[keycloak-user] Kerberos & login, multiple environments with multiple users

Dominik Guhr pinguwien at gmail.com
Wed Feb 28 08:30:45 EST 2018 

Hi everyone,

so I've built a custom kerberos authenticator which should, depending on 
a querystring, not automatically login. So, when I add &login=manual to 
the url, kerberos authenticator starts, checks, and stops.
Now everything is fine when I use this authenticator under normal 
conditions, in one tab, but:

- As a dev, I sometimes have different tabs with different environments 
open. e.g. http://myapp-local, http://myapp-dev - these apps are 
different clients in keycloak as well, e.g. my-webapp-local, my-webapp-dev

Now I get logged in via kerberos in myapp-local, logout in myapp-test 
and try to login with different credentials manually in myapp-test. 
Then, the AuthenticationProcessor raises the following exception when 
doing this with kerberos login-enabled browsers (chrome, ie):

=====================
2018-02-28 09:57:12,236 WARN  [org.keycloak.events] (default task-2) 
type=LOGIN_ERROR, realmId=myrealm, clientId=my-webapp-dev, userId=null, 
ipAddress=10.242.50.137, error=different_user_authenticated, 
auth_method=openid-connect, auth_type=code, response_type=code, 
redirect_uri=https://myurl/my-webapp-dev/, consent=no_consent_required, 
previous_user=f:1661b7a5-933a-4bda-8bb9-6822c7f40211:412997, 
code_id=eb950380-511d-41a0-b816-d06b2331569c, response_mode=query
2018-02-28 09:57:12,236 WARN  [org.keycloak.services] (default task-2) 
KC-SERVICES0013: Failed authentication: 
org.keycloak.services.ErrorPageException: HTTP 500 Internal Server Error
     at 
org.keycloak.authentication.AuthenticationProcessor.attachSession(AuthenticationProcessor.java:898)
     at 
org.keycloak.services.managers.AuthenticationManager.finishedRequiredActions(AuthenticationManager.java:796)
     at 
org.keycloak.authentication.AuthenticationProcessor.authenticationComplete(AuthenticationProcessor.java:951)
     at 
org.keycloak.authentication.AuthenticationProcessor.authenticate(AuthenticationProcessor.java:724)
     at 
org.keycloak.protocol.AuthorizationEndpointBase.handleBrowserAuthenticationRequest(AuthorizationEndpointBase.java:145)
     at 
org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint.buildAuthorizationCodeAuthorizationResponse(AuthorizationEndpoint.java:395)
     at 
org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint.build(AuthorizationEndpoint.java:139)
     at sun.reflect.GeneratedMethodAccessor513.invoke(Unknown Source)
     at 
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
     at java.lang.reflect.Method.invoke(Method.java:498)
     at 
org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:140)
     at 
org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295)
     at 
org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249)
     at 
org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:138)
     at 
org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107)
     at 
org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133)
     at 
org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:101)
     at 
org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:406)
     at 
org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:213)
     at 
org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:228)
     at 
org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
     at 
org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
     at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
     at 
io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
     at 
io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
     at 
org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90)
     at 
io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
     at 
io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
     at 
io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
     at 
io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
     at 
io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
     at 
org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
     at 
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
     at 
io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
     at 
io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
     at 
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
     at 
io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
     at 
io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
     at 
io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
     at 
io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
     at 
io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
     at 
io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
     at 
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
     at 
org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
     at 
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
     at 
org.wildfly.extension.undertow.deployment.GlobalRequestControllerHandler.handleRequest(GlobalRequestControllerHandler.java:68)
     at 
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
     at 
io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:292)
     at 
io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:81)
     at 
io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:138)
     at 
io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135)
     at 
io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48)
     at 
io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)
     at 
org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction.lambda$create$0(SecurityContextThreadSetupAction.java:105)
     at 
org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
     at 
org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
     at 
org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
     at 
org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
     at 
io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:272)
     at 
io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
     at 
io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:104)
     at 
io.undertow.server.Connectors.executeRootHandler(Connectors.java:326)
     at 
io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:812)
     at 
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
     at 
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
     at java.lang.Thread.run(Thread.java:745)


=================
and in the browser I get an "unexpected error when handling request to 
identity provider" errormsg.

When doing the same thing in firefox (no kerberos, manual login, open 2 
tabs in 2 different environments and login with different users), I get 
at least the errormsg "You are already authenticated as different user 
[name] in this session. Please logout first."

So, my questions are:
- Why is this not possible?
- Is there anything I can do (having a custom authenticator for 
kerberos/AD and a custom userstorageprovider for applicationdb) to make 
it possible to have different users logged in in different tabs for 
different kc-clients in the same realm?
- More specifically: Is there a possibility to use the 
AuthenticationProcessor in an SPI without having to make a custom 
keycloakbuild and remove the check in line 246/setAuthenticatedUser, or 
does this mess up the whole authentication session?

Would be great to get a hint here.

Thanks!

Best regards,
Dominik

More information about the keycloak-user mailing list