[keycloak-user] Need help: Configuring keycloak to work with IBM Websphere Application Server

T, Suseendhiran (Nokia - IN/Bangalore) suseendhiran.t at nokia.com
Fri Jun 24 05:32:25 EDT 2016


Hello All,

I am trying to configure Keycloak as the OpenID Connect provider and IBM WebSphere Application Server as the Relying Party.
During authentication, Keycloak sends the JWT. But IBM WebSphere Application Server could not verify the token.

The exception below is thrown:
com.ibm.websphere.security.WebTrustAssociationFailedException: CWTAI2007E: The OpenID Connect replying party (RP) encountered a failure during the login. The exception is [Failed to validate id token, exception thrown during verify [key is invalid]]. Check the logs for details that lead to this exception.
        at com.ibm.ws.security.oidc.client.RelyingParty.handleSigninCallback(RelyingParty.java:428)
        ...<skipping trace>
        at com.ibm.ws.util.ThreadPool$Worker.run(ThreadPool.java:1881)
Caused by: com.ibm.ws.security.oidc.client.RelyingPartyException: Failed to validate id token, exception thrown during verify [key is invalid]
        at com.ibm.ws.security.oidc.client.SessionCache.updateEntryUsingStateId(SessionCache.java:352)
        at com.ibm.ws.security.oidc.client.RelyingParty.handleSigninCallback(RelyingParty.java:411)
        ... 28 more
Caused by: java.lang.IllegalStateException: key is invalid
        at net.oauth.jsontoken.crypto.RsaSHA256Verifier.<init>(RsaSHA256Verifier.java:45)
        at com.ibm.ws.security.openidconnect.token.JWT.getJsonTokenParser(JWT.java:1017)
        at com.ibm.ws.security.openidconnect.token.JWT.verify(JWT.java:881)
        at com.ibm.ws.security.openidconnect.token.IDToken.verify(IDToken.java:578)
        at com.ibm.ws.security.oidc.client.SessionData.setIdToken(SessionData.java:294)
        at com.ibm.ws.security.oidc.client.SessionData.update(SessionData.java:131)
        at com.ibm.ws.security.oidc.client.SessionCache.updateEntryUsingStateId(SessionCache.java:343)
        ... 29 more
Caused by: java.security.InvalidKeyException: No installed provider supports this key: (null)
        at java.security.Signature$Delegate.chooseProvider(Signature.java:1139)
        at java.security.Signature$Delegate.engineInitVerify(Signature.java:1172)
        at java.security.Signature.initVerify(Signature.java:462)
        at net.oauth.jsontoken.crypto.RsaSHA256Verifier.<init>(RsaSHA256Verifier.java:41)
        ... 35 more
. Make sure that the setup is correct and that the user credentials are valid.
[6/7/16 8:58:30:493 IST] 000002bb WebCollaborat A   SECJ0056E: Authentication failed for reason CWTAI2007E: The OpenID Connect replying party (RP) encountered a failure during the login. The exception is [Failed to validate id token, exception thrown during verify [key is invalid]]. Check the logs for details that lead to this exception.
-------------------------------------------------------------------------------------------------------------------------------------------

I have attached the WebSphere log during authentication. Could someone help me analyse the issue?

Versions used:
Keycloak - 1.9.4.Final
IBM WebSphere Application Server Network Deployment - Version 8.5.5.8

Please let me know if any information is needed.

Regards,
Suseendhiran T



-------------- next part --------------
A non-text attachment was scrubbed...
Name: SystemOut.log
Type: application/octet-stream
Size: 6403 bytes
Desc: SystemOut.log
Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20160624/7c3454ea/attachment-0001.obj 

