[keycloak-user] Client secret not provided in request

Charles Moulliard cmoullia at redhat.com
Wed Dec 14 06:46:26 EST 2016


Oops. Added /auth at the end of my SSO URL and now Spring Boot + Keycloak
rocks in OpenShift.

On Wed, Dec 14, 2016 at 12:28 PM, Sebastien Blanc <sblanc at redhat.com> wrote:

> URL from configuration is the one from the keycloak.json:
> "auth-server-url". Looks like you forgot an /auth
>
> On Wed, Dec 14, 2016 at 12:02 PM, Charles Moulliard <cmoullia at redhat.com>
> wrote:
>
>> The curl request works now, but I'm getting this error when the token
>> received is checked by the Spring Boot Tomcat adapter
>>
>> Request
>>
>> curl -sk -X POST \
>>   https://secure-sso-sso.e8ca.engint.openshiftapps.com/auth/realms/master/protocol/openid-connect/token \
>>   -d grant_type=password -d username=admin -d client_secret=MYSECRET \
>>   -d password=admin -d client_id=demoapp
>>
>> What does "URL from configuration" refer to?
>>
>> 2016-12-14 10:49:29.273 ERROR 1 --- [nio-8080-exec-6] o.k.a.BearerTokenRequestAuthenticator    : Failed to verify token
>>
>> org.keycloak.common.VerificationException: Token audience doesn't match domain. Token issuer is https://secure-sso-sso.e8ca.engint.openshiftapps.com/auth/realms/master, but URL from configuration is https://secure-sso-sso.e8ca.engint.openshiftapps.com/realms/master
>>     at org.keycloak.RSATokenVerifier.verifyToken(RSATokenVerifier.java:49) ~[keycloak-core-1.9.8.Final.jar!/:1.9.8.Final]
>>     at org.keycloak.RSATokenVerifier.verifyToken(RSATokenVerifier.java:35) ~[keycloak-core-1.9.8.Final.jar!/:1.9.8.Final]
>>     at org.keycloak.adapters.BearerTokenRequestAuthenticator.authenticateToken(BearerTokenRequestAuthenticator.java:87) ~[keycloak-adapter-core-1.9.8.Final.jar!/:1.9.8.Final]
>>     at org.keycloak.adapters.BearerTokenRequestAuthenticator.authenticate(BearerTokenRequestAuthenticator.java:82) ~[keycloak-adapter-core-1.9.8.Final.jar!/:1.9.8.Final]
>>     at org.keycloak.adapters.RequestAuthenticator.authenticate(RequestAuthenticator.java:65) ~[keycloak-adapter-core-1.9.8.Final.jar!/:1.9.8.Final]
>>     at org.keycloak.adapters.tomcat.AbstractKeycloakAuthenticatorValve.authenticateInternal(AbstractKeycloakAuthenticatorValve.java:206) ~[keycloak-tomcat-core-adapter-1.9.8.Final.jar!/:1.9.8.Final]
>>     at org.keycloak.adapters.tomcat.KeycloakAuthenticatorValve.authenticate(KeycloakAuthenticatorValve.java:48) ~[keycloak-tomcat8-adapter-1.9.8.Final.jar!/:1.9.8.Final]
>>     at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:577) [tomcat-embed-core-8.0.36.jar!/:8.0.36]
>>     at org.keycloak.adapters.tomcat.AbstractKeycloakAuthenticatorValve.invoke(AbstractKeycloakAuthenticatorValve.java:187) ~[keycloak-tomcat-core-adapter-1.9.8.Final.jar!/:1.9.8.Final]
>>     at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:141) [tomcat-embed-core-8.0.36.jar!/:8.0.36]
>>     at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79) [tomcat-embed-core-8.0.36.jar!/:8.0.36]
>>     at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:88) [tomcat-embed-core-8.0.36.jar!/:8.0.36]
>>     at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:528) [tomcat-embed-core-8.0.36.jar!/:8.0.36]
>>     at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1100) [tomcat-embed-core-8.0.36.jar!/:8.0.36]
>>     at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:687) [tomcat-embed-core-8.0.36.jar!/:8.0.36]
>>     at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1520) [tomcat-embed-core-8.0.36.jar!/:8.0.36]
>>     at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1476) [tomcat-embed-core-8.0.36.jar!/:8.0.36]
>>     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) [na:1.8.0_101]
>>     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) [na:1.8.0_101]
>>     at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) [tomcat-embed-core-8.0.36.jar!/:8.0.36]
>>     at java.lang.Thread.run(Thread.java:745) [na:1.8.0_101]
>>
>> Charles Moulliard
>> Sr. Pr. Software Engineer @redhat
>> cmoulliard at redhat.com | work: +31 205 65 12 84 | mobile: +32 473 60 40 14
>> Twitter: @cmoulliard <http://twitter.com/cmoulliard> | blog: cmoulliard.github.io
>> committer: apache camel, karaf, servicemix, hawtio, fabric8, drools,
>> jbpm, deltaspike
>>
>> On Wed, Dec 14, 2016 at 8:56 AM, Stian Thorgersen <sthorger at redhat.com>
>> wrote:
>>
>>> Your guess is correct. Or you can also use the much more complicated way
>>> of using basic auth header for client id and secret, but let's not get into
>>> that ;)
>>>
>>> On 14 December 2016 at 08:54, Sebastien Blanc <sblanc at redhat.com> wrote:
>>>
>>>> I guess "-d client_secret=my_secret" ? ;)
>>>>
>>>> On Wed, Dec 14, 2016 at 8:48 AM, Charles Moulliard <cmoullia at redhat.com> wrote:
>>>>
>>>>> How do I provide the client secret within the curl request ? An example
>>>>> would be great ;-)
>>>>>
>>>>> On Wed, Dec 14, 2016 at 8:27 AM, Stian Thorgersen <sthorger at redhat.com> wrote:
>>>>>
>>>>> > Error message is pretty self explanatory here - you're missing the
>>>>> > client secret
>>>>> >
>>>>> > On 14 December 2016 at 08:17, Charles Moulliard <cmoullia at redhat.com>
>>>>> > wrote:
>>>>> >
>>>>> >> Hi,
>>>>> >>
>>>>> >> Why do I get this error when I issue this curl request to get a
>>>>> >> token?
>>>>> >>
>>>>> >> curl -sk -X POST \
>>>>> >>   https://secure-sso-sso.e8ca.engint.openshiftapps.com/auth/realms/master/protocol/openid-connect/token \
>>>>> >>   -d grant_type=password -d username=admin -d password=admin \
>>>>> >>   -d client_id=demoapp
>>>>> >>
>>>>> >> {"error_description":"Client secret not provided in
>>>>> >> request","error":"unauthorized_client"}
>>>>> >>
>>>>> >> Keycloak Version : 1.9.8
>>>>> >> client_id: demoapp
>>>>> >>
>>>>> >> Do I have to set another field instead of username/password &
>>>>> >> grant_type=password ?
>>>>> >>
>>>>> >> Regards,
>>>>> >>
>>>>> >> Charles
>>>>> >> _______________________________________________
>>>>> >> keycloak-user mailing list
>>>>> >> keycloak-user at lists.jboss.org
>>>>> >> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
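
The issuer mismatch reported in this thread can be reproduced offline. The following is an added example, not part of the original messages and not Keycloak's own code: it compares a token's `iss` claim with the realm URL derived from keycloak.json values, assuming (from the error text above) that the adapter builds that URL as `auth-server-url` + `/realms/` + `realm`. The host, the token and all function names are constructed for illustration, and the signature is not checked.

```python
import base64
import json


def jwt_claims(token: str) -> dict:
    """Decode a JWT payload WITHOUT verifying the signature (diagnostic use only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected three dot-separated JWT segments")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def expected_issuer(cfg: dict) -> str:
    """Realm URL derived from keycloak.json values.

    Assumption taken from the error text in the thread: the adapter compares
    the token issuer with auth-server-url + "/realms/" + realm.
    """
    return f"{cfg['auth-server-url'].rstrip('/')}/realms/{cfg['realm']}"


def check_issuer(token: str, cfg: dict) -> tuple[bool, str]:
    """Return (ok, message) for the token's iss claim against the config."""
    iss = jwt_claims(token).get("iss", "")
    want = expected_issuer(cfg)
    if iss == want:
        return True, "issuer matches configuration"
    msg = f"token issuer is {iss}, but URL from configuration is {want}"
    with_auth = {**cfg, "auth-server-url": cfg["auth-server-url"].rstrip("/") + "/auth"}
    if iss == expected_issuer(with_auth):
        msg += '; "auth-server-url" lacks the /auth context path'
    return False, msg


def _segment(obj: dict) -> str:
    """base64url-encode a JSON object the way a JWT segment is encoded."""
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()


# Constructed sample data: placeholder host, unsigned dummy token.
ISSUER = "https://sso.example.test/auth/realms/master"
SAMPLE_TOKEN = ".".join([_segment({"alg": "RS256"}), _segment({"iss": ISSUER, "azp": "demoapp"}), "c2ln"])
BROKEN = {"realm": "master", "auth-server-url": "https://sso.example.test", "resource": "demoapp"}
FIXED = {**BROKEN, "auth-server-url": "https://sso.example.test/auth"}

if __name__ == "__main__":
    for name, cfg in (("broken", BROKEN), ("fixed", FIXED)):
        print(name, check_issuer(SAMPLE_TOKEN, cfg))
```
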

