[keycloak-user] Do realm public keys expire?

Jamie Beznoski Jamie.Beznoski at cira.ca
Tue Apr 21 13:47:19 EDT 2015


Thanks for the reply, Bill.  See below for stack trace.

Not sure if it's related, though... our client app does an anonymous login to JBoss remoting at startup. These anonymous logins always throw an exception in our BearerTokenLoginModule, and they are generally harmless (JBoss LoginContext consumes them and allows our client app access anyway). The below was logged at ERROR level in our JBoss server log, which doesn't usually happen.

Wish I could give you more, but this was an outage that affected several people, so we were more concerned with a quick resolution than an investigation :)

Thanks,
Jamie

org.keycloak.VerificationException: Couldn't parse token
 	at org.keycloak.RSATokenVerifier.verifyToken(RSATokenVerifier.java:24)
 	at org.keycloak.RSATokenVerifier.verifyToken(RSATokenVerifier.java:16)
 	at ca.cira.jboss.loginmodules.AbstractKeycloakLoginModule.bearerAuth(AbstractKeycloakLoginModule.java:187)
 	at ca.cira.jboss.loginmodules.BearerTokenLoginModule.doAuth(BearerTokenLoginModule.java:18)
 	at ca.cira.jboss.loginmodules.AbstractKeycloakLoginModule.login(AbstractKeycloakLoginModule.java:95)
 	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
 	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
 	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
 	at java.lang.reflect.Method.invoke(Method.java:606)
 	at javax.security.auth.login.LoginContext.invoke(LoginContext.java:762)
 	at javax.security.auth.login.LoginContext.access$000(LoginContext.java:203)
 	at javax.security.auth.login.LoginContext$4.run(LoginContext.java:690)
 	at javax.security.auth.login.LoginContext$4.run(LoginContext.java:688)
 	at java.security.AccessController.doPrivileged(Native Method)
 	at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:687)
 	at javax.security.auth.login.LoginContext.login(LoginContext.java:595)
 	at org.jboss.security.authentication.JBossCachedAuthenticationManager.defaultLogin(JBossCachedAuthenticationManager.java:408)
 	at org.jboss.security.authentication.JBossCachedAuthenticationManager.proceedWithJaasLogin(JBossCachedAuthenticationManager.java:345)
 	at org.jboss.security.authentication.JBossCachedAuthenticationManager.authenticate(JBossCachedAuthenticationManager.java:323)
 	at org.jboss.security.authentication.JBossCachedAuthenticationManager.isValid(JBossCachedAuthenticationManager.java:146)
 	at org.jboss.as.security.service.SimpleSecurityManager.authenticate(SimpleSecurityManager.java:446)
 	at org.jboss.as.security.service.SimpleSecurityManager.push(SimpleSecurityManager.java:347)
 	at org.jboss.as.ejb3.security.SecurityContextInterceptor$1.run(SecurityContextInterceptor.java:52)
 	at org.jboss.as.ejb3.security.SecurityContextInterceptor$1.run(SecurityContextInterceptor.java:48)
 	at org.jboss.as.ejb3.security.SecurityContextInterceptor.processInvocation(SecurityContextInterceptor.java:83)
 	at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288)
 	at org.jboss.as.ejb3.component.interceptors.ShutDownInterceptorFactory$1.processInvocation(ShutDownInterceptorFactory.java:64)
 	at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288)
 	at org.jboss.as.ejb3.component.interceptors.LoggingInterceptor.processInvocation(LoggingInterceptor.java:59)
 	at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288)
 	at org.jboss.as.ee.component.NamespaceContextInterceptor.processInvocation(NamespaceContextInterceptor.java:50)
 	at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288)
 	at org.jboss.as.ejb3.component.interceptors.AdditionalSetupInterceptor.processInvocation(AdditionalSetupInterceptor.java:55)
 	at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288)
 	at org.jboss.as.ee.component.TCCLInterceptor.processInvocation(TCCLInterceptor.java:45)
 	at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288)
 	at org.jboss.invocation.ChainedInterceptor.processInvocation(ChainedInterceptor.java:61)
 	at org.jboss.as.ee.component.ViewService$View.invoke(ViewService.java:185)
 	at org.jboss.as.ejb3.remote.protocol.versionone.MethodInvocationMessageHandler.invokeMethod(MethodInvocationMessageHandler.java:329)
 	at org.jboss.as.ejb3.remote.protocol.versionone.MethodInvocationMessageHandler.access$100(MethodInvocationMessageHandler.java:70)
 	at org.jboss.as.ejb3.remote.protocol.versionone.MethodInvocationMessageHandler$1.run(MethodInvocationMessageHandler.java:203)
 	at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:471)
 	at java.util.concurrent.FutureTask.run(FutureTask.java:262)
 	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
 	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
 	at java.lang.Thread.run(Thread.java:745)
 	at org.jboss.threads.JBossThread.run(JBossThread.java:122)
 Caused by: java.lang.IllegalArgumentException: Parsing error
 	at org.keycloak.jose.jws.JWSInput.<init>(JWSInput.java:27)
 	at org.keycloak.RSATokenVerifier.verifyToken(RSATokenVerifier.java:22)


-----Original Message-----
From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] On Behalf Of Bill Burke
Sent: April-21-15 1:09 PM
To: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Do realm public keys expire?

I thought it was only certificates that expire.  You have a stack trace/log file available?

On 4/21/2015 12:27 PM, Jamie Beznoski wrote:
> Hi,
>
> We set up a realm to use in conjunction with a JBoss login module - 
> the BearerTokenLoginModule available here:
>
> https://github.com/keycloak/keycloak/blob/master/integration/adapter-core/src/main/java/org/keycloak/adapters/jaas/BearerTokenLoginModule.java
>
>
> Our application in question is a standalone Java app that invokes EJBs 
> remotely on our JBoss server.  The JBoss EJB remoting subsystem is 
> secured by the BearerTokenLoginModule.
>
> This configuration worked well for us for several months, but last 
> week we started to see issues.  Our client app could no longer 
> authenticate against the JBoss server.  We generated a new realm 
> public key (Settings
> -> Keys -> Generate new keys) and the issue was resolved.
> Unfortunately, we were fire-fighting at the time and can't provide you 
> with much more information than that.
>
> Anyway, my (hopefully easy) question is: do the realm keys expire 
> after a certain period?
>
> Thanks,
>
> Jamie Beznoski
>
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
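
An added triage example (not part of the thread and not Keycloak code): the trace above fails while parsing the token (`JWSInput.<init>`, reported as "Couldn't parse token"), so this sketch separates a missing or unparseable bearer token from one that parses and still has to be verified against the realm public key. It assumes the RFC 7515 compact form; `triage_bearer_token`, `make_sample_token` and the sample values are constructed for illustration.

```python
import base64
import binascii
import json
import time


def _b64url_decode(segment):
    # JWS segments are unpadded base64url; restore padding before decoding.
    if not segment:
        raise ValueError("empty segment")
    padded = segment + "=" * (-len(segment) % 4)
    return base64.b64decode(padded, altchars=b"-_", validate=True)


def triage_bearer_token(token, now=None):
    """Return (stage, detail): the stage at which verification would stop.

    Stages: 'missing', 'malformed', 'expired', 'needs-signature-check'.
    No key is consulted here; this is triage, not verification.
    """
    now = time.time() if now is None else now
    if token is None or not token.strip():
        return ("missing", "no token presented (e.g. an anonymous login)")
    parts = token.strip().split(".")
    if len(parts) != 3:
        return ("malformed", "expected 3 dot-separated segments, got %d" % len(parts))
    try:
        header = json.loads(_b64url_decode(parts[0]).decode("utf-8"))
        claims = json.loads(_b64url_decode(parts[1]).decode("utf-8"))
        _b64url_decode(parts[2])
    except (ValueError, binascii.Error) as exc:
        return ("malformed", "segment does not decode: %s" % exc)
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return ("malformed", "header and payload must be JSON objects")
    exp = claims.get("exp")
    if isinstance(exp, (int, float)) and exp <= now:
        return ("expired", "token exp=%d is in the past" % exp)
    return ("needs-signature-check",
            "alg=%s; verify against the realm public key" % header.get("alg"))


def make_sample_token(claims):
    # Constructed sample: filler bytes stand in for a real RSA signature.
    enc = lambda raw: base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")
    header = json.dumps({"alg": "RS256"}).encode("utf-8")
    body = json.dumps(claims).encode("utf-8")
    return ".".join([enc(header), enc(body), enc(b"constructed-sig")])
```

Only the `needs-signature-check` stage involves the realm key at all; the first three outcomes are decided from the token alone.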