[keycloak-user] Error on application log in

Stian Thorgersen stian at redhat.com
Fri Nov 28 02:55:47 EST 2014


Hi,

I've just verified that it works fine to connect to a remote Keycloak server with SSL enabled.

Without a truststore configured I get:

  08:38:46,584 ERROR [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-12) failed to turn code into token: javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated

Is this the same error you're seeing?

Then I added disable-trust-manager to the application's keycloak.json:

  {
    ...
    "disable-trust-manager": true
  }

This works fine, but obviously you want to use a truststore:

  {
    "truststore": "cacerts.jks",
    "truststore-password" : "password"
  }

If you still can't get things to work you can send me the following things and I'll look into it:

* Server logs
* Complete steps to reproduce issue
  - Configuration of SSL (including how you generate your certificate and keystore)
  - Any changes to Keycloak configuration
  - Sample application (including keycloak.json and how you generate your truststore)

----- Original Message -----
> From: "Fabián Silva" <afsg77 at gmail.com>
> To: "Stian Thorgersen" <stian at redhat.com>
> Cc: "Stan Silvert" <ssilvert at redhat.com>, keycloak-user at lists.jboss.org
> Sent: Thursday, 27 November, 2014 7:05:07 PM
> Subject: Re: [keycloak-user] Error on application log in
> 
> I have tried "disable-trust-manager": true, but it did not work. I still get
> the "403 - Forbidden".
> I tried also to set the "truststore" : "path/to/truststore.jks" and
> "truststore-password" : "pass" and that also did not work.
> The only thing that has worked is to deploy it with a wildfly without the
> SSL enabled.
> Is there another thing I can try, to make it work with a domain wildfly
> with SSL enabled?
> 
> Regards
> 
> On Mon, Nov 24, 2014 at 2:29 AM, Stian Thorgersen <stian at redhat.com> wrote:
> 
> > The options you're after are truststore, truststore-password and
> > disable-trust-manager, not client-keystore.
> >
> > ----- Original Message -----
> > > From: "Fabián Silva" <afsg77 at gmail.com>
> > > To: "Stian Thorgersen" <stian at redhat.com>
> > > Cc: "Stan Silvert" <ssilvert at redhat.com>, keycloak-user at lists.jboss.org
> > > Sent: Saturday, 22 November, 2014 12:58:16 AM
> > > Subject: Re: [keycloak-user] Error on application log in
> > >
> > > http://docs.jboss.org/keycloak/docs/1.1.0.Beta1/userguide/html/ch07.html#adapter-config
> > > "client-keystore
> > > Not supported yet, but we will support in future versions."
> > > So if my adapter has SSL enabled, is it not supported yet? Or how do I
> > > configure it to work if my adapter has the SSL enabled?
> > > I tried with an adapter without SSL enabled and the keycloak with the SSL
> > > enabled and it worked. But when I tried it with both, the adapter and the
> > > keycloak with SSL enabled, it doesn't work. I got the following logs on the
> > > adapter:
> > > ERROR [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-6)
> > > failed to turn code into token
> > > ERROR [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-6)
> > > status from server: 404
> > >
> > > Regards
> > >
> > > On Thu, Nov 20, 2014 at 2:25 AM, Stian Thorgersen <stian at redhat.com> wrote:
> > >
> > > > Are there no errors or warnings in the server log? Try enabling debug for
> > > > org.keycloak and see if there's anything interesting.
> > > >
> > > > First thing try the exact same setup (two servers), but without ssl.
> > > >
> > > > If that works, enable ssl, but disable the trust manager in the
> > > > adapter (disable-trust-manager option on adapter, see
> > > > http://docs.jboss.org/keycloak/docs/1.1.0.Beta1/userguide/html/ch07.html#adapter-config
> > > > ).
> > > >
> > > > If it still works create a truststore and import your certificate. Then
> > > > set truststore and truststore-password on the adapter.
> > > >
> > > > ----- Original Message -----
> > > > > From: "Fabián Silva" <afsg77 at gmail.com>
> > > > > To: "Stan Silvert" <ssilvert at redhat.com>
> > > > > Cc: keycloak-user at lists.jboss.org
> > > > > Sent: Wednesday, 19 November, 2014 6:35:15 PM
> > > > > Subject: Re: [keycloak-user] Error on application log in
> > > > >
> > > > > I tried deploying it onto a local wildfly in domain without the SSL enabled
> > > > > and it worked. What I can't figure out is why the SSL is causing conflict
> > > > > and how to solve this, I can't simply disable the SSL.
> > > > >
> > > > > Regards
> > > > >
> > > > > On Wed, Nov 19, 2014 at 11:28 AM, Stan Silvert <ssilvert at redhat.com> wrote:
> > > > >
> > > > > Have you tried it using the two servers but without SSL?
> > > > >
> > > > > You can set ssl-required to "none" on the adapter (application) side. Also on
> > > > > the Keycloak server side, try setting Access Type to "public". Do one of
> > > > > those at a time and see if either causes it to work. That might narrow it
> > > > > down a bit.
> > > > >
> > > > >
> > > > > On 11/19/2014 11:29 AM, Fabián Silva wrote:
> > > > >
> > > > > Hi,
> > > > > I'm running out of ideas in here. In simple terms I got a Wildfly running on
> > > > > domain on a server and a keycloak on another server. I set the adapters on
> > > > > my wildfly and deploy, to this wildfly, a web app that uses keycloak. When I
> > > > > try to access the web app it displays the keycloak login, it validates the
> > > > > users ok, but when you access with a correct user and password it shows the
> > > > > "403 - Forbidden". At first I thought it was some issue with the roles, but
> > > > > that didn't fix it.
> > > > >
> > > > > Regards
> > > > >
> > > > > On Fri, Nov 14, 2014 at 10:20 AM, Fabián Silva <afsg77 at gmail.com> wrote:
> > > > >
> > > > > Hi,
> > > > > It is already set to use the absolute path. And the keycloak is working when
> > > > > I deploy the application to my local wildfly domain. The issue is when I try
> > > > > to deploy to another wildfly in domain mode on a separate server. The
> > > > > application is the same and the only difference I can tell from the two
> > > > > wildflys is that the local doesn't have the SSL/HTTPS enabled. I have the
> > > > > keycloak adapter set in both domains.
> > > > >
> > > > > I'm trying to trace those errors on the keycloak code to try to understand
> > > > > what is happening, but I haven't been so lucky with this.
> > > > >
> > > > > Regards
> > > > > Alejandro Fabián Silva Grifé
> > > > >
> > > > > On Fri, Nov 14, 2014 at 2:27 AM, Marek Posolda <mposolda at redhat.com> wrote:
> > > > >
> > > > > Hi,
> > > > >
> > > > > it failed on the adapter (application) side and error 404 means "Not found".
> > > > > So adapter can't find the keycloak server to turn code into token. Make sure
> > > > > to configure "auth-server-url" in keycloak.json for your application
> > > > > properly. If relative uri doesn't work for some reason, you can rather try
> > > > > to use absolute uri for auth-server-url like "https://localhost:8443/auth".
> > > > >
> > > > > Marek
> > > > >
> > > > >
> > > > > On 14.11.2014 01:31, Fabián Silva wrote:
> > > > >
> > > > > I have a keycloak installed on wildfly standalone. I'm trying to deploy an
> > > > > application, that uses this keycloak, on a separate server with wildfly
> > > > > running on domain mode. I tried first to deploy on a domain out of the box
> > > > > on my local machine, setting the keycloak-wildfly-adapter-dist-1.0.4.Final.
> > > > > It deploys fine and does the authentication without any issues. When I try
> > > > > to migrate it to the server running my wildfly (also in domain mode and the
> > > > > keycloak adapter set), it deploys fine and shows the keycloak login once you
> > > > > enter the application. But the problem is that when you login it displays a
> > > > > "403 - Forbidden" and on the log I'm seeing
> > > > > ERROR [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-6)
> > > > > failed to turn code into token
> > > > > ERROR [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-6)
> > > > > status from server: 404
> > > > > The only difference between those two wildfly domain mode is that in the
> > > > > local I don't have the SSL/HTTPS enabled.
> > > > >
> > > > > Has anyone seen this error? or have an idea of what this could be?
> > > > >
> > > > > Regards
> > > > >
> > > > >
> > > > > _______________________________________________
> > > > > keycloak-user mailing list keycloak-user at lists.jboss.org
> > > > > https://lists.jboss.org/mailman/listinfo/keycloak-user
> > > > >
> > > >
> > >
> >
> 
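As an added example (not part of the thread and not Keycloak's own code), a small Python lint over an adapter keycloak.json that flags the disable-trust-manager workaround discussed above and passes the truststore variant; the hostnames in the constructed sample configs are placeholders.

```python
"""Added example, not Keycloak's code: lint the TLS trust settings of an adapter
keycloak.json so the insecure workaround stands out from the proper truststore setup."""
import json
from urllib.parse import urlparse


def audit_adapter_config(text):
    """Return a list of (severity, message) findings for a keycloak.json string."""
    cfg = json.loads(text)
    findings = []
    url = cfg.get("auth-server-url", "")
    scheme = urlparse(url).scheme.lower()
    if not url:
        # Without a server URL the adapter cannot turn the code into a token.
        findings.append(("error", "auth-server-url missing"))
    elif scheme not in ("http", "https"):
        findings.append(("warn", "auth-server-url is relative; try an absolute https URL"))
    if cfg.get("disable-trust-manager") is True:
        # The adapter accepts any certificate on the code-to-token call.
        findings.append(("high", "disable-trust-manager=true: server certificate not verified"))
    if str(cfg.get("ssl-required", "external")).lower() == "none":
        findings.append(("high", "ssl-required=none: plain HTTP accepted for all requests"))
    if scheme == "https" and cfg.get("disable-trust-manager") is not True:
        if "truststore" not in cfg:
            # Falls back to the JVM default truststore; a self-signed Keycloak
            # certificate then fails with 'peer not authenticated'.
            findings.append(("info", "no truststore: JVM default truststore must hold the server cert"))
        elif not cfg.get("truststore-password"):
            findings.append(("warn", "truststore set without truststore-password"))
    return findings


def is_hardened(text):
    """True when no 'high' or 'error' findings remain."""
    return all(sev not in ("high", "error") for sev, _ in audit_adapter_config(text))


# Constructed sample configs mirroring the two variants discussed in the thread.
WORKAROUND_CONFIG = json.dumps({
    "realm": "demo", "resource": "app",
    "auth-server-url": "https://keycloak.example.test:8443/auth",
    "disable-trust-manager": True,
})
TRUSTSTORE_CONFIG = json.dumps({
    "realm": "demo", "resource": "app",
    "auth-server-url": "https://keycloak.example.test:8443/auth",
    "truststore": "cacerts.jks", "truststore-password": "password",
})
```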


