acd5abc111fd&state=322036a7-b0b6-40b7-852f-60aa592bce01
2014-11-17 07:40:21,804 DEBUG [org.keycloak.adapters.PreAuthActionsHandler]
(default task-17) adminRequest
https://XXX.XXX.XXX.XXX:8443/ag-push/index.html?code=IcrbsPykYJ5v8UeXHgmzSEldZpo58vUh2e3Ik9r6Yu8.75228531-4f07-4b99-9c4f-acd5abc111fd&state=322036a7-b0b6-40b7-852f-60aa592bce01
2014-11-17 07:40:21,804 DEBUG [org.keycloak.adapters.RequestAuthenticator]
(default task-17) Account was not in session, returning null
2014-11-17 07:40:21,804 DEBUG
[org.keycloak.adapters.OAuthRequestAuthenticator] (default task-17) there
was a code, resolving
2014-11-17 07:40:21,804 DEBUG
[org.keycloak.adapters.OAuthRequestAuthenticator] (default task-17)
checking state cookie for after code
2014-11-17 07:40:21,804 WARN
[org.keycloak.adapters.OAuthRequestAuthenticator] (default task-17) No
state cookie
Regards,
Pratik Parikh
On Sat, Nov 15, 2014 at 1:39 PM, Pratik Parikh <pratik.p.parikh at gmail.com>
wrote:
> Hi Bill,
>
> My goal is get liveoak, aerogear and keycloak working on different
> servers. LiveOak uses Keycloak and Aerogear. Following are the steps i
> took.
>
> 1) Install Keycloak on one server with self signed certificate. It is
> accessible via https://XXX.XXX.XXX.XXX:8443/auth
> <https://xxx.xxx.xxx.xxx:8443/auth>. Worked
> 2) Installed AreoGear on another server with self signed certificate.
> It is accessible via https://XXX.XXX.XXX.XXX:8443/ag-push
> <https://xxx.xxx.xxx.xxx:8443/ag-push>. Worked
> 3) Imported attached JSON in as a new aerogear realm in keycloak.
> Worked
> 4) Updated Keycloak to use MongoDB. Worked
> 5) Update application aerogear with keycloak.json restarted wildfly
> server. Updated application under AreoGear to use
> https://XXX.XXX.XXX.XXX:8443/ag-push/*
> <https://xxx.xxx.xxx.xxx:8443/ag-push/*> as a redirect uri. Worked.
> 6) Restarted both the wildfly servers.
> 7) After restart tried to login to
> https://XXX.XXX.XXX.XXX:8443/ag-push/
> <https://xxx.xxx.xxx.xxx:8443/ag-push/> forwarded me to
> https://XXX.XXX.XXX.XXX:8443/auth <https://xxx.xxx.xxx.xxx:8443/auth> login
> page. Successfull login was achieved.
> 8) PROBLEM: After login redirect to
> https://XXX.XXX.XXX.XXX:8443/ag-push/
> <https://xxx.xxx.xxx.xxx:8443/ag-push/> where by i get error "No state
> cookie" in AreoGear log, which is coming from OAuthRequestAuthenticator
> line 116 because the adapter can not find a cookie with name "
> OAuth_Token_Request_State" in HTTP.
>
> Troubleshooting Try 1.
> 1) updated aerogear to use 1.0.1.Beta1 Adapter. Still works does not
> solve the problem same error.
>
> Troubleshooting Try 2.
> 1) updated keycloak.json by adding *"disable-trust-manager": true*.
> Still works does not solve the problem same error.
>
> Troubleshooting Try 3.
> 1) updated keycloak.json by adding *"disable-trust-manager":
> false,"truststore": "/path","truststore-password": "password"*. Still
> works doe not solve the problem. I have a question is "*truststore*" a
> local path to the keycloak jks cert or this is a path to remote keycloak
> cert? I copied the keycloak.jks and pointed to that locally using ${jboss.server.config.dir}/trustcerts/keycloak.jks?
> is this correct? After doing this i tried to invoke
>
> https://XXX.XXX.XXXX.XXXX:8443/ag-push/rest/ping
>
> Get the login screen
>
> then i get Forbidden with below exception:
>
> 2014-11-15 18:31:13,664 ERROR
> [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-6) failed
> to turn code into token: javax.net.ssl.SSLPeerUnverifiedException: peer not
> authenticated
> at
> sun.security.ssl.SSLSessionImpl.getPeerCertificates(SSLSessionImpl.java:431)
> [jsse.jar:1.8.0_25]
> at
> org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:128)
> [httpclient-4.2.1.jar:4.2.1]
> at
> org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:572)
> [httpclient-4.2.1.jar:4.2.1]
> at
> org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:180)
> [httpclient-4.2.1.jar:4.2.1]
> at
> org.apache.http.impl.conn.AbstractPoolEntry.open(AbstractPoolEntry.java:151)
> [httpclient-4.2.1.jar:4.2.1]
> at
> org.apache.http.impl.conn.AbstractPooledConnAdapter.open(AbstractPooledConnAdapter.java:125)
> [httpclient-4.2.1.jar:4.2.1]
> at
> org.apache.http.impl.client.DefaultRequestDirector.tryConnect(DefaultRequestDirector.java:640)
> [httpclient-4.2.1.jar:4.2.1]
> at
> org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:479)
> [httpclient-4.2.1.jar:4.2.1]
> at
> org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:906)
> [httpclient-4.2.1.jar:4.2.1]
> at
> org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:805)
> [httpclient-4.2.1.jar:4.2.1]
> at
> org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:784)
> [httpclient-4.2.1.jar:4.2.1]
> at
> org.keycloak.adapters.ServerRequest.invokeAccessCodeToToken(ServerRequest.java:116)
> [keycloak-adapter-core-1.0.4.Final.jar:]
> at
> org.keycloak.adapters.ServerRequest.invokeAccessCodeToToken(ServerRequest.java:93)
> [keycloak-adapter-core-1.0.4.Final.jar:]
> at
> org.keycloak.adapters.OAuthRequestAuthenticator.resolveCode(OAuthRequestAuthenticator.java:256)
> [keycloak-adapter-core-1.0.4.Final.jar:]
> at
> org.keycloak.adapters.OAuthRequestAuthenticator.authenticate(OAuthRequestAuthenticator.java:205)
> [keycloak-adapter-core-1.0.4.Final.jar:]
> at
> org.keycloak.adapters.RequestAuthenticator.authenticate(RequestAuthenticator.java:68)
> [keycloak-adapter-core-1.0.4.Final.jar:]
> at
> org.keycloak.adapters.undertow.UndertowKeycloakAuthMech.keycloakAuthenticate(UndertowKeycloakAuthMech.java:82)
> [keycloak-undertow-adapter-1.0.4.Final.jar:]
> at
> org.keycloak.adapters.undertow.ServletKeycloakAuthMech.authenticate(ServletKeycloakAuthMech.java:61)
> [keycloak-undertow-adapter-1.0.4.Final.jar:]
> at
> io.undertow.security.impl.SecurityContextImpl$AuthAttempter.transition(SecurityContextImpl.java:281)
> [undertow-core-1.0.15.Final.jar:1.0.15.Final]
> at
> io.undertow.security.impl.SecurityContextImpl$AuthAttempter.transition(SecurityContextImpl.java:298)
> [undertow-core-1.0.15.Final.jar:1.0.15.Final]
> at
> io.undertow.security.impl.SecurityContextImpl$AuthAttempter.access$100(SecurityContextImpl.java:268)
> [undertow-core-1.0.15.Final.jar:1.0.15.Final]
> at
> io.undertow.security.impl.SecurityContextImpl.attemptAuthentication(SecurityContextImpl.java:131)
> [undertow-core-1.0.15.Final.jar:1.0.15.Final]
> at
> io.undertow.security.impl.SecurityContextImpl.authTransition(SecurityContextImpl.java:106)
> [undertow-core-1.0.15.Final.jar:1.0.15.Final]
> at
> io.undertow.security.impl.SecurityContextImpl.authenticate(SecurityContextImpl.java:99)
> [undertow-core-1.0.15.Final.jar:1.0.15.Final]
> at
> io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:54)
> [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
> at
> io.undertow.server.handlers.DisableCacheHandler.handleRequest(DisableCacheHandler.java:27)
> [undertow-core-1.0.15.Final.jar:1.0.15.Final]
> at
> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:25)
> [undertow-core-1.0.15.Final.jar:1.0.15.Final]
> at
> io.undertow.security.handlers.AuthenticationConstraintHandler.handleRequest(AuthenticationConstraintHandler.java:51)
> [undertow-core-1.0.15.Final.jar:1.0.15.Final]
> at
> io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:45)
> [undertow-core-1.0.15.Final.jar:1.0.15.Final]
> at
> io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:61)
> [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
> at
> io.undertow.servlet.handlers.security.ServletSecurityConstraintHandler.handleRequest(ServletSecurityConstraintHandler.java:56)
> [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
> at
> io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:58)
> [undertow-core-1.0.15.Final.jar:1.0.15.Final]
> at
> io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:70)
> [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
> at
> io.undertow.security.handlers.SecurityInitialHandler.handleRequest(SecurityInitialHandler.java:76)
> [undertow-core-1.0.15.Final.jar:1.0.15.Final]
> at
> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:25)
> [undertow-core-1.0.15.Final.jar:1.0.15.Final]
> at
> org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
> at
> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:25)
> [undertow-core-1.0.15.Final.jar:1.0.15.Final]
> at
> org.keycloak.adapters.undertow.ServletPreAuthActionsHandler.handleRequest(ServletPreAuthActionsHandler.java:69)
> [keycloak-undertow-adapter-1.0.4.Final.jar:]
> at
> org.keycloak.adapters.undertow.ServletPreAuthActionsHandler.handleRequest(ServletPreAuthActionsHandler.java:69)
> [keycloak-undertow-adapter-1.0.4.Final.jar:]
> at
> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:25)
> [undertow-core-1.0.15.Final.jar:1.0.15.Final]
> at
> io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:240)
> [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
> at
> io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:227)
> [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
> at
> io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:73)
> [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
> at
> io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:146)
> [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
> at
> io.undertow.server.Connectors.executeRootHandler(Connectors.java:177)
> [undertow-core-1.0.15.Final.jar:1.0.15.Final]
> at
> io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:727)
> [undertow-core-1.0.15.Final.jar:1.0.15.Final]
> at
> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
> [rt.jar:1.8.0_25]
> at
> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
> [rt.jar:1.8.0_25]
> at java.lang.Thread.run(Thread.java:745) [rt.jar:1.8.0_25]
>
> Please help i feel like i am very close just missing something
> simple.
>
>
> Regards,
> Pratik Parikh
>
> On Fri, Nov 14, 2014 at 9:34 AM, Pratik Parikh <pratik.p.parikh at gmail.com>
> wrote:
>
>> Hi Bill,
>>
>> My goal is get liveoak, aerogear and keycloak working on different
>> servers. LiveOak uses Keycloak and Aerogear. Following are the steps i
>> took.
>>
>> 1) Install Keycloak on one server with self signed certificate. It
>> is accessible via https://XXX.XXX.XXX.XXX:8443/auth. Worked
>> 2) Installed AreoGear on another server with self signed
>> certificate. It is accessible via https://XXX.XXX.XXX.XXX:8443/ag-push.
>> Worked
>> 3) Imported attached JSON in as a new aerogear realm in keycloak.
>> Worked
>> 4) Updated Keycloak to use MongoDB. Worked
>> 5) Update application aerogear with keycloak.json restarted wildfly
>> server. Updated application under AreoGear to use
>> https://XXX.XXX.XXX.XXX:8443/ag-push/* as a redirect uri. Worked.
>> 6) Restarted both the wildfly servers.
>> 7) After restart tried to login to
>> https://XXX.XXX.XXX.XXX:8443/ag-push/ forwarded me to
>> https://XXX.XXX.XXX.XXX:8443/auth login page. Successfull login was
>> achieved.
>> 8) PROBLEM: After login redirect to
>> https://XXX.XXX.XXX.XXX:8443/ag-push/ where by i get error "No state
>> cookie" in AreoGear log, which is coming from OAuthRequestAuthenticator
>> line 116 because the adapter can not find a cookie with name "
>> OAuth_Token_Request_State" in HTTP.
>>
>> Troubleshooting Try 1.
>> 1) updated aerogear to use 1.0.1.Beta1 Adapter. Still works does not
>> solve the problem same error.
>>
>> Troubleshooting Try 2.
>> 1) updated keycloak.json by adding *"disable-trust-manager": true*.
>> Still works does not solve the problem same error.
>>
>> Troubleshooting Try 2. Still have not done but will do today is
>> 1) updated keycloak.json by adding *"disable-trust-manager":
>> false,"truststore": "/path","truststore-password": "password"*. Will
>> report back shortly.
>>
>> Regards,
>> Pratik Parikh
>>
>> On Fri, Nov 14, 2014 at 8:46 AM, Bill Burke <bburke at redhat.com> wrote:
>>
>>> Can you explain your problem again? I think I am misunderstanding what
>>> problems you are having. You linked this message:
>>>
>>> http://lists.jboss.org/pipermail/keycloak-user/2014-November/001170.html
>>>
>>> We do not support OIDC scope param, but you can limit the application's
>>> scope in the admin console.
>>>
>>> On 11/13/2014 10:28 PM, Pratik Parikh wrote:
>>> > Hi Bill,
>>> >
>>> > Is this because both of my server (keycloak and aerogear are
>>> > https). Do i need to establish trust between them?
>>> >
>>> > Regards,
>>> > Pratik Parikh
>>> >
>>> > On Thu, Nov 13, 2014 at 8:18 PM, Pratik Parikh
>>> > <pratik.p.parikh at gmail.com <mailto:pratik.p.parikh at gmail.com>> wrote:
>>> >
>>> > Hi Bill,
>>> >
>>> > Thanks i turned the scope off under the application but that
>>> > did not help. Could you please help us understand what is going
>>> > on. I am trying to look the code but seems like it is going to
>>> take
>>> > be a bit to figure it out. It seems like HttpFacade.Cookies is
>>> > suppose to have state cookie which is contained in
>>> > KeycloakDeployment. I did try what you suggest was that not
>>> > correctly understood by me? I am new to keycloak but this is a
>>> great
>>> > project would like to understand it and use it to its fullest
>>> > extend. Can you help me get past this problem. Thanks in advance.
>>> >
>>> > Regards,
>>> > --
>>> > Pratik Parikh
>>> > - Mantra - Keep It Simple and Straightforward
>>> >
>>> >
>>> >
>>> >
>>> > --
>>> > Pratik Parikh
>>> > - Mantra - Keep It Simple and Straightforward
>>> >
>>> >
>>> > _______________________________________________
>>> > keycloak-user mailing list
>>> > keycloak-user at lists.jboss.org
>>> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>>> >
>>>
>>> --
>>> Bill Burke
>>> JBoss, a division of Red Hat
>>> http://bill.burkecentral.com
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>
>>
>>
>>
>> --
>> Pratik Parikh
>> - Mantra - Keep It Simple and Straightforward
>>
>
>
>
> --
> Pratik Parikh
> - Mantra - Keep It Simple and Straightforward
>
--
Pratik Parikh
- Mantra - Keep It Simple and Straightforward
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20141117/06a3f866/attachment-0001.html
More information about the keycloak-user
mailing list