[keycloak-user] Logging for X509 authentication flow
Sebastian Laskawiec
slaskawi at redhat.com
Thu Mar 21 07:31:28 EDT 2019
>From your post, I'm not exactly sure what x509 Authenticator you're
referring to.
If we are talking about authentication Clients, than
`org.keycloak.authentication.authenticators.client.X509ClientAuthenticator`
category should be used. However, if we're considering Users, then you
should use `org.keycloak.authentication.authenticators.x509`.
Also, please make sure you configured logging handlers properly. If you
wish to observe the output on the console, please take a look at
`console-handler` XML element and change its from INFO to DEBUG. You should
find more information about configuring loggers on Wildfly related pages.
On Tue, Mar 19, 2019 at 6:43 PM Nalyvayko, Peter <pnalyvayko at agi.com> wrote:
> Hey Raymond,
>
> Edit standalone.xml and add the following configuration under <subsystem
> xmlns="urn:jboss:domain:logging:3.0">:
>
> <logger category="org.keycloak.authentication.authenticators.x509">
> <level name="TRACE"/>
> </logger>
> <logger category="org.keycloak.services.x509">
> <level name="TRACE"/>
> </logger>
>
> You will have to restart the service. Hope this helps
>
> Cheers
>
> -----Original Message-----
> From: keycloak-user-bounces at lists.jboss.org <
> keycloak-user-bounces at lists.jboss.org> On Behalf Of Page, Raymond
> (Techical Solutions )
> Sent: Tuesday, March 19, 2019 12:22 PM
> To: keycloak-user at lists.jboss.org
> Subject: [keycloak-user] Logging for X509 authentication flow
>
> I'm trying to get keycloak working with Wildfly authenticating clients
> directly by X.509 and then using the authentication flow in keycloak to
> translate that to a local user.
>
>
> Unfortunately, it's not working and I'm not getting useful logging out of
> keycloak to determine what's wrong with my configuration. To debug, I need
> to know that undertow is passing the certificate successfully to keycloak,
> that keycloak's X509-form authentication is receiving the proper identity,
> the identity extracted from the certificate for authentication comparison,
> what it's being compared to (is the CN or DN being regexed and is it being
> compared to the keycloak custom attribute that I specified). What I get
> from enabling debug logging that's not jboss modules loads is:
>
> 18:59:38,702 WARN [org.keycloak.events] (default task-1)
> type=LOGIN_ERROR, realmId=TEST, clientId=https://auth.test.local,
> userId=null, ipAddress=192.168.0.100, error=client_not_found
>
>
> Can someone provide details on how to get debug logging for undertow and
> the X509-form-config authentication?
>
>
> --
> Raymond Page, CTR (US)
> Automation Engineer, UoT
> TIS CTR to Booz | Allen | Hamilton
> page_raymond at ne.bah.com
> raymond.c.page15.ctr at mail.mil
> C: (321) 549-7243<tel:(321)+549-7243>
> W: (703) 679-8618<tel:(703)+679-8618>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
More information about the keycloak-user
mailing list