[keycloak-user] KeyCloak pose no login challenge
shimin q
shimin_q at yahoo.com
Sun May 28 10:57:54 EDT 2017
Thanks for your suggestion. I just tried incognito chrome window and cleared the browser cache and Java cache. Unfortunately, https://135.112.180.27/rtna2 , after redirecting to
https://135.112.180.27:8666/auth/realms/rtna/protocol/openid-connect/auth?response_type=code&client_id=rtna2&redirect_uri=https%3A%2F%2F135.112.180.27%2Frtna2%2F&state=e76d1caa-a528-4498-98d4-098544fd3987&login=true&scope=openid
"We're Sorry...invalid user name or password" came up again (still no login challenge)
server.log:
2017-05-28 10:38:49,866 WARN [org.keycloak.events] (default task-104) type=LOGIN_ERROR, realmId=rtna, clientId=rtna2, userId=null, ipAddress=135.224.18.117, error=invalid_user_credentials, auth_method=openid-connect, auth_type=code, response_type=code, redirect_uri=https://135.112.180.27/rtna2/, code_id=260dc630-40e5-4b83-955a-df76d8d04d63, response_mode=query
I also tried another existing GWT web app (https://135.112.180.27/nara) deployed under the same Tomcat server. Same config/set up, but this one is even worse, it never even got to the redirecting to keycloak auth, instead it is throwing me an exception: (of course, no login challenge/form either)
HTTP Status 500 -
type Exception reportmessagedescription The server encountered an internal error that prevented it from fulfilling this request.exceptionjava.lang.NullPointerException
org.keycloak.adapters.PreAuthActionsHandler.preflightCors(PreAuthActionsHandler.java:107)
org.keycloak.adapters.PreAuthActionsHandler.handleRequest(PreAuthActionsHandler.java:79)
org.keycloak.adapters.tomcat.AbstractKeycloakAuthenticatorValve.invoke(AbstractKeycloakAuthenticatorValve.java:181)
org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:956)
org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:436)
org.apache.coyote.ajp.AjpProcessor.process(AjpProcessor.java:190)
org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:625)
org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:316)
java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
java.lang.Thread.run(Unknown Source)
note The full stack trace of the root cause is available in the Apache Tomcat/7.0.69 logs.
Any ideas what could be wrong? I am pulling my hairs out :-( this is not supposed to be this hard! I have been trying to get this to work for the last 3 days. At one time, the login challenge did come up, but after I typed in user name /password, it throws me HTTP 403 error, never redirected me to my web app (https://135.112.180.27/rtna2). Tried various config changes, I ended up with this situation where login challenge is not posted at all.
Please help!!
From: Sebastien Blanc <sblanc at redhat.com>
To: Bill Burke <bburke at redhat.com>; "keycloak-user at lists.jboss.org" <keycloak-user at lists.jboss.org>; shimin q <shimin_q at yahoo.com>
Sent: Sunday, May 28, 2017 2:22 AM
Subject: Re: [keycloak-user] KeyCloak pose no login challenge
Try again in an inconginito window and empty your cash. BTW, you mentioned you have a ReactJS app , have also considered using the keycloak JS lib to secure your web app ?
Le dim. 28 mai 2017 à 05:59, shimin q <shimin_q at yahoo.com> a écrit :
Another piece of info when the "We're sorry...invalid user name or password" message was shown (without login challenge ever posted)... keycloak server.log file has this warning:
2017-05-27 20:33:59,936 WARN [org.keycloak.events] (default task-80) type=LOGIN_ERROR, realmId=rtna, clientId=rtna2, userId=null, ipAddress=135.224.13.68, error=invalid_user_credentials, auth_method=openid-connect, auth_type=code, response_type=code, redirect_uri=https://135.112.180.27/rtna2/, code_id=689abbad-ccad-469a-86be-1e489b0dba15, response_mode=query
How could this be, there was no login challenge so I couldn't even input user name and password!
From: shimin q <shimin_q at yahoo.com>
To: Bill Burke <bburke at redhat.com>; "keycloak-user at lists.jboss.org" <keycloak-user at lists.jboss.org>
Sent: Saturday, May 27, 2017 4:28 PM
Subject: Re: [keycloak-user] KeyCloak pose no login challenge
Thanks. a bit of progress, once I changed from "/rtna2/*" to "/*", it is redirecting my web app URL
https://135.112.180.27/rtna2
to
https://135.112.180.27:8666/auth/realms/rtna/protocol/openid-connect/auth?response_type=code&client_id=rtna2&redirect_uri=https%3A%2F%2F135.112.180.27%2Frtna2%2F&state=c55f81fb-72ad-4660-b257-6bfa119adb75&login=true&scope=openid
Unfortunately, still no login challenges, I got the following error message instead
"We are sorry...invalid user name or password"
I am trying to figure out where I configured realm "rtna" or client "rtna2" wrong...here is the keycloak.json that I used (generated under the Installation tab of the client "rtna2":
{ "realm": "rtna", "realm-public-key": "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAhvJlVZqi8KaZDZVPPl29y/nnPBHaPvH+NoG71w6BMDwIImw6vkNlO3CSr+kRAyLnpnP/9248gEZx6YwqEKwE4Oy5R6wuuxwOd2FdpYFM2wDw5zhF7U4oYy0WK1m31/hQdLGnpKtDdGReEwdkMOMtG655Nnqw8WdtmF3S2XcEm2t0gaNoYycd6gl4670nRqx6bRxs6UndERHZmHfkzLcL71RflgO1cyuOqMsjMb7oWIDy5bkE4ddB69TAbrpXVzLvwG1OIaM/XdfXOZIaIAajfacP3Vk8bZFa9eAsh5BVaeGzlqktsdk1JjbV0a14OVXQcCRusnV2wE+zSZhPNxhfFwIDAQAB", "auth-server-url": "https://135.112.180.27:8666/auth", "ssl-required": "all", "resource": "rtna2", "public-client": true, "use-resource-role-mappings": true}
Please, any tips/ideas why I am now getting the "invalid user name or password" instead of a keycloak login form? Thanks!
From: Bill Burke <bburke at redhat.com>
To: keycloak-user at lists.jboss.org
Sent: Saturday, May 27, 2017 1:29 PM
Subject: Re: [keycloak-user] KeyCloak pose no login challenge
I think i know what it is. Your security constraint is wrong. It should
be "/*" for the url pattern, not "/rtna2/*". You are not supposed to
specify the root context in web.xml url patterns.
On 5/26/17 12:04 PM, shimin q wrote:
> I wrote a simple reactJS web app ("/rtna2") deployed under Tomcat 7. I followed the steps below, but keycloak does not seem to work - no login challenge was posed, and when I type https://<my server ip>/rtna2, it went straight to the the web app.
> 1 - download the tomcat 7 keycloak adaptor zip and unzip in my tomcat lib/2 - rtna2 app is deployed under tomcat webapps/3 - modify rtna2/META-INF/context.xml:
> <?xml version="1.0" encoding="UTF-8"?><Context path="/rtna2" debug="0" privileged="true" > <Valve className="org.keycloak.adapters.tomcat.KeycloakAuthenticatorValve"/></Context>4 - add keycloak.json under rtna2/WEB-INF:
>
> { "realm": "rtna", "realm-public-key": "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAhvJlVZqi8KaZDZVPPl29y/nnPBHaPvH+NoG71w6BMDwIImw6vkNlO3CSr+kRAyLnpnP/9248gEZx6YwqEKwE4Oy5R6wuuxwOd2FdpYFM2wDw5zhF7U4oYy0WK1m31/hQdLGnpKtDdGReEwdkMOMtG655Nnqw8WdtmF3S2XcEm2t0gaNoYycd6gl4670nRqx6bRxs6UndERHZmHfkzLcL71RflgO1cyuOqMsjMb7oWIDy5bkE4ddB69TAbrpXVzLvwG1OIaM/XdfXOZIaIAajfacP3Vk8bZFa9eAsh5BVaeGzlqktsdk1JjbV0a14OVXQcCRusnV2wE+zSZhPNxhfFwIDAQAB", "auth-server-url": "https://135.112.180.27:8666/auth", "ssl-required": "external", "resource": "rtna2", "public-client": true}
> 5. modify rtna2/WEB-INF/web.xml:
> <?xml version="1.0" encoding="UTF-8"?><web-app version="2.5" xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd" >
>
> <!-- Default page to serve --><module-name>rtna2</module-name><welcome-file-list> <welcome-file>index.html</welcome-file> </welcome-file-list> <security-constraint> <web-resource-collection> <web-resource-name>rtna2</web-resource-name> <url-pattern>/rtna2/*</url-pattern> </web-resource-collection> <auth-constraint> <role-name>*</role-name> </auth-constraint> </security-constraint>
> <login-config> <auth-method>BASIC</auth-method> <realm-name>rtna</realm-name> </login-config>
> <security-role> <role-name>admin</role-name> </security-role> <security-role> <role-name>user</role-name> </security-role> <security-role> <role-name>sudo</role-name> </security-role></web-app>
> I have tried "<auth-method>KEYCLOAK</auth-method>" also, does not work
> 6. in the keycloak admin console, added a "rtna" realm, and added "rtna2" client in the realm:
> client id: rtna2Access type: public (tried "confidential" also)Authorization enabled: on ("off" also)Root URL: https://135.112.180.27/rtna2Valid Redirect URLs: https://135.112.180.27/rtna2/*Base URL: https://135.112.180.27/rtna2Admin URL: https://135.112.180.27/rtna2Web Origins: https://135.112.180.27/rtna2/*
> I found relative paths for these URLs do not work, it gave me Http 404 not found (https://135.112.180.27/rtna2) error. But once I put the absolute paths, it took me right to the web app without posing the login challenge!
> What could possibly be wrong? Please advise! Thanks!!
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
More information about the keycloak-user
mailing list