[keycloak-user] Keycloak as SSO

Stephen Henrie stephen at saasindustries.com
Sat Nov 11 15:59:23 EST 2017


I finally figured out the issue and want to respond to my question in case
this helps anyone else. I had configured the client on the SSO IP realm
using a client template that had no mappers defined. I was able to fix the
login issue by simply recreating that client without a template so the
default mappers would be configured.

The error message above is pretty useless in finding something like this.
The end user login error response is completely opaque and the above error
in the logs, "Not found serialized context in clientSession" may be useful
to those that understand the internals of Keycloak, but it is kinda useless
for Keycloak users like myself for figuring out configuration issues. I
also have not been able to find any documentation on what client session
notes really are, or anything that would have helped me understand that client
mapping data is considered serialized context in a client session.



On Fri, Nov 10, 2017 at 2:58 PM, Stephen Henrie <stephen at saasindustries.com>
wrote:

>
> When running a Keycloak instance as a localhost using the default H2
> database backend, I have been successful at configuring SSO identity
> providers across Keycloak realms, so that one primary realm acts as the
> identity provider and the other realms are authenticating against that
> primary realm using an IP link.
>
> However, when I try to do the same thing in our cloud environment using a
> Postgres database backend, I am getting the generic "Invalid username or
> password." error which happens during the default first broker login
> authorization sequence. I have some debugging info below. Can someone help
> me understand what it is trying to tell me?
>
> I believe that I have things configured exactly the same in both my
> localhost and in the cloud instances, so I am struggling to understand the
> source of the problem.
>
> Any help is appreciated.
>
> Thanks
> Stephen
>
>
>
> 21:42:30,974 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow]
> (default task-50) processFlow
> 21:42:30,974 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow]
> (default task-50) check execution: idp-review-profile requirement: DISABLED
> 21:42:30,974 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow]
> (default task-50) execution is processed
> 21:42:30,975 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow]
> (default task-50) check execution: idp-create-user-if-unique requirement:
> ALTERNATIVE
> 21:42:30,975 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow]
> (default task-50) authenticator: idp-create-user-if-unique
> 21:42:30,975 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow]
> (default task-50) invoke authenticator.authenticate:
> idp-create-user-if-unique
> 21:42:30,975 WARN  [org.keycloak.services] (default task-50)
> KC-SERVICES0020: Email is null. Reset flow and enforce showing
> reviewProfile page
> 21:42:30,975 DEBUG [org.keycloak.authentication.AuthenticationProcessor]
> (default task-50) RESET FLOW
> 21:42:30,975 DEBUG [org.keycloak.authentication.AuthenticationProcessor]
> (default task-50) AUTHENTICATE
> 21:42:30,975 DEBUG [org.keycloak.authentication.AuthenticationProcessor]
> (default task-50) AUTHENTICATE ONLY
> 21:42:30,975 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow]
> (default task-50) processFlow
> 21:42:30,975 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow]
> (default task-50) check execution: idp-review-profile requirement: DISABLED
> 21:42:30,975 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow]
> (default task-50) execution is processed
> 21:42:30,975 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow]
> (default task-50) check execution: idp-create-user-if-unique requirement:
> ALTERNATIVE
> 21:42:30,975 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow]
> (default task-50) authenticator: idp-create-user-if-unique
> 21:42:30,975 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow]
> (default task-50) invoke authenticator.authenticate:
> idp-create-user-if-unique
> 21:42:30,975 WARN  [org.keycloak.services] (default task-50)
> KC-SERVICES0013: Failed authentication: org.keycloak.authentication.AuthenticationFlowException:
> Not found serialized context in clientSession
>     at org.keycloak.authentication.authenticators.broker.
> AbstractIdpAuthenticator.authenticate(AbstractIdpAuthenticator.java:66)
>     at org.keycloak.authentication.DefaultAuthenticationFlow.processFlow(
> DefaultAuthenticationFlow.java:200)
>     at org.keycloak.authentication.AuthenticationProcessor.
> authenticateOnly(AuthenticationProcessor.java:843)
>     at org.keycloak.authentication.AuthenticationProcessor.authenticate(
> AuthenticationProcessor.java:714)
>     at org.keycloak.authentication.DefaultAuthenticationFlow.
> processResult(DefaultAuthenticationFlow.java:264)
>     at org.keycloak.authentication.DefaultAuthenticationFlow.processFlow(
> DefaultAuthenticationFlow.java:201)
>     at org.keycloak.authentication.AuthenticationProcessor.
> authenticateOnly(AuthenticationProcessor.java:843)
>     at org.keycloak.authentication.AuthenticationProcessor.authenticate(
> AuthenticationProcessor.java:714)
>     at org.keycloak.services.resources.LoginActionsService.processFlow(
> LoginActionsService.java:279)
>     at org.keycloak.services.resources.LoginActionsService.
> brokerLoginFlow(LoginActionsService.java:713)
>     at org.keycloak.services.resources.LoginActionsService.
> firstBrokerLoginGet(LoginActionsService.java:632)
>     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>     at sun.reflect.NativeMethodAccessorImpl.invoke(
> NativeMethodAccessorImpl.java:62)
>     at sun.reflect.DelegatingMethodAccessorImpl.invoke(
> DelegatingMethodAccessorImpl.java:43)
>     at java.lang.reflect.Method.invoke(Method.java:498)
>
>
> 21:42:30,976 WARN  [org.keycloak.events] (default task-50)
> type=IDENTITY_PROVIDER_FIRST_LOGIN_ERROR, realmId=experiment,
> clientId=chassi-web-app, userId=null, ipAddress=172.17.0.1,
> error=invalid_user_credentials, identity_provider=chassi-oidc,
> auth_method=openid-connect, redirect_uri=http://localhost:3000/,
> identity_provider_identity=abfa50e5-57ad-4b53-ab72-7cbd6fca8465,
> code_id=60963d99-cf55-4e0a-8e28-df0ddacadf5f
> 21:4
>

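The root cause Stephen describes (a client built from a client template that carries no mappers, so the client ends up with no protocol mappers at all) is easy to audit from a realm export before it surfaces as an opaque "Invalid username or password." at first broker login. The script below is an added example, not code from the thread or from Keycloak; it assumes the Keycloak 3.x export layout, where "clientTemplates" entries carry "protocolMappers", a client names its template in "clientTemplate" and inherits the template's mappers when "useTemplateMappers" is true. The realm JSON is constructed for the example.

```python
import json

# Constructed sample modelled on a Keycloak 3.x realm export (assumed field
# names: clientTemplates[].protocolMappers, clients[].clientTemplate,
# clients[].useTemplateMappers). Only the "chassi-web-app" client is broken.
SAMPLE_REALM = json.loads("""
{
  "realm": "experiment",
  "clientTemplates": [
    {"name": "bare-template", "protocolMappers": []},
    {"name": "oidc-template", "protocolMappers": [
      {"name": "username", "protocolMapper": "oidc-usermodel-property-mapper"}
    ]}
  ],
  "clients": [
    {"clientId": "chassi-web-app", "clientTemplate": "bare-template",
     "useTemplateMappers": true, "protocolMappers": []},
    {"clientId": "good-app", "clientTemplate": "oidc-template",
     "useTemplateMappers": true, "protocolMappers": []},
    {"clientId": "plain-app", "protocolMappers": [
      {"name": "email", "protocolMapper": "oidc-usermodel-property-mapper"}
    ]}
  ]
}
""")


def effective_mappers(client, templates):
    """Mappers the client actually gets: its own plus, when template mapper
    inheritance is on, those of the template it was created from."""
    mappers = list(client.get("protocolMappers") or [])
    template_name = client.get("clientTemplate")
    if template_name and client.get("useTemplateMappers", True):
        template = templates.get(template_name, {})
        mappers += template.get("protocolMappers") or []
    return mappers


def clients_without_mappers(realm):
    """Client IDs whose effective mapper set is empty: candidates for the
    'Not found serialized context in clientSession' failure."""
    templates = {t["name"]: t for t in realm.get("clientTemplates", [])}
    return sorted(c["clientId"] for c in realm.get("clients", [])
                  if not effective_mappers(c, templates))


if __name__ == "__main__":
    for client_id in clients_without_mappers(SAMPLE_REALM):
        print(f"client {client_id!r} has no effective protocol mappers")
```

Run it against a real export (`kc_admin export` / realm JSON from the admin console) by loading that file in place of SAMPLE_REALM; any client it lists should be recreated without the empty template or given its mappers explicitly.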
