[keycloak-user] Issue on Direct Grant API
Stian Thorgersen
sthorger at redhat.com
Fri Dec 8 03:39:12 EST 2017
On 7 December 2017 at 17:55, Marcelo Miura <marcelo.miura at gdcommunity.co.uk>
wrote:
> Ok, I understand your thoughts.
>
> So I’ll probably find some issues if I ran a newer version of keycloak on
> the same database if I try to upgrade it?
>
Huh? Not sure if it's the fact that I haven't had my morning coffee yet or
not, but that sentence makes no sense to me.
>
>
> On 5 Dec 2017, at 18:16, Stian Thorgersen <sthorger at redhat.com> wrote:
>
> As "hmac-generated" was introduced in 2.5.5 there is no way you would
> have that in the DB unless you have imported data from a newer Keycloak or
> have ran a newer Keycloak against the DB.
>
> We also will not support you on any issues in Keycloak unless you use the
> latest version. We simply don't have capacity to do that in the free
> community version.
>
> On 5 December 2017 at 15:25, Marcelo Miura <marcelo.miura at gdcommunity.co.
> uk> wrote:
>
>> No, the versions were not changed, as far as I know. But I’ll check it.
>> Thanks!
>>
>>
>> On 5 Dec 2017, at 11:29, Marek Posolda <mposolda at redhat.com> wrote:
>>
>> Today, I've tested something and actually simulated the issue, which is
>> very similar to your issue with the keys/providers. The stacktrace was
>> almost the same.
>>
>> In my case, it was caused by the fact that I messed things a bit and
>> "downgrade" the Keycloak to use the database, which was using the newer
>> Keycloak before. In details what I did was:
>> - Start Keycloak 3.4.1 with clean MySQL DB
>> - Stopped Keycloak 3.4.1
>> - Started older Keycloak version 3.3.0 against the same MySQL DB, which
>> was previously used for 3.4.1.
>>
>> The fact it is broken is, that in 3.4.1 were added some new
>> implementations of providers, which are saved in DB as ComponentModels.
>> When you start the older 3.3.0 version, the ComponentModel is read from DB,
>> which references new provider implementations, which don't yet exists in
>> 3.3.0. Hence it blows and throws the stacktrace below.
>>
>> Could it be the case, that you messed things in similar manner and
>> started older version of KC against "new" DB?
>>
>> Marek
>>
>> On 05/12/17 13:44, Marcelo Miura wrote:
>>
>> Actually that’s because it’s been running for one year and just now it
>> started with the issues. Just trying to figure out what was the cause.
>> Could this keys / providers missing has something to do with the direct
>> grant authentication flow issue?
>>
>>
>> On 5 Dec 2017, at 06:16, Stian Thorgersen <sthorger at redhat.com> wrote:
>>
>> Are you actually using 2.4.0.CR1? That's old and unsupported, maybe you
>> actually wanted to use 3.4.0.CR1? "hmac-generated" was added in 2.5.5.
>>
>> On 4 December 2017 at 18:40, Marcelo Miura <marcelo.miura at gdcommunity.co.
>> uk> wrote:
>>
>>> Thanks for your answers.
>>>
>>> http://localhost:8080/auth/admin/master/console/#/server-info/providers
>>> On keys I see the following:
>>> rsa
>>> java-keystore
>>> rsa-generated
>>> On the COMPONENT table of the keycloak db, I could see 2 records related
>>> to hmac-generated. I removed both in attempt to fix the problem (it’s
>>> happening on my dev server). On production I do not see those records and
>>> it's currently working fine.
>>> Then, I tried to created the provider rsa again, so the old provider
>>> appeared back. Then I deleted the providers that I created and the error
>>> related to the keys is not showing anymore.
>>> But I’m still facing the authentication issue by Direct Grant.
>>>
>>> On my local server I do not have this issue.
>>> Version used: 2.4.0.CR1
>>>
>>>
>>> On 4 Dec 2017, at 14:34, Marek Posolda <mposolda at redhat.com> wrote:
>>>
>>> Does this happen when you start latest Keycloak from clean state? Or did
>>> you migrate from some previous version?
>>>
>>> Marek
>>>
>>> On 04/12/17 14:57, Marcelo Miura wrote:
>>>
>>> Hi,
>>>
>>> I’m using Direct Grant to authenticate with an admin user to be able to
>>> create new users into Keycloak and be able to reset user passwords.
>>>
>>> But for some reason, the authentication is not working anymore. It’s
>>> returning that the user credentials are invalid, as follows:
>>> {
>>> "error": "invalid_grant",
>>> "error_description": "Invalid user credentials"
>>> }
>>>
>>> But when logging in into the Admin Console, the credentials are working
>>> fine.
>>>
>>> Keycloak log:
>>>
>>> 2017-11-30 20:22:31,631 WARN [org.keycloak.events] (default task-29)
>>> type=LOGIN_ERROR, realmId=master, clientId=admin, userId=null,
>>> ipAddress=xxx.xx.xx.xx error=invalid_user_credentials,
>>> auth_method=openid-connect, grant_type=password,
>>> client_auth_method=client-secret, username=admin
>>> 2017-11-30 20:22:31,631 WARN [org.keycloak.services] (Brute Force
>>> Protector) KC-SERVICES0053: login failure for user <userid> from
>>> xxx.xx.xx.xx
>>>
>>> *replaced some values as required by the client
>>>
>>> Not sure if it’s related but on the last days when accessing the realm
>>> settings - keys, it was displaying an error: "Error! An unexpected server
>>> error has occurred” and the tabs Active and Providers didn’t show any keys.
>>> Keycloak log:
>>>
>>> 2017-11-30 20:20:52,033 ERROR [org.keycloak.keys.DefaultKeyManager]
>>> (default task-24) Failed to load provider <provider id>:
>>> java.lang.NullPointerException
>>> at org.keycloak.keys.DefaultKeyManager.getProviders(DefaultKeyM
>>> anager.java:133)
>>> at org.keycloak.keys.DefaultKeyManager.getPublicKey(DefaultKeyM
>>> anager.java:70)
>>> at org.keycloak.services.managers.AuthenticationManager.verifyI
>>> dentityToken(AuthenticationManager.java:688)
>>> at org.keycloak.services.managers.AppAuthManager.authenticateBe
>>> arerToken(AppAuthManager.java:64)
>>> at org.keycloak.services.resources.admin.AdminRoot.authenticate
>>> RealmAdminRequest(AdminRoot.java:175)
>>> at org.keycloak.services.resources.admin.AdminRoot.getRealmsAdm
>>> in(AdminRoot.java:209)
>>> at sun.reflect.GeneratedMethodAccessor371.invoke(Unknown Source)
>>> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMe
>>> thodAccessorImpl.java:43)
>>> at java.lang.reflect.Method.invoke(Method.java:498)
>>> at org.jboss.resteasy.core.ResourceLocatorInvoker.createResourc
>>> e(ResourceLocatorInvoker.java:79)
>>> at org.jboss.resteasy.core.ResourceLocatorInvoker.createResourc
>>> e(ResourceLocatorInvoker.java:58)
>>> at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(Resour
>>> ceLocatorInvoker.java:100)
>>> at org.jboss.resteasy.core.SynchronousDispatcher.invoke(Synchro
>>> nousDispatcher.java:395)
>>> at org.jboss.resteasy.core.SynchronousDispatcher.invoke(Synchro
>>> nousDispatcher.java:202)
>>> at org.jboss.resteasy.plugins.server.servlet.ServletContainerDi
>>> spatcher.service(ServletContainerDispatcher.java:221)
>>> at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatc
>>> her.service(HttpServletDispatcher.java:56)
>>> at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatc
>>> her.service(HttpServletDispatcher.java:51)
>>> at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
>>> at io.undertow.servlet.handlers.ServletHandler.handleRequest(Se
>>> rvletHandler.java:85)
>>> at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.d
>>> oFilter(FilterHandler.java:129)
>>> at org.keycloak.services.filters.KeycloakSessionServletFilter.d
>>> oFilter(KeycloakSessionServletFilter.java:90)
>>> at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilte
>>> r.java:60)
>>> at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.d
>>> oFilter(FilterHandler.java:131)
>>> at io.undertow.servlet.handlers.FilterHandler.handleRequest(Fil
>>> terHandler.java:84)
>>> at io.undertow.servlet.handlers.security.ServletSecurityRoleHan
>>> dler.handleRequest(ServletSecurityRoleHandler.java:62)
>>> at io.undertow.servlet.handlers.ServletDispatchingHandler.handl
>>> eRequest(ServletDispatchingHandler.java:36)
>>> at org.wildfly.extension.undertow.security.SecurityContextAssoc
>>> iationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
>>> at io.undertow.server.handlers.Pr
>>> <http://io.undertow.server.handlers.pr/>edicateHandler.handleRequest(P
>>> redicateHandler.java:43)
>>> at io.undertow.servlet.handlers.security.SSLInformationAssociat
>>> ionHandler.handleRequest(SSLInformationAssociationHandler.java:131)
>>> at io.undertow.servlet.handlers.security.ServletAuthenticationC
>>> allHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
>>> at io.undertow.server.handlers.Pr
>>> <http://io.undertow.server.handlers.pr/>edicateHandler.handleRequest(P
>>> redicateHandler.java:43)
>>> at io.undertow.security.handlers.AbstractConfidentialityHandler
>>> .handleRequest(AbstractConfidentialityHandler.java:46)
>>> at io.undertow.servlet.handlers.security.ServletConfidentiality
>>> ConstraintHandler.handleRequest(ServletConfidentialityConstr
>>> aintHandler.java:64)
>>> at io.undertow.security.handlers.AuthenticationMechanismsHandle
>>> r.handleRequest(AuthenticationMechanismsHandler.java:60)
>>> at io.undertow.servlet.handlers.security.CachedAuthenticatedSes
>>> sionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
>>> at io.undertow.security.handlers.NotificationReceiverHandler.ha
>>> ndleRequest(NotificationReceiverHandler.java:50)
>>> at io.undertow.security.handlers.AbstractSecurityContextAssocia
>>> tionHandler.handleRequest(AbstractSecurityContextAssociation
>>> Handler.java:43)
>>> at io.undertow.server.handlers.Pr
>>> <http://io.undertow.server.handlers.pr/>edicateHandler.handleRequest(P
>>> redicateHandler.java:43)
>>> at org.wildfly.extension.undertow.security.jacc.JACCContextIdHa
>>> ndler.handleRequest(JACCContextIdHandler.java:61)
>>> at io.undertow.server.handlers.Pr
>>> <http://io.undertow.server.handlers.pr/>edicateHandler.handleRequest(P
>>> redicateHandler.java:43)
>>> at io.undertow.server.handlers.Pr
>>> <http://io.undertow.server.handlers.pr/>edicateHandler.handleRequest(P
>>> redicateHandler.java:43)
>>> at io.undertow.servlet.handlers.ServletInitialHandler.handleFir
>>> stRequest(ServletInitialHandler.java:284)
>>> at io.undertow.servlet.handlers.ServletInitialHandler.dispatchR
>>> equest(ServletInitialHandler.java:263)
>>> at io.undertow.servlet.handlers.ServletInitialHandler.access$00
>>> 0(ServletInitialHandler.java:81)
>>> at io.undertow.servlet.handlers.ServletInitialHandler$1.handleR
>>> equest(ServletInitialHandler.java:174)
>>> at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)
>>> at io.undertow.server.HttpServerExchange$1.run(HttpServerExchan
>>> ge.java:793)
>>> at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPool
>>> Executor.java:1142)
>>> at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoo
>>> lExecutor.java:617)
>>> at java.lang.Thread.run(Thread.java:745)
>>>
>>> 2017-11-30 20:20:52,038 ERROR [io.undertow.request] (default task-24)
>>> UT005023: Exception handling request to /auth/admin/realms/master/components:
>>> org.jboss.resteasy.spi.UnhandledException: java.lang.RuntimeException:
>>> java.lang.IllegalArgumentException: No such provider 'hmac-generated'
>>> at org.jboss.resteasy.core.ExceptionHandler.handleApplicationEx
>>> ception(ExceptionHandler.java:76)
>>> at org.jboss.resteasy.core.ExceptionHandler.handleException(Exc
>>> eptionHandler.java:212)
>>> at org.jboss.resteasy.core.SynchronousDispatcher.writeException
>>> (SynchronousDispatcher.java:168)
>>> at org.jboss.resteasy.core.SynchronousDispatcher.invoke(Synchro
>>> nousDispatcher.java:411)
>>> at org.jboss.resteasy.core.SynchronousDispatcher.invoke(Synchro
>>> nousDispatcher.java:202)
>>> at org.jboss.resteasy.plugins.server.servlet.ServletContainerDi
>>> spatcher.service(ServletContainerDispatcher.java:221)
>>> at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatc
>>> her.service(HttpServletDispatcher.java:56)
>>> at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatc
>>> her.service(HttpServletDispatcher.java:51)
>>> at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
>>> at io.undertow.servlet.handlers.ServletHandler.handleRequest(Se
>>> rvletHandler.java:85)
>>> at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.d
>>> oFilter(FilterHandler.java:129)
>>> at org.keycloak.services.filters.KeycloakSessionServletFilter.d
>>> oFilter(KeycloakSessionServletFilter.java:90)
>>> at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilte
>>> r.java:60)
>>> at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.d
>>> oFilter(FilterHandler.java:131)
>>> at io.undertow.servlet.handlers.FilterHandler.handleRequest(Fil
>>> terHandler.java:84)
>>> at io.undertow.servlet.handlers.security.ServletSecurityRoleHan
>>> dler.handleRequest(ServletSecurityRoleHandler.java:62)
>>> at io.undertow.servlet.handlers.ServletDispatchingHandler.handl
>>> eRequest(ServletDispatchingHandler.java:36)
>>> at org.wildfly.extension.undertow.security.SecurityContextAssoc
>>> iationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
>>> at io.undertow.server.handlers.Pr
>>> <http://io.undertow.server.handlers.pr/>edicateHandler.handleRequest(P
>>> redicateHandler.java:43)
>>> at io.undertow.servlet.handlers.security.SSLInformationAssociat
>>> ionHandler.handleRequest(SSLInformationAssociationHandler.java:131)
>>> at io.undertow.servlet.handlers.security.ServletAuthenticationC
>>> allHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
>>> at io.undertow.server.handlers.Pr
>>> <http://io.undertow.server.handlers.pr/>edicateHandler.handleRequest(P
>>> redicateHandler.java:43)
>>> at io.undertow.security.handlers.AbstractConfidentialityHandler
>>> .handleRequest(AbstractConfidentialityHandler.java:46)
>>> at io.undertow.servlet.handlers.security.ServletConfidentiality
>>> ConstraintHandler.handleRequest(ServletConfidentialityConstr
>>> aintHandler.java:64)
>>> at io.undertow.security.handlers.AuthenticationMechanismsHandle
>>> r.handleRequest(AuthenticationMechanismsHandler.java:60)
>>> at io.undertow.servlet.handlers.security.CachedAuthenticatedSes
>>> sionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
>>> at io.undertow.security.handlers.NotificationReceiverHandler.ha
>>> ndleRequest(NotificationReceiverHandler.java:50)
>>> at io.undertow.security.handlers.AbstractSecurityContextAssocia
>>> tionHandler.handleRequest(AbstractSecurityContextAssociation
>>> Handler.java:43)
>>> at io.undertow.server.handlers.Pr
>>> <http://io.undertow.server.handlers.pr/>edicateHandler.handleRequest(P
>>> redicateHandler.java:43)
>>> at org.wildfly.extension.undertow.security.jacc.JACCContextIdHa
>>> ndler.handleRequest(JACCContextIdHandler.java:61)
>>> at io.undertow.server.handlers.Pr
>>> <http://io.undertow.server.handlers.pr/>edicateHandler.handleRequest(P
>>> redicateHandler.java:43)
>>> at io.undertow.server.handlers.Pr
>>> <http://io.undertow.server.handlers.pr/>edicateHandler.handleRequest(P
>>> redicateHandler.java:43)
>>> at io.undertow.servlet.handlers.ServletInitialHandler.handleFir
>>> stRequest(ServletInitialHandler.java:284)
>>> at io.undertow.servlet.handlers.ServletInitialHandler.dispatchR
>>> equest(ServletInitialHandler.java:263)
>>> at io.undertow.servlet.handlers.ServletInitialHandler.access$00
>>> 0(ServletInitialHandler.java:81)
>>> at io.undertow.servlet.handlers.ServletInitialHandler$1.handleR
>>> equest(ServletInitialHandler.java:174)
>>> at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)
>>> at io.undertow.server.HttpServerExchange$1.run(HttpServerExchan
>>> ge.java:793)
>>> at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPool
>>> Executor.java:1142)
>>> at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoo
>>> lExecutor.java:617)
>>> at java.lang.Thread.run(Thread.java:745)
>>> Caused by: java.lang.RuntimeException: java.lang.IllegalArgumentException:
>>> No such provider 'hmac-generated'
>>> at org.keycloak.models.utils.ComponentUtil.getComponentConfigPr
>>> operties(ComponentUtil.java:69)
>>> at org.keycloak.models.utils.ComponentUtil.getComponentConfigPr
>>> operties(ComponentUtil.java:39)
>>> at org.keycloak.models.utils.StripSecretsUtils.strip(StripSecre
>>> tsUtils.java:39)
>>> at org.keycloak.models.utils.ModelToRepresentation.toRepresenta
>>> tion(ModelToRepresentation.java:815)
>>> at org.keycloak.services.resources.admin.ComponentResource.getC
>>> omponents(ComponentResource.java:118)
>>> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>>> at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAcce
>>> ssorImpl.java:62)
>>> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMe
>>> thodAccessorImpl.java:43)
>>> at java.lang.reflect.Method.invoke(Method.java:498)
>>> at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInje
>>> ctorImpl.java:139)
>>> at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget
>>> (ResourceMethodInvoker.java:295)
>>> at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(Resourc
>>> eMethodInvoker.java:249)
>>> at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTarge
>>> tObject(ResourceLocatorInvoker.java:138)
>>> at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(Resour
>>> ceLocatorInvoker.java:107)
>>> at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTarge
>>> tObject(ResourceLocatorInvoker.java:133)
>>> at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(Resour
>>> ceLocatorInvoker.java:107)
>>> at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTarge
>>> tObject(ResourceLocatorInvoker.java:133)
>>> at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(Resour
>>> ceLocatorInvoker.java:101)
>>> at org.jboss.resteasy.core.SynchronousDispatcher.invoke(Synchro
>>> nousDispatcher.java:395)
>>> ... 37 more
>>> Caused by: java.lang.IllegalArgumentException: No such provider
>>> 'hmac-generated'
>>> at org.keycloak.models.utils.ComponentUtil.getComponentFactory(
>>> ComponentUtil.java:81)
>>> at org.keycloak.models.utils.ComponentUtil.getComponentConfigPr
>>> operties(ComponentUtil.java:56)
>>> ... 55 more
>>>
>>>
>>> But when I check the keycloak database, seems that the key and provider
>>> are there.
>>> Any thoughts?
>>>
>>>
>>>
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>
>>>
>>>
>>>
>>>
>>
>>
>>
>>
>
>
More information about the keycloak-user
mailing list