redhat sso after deletion of Master-realm client in master Realm, Admin login is blank - single-sign-on

After deleting the master-realm client in the master realm of Red Hat SSO, the rdsso admin login (/auth/admin/master/console/) is blank.
In the rdsso server log, we can see this error:
ERROR [org.keycloak.services.error.KeycloakErrorHandler] (default task-10971) Uncaught server error: java.lang.NullPointerException
Since the rdsso backend is live, we are not trying to troubleshoot further.
Note: We only deleted one master-realm client out of 70, and this has messed up our admin login console.

In Keycloak, the "realmname-realm" clients in the master realm (including 'master-realm') are essential for the operation of the admin console. Deleting them results in the admin console no longer working, as you have noticed. The fix is to restore the client to its previous state, probably best done through a database restore.
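An added check, not part of the question or answer above, that audits the state the answer describes: every realm listed by the admin API must have a matching "<realm>-realm" client in the master realm (including master-realm itself). It assumes the admin-cli password grant is enabled in the master realm (the Keycloak default) and that the server uses the /auth context path shown in the question; `base_url`, the credentials and the sample realm lists are assumptions.

```python
import json
import urllib.parse
import urllib.request

def missing_realm_clients(realm_names, master_client_ids):
    """Return the '<realm>-realm' client IDs that should exist in the master
    realm (one per realm, 'master-realm' for master itself) but are absent."""
    expected = {f"{name}-realm" for name in realm_names}
    return sorted(expected - set(master_client_ids))

def admin_token(base_url, username, password):
    """Password grant against the master realm's built-in admin-cli client."""
    form = urllib.parse.urlencode({"grant_type": "password", "client_id": "admin-cli",
                                   "username": username, "password": password}).encode()
    req = urllib.request.Request(
        f"{base_url}/auth/realms/master/protocol/openid-connect/token", data=form)
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["access_token"]

def admin_get(base_url, token, path):
    """GET a resource from the admin REST API with the bearer token."""
    req = urllib.request.Request(f"{base_url}/auth/admin{path}",
                                 headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)

def audit(base_url, username, password):
    """Fetch realm names and master-realm client IDs, then compare them."""
    token = admin_token(base_url, username, password)
    realms = [r["realm"] for r in admin_get(base_url, token, "/realms")]
    clients = [c["clientId"] for c in admin_get(base_url, token, "/realms/master/clients")]
    return missing_realm_clients(realms, clients)

if __name__ == "__main__":
    import sys  # usage: audit.py https://sso.example.internal admin <password>  (assumed host)
    missing = audit(sys.argv[1], sys.argv[2], sys.argv[3])
    print("missing master-realm clients:", missing or "none")
```

Run it before and after bulk client clean-ups; a non-empty result is the point at which to stop and restore from backup rather than continue.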

Related

JBoss admin console failing behind k3s ingress: Insufficient privileges

I have set up a JBoss instance in a container and am trying to get the console working remotely. I set up the ingress to map /console and /management and can now get a login screen to present. Whenever I enter the default "admin" that is deployed, it fails with the following error:
Access Denied: Insufficient privileges to access this interface.
I looked at this page, which was a similar issue, but the resolution was for an Apache server and does not work with K3s/Kubernetes: Wildfly management console Access Denied Insufficient Privileges
Is there a way to get console authentication working in JBoss from outside of a container?
Edit:
JBoss reports the following error when attempting to log in:
Request rejected due to HOST/ORIGIN mismatch

Authentication of REST services not working with jBPM (KIE Server and Business Central) and Keycloak

I am studying jBPM (KIE Server and Business Central) and Keycloak. In isolation, I managed to run all this software successfully. However, when I try to integrate them, the authentication of users on the website works (Keycloak login page to access the Business Central site), but the authentication of the REST service calls, both from the KIE Server and from Business Central, stops working (unauthorized), and the KIE Server is unable to synchronize with its Controller (Business Central).
Below are more details on the subject.
I have been searching for a few days for a solution to the problem, but without success.
Although I have already consulted this excellent site, this is my first question and I do not have much reference on which file is recommended to attach to the question. If you need a specific file, please say so and I will attach it.
I appreciate any help.
Notes (useful information) about the environment and problems encountered:
Only 1 Wildfly 20.0.1 environment (server) hosting KIE Server 7.43.1.Final, Business Central 7.43.1.Final and Keycloak 11.0.2, with the Keycloak adapter installed, on Windows 10.
In Keycloak, Realm was created with the name VHLLEmpresaRealm and 2 clients (applications):
VHLLEmpresaKIEServer: with public access.
VHLLEmpresaBusinessCentral: with confidential access.
In Keycloak, the user kieserver with password kieserver1! was created and assigned various roles (both Realm and Client roles), among them: admin, rest-all, kie-server, kiemgmt and user.
Authentication with the kieserver user and its password on the Business Central website works properly, integrated with Keycloak (Keycloak login page). Authentication with Google (social login) works properly.
Business Central configured to show and manage the users registered in the Keycloak.
Problems observed:
When starting the Wildfly server, the KIE Server is unable to synchronize with the Controller Business Central (see the Startup Log - Doc 06). The attempt below is repeated several times at startup without success, followed by a NullPointerException, with lines copied below:
17:13:30,057 INFO [org.kie.server.controller.websocket.client.WebSocketKieServerControllerImpl] (KieServer-ControllerConnect) Kie Server points to non Web Socket controller 'http://localhost:8080/business-central/rest/controller', using default REST mechanism
17:13:30,214 ERROR [org.keycloak.services.error.KeycloakErrorHandler] (default task-6) Uncaught server error: java.lang.NullPointerException
at org.keycloak.storage.StorageId.isLocalStorage(StorageId.java:77)
at org.keycloak.credential.UserCredentialStoreManager.getStoreForUser(UserCredentialStoreManager.java:54)
...
17:13:30,214 WARN [org.kie.server.services.impl.controller.DefaultRestControllerImpl] (KieServer-ControllerConnect) Exception encountered while syncing with controller at http://localhost:8080/business-central/rest/controller/server/wildfly-kieserver error Error while sending PUT request to http://localhost:8080/business-central/rest/controller/server/wildfly-kieserver response code 401
Link to complete file:
https://drive.google.com/file/d/1kr47ap9frsCQB8oyQE2dEm2gfl7__s0G/view?usp=sharing
On the Business Central website, on the Deployments page (which shows the Servers too), the KIE Server does not appear as available (see Doc 07).
Link to complete file:
https://drive.google.com/file/d/1lKiCZdOp7yRvHibfgJ8ZOE_dZIAnkE6U/view?usp=sharing
In the CURL command to access the Business Central REST services, even when the kieserver user and password are passed, the response is Unauthorized (see Doc 08).
COMMAND: curl -X GET 'http://kieserver:kieserver1!@localhost:8080/business-central/rest/repositories' -v
RESPONSE: ErrorUnauthorized
Link to complete file:
https://drive.google.com/file/d/1V_CH_hiTkhLh-AtgRvP0YkZ3afwBc4tZ/view?usp=sharing
Other Files:
Wildfly Settings - STANDALONE-FULL.XML
https://drive.google.com/file/d/1f0xvRDPiId1RymZkMGIUaIMB_EuGpbud/view?usp=sharing
I'm not sure if this is the correct way to solve the problem, but after continuing my studies and research for a few more days, I used the CURL command below to call a Business Central service and obtained the Access Token. Through the website jwt.io, I noticed in the content of this Token that the audience (aud) field was not filled in with the Keycloak Client ID that requested the Token.
curl -d "grant_type=password" -d "client_id=VHLLEmpresaBusinessCentral" -d "client_secret=020c8841-50ee-437e-af16-XXXXXXXX" -d "username=kieserver" -d "password=kieserverXXXXX" -d "scope=VHLLEmpresaEscopo" http://localhost:8180/auth/realms/VHLLEmpresaRealm/protocol/openid-connect/token
So I created a Client Scope, created a Mapper for the Audience that adds the Client's own ID, and associated this Client Scope with the corresponding Client.
The second change that was necessary was to override the Direct Grant Flow with the "direct grant" value for each Client involved.
With the two changes above, the synchronization between KIE Server and Business Central works again.

Drools Invalid credentials to load data from remote server. Contact your system administrator

Whenever I try to open a process definition in Drools, I get the error below:
Invalid credentials to load data from remote server. Contact your system administrator.
I have given all role permissions to the user, but this error still shows up.
While many details of your problem are not clear, here is the bottom line of this issue.
You are logging into Business Central with user 'nithish'. This user will be used in the remote REST requests to your KIE Server instance. This means that user 'nithish' needs to exist on the kie-server side as well; otherwise kie-server will not recognise that user, and authentication will fail. He needs to be created there with the same password and the same roles as are present on the Business Central side. I would advise at least the
kie-server, rest-all, admin
roles.
The server you've installed your Business Central on has no access rights.

kubectl error: You must be logged in to the server (Unauthorized)

Today I ran into a strange issue: my Windows kubectl client suddenly raised an authorization error when connecting to ICP.
I was using ICP with a Windows-configured kubectl.exe. Then, after a while, because my laptop went to sleep automatically, my VPN connection was disconnected, so I lost the connection to the remote ICP. Later I came back and reconnected to ICP. I used the kubectl command again and got:
error: You must be logged in to the server (Unauthorized)
On ICP master node, nothing wrong if I used:
kubectl -s 127.0.0.1:8888 -n kube-system get pods -o wide
I went back to reconfigure the client (pasted the code copied from admin -> configure kubectl); the commands executed successfully, but when I issue
kubectl get pods
I still get the error.
I checked article:
kubectl - error: You must be logged in to the server
kubectl error: "You must be logged in to the server (the server has asked for the client to provide credentials)"
error: You must be logged in to the server (the server has asked for the client to provide credentials)
They didn't seem to help much.
It turns out that the token was invalid (not sure if it was because of the 12-hour expiration). If you simply press F5 in the browser you are not re-authenticated but can still access the console page; actually the token should be updated by logging in to the ICP Portal again.
The issue was fixed by re-accessing the ICP portal:
https://<master host>:8443/console/
This will let you authenticate again. After that, go to admin -> configure client and paste the latest commands; you will find that the token may have been updated. Executing the new commands solved the issue.
Two questions still remain:
a) If the page has been open for a long time and the token has expired, the ICP portal page may not auto-refresh to force you to re-login, which means the token in the set-credentials command is still the old one.
b) Even setting old tokens is accepted, and the command never complains with an error or even a warning. This may mislead us when tokens are changed on the servers, e.g. if I saved the commands to a local txt file and re-executed them (even after the token expired), the commands still finished successfully, but actually I still was not authenticated correctly when I tried to log in.

Keycloak 1.9.1.Final- failed verification of token: Token is not active

I'm trying to connect a Spring app to Keycloak, but I get this error:
After I enter my app and am redirected to Keycloak for authentication, I receive an error in my browser:
192.168.1.66 redirected you too many times.
Full url
URL: http://192.168.1.66:9092/keycloak-sp-example/sso/login?state=139%2F1ed115fb-4d4f-468c-9a72-845f9cfa9cdb&code=PVGhg5X28G8fjNt36tMGHTJIP7CQdHOhoK4XhPgUh3E.2d885db5-5c4f-43b1-9095-305494718a97
And, in the console, I got:
ERROR org.keycloak.adapters.OAuthRequestAuthenticator - failed verification of token: Token is not active.
Is it a bug? Or is there anything I should configure in the console?
I found the problem: I was testing the product in a virtual machine without the correct time zone configured.
Try to sync the server time of Keycloak and the application server, or else increase the access token lifespan, which is not recommended.
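Three of the threads above come down to claims inside a JWT: the jBPM post found the aud claim was not filled with the client ID, the kubectl post found a saved token had silently expired, and the Keycloak post hit "Token is not active" because the issuer's clock was ahead of the verifier's. The added example below (not code from any of the posts or from Keycloak) decodes a token's payload the way jwt.io shows it and reports each of those conditions; the tokens, the HS256 secret and the fixed "current time" are constructed for the demo, with the issuer URL and client IDs taken from the jBPM post.

```python
import base64
import hashlib
import hmac
import json

SECRET = b"constructed-demo-secret"  # constructed; real Keycloak tokens are RS256-signed
NOW = 1_600_000_000                   # fixed "current time" so the sample is reproducible

def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def make_token(claims: dict, secret: bytes = SECRET) -> str:
    """Build an HS256 JWT so the checks below have a realistic input (constructed)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"

def decode_claims(token: str) -> dict:
    """Read the payload only, exactly as jwt.io displays it: no signature check."""
    return json.loads(_b64url_decode(token.split(".")[1]))

def check_token(claims: dict, expected_aud: str, now: int = NOW, leeway: int = 0) -> list:
    """Return the reasons a Keycloak adapter or API server would reject these claims."""
    findings = []
    aud = claims.get("aud")
    aud = [aud] if isinstance(aud, str) else list(aud or [])
    if expected_aud not in aud:             # jBPM post: aud not filled with the client ID
        findings.append(f"aud {aud} does not include {expected_aud}")
    exp = claims.get("exp")
    if exp is None or exp <= now - leeway:  # kubectl post: saved token silently expired
        findings.append("expired")
    if max(claims.get("nbf", 0), claims.get("iat", 0)) > now + leeway:
        findings.append("not active yet (clock skew between issuer and verifier)")
    return findings

# Two constructed tokens mirroring the threads (issuer URL and client IDs from the jBPM post).
ISSUER = "http://localhost:8180/auth/realms/VHLLEmpresaRealm"
MISSING_AUD = make_token({"iss": ISSUER, "azp": "VHLLEmpresaBusinessCentral",
                          "preferred_username": "kieserver", "iat": NOW - 60, "exp": NOW + 240})
SKEWED = make_token({"iss": ISSUER, "aud": "VHLLEmpresaBusinessCentral",
                     "preferred_username": "kieserver", "iat": NOW + 600, "exp": NOW + 900})

if __name__ == "__main__":
    for name, tok in (("missing aud", MISSING_AUD), ("issuer clock ahead", SKEWED)):
        print(name, "->", check_token(decode_claims(tok), "VHLLEmpresaBusinessCentral") or "OK")
```

Passing a `leeway` of a few minutes shows why syncing clocks is preferable to widening tolerance: the skewed token is accepted only once the leeway covers the whole clock offset.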