[keycloak-user] Kerberos token

Marek Posolda mposolda at redhat.com
Wed May 25 07:43:18 EDT 2016


Hi,

It seems from the log that you tried to put Kerberos 
(SpnegoAuthenticator) into the directAccessGrant flow, is that correct? This 
won't work. The implementation of SpnegoAuthenticator is supposed to 
work just for the browser-based flow, where the browser is supposed to send 
an HTTP header with the SPNEGO token, like "Authorization: Negotiate 
your-spnego-kerberos-token".

It seems that, to avoid similar confusion, we should have some filters 
(or authentication subtypes) which allow specifying which 
authenticator is supposed to be used in which flow. I've created a JIRA 
for that: https://issues.jboss.org/browse/KEYCLOAK-3043

If I understand your use case correctly, you sent username+password to 
direct grant authentication and you want Keycloak to verify the given 
username+password against Kerberos, right? In this case, you can just use 
the default directGrant flow without any changes. All you need to do is 
check the flag "Use Kerberos For Password Authentication" in the 
configuration of your LDAP federation provider.

Marek


On 23/05/16 17:51, Gareth Healy wrote:
> I am trying to hook up APIMan with Keycloak using Kerberos and OAuth2. 
> I am trying to get a token from Keycloak using the following URL:
>
>     curl -X POST \
>       http://localhost:29080/auth/realms/freeipa/protocol/openid-connect/token \
>       -H "Content-Type: application/x-www-form-urlencoded" \
>       -d 'username=admin' -d 'password=Secret123' -d 'grant_type=password' \
>       -d 'client_id=mapper' \
>       -d 'client_secret=027fbd51-135b-47d6-86cd-7ce541b38984'
>
>
> But, get an exception back:
>
>
>     2016-05-23 14:22:25,676 DEBUG [org.keycloak.services] (default
>     task-51) AUTHENTICATE CLIENT
>     2016-05-23 14:22:25,676 TRACE [org.keycloak.services] (default
>     task-51) Using executions for client authentication:
>     [de08b32a-a4a5-469c-91cc-0fbca51e1c2f,
>     de3db156-dcc2-4346-bf3a-e56e8e10ed5f]
>     2016-05-23 14:22:25,676 DEBUG [org.keycloak.services] (default
>     task-51) client authenticator: client-secret
>     2016-05-23 14:22:25,676 DEBUG [org.keycloak.services] (default
>     task-51) client authenticator SUCCESS: client-secret
>     2016-05-23 14:22:25,676 DEBUG [org.keycloak.services] (default
>     task-51) Client mapper authenticated by client-secret
>     2016-05-23 14:22:25,676 TRACE
>     [org.keycloak.models.sessions.infinispan.InfinispanUserSessionProvider]
>     (default task-51) Adding cache operation: ADD on
>     7ad60b45-4e69-45a4-a995-ee65d9ee47ae
>     2016-05-23 14:22:25,676 TRACE
>     [org.keycloak.models.sessions.infinispan.InfinispanUserSessionProvider]
>     (default task-51) Adding cache operation: REPLACE on
>     7ad60b45-4e69-45a4-a995-ee65d9ee47ae
>     2016-05-23 14:22:25,676 TRACE
>     [org.keycloak.models.sessions.infinispan.InfinispanUserSessionProvider]
>     (default task-51) Adding cache operation: REPLACE on
>     7ad60b45-4e69-45a4-a995-ee65d9ee47ae
>     2016-05-23 14:22:25,676 TRACE
>     [org.keycloak.models.sessions.infinispan.InfinispanUserSessionProvider]
>     (default task-51) Adding cache operation: REPLACE on
>     7ad60b45-4e69-45a4-a995-ee65d9ee47ae
>     2016-05-23 14:22:25,676 TRACE
>     [org.keycloak.models.sessions.infinispan.InfinispanUserSessionProvider]
>     (default task-51) Adding cache operation: REPLACE on
>     7ad60b45-4e69-45a4-a995-ee65d9ee47ae
>     2016-05-23 14:22:25,676 TRACE
>     [org.keycloak.models.sessions.infinispan.InfinispanUserSessionProvider]
>     (default task-51) Adding cache operation: REPLACE on
>     7ad60b45-4e69-45a4-a995-ee65d9ee47ae
>     2016-05-23 14:22:25,676 DEBUG [org.keycloak.services] (default
>     task-51) AUTHENTICATE ONLY
>     2016-05-23 14:22:25,676 TRACE
>     [org.keycloak.models.sessions.infinispan.InfinispanUserSessionProvider]
>     (default task-51) Adding cache operation: REPLACE on
>     7ad60b45-4e69-45a4-a995-ee65d9ee47ae
>     2016-05-23 14:22:25,676 DEBUG [org.keycloak.services] (default
>     task-51) processFlow
>     2016-05-23 14:22:25,676 DEBUG [org.keycloak.services] (default
>     task-51) check execution: direct-grant-validate-username
>     requirement: REQUIRED
>     2016-05-23 14:22:25,676 DEBUG [org.keycloak.services] (default
>     task-51) authenticator: direct-grant-validate-username
>     2016-05-23 14:22:25,676 DEBUG [org.keycloak.services] (default
>     task-51) invoke authenticator.authenticate
>     2016-05-23 14:22:25,676 TRACE
>     [org.keycloak.models.sessions.infinispan.InfinispanUserSessionProvider]
>     (default task-51) Adding cache operation: REPLACE on
>     7ad60b45-4e69-45a4-a995-ee65d9ee47ae
>     2016-05-23 14:22:25,677 TRACE
>     [org.keycloak.federation.ldap.idm.store.ldap.LDAPIdentityStore]
>     (default task-51) Using filter for LDAP search:
>     (&(uid=admin)(objectclass=person)) . Searching in DN:
>     cn=users,cn=accounts,dc=example,dc=test
>     2016-05-23 14:22:25,682 TRACE
>     [org.keycloak.federation.ldap.idm.store.ldap.LDAPIdentityStore]
>     (default task-51) Found ldap object and populated with the
>     attributes. LDAP Object: LDAP Object [ dn:
>     uid=admin,cn=users,cn=accounts,dc=example,dc=test , uuid:
>     afc65b08-1e75-11e6-9645-02420a01010f, attributes: {uid=[admin],
>     gecos=[Administrator], sn=[Administrator], cn=[Administrator],
>     createTimestamp=[20160520102908Z],
>     modifyTimestamp=[20160523142225Z]}, readOnly attribute names:
>     [createtimestamp, modifytimestamp] ]
>     2016-05-23 14:22:25,682 TRACE
>     [org.keycloak.models.sessions.infinispan.InfinispanUserSessionProvider]
>     (default task-51) Adding cache operation: REPLACE on
>     7ad60b45-4e69-45a4-a995-ee65d9ee47ae
>     2016-05-23 14:22:25,682 DEBUG [org.keycloak.services] (default
>     task-51) authenticator SUCCESS: direct-grant-validate-username
>     2016-05-23 14:22:25,682 TRACE
>     [org.keycloak.models.sessions.infinispan.InfinispanUserSessionProvider]
>     (default task-51) Adding cache operation: REPLACE on
>     7ad60b45-4e69-45a4-a995-ee65d9ee47ae
>     2016-05-23 14:22:25,682 DEBUG [org.keycloak.services] (default
>     task-51) check execution: direct-grant-validate-password
>     requirement: DISABLED
>     2016-05-23 14:22:25,682 DEBUG [org.keycloak.services] (default
>     task-51) execution is processed
>     2016-05-23 14:22:25,682 DEBUG [org.keycloak.services] (default
>     task-51) check execution: auth-spnego requirement: ALTERNATIVE
>     2016-05-23 14:22:25,682 DEBUG [org.keycloak.services] (default
>     task-51) authenticator: auth-spnego
>     2016-05-23 14:22:25,682 DEBUG [org.keycloak.services] (default
>     task-51) invoke authenticator.authenticate
>     2016-05-23 14:22:25,682 TRACE [org.keycloak.services] (default
>     task-51) Sending back WWW-Authenticate: Negotiate
>     2016-05-23 14:22:25,682 TRACE
>     [org.keycloak.models.sessions.infinispan.InfinispanUserSessionProvider]
>     (default task-51) Adding cache operation: REPLACE on
>     7ad60b45-4e69-45a4-a995-ee65d9ee47ae
>     2016-05-23 14:22:25,683 ERROR [io.undertow.request] (default
>     task-51) UT005023: Exception handling request to
>     /auth/realms/freeipa/protocol/openid-connect/token:
>     org.jboss.resteasy.spi.UnhandledException:
>     java.lang.IllegalArgumentException: RESTEASY003715: path was null
>           at
>     org.jboss.resteasy.core.ExceptionHandler.handleApplicationException(ExceptionHandler.java:76)
>           at
>     org.jboss.resteasy.core.ExceptionHandler.handleException(ExceptionHandler.java:212)
>           at
>     org.jboss.resteasy.core.SynchronousDispatcher.writeException(SynchronousDispatcher.java:168)
>           at
>     org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:411)
>           at
>     org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:202)
>           at
>     org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:221)
>           at
>     org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
>           at
>     org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
>           at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
>           at
>     io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
>           at
>     io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
>           at
>     org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:78)
>           at
>     io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
>           at
>     io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
>           at
>     io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
>           at
>     io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
>           at
>     io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
>           at
>     org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
>           at
>     io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>           at
>     io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
>           at
>     io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
>           at
>     io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>           at
>     io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
>           at
>     io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
>           at
>     io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
>           at
>     io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
>           at
>     io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
>           at
>     io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
>           at
>     io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>           at
>     org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
>           at
>     io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>           at
>     io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>           at
>     io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:284)
>           at
>     io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263)
>           at
>     io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
>           at
>     io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174)
>           at
>     io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)
>           at
>     io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793)
>           at
>     java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
>           at
>     java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
>           at java.lang.Thread.run(Thread.java:745)
>     Caused by: java.lang.IllegalArgumentException: RESTEASY003715:
>     path was null
>           at
>     org.jboss.resteasy.specimpl.ResteasyUriBuilder.path(ResteasyUriBuilder.java:357)
>           at
>     org.keycloak.authentication.AuthenticationProcessor$Result.getActionUrl(AuthenticationProcessor.java:478)
>           at
>     org.keycloak.authentication.authenticators.browser.SpnegoAuthenticator.optionalChallengeRedirect(SpnegoAuthenticator.java:137)
>           at
>     org.keycloak.authentication.authenticators.browser.SpnegoAuthenticator.challengeNegotiation(SpnegoAuthenticator.java:121)
>           at
>     org.keycloak.authentication.authenticators.browser.SpnegoAuthenticator.authenticate(SpnegoAuthenticator.java:65)
>           at
>     org.keycloak.authentication.DefaultAuthenticationFlow.processFlow(DefaultAuthenticationFlow.java:183)
>           at
>     org.keycloak.authentication.AuthenticationProcessor.authenticateOnly(AuthenticationProcessor.java:789)
>           at
>     org.keycloak.protocol.oidc.endpoints.TokenEndpoint.buildResourceOwnerPasswordCredentialsGrant(TokenEndpoint.java:379)
>           at
>     org.keycloak.protocol.oidc.endpoints.TokenEndpoint.build(TokenEndpoint.java:125)
>           at sun.reflect.GeneratedMethodAccessor587.invoke(Unknown Source)
>           at
>     sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>           at java.lang.reflect.Method.invoke(Method.java:497)
>           at
>     org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:139)
>           at
>     org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295)
>           at
>     org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249)
>           at
>     org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:138)
>           at
>     org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107)
>           at
>     org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133)
>           at
>     org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:101)
>           at
>     org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:395)
>           ... 37 more
>
>
> Looking in the code, I can see I am missing the "flowPath", but not 
> sure where this should be set.
>
>     https://github.com/keycloak/keycloak/blob/1.9.x/services/src/main/java/org/keycloak/authentication/authenticators/browser/SpnegoAuthenticator.java#L137
>
>     https://github.com/keycloak/keycloak/blob/1.9.x/services/src/main/java/org/keycloak/authentication/AuthenticationProcessor.java#L476
>
>
> Can anyone point me in the right direction please?
>
> -- 
> Gareth Healy
> UKI Middleware Consultant
> Red Hat UK Ltd
> 200 Fowler Avenue
> Farnborough, Hants
> GU14 7JP, UK
>
> Mobile: +44(0)7818511214
> E-Mail: gahealy at redhat.com
>
> Registered in England and Wales under Company Registration No. 03798903
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
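To make the distinction in Marek's reply concrete, here is an added Python example; it is not Keycloak code and not from either poster. It models the two paths the thread contrasts: the browser flow, where the SPNEGO authenticator first answers with `WWW-Authenticate: Negotiate` and then expects an `Authorization: Negotiate <base64 token>` header, and the direct (password) grant, where the request body carries a username and password and no GSS-API token at all, so the credential check belongs to the LDAP provider (with "Use Kerberos For Password Authentication" turned on). The parser inspects the GSS-API InitialContextToken wrapper (RFC 2743) far enough to identify the mechanism OID (SPNEGO or Kerberos v5) and reject malformed tokens; it does not verify a ticket, which needs the service keytab and a GSS library. The token bytes are constructed placeholders, not a real Kerberos ticket, and the function names (`parse_negotiate_header`, `classify_request`, `make_token`, `negotiate_header`, `negotiate_challenge`) are hypothetical helpers introduced for this example.

```python
import base64
import re

# DER-encoded mechanism OIDs that open a GSS-API InitialContextToken (RFC 2743, 3.1):
# tag 0x06, length, then the base-128 arcs.
SPNEGO_OID = bytes.fromhex("2b0601050502")        # 1.3.6.1.5.5.2 (RFC 4178)
KRB5_OID = bytes.fromhex("2a864886f712010202")    # 1.2.840.113554.1.2.2 (RFC 4121)
OID_NAMES = {SPNEGO_OID: "SPNEGO", KRB5_OID: "Kerberos v5"}

NEGOTIATE_RE = re.compile(r"^\s*Negotiate(?:\s+([A-Za-z0-9+/=]+))?\s*$", re.IGNORECASE)


def negotiate_challenge():
    """Server side of the browser flow: the header returned (with a 401) when
    the client has not supplied a token yet."""
    return ("WWW-Authenticate", "Negotiate")


def negotiate_header(token):
    """Client side of the browser flow: wrap raw token bytes as a browser would."""
    return "Negotiate " + base64.b64encode(token).decode("ascii")


def _der_length(buf, pos):
    """Decode a DER length at buf[pos]; return (length, position after it)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    if n == 0 or n > 4 or pos + 1 + n > len(buf):
        raise ValueError("bad DER length")
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def parse_negotiate_header(value):
    """Parse an 'Authorization: Negotiate <base64>' value and identify the mechanism
    of the GSS-API token inside it. Structure only: verifying the Kerberos ticket
    itself needs the service keytab and a GSS library, as Keycloak's authenticator has."""
    m = NEGOTIATE_RE.match(value)
    if not m:
        raise ValueError("not a Negotiate authorization header")
    if m.group(1) is None:
        return {"token": None, "mechanism": None, "inner": None}
    try:
        raw = base64.b64decode(m.group(1), validate=True)
    except ValueError as exc:            # binascii.Error is a ValueError subclass
        raise ValueError("token is not valid base64") from exc
    # Browsers also carry NTLM under the Negotiate scheme; it is not a GSS token.
    if raw.startswith(b"NTLMSSP\x00"):
        return {"token": raw, "mechanism": "NTLM", "inner": raw[8:]}
    if not raw or raw[0] != 0x60:
        raise ValueError("not a GSS-API InitialContextToken ([APPLICATION 0])")
    total, pos = _der_length(raw, 1)
    if pos + total != len(raw):
        raise ValueError("InitialContextToken length does not match payload")
    if raw[pos] != 0x06:
        raise ValueError("expected OBJECT IDENTIFIER after the token tag")
    oid_len, oid_pos = _der_length(raw, pos + 1)
    oid = raw[oid_pos:oid_pos + oid_len]
    if oid not in OID_NAMES:
        raise ValueError("unknown mechanism OID %s" % oid.hex())
    return {"token": raw, "mechanism": OID_NAMES[oid], "inner": raw[oid_pos + oid_len:]}


def make_token(oid, inner):
    """Build a short InitialContextToken around 'inner' (constructed test data only)."""
    body = b"\x06" + bytes([len(oid)]) + oid + inner
    if len(body) >= 0x80:
        raise ValueError("helper only handles short-form DER lengths")
    return b"\x60" + bytes([len(body)]) + body


def classify_request(headers, form):
    """Decide which credential path a login request takes, mirroring the thread:
    a Negotiate header is material for the SPNEGO (browser) authenticator, while a
    password grant carries no token and is checked by the user-storage provider
    ('Use Kerberos For Password Authentication' makes that a Kerberos check)."""
    auth = headers.get("Authorization")
    if auth is not None:
        if not auth.lstrip().lower().startswith("negotiate"):
            return "unsupported-scheme"
        parsed = parse_negotiate_header(auth)
        if parsed["token"] is None:
            return "challenge"           # scheme announced, no token yet: send the challenge
        return "spnego:" + parsed["mechanism"]
    if form.get("grant_type") == "password":
        if "username" in form and "password" in form:
            return "password-grant"      # no SPNEGO involved; LDAP/Kerberos password check
        raise ValueError("password grant without username/password")
    return "challenge"                   # browser with no credentials: start the handshake


if __name__ == "__main__":
    # Constructed inner bytes: a stand-in for a NegTokenInit, not a real ticket.
    token = make_token(SPNEGO_OID, b"\xa0\x03\x0a\x01\x00")
    print(parse_negotiate_header(negotiate_header(token))["mechanism"])    # SPNEGO
    print(classify_request({}, {"grant_type": "password", "username": "admin",
                                "password": "x"}))                           # password-grant
    print(classify_request({"Authorization": "Negotiate"}, {}))               # challenge
```

Run against the curl request in the original post, `classify_request` returns `password-grant`: there is no `Authorization: Negotiate` header for an SPNEGO authenticator to consume, which is why the authenticator in the direct grant flow falls through to issuing a browser challenge and fails on the missing action URL. Anything returned as `spnego:...` still has to be handed to a real GSS-API acceptor; the parser only tells you which mechanism the client is offering and rejects tokens whose DER framing is inconsistent.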
