[keycloak-user] Failed to make identity provider oauth callback: javax.net.ssl.SSLHandshakeException

Marek Posolda mposolda at redhat.com
Fri Feb 12 02:07:05 EST 2016


Facebook certificate should be signed by trusted authority, so it works 
with default JDK truststore. At least for me it always works.

Shouldn't truststore SPI use both provided file + default JDK truststore 
by default? We may have flag to disable default JDK truststore, but not 
sure if it's ever needed. Also shouldn't we rewrite SimpleHTTP to use 
Apache HTTP client provided by HttpClientProvider SPI?

Marek

On 11/02/16 15:23, Stian Thorgersen wrote:
> Does it work if you don't specify the truststore? That will use the 
> default truststore provided by the JDK.
>
> Also, does your truststore contain the required CA certs? For Facebook 
> to work it'll have to contain the required CA's for their certs
>
> On 11 February 2016 at 14:09, LEONARDO NUNES <leo.nunes at gjccorp.com.br> wrote:
>
>     Hi, I'm getting the error below when I try to log in with Facebook.
>     I've followed the instructions at
>     http://keycloak.github.io/docs/userguide/keycloak-server/html/server-installation.html#truststore and
>     http://keycloak.github.io/docs/userguide/keycloak-server/html/server-installation.html#d4e337
>
>     I was able to login with Facebook when trying at localhost. But at
>     our development server we are getting this error.
>
>     We are using EAP in domain mode.
>
>     The truststore I placed inside of keycloak-server.json
>     "truststore": {
>             "file": {
>                 "file": "/home/soa/jboss/ssl/keycloak.jks",
>                 "password": "keycloak123",
>                 "hostname-verification-policy": "ANY",
>                 "disabled": false
>             }
>         }
>
>
>     #######
>
>     ERROR:
>
>
>     2016-02-11 10:44:53,927 ERROR
>     [org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider]
>     (ajp-/192.168.162.73:8008-1) Failed to make identity provider
>     oauth callback: javax.net.ssl.SSLHandshakeException:
>     sun.security.validator.ValidatorException: PKIX path building
>     failed:
>     sun.security.provider.certpath.SunCertPathBuilderException: unable
>     to find valid certification path to requested target
>     at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
>     [jsse.jar:1.8.0_45]
>     at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1937)
>     [jsse.jar:1.8.0_45]
>     at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302)
>     [jsse.jar:1.8.0_45]
>     at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)
>     [jsse.jar:1.8.0_45]
>     at
>     sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1478)
>     [jsse.jar:1.8.0_45]
>     at
>     sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:212)
>     [jsse.jar:1.8.0_45]
>     at sun.security.ssl.Handshaker.processLoop(Handshaker.java:969)
>     [jsse.jar:1.8.0_45]
>     at sun.security.ssl.Handshaker.process_record(Handshaker.java:904)
>     [jsse.jar:1.8.0_45]
>     at
>     sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1050)
>     [jsse.jar:1.8.0_45]
>     at
>     sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1363)
>     [jsse.jar:1.8.0_45]
>     at
>     sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1391)
>     [jsse.jar:1.8.0_45]
>     at
>     sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1375)
>     [jsse.jar:1.8.0_45]
>     at
>     sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:563)
>     [rt.jar:1.8.0_45]
>     at
>     sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
>     [rt.jar:1.8.0_45]
>     at
>     sun.net.www.protocol.http.HttpURLConnection.getOutputStream0(HttpURLConnection.java:1282)
>     [rt.jar:1.8.0_45]
>     at
>     sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:1257)
>     [rt.jar:1.8.0_45]
>     at
>     sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(HttpsURLConnectionImpl.java:250)
>     [rt.jar:1.8.0_45]
>     at
>     org.keycloak.broker.provider.util.SimpleHttp.asString(SimpleHttp.java:124)
>     at
>     org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider$Endpoint.authResponse(AbstractOAuth2IdentityProvider.java:228)
>     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>     [rt.jar:1.8.0_45]
>     at
>     sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>     [rt.jar:1.8.0_45]
>     at
>     sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>     [rt.jar:1.8.0_45]
>     at java.lang.reflect.Method.invoke(Method.java:497) [rt.jar:1.8.0_45]
>     at
>     org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:167)
>     [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]
>     at
>     org.jboss.resteasy.core.ResourceMethod.invokeOnTarget(ResourceMethod.java:269)
>     [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]
>     at
>     org.jboss.resteasy.core.ResourceMethod.invoke(ResourceMethod.java:227)
>     [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]
>     at
>     org.jboss.resteasy.core.ResourceLocator.invokeOnTargetObject(ResourceLocator.java:159)
>     [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]
>     at
>     org.jboss.resteasy.core.ResourceLocator.invoke(ResourceLocator.java:107)
>     [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]
>     at
>     org.jboss.resteasy.core.ResourceLocator.invokeOnTargetObject(ResourceLocator.java:154)
>     [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]
>     at
>     org.jboss.resteasy.core.ResourceLocator.invoke(ResourceLocator.java:92)
>     [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]
>     at
>     org.jboss.resteasy.core.SynchronousDispatcher.getResponse(SynchronousDispatcher.java:542)
>     [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]
>     at
>     org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:524)
>     [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]
>     at
>     org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:126)
>     [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]
>     at
>     org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:208)
>     [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]
>     at
>     org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:55)
>     [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]
>     at
>     org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:50)
>     [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]
>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:847)
>     [jboss-servlet-api_3.0_spec-1.0.2.Final-redhat-1.jar:1.0.2.Final-redhat-1]
>     at
>     org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:295)
>     [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
>     at
>     org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:214)
>     [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
>     at
>     org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:61)
>     [keycloak-services-1.8.1.Final.jar:1.8.1.Final]
>     at
>     org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:246)
>     [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
>     at
>     org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:214)
>     [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
>     at
>     org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:231)
>     [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
>     at
>     org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:149)
>     [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
>     at
>     org.jboss.modcluster.container.jbossweb.JBossWebContext$RequestListenerValve.event(JBossWebContext.java:91)
>     at
>     org.jboss.modcluster.container.jbossweb.JBossWebContext$RequestListenerValve.invoke(JBossWebContext.java:72)
>     at
>     org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:169)
>     [jboss-as-web-7.4.3.Final-redhat-2.jar:7.4.3.Final-redhat-2]
>     at
>     org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:145)
>     [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
>     at
>     org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:97)
>     [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
>     at
>     org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:102)
>     [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
>     at
>     org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:344)
>     [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
>     at
>     org.apache.coyote.ajp.AjpProcessor.process(AjpProcessor.java:490)
>     [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
>     at
>     org.apache.coyote.ajp.AjpProtocol$AjpConnectionHandler.process(AjpProtocol.java:420)
>     [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
>     at
>     org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:926)
>     [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
>     at java.lang.Thread.run(Thread.java:745) [rt.jar:1.8.0_45]
>     Caused by: sun.security.validator.ValidatorException: PKIX path
>     building failed:
>     sun.security.provider.certpath.SunCertPathBuilderException: unable
>     to find valid certification path to requested target
>     at
>     sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:387)
>     [rt.jar:1.8.0_45]
>     at
>     sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
>     [rt.jar:1.8.0_45]
>     at sun.security.validator.Validator.validate(Validator.java:260)
>     [rt.jar:1.8.0_45]
>     at
>     sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
>     [jsse.jar:1.8.0_45]
>     at
>     sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
>     [jsse.jar:1.8.0_45]
>     at
>     sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
>     [jsse.jar:1.8.0_45]
>     at
>     sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1460)
>     [jsse.jar:1.8.0_45]
>     ... 50 more
>     Caused by:
>     sun.security.provider.certpath.SunCertPathBuilderException: unable
>     to find valid certification path to requested target
>     at
>     sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:145)
>     [rt.jar:1.8.0_45]
>     at
>     sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:131)
>     [rt.jar:1.8.0_45]
>     at
>     java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
>     [rt.jar:1.8.0_45]
>     at
>     sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:382)
>     [rt.jar:1.8.0_45]
>     ... 56 more
>
>
>
>
>
>     -- 
>     Leonardo Nunes
>
>     _______________________________________________
>     keycloak-user mailing list
>     keycloak-user at lists.jboss.org
>     https://lists.jboss.org/mailman/listinfo/keycloak-user
