[keycloak-user] Kerberos token
Gareth Healy
gahealy at redhat.com
Wed May 25 09:02:08 EDT 2016
Hi Marek,
Thanks for the clarification.
Cheers.
On Wed, May 25, 2016 at 12:43 PM, Marek Posolda <mposolda at redhat.com> wrote:
> Hi,
>
> it seems from the log, that you tried to put Kerberos
> (SpnegoAuthenticator) to the directAccessGrant flow, is it correct? This
> won't work. The implementation of SpnegoAuthenticator is supposed to work
> just for browser based flow when browser is supposed to send HTTP header
> with SPNEGO token like "Authorization: Negotiate
> your-spnego-kerberos-token" .
>
> It seems that to avoid similar confusions, we should have some filters (or
> authentication subtypes), which will allow to specify which authenticator
> is supposed to be used in which flow. I've created JIRA for that
> https://issues.jboss.org/browse/KEYCLOAK-3043 .
>
> If I understand correctly your usecase, you sent username+password to
> direct grant authentication and you want Keycloak to verify the given
> username+password against Kerberos right? In this case, you can just use
> default directGrant flow without any changes. All you need to do is to
> check the flag " Use Kerberos For Password Authentication" in the
> configuration of your LDAP federation provider.
>
> Marek
>
>
>
> On 23/05/16 17:51, Gareth Healy wrote:
>
> I am trying to hook up APIMan with KeyCloak using Kerberos and OAuth2. I
> am trying to get a token from key cloak using the following URL:
>
> curl -X POST
> http://localhost:29080/auth/realms/freeipa/protocol/openid-connect/token
> -H "Content-Type: application/x-www-form-urlencoded" -d "username=admin"
> -d 'password=Secret123' -d 'grant_type=password' -d 'client_id=mapper' -d
> 'client_secret=027fbd51-135b-47d6-86cd-7ce541b38984'
>
>
> But, get an exception back:
>
>
> 2016-05-23 14:22:25,676 DEBUG [org.keycloak.services] (default task-51)
> AUTHENTICATE CLIENT
> 2016-05-23 14:22:25,676 TRACE [org.keycloak.services] (default task-51)
> Using executions for client authentication:
> [de08b32a-a4a5-469c-91cc-0fbca51e1c2f, de3db156-dcc2-4346-bf3a-e56e8e10ed5f]
> 2016-05-23 14:22:25,676 DEBUG [org.keycloak.services] (default task-51)
> client authenticator: client-secret
> 2016-05-23 14:22:25,676 DEBUG [org.keycloak.services] (default task-51)
> client authenticator SUCCESS: client-secret
> 2016-05-23 14:22:25,676 DEBUG [org.keycloak.services] (default task-51)
> Client mapper authenticated by client-secret
> 2016-05-23 14:22:25,676 TRACE
> [org.keycloak.models.sessions.infinispan.InfinispanUserSessionProvider]
> (default task-51) Adding cache operation: ADD on
> 7ad60b45-4e69-45a4-a995-ee65d9ee47ae
> 2016-05-23 14:22:25,676 TRACE
> [org.keycloak.models.sessions.infinispan.InfinispanUserSessionProvider]
> (default task-51) Adding cache operation: REPLACE on
> 7ad60b45-4e69-45a4-a995-ee65d9ee47ae
> 2016-05-23 14:22:25,676 TRACE
> [org.keycloak.models.sessions.infinispan.InfinispanUserSessionProvider]
> (default task-51) Adding cache operation: REPLACE on
> 7ad60b45-4e69-45a4-a995-ee65d9ee47ae
> 2016-05-23 14:22:25,676 TRACE
> [org.keycloak.models.sessions.infinispan.InfinispanUserSessionProvider]
> (default task-51) Adding cache operation: REPLACE on
> 7ad60b45-4e69-45a4-a995-ee65d9ee47ae
> 2016-05-23 14:22:25,676 TRACE
> [org.keycloak.models.sessions.infinispan.InfinispanUserSessionProvider]
> (default task-51) Adding cache operation: REPLACE on
> 7ad60b45-4e69-45a4-a995-ee65d9ee47ae
> 2016-05-23 14:22:25,676 TRACE
> [org.keycloak.models.sessions.infinispan.InfinispanUserSessionProvider]
> (default task-51) Adding cache operation: REPLACE on
> 7ad60b45-4e69-45a4-a995-ee65d9ee47ae
> 2016-05-23 14:22:25,676 DEBUG [org.keycloak.services] (default task-51)
> AUTHENTICATE ONLY
> 2016-05-23 14:22:25,676 TRACE
> [org.keycloak.models.sessions.infinispan.InfinispanUserSessionProvider]
> (default task-51) Adding cache operation: REPLACE on
> 7ad60b45-4e69-45a4-a995-ee65d9ee47ae
> 2016-05-23 14:22:25,676 DEBUG [org.keycloak.services] (default task-51)
> processFlow
> 2016-05-23 14:22:25,676 DEBUG [org.keycloak.services] (default task-51)
> check execution: direct-grant-validate-username requirement: REQUIRED
> 2016-05-23 14:22:25,676 DEBUG [org.keycloak.services] (default task-51)
> authenticator: direct-grant-validate-username
> 2016-05-23 14:22:25,676 DEBUG [org.keycloak.services] (default task-51)
> invoke authenticator.authenticate
> 2016-05-23 14:22:25,676 TRACE
> [org.keycloak.models.sessions.infinispan.InfinispanUserSessionProvider]
> (default task-51) Adding cache operation: REPLACE on
> 7ad60b45-4e69-45a4-a995-ee65d9ee47ae
> 2016-05-23 14:22:25,677 TRACE
> [org.keycloak.federation.ldap.idm.store.ldap.LDAPIdentityStore] (default
> task-51) Using filter for LDAP search: (&(uid=admin)(objectclass=person)) .
> Searching in DN: cn=users,cn=accounts,dc=example,dc=test
> 2016-05-23 14:22:25,682 TRACE
> [org.keycloak.federation.ldap.idm.store.ldap.LDAPIdentityStore] (default
> task-51) Found ldap object and populated with the attributes. LDAP Object:
> LDAP Object [ dn: uid=admin,cn=users,cn=accounts,dc=example,dc=test , uuid:
> afc65b08-1e75-11e6-9645-02420a01010f, attributes: {uid=[admin],
> gecos=[Administrator], sn=[Administrator], cn=[Administrator],
> createTimestamp=[20160520102908Z], modifyTimestamp=[20160523142225Z]},
> readOnly attribute names: [createtimestamp, modifytimestamp] ]
> 2016-05-23 14:22:25,682 TRACE
> [org.keycloak.models.sessions.infinispan.InfinispanUserSessionProvider]
> (default task-51) Adding cache operation: REPLACE on
> 7ad60b45-4e69-45a4-a995-ee65d9ee47ae
> 2016-05-23 14:22:25,682 DEBUG [org.keycloak.services] (default task-51)
> authenticator SUCCESS: direct-grant-validate-username
> 2016-05-23 14:22:25,682 TRACE
> [org.keycloak.models.sessions.infinispan.InfinispanUserSessionProvider]
> (default task-51) Adding cache operation: REPLACE on
> 7ad60b45-4e69-45a4-a995-ee65d9ee47ae
> 2016-05-23 14:22:25,682 DEBUG [org.keycloak.services] (default task-51)
> check execution: direct-grant-validate-password requirement: DISABLED
> 2016-05-23 14:22:25,682 DEBUG [org.keycloak.services] (default task-51)
> execution is processed
> 2016-05-23 14:22:25,682 DEBUG [org.keycloak.services] (default task-51)
> check execution: auth-spnego requirement: ALTERNATIVE
> 2016-05-23 14:22:25,682 DEBUG [org.keycloak.services] (default task-51)
> authenticator: auth-spnego
> 2016-05-23 14:22:25,682 DEBUG [org.keycloak.services] (default task-51)
> invoke authenticator.authenticate
> 2016-05-23 14:22:25,682 TRACE [org.keycloak.services] (default task-51)
> Sending back WWW-Authenticate: Negotiate
> 2016-05-23 14:22:25,682 TRACE
> [org.keycloak.models.sessions.infinispan.InfinispanUserSessionProvider]
> (default task-51) Adding cache operation: REPLACE on
> 7ad60b45-4e69-45a4-a995-ee65d9ee47ae
> 2016-05-23 14:22:25,683 ERROR [io.undertow.request] (default task-51)
> UT005023: Exception handling request to
> /auth/realms/freeipa/protocol/openid-connect/token:
> org.jboss.resteasy.spi.UnhandledException:
> java.lang.IllegalArgumentException: RESTEASY003715: path was null
> at
> org.jboss.resteasy.core.ExceptionHandler.handleApplicationException(ExceptionHandler.java:76)
> at
> org.jboss.resteasy.core.ExceptionHandler.handleException(ExceptionHandler.java:212)
> at
> org.jboss.resteasy.core.SynchronousDispatcher.writeException(SynchronousDispatcher.java:168)
> at
> org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:411)
> at
> org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:202)
> at
> org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:221)
> at
> org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
> at
> org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
> at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
> at
> io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
> at
> io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
> at
> org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:78)
> at
> io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
> at
> io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
> at
> io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
> at
> io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
> at
> io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
> at
> org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
> at
> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> at
> io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
> at
> io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
> at
> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> at
> io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
> at
> io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
> at
> io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
> at
> io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
> at
> io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
> at
> io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
> at
> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> at
> org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
> at
> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> at
> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> at
> io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:284)
> at
> io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263)
> at
> io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
> at
> io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174)
> at
> io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)
> at
> io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793)
> at
> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
> at
> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
> at java.lang.Thread.run(Thread.java:745)
> Caused by: java.lang.IllegalArgumentException: RESTEASY003715: path was
> null
> at
> org.jboss.resteasy.specimpl.ResteasyUriBuilder.path(ResteasyUriBuilder.java:357)
> at
> org.keycloak.authentication.AuthenticationProcessor$Result.getActionUrl(AuthenticationProcessor.java:478)
> at
> org.keycloak.authentication.authenticators.browser.SpnegoAuthenticator.optionalChallengeRedirect(SpnegoAuthenticator.java:137)
> at
> org.keycloak.authentication.authenticators.browser.SpnegoAuthenticator.challengeNegotiation(SpnegoAuthenticator.java:121)
> at
> org.keycloak.authentication.authenticators.browser.SpnegoAuthenticator.authenticate(SpnegoAuthenticator.java:65)
> at
> org.keycloak.authentication.DefaultAuthenticationFlow.processFlow(DefaultAuthenticationFlow.java:183)
> at
> org.keycloak.authentication.AuthenticationProcessor.authenticateOnly(AuthenticationProcessor.java:789)
> at
> org.keycloak.protocol.oidc.endpoints.TokenEndpoint.buildResourceOwnerPasswordCredentialsGrant(TokenEndpoint.java:379)
> at
> org.keycloak.protocol.oidc.endpoints.TokenEndpoint.build(TokenEndpoint.java:125)
> at sun.reflect.GeneratedMethodAccessor587.invoke(Unknown Source)
> at
> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> at java.lang.reflect.Method.invoke(Method.java:497)
> at
> org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:139)
> at
> org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295)
> at
> org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249)
> at
> org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:138)
> at
> org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107)
> at
> org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133)
> at
> org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:101)
> at
> org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:395)
> ... 37 more
>
>
> Looking in the code, i can see i am missing the "flowPath", but not sure
> where this should be set.
>
>
> <https://github.com/keycloak/keycloak/blob/1.9.x/services/src/main/java/org/keycloak/authentication/authenticators/browser/SpnegoAuthenticator.java#L137>
> https://github.com/keycloak/keycloak/blob/1.9.x/services/src/main/java/org/keycloak/authentication/authenticators/browser/SpnegoAuthenticator.java#L137
>
>
> <https://github.com/keycloak/keycloak/blob/1.9.x/services/src/main/java/org/keycloak/authentication/AuthenticationProcessor.java#L476>
> https://github.com/keycloak/keycloak/blob/1.9.x/services/src/main/java/org/keycloak/authentication/AuthenticationProcessor.java#L476
>
>
> Can anyone point me in the right direction please.
>
> --
> Gareth Healy
> UKI Middleware Consultant
> Red Hat UK Ltd
> 200 Fowler Avenue
> Farnborough, Hants
> GU14 7JP, UK
>
> Mobile: +44(0)7818511214
> E-Mail: <gahealy at redhat.com>gahealy at redhat.com
>
> Registered in England and Wales under Company Registration No. 03798903
>
>
> _______________________________________________
> keycloak-user mailing listkeycloak-user at lists.jboss.orghttps://lists.jboss.org/mailman/listinfo/keycloak-user
>
>
>
--
Gareth Healy
UKI Middleware Consultant
Red Hat UK Ltd
200 Fowler Avenue
Farnborough, Hants
GU14 7JP, UK
Mobile: +44(0)7818511214
E-Mail: gahealy at redhat.com
Registered in England and Wales under Company Registration No. 03798903
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160525/76371277/attachment-0001.html
More information about the keycloak-user
mailing list