keycloak on kubernetes: x509 auth with ingress - kubernetes

Does anyone have an example config for x509 authentication w/ Keycloak on Kubernetes via an ingress endpoint? I have x509 working fine w/ a NodePort setup, but access via ingress fails and Keycloak cycles to the username/password form.
18:37:54,474 DEBUG [org.keycloak.authentication.AuthenticationProcessor] (default task-2) AUTHENTICATE
18:37:54,474 DEBUG [org.keycloak.authentication.AuthenticationProcessor] (default task-2) AUTHENTICATE ONLY
18:37:54,474 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-2) processFlow: x509-browser
18:37:54,475 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-2) check execution: 'auth-cookie', requirement: 'ALTERNATIVE'
18:37:54,475 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-2) authenticator: auth-cookie
18:37:54,475 DEBUG [org.keycloak.authentication.AuthenticationSelectionResolver] (default task-2) Going through the flow 'x509-browser' for adding executions
18:37:54,475 DEBUG [org.keycloak.authentication.AuthenticationSelectionResolver] (default task-2) Going through the flow 'x509-browser forms' for adding executions
18:37:54,475 DEBUG [org.keycloak.authentication.AuthenticationSelectionResolver] (default task-2) Selections when trying execution 'auth-cookie' : [ authSelection - auth-cookie, authSelection - auth-x509-client-username-form, authSelection - auth-username-password-form]
18:37:54,475 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-2) invoke authenticator.authenticate: auth-cookie
18:37:54,475 DEBUG [org.keycloak.services.util.CookieHelper] (default task-2) Could not find cookie KEYCLOAK_IDENTITY, trying KEYCLOAK_IDENTITY_LEGACY
18:37:54,475 DEBUG [org.keycloak.services.managers.AuthenticationManager] (default task-2) Could not find cookie: KEYCLOAK_IDENTITY
18:37:54,476 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-2) authenticator ATTEMPTED: auth-cookie
18:37:54,476 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-2) check execution: 'auth-x509-client-username-form', requirement: 'ALTERNATIVE'
18:37:54,476 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-2) authenticator: auth-x509-client-username-form
18:37:54,476 DEBUG [org.keycloak.authentication.AuthenticationSelectionResolver] (default task-2) Going through the flow 'x509-browser' for adding executions
18:37:54,476 DEBUG [org.keycloak.authentication.AuthenticationSelectionResolver] (default task-2) Going through the flow 'x509-browser forms' for adding executions
18:37:54,476 DEBUG [org.keycloak.authentication.AuthenticationSelectionResolver] (default task-2) Selections when trying execution 'auth-x509-client-username-form' : [ authSelection - auth-x509-client-username-form, authSelection - auth-username-password-form]
18:37:54,476 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-2) invoke authenticator.authenticate: auth-x509-client-username-form
18:37:54,476 DEBUG [org.keycloak.services] (default task-2) [X509ClientCertificateAuthenticator:authenticate] x509 client certificate is not available for mutual SSL.
18:37:54,476 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-2) authenticator ATTEMPTED: auth-x509-client-username-form
18:37:54,476 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-2) check execution: 'x509-browser forms flow', requirement: 'ALTERNATIVE'
18:37:54,476 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-2) processFlow: x509-browser forms
18:37:54,476 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-2) check execution: 'auth-username-password-form', requirement: 'REQUIRED'
18:37:54,476 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-2) authenticator: auth-username-password-form

Ingress is just an API, implemented by various providers that support additional configuration in a product-specific way.
In your example it is nginx.
Make sure that nginx is deployed with support for SNI-based TLS passthrough, so that Keycloak will receive the original TLS connection and leverage client certificates.
For nginx, the ingress configuration for that is an additional annotation:
annotations:
  nginx.ingress.kubernetes.io/ssl-passthrough: "true"
Relevant documentation: https://kubernetes.github.io/ingress-nginx/user-guide/tls/#ssl-passthrough
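
The DEBUG log in the question already shows why the flow ends at the password form: the x509 authenticator runs, finds no client certificate on the connection, and is marked ATTEMPTED. The Python sketch below is an added example, not code from the original posts or from Keycloak; the function names and finding codes are assumptions of this example, and the sample lines are a subset copied from the log quoted in the question.

```python
import re

# Subset of the Keycloak DEBUG log quoted in the question.
SAMPLE_LOG = """\
18:37:54,474 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-2) processFlow: x509-browser
18:37:54,475 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-2) check execution: 'auth-cookie', requirement: 'ALTERNATIVE'
18:37:54,475 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-2) authenticator: auth-cookie
18:37:54,476 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-2) authenticator ATTEMPTED: auth-cookie
18:37:54,476 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-2) check execution: 'auth-x509-client-username-form', requirement: 'ALTERNATIVE'
18:37:54,476 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-2) invoke authenticator.authenticate: auth-x509-client-username-form
18:37:54,476 DEBUG [org.keycloak.services] (default task-2) [X509ClientCertificateAuthenticator:authenticate] x509 client certificate is not available for mutual SSL.
18:37:54,476 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-2) authenticator ATTEMPTED: auth-x509-client-username-form
18:37:54,476 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-2) check execution: 'x509-browser forms flow', requirement: 'ALTERNATIVE'
18:37:54,476 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-2) processFlow: x509-browser forms
18:37:54,476 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-2) check execution: 'auth-username-password-form', requirement: 'REQUIRED'
18:37:54,476 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-2) authenticator: auth-username-password-form
""".splitlines()

# "<time> <LEVEL> [<logger>] (<thread>) <message>"
LINE_RE = re.compile(
    r"^\d{2}:\d{2}:\d{2},\d{3}\s+\w+\s+\[[^\]]+\]\s+\((?P<thread>[^)]+)\)\s+(?P<msg>.*)$"
)
FLOW_RE = re.compile(r"^processFlow: (?P<flow>.+)$")
CHECK_RE = re.compile(r"^check execution: '(?P<name>[^']+)', requirement: '(?P<req>\w+)'")
# Matches "authenticator ATTEMPTED: x" but not "authenticator: x".
OUTCOME_RE = re.compile(r"^authenticator (?P<outcome>[A-Z_]+): (?P<name>.+)$")
NO_CERT = "x509 client certificate is not available for mutual SSL"


def analyze(lines):
    """Rebuild, per worker thread, which executions were checked and how they ended."""
    traces = {}
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # not a log line in the expected layout
        trace = traces.setdefault(
            m["thread"], {"flow": None, "executions": [], "cert_missing": False}
        )
        msg = m["msg"]
        if NO_CERT in msg:
            trace["cert_missing"] = True
            continue
        flow, check, outcome = FLOW_RE.match(msg), CHECK_RE.match(msg), OUTCOME_RE.match(msg)
        if flow and trace["flow"] is None:
            trace["flow"] = flow["flow"]  # first processFlow is the top-level flow
        elif check:
            trace["executions"].append(
                {"name": check["name"], "requirement": check["req"], "outcome": None}
            )
        elif outcome:
            # Attach the outcome to the most recent open execution of that name.
            for entry in reversed(trace["executions"]):
                if entry["name"] == outcome["name"] and entry["outcome"] is None:
                    entry["outcome"] = outcome["outcome"]
                    break
    return traces


def diagnose(trace):
    """Return (code, message) findings for one thread's trace."""
    findings = []
    skipped = [e["name"] for e in trace["executions"]
               if "x509" in e["name"] and e["outcome"] == "ATTEMPTED"]
    if skipped and trace["cert_missing"]:
        findings.append((
            "X509_NO_CLIENT_CERT",
            f"{skipped[0]} ran but no client certificate reached Keycloak; "
            "TLS is terminated before Keycloak (check ssl-passthrough on the ingress)",
        ))
    pending = [e for e in trace["executions"] if e["outcome"] is None]
    if findings and pending and pending[-1]["requirement"] == "REQUIRED":
        findings.append((
            "FELL_BACK_TO_FORM",
            f"flow stopped at required execution {pending[-1]['name']}",
        ))
    return findings


if __name__ == "__main__":
    for thread, trace in analyze(SAMPLE_LOG).items():
        for code, message in diagnose(trace):
            print(f"[{thread}] {code}: {message}")
```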

Related

Keycloak continuously redirects to login page

I have set up Keycloak, but it continuously redirects to the login page in a loop.
I got the error below in the logs:
2022-02-22 12:41:42,003 WARN [org.keycloak.events] (default task-2) type=REFRESH_TOKEN_ERROR, realmId=master, clientId=security-admin-console, userId=null, ipAddress=10.x.x.x, error=invalid_token, grant_type=refresh_token, client_auth_method=client-secret
Can anyone guide?

If you are behind Apache/nginx, perhaps set the httpOnly cookie! This can be the reason for that behavior in Keycloak 15.0.2.

Caused by: com.alibaba.otter.canal.common.CanalException: requestGet for canal config error: auth :admin is failed

I am now using Alibaba Canal to sync MySQL from datacenter A to datacenter B (Canal is deployed in Kubernetes). After I start the canal-server, it shows an error like this:
[root@canal-server-stable-0 bin]# tail -f /home/canal/logs/canal/canal.log
2021-05-26 11:47:32.329 [main] INFO com.alibaba.otter.canal.deployer.CanalLauncher - ## set default uncaught exception handler
2021-05-26 11:47:32.366 [main] INFO com.alibaba.otter.canal.deployer.CanalLauncher - ## load canal configurations
2021-05-26 11:47:32.849 [main] ERROR com.alibaba.otter.canal.deployer.CanalLauncher - ## Something goes wrong when starting up the canal Server:
com.alibaba.otter.canal.common.CanalException: load manager config failed.
Caused by: com.alibaba.otter.canal.common.CanalException: requestGet for canal config error: auth :admin is failed
2021-05-26 11:52:50.402 [main] INFO com.alibaba.otter.canal.deployer.CanalLauncher - ## set default uncaught exception handler
2021-05-26 11:52:50.432 [main] INFO com.alibaba.otter.canal.deployer.CanalLauncher - ## load canal configurations
2021-05-26 11:52:50.836 [main] ERROR com.alibaba.otter.canal.deployer.CanalLauncher - ## Something goes wrong when starting up the canal Server:
com.alibaba.otter.canal.common.CanalException: load manager config failed.
Caused by: com.alibaba.otter.canal.common.CanalException: requestGet for canal config error: auth :admin is failed
This is my canal server config:
[root@canal-server-stable-0 bin]# cat ../conf/canal.properties
# register ip
# canal.register.ip = canal-server-stable-0.canal-server-discovery-svc-stable.hades-pro.svc.cluster.local
canal.register.ip = 10.244.5.5
# canal admin config
canal.admin.manager = 10.105.49.36:8089
canal.admin.port = 11110
canal.admin.user = admin
canal.admin.passwd = 6bb4837eb74329105ee4568dda7dc67ed2ca2ad9
# admin auto register
canal.admin.register.auto = true
canal.admin.register.cluster = online
The hashed password was encrypted from 123456. I am sure the password is right. I tried to find the password in the database, and it matched my config:
I am also using Arthas to trace the online canal-admin app:
watch com.alibaba.otter.canal.admin.controller.PollingConfigController auth "{params,returnObj}" -x 3 -b
It shows the password I pass is: 6bb4837eb74329105ee4568dda7dc67ed2ca2ad9. I do not know what is going wrong now. What should I do to fix it?

You can check the canal admin conf/application.yaml file:
canal:
  adminUser: admin
  adminPasswd: 123456
If you modified the "canal.adminPasswd" attribute, you can correct it.
Hope this helps you.

Kafka with Kerberos

I'm encountering the following errors while configuring Kafka with Kerberos authentication.
Can somebody please let me know what could be going wrong here, so I can get it fixed? I tried various options, but nothing seems to be working for me.
I noticed that ZooKeeper gets connected, and on the next attempt it fails.
[2019-10-09 05:06:07,942] INFO Initiating client connection, connectString=kafka-d1.example.com:2181 sessionTimeout=6000 watcher=kafka.zookeeper.ZooKeeperClient$ZooKeeperClientWatcher$@6adbc9d (org.apache.zookeeper.ZooKeeper)
[2019-10-09 05:06:07,945] DEBUG zookeeper.disableAutoWatchReset is false (org.apache.zookeeper.ClientCnxn)
[2019-10-09 05:06:07,959] INFO [ZooKeeperClient] Waiting until connected. (kafka.zookeeper.ZooKeeperClient)
[2019-10-09 05:06:07,961] DEBUG JAAS loginContext is: Client (org.apache.zookeeper.client.ZooKeeperSaslClient)
[2019-10-09 05:06:08,252] INFO Client successfully logged in. (org.apache.zookeeper.Login)
[2019-10-09 05:06:08,253] INFO TGT refresh thread started. (org.apache.zookeeper.Login)
[2019-10-09 05:06:08,254] DEBUG Client principal is "kafka/kafka-d1.example.com@EXAMPLE.COM". (org.apache.zookeeper.Login)
[2019-10-09 05:06:08,261] DEBUG Server principal is "krbtgt/EXAMPLE.COM@EXAMPLE.COM". (org.apache.zookeeper.Login)
[2019-10-09 05:06:08,264] INFO TGT valid starting at: Wed Oct 09 05:06:08 EDT 2019 (org.apache.zookeeper.Login)
[2019-10-09 05:06:08,264] INFO TGT expires: Wed Oct 09 15:06:08 EDT 2019 (org.apache.zookeeper.Login)
[2019-10-09 05:06:08,264] INFO TGT refresh sleeping until: Wed Oct 09 13:06:47 EDT 2019 (org.apache.zookeeper.Login)
[2019-10-09 05:06:08,265] INFO Client will use GSSAPI as SASL mechanism. (org.apache.zookeeper.client.ZooKeeperSaslClient)
[2019-10-09 05:06:08,265] DEBUG creating sasl client: Client=kafka/kafka-d1.example.com@EXAMPLE.COM;service=zookeeper;serviceHostname=kafka-d1.example.com (org.apache.zookeeper.client.ZooKeeperSaslClient)
[2019-10-09 05:06:08,272] INFO Opening socket connection to server kafka-d1.example.com/10.14.61.17:2181. Will attempt to SASL-authenticate using Login Context section 'Client' (org.apache.zookeeper.ClientCnxn)
[2019-10-09 05:06:08,277] INFO Socket connection established to kafka-d1.example.com/10.14.61.17:2181, initiating session (org.apache.zookeeper.ClientCnxn)
[2019-10-09 05:06:08,278] DEBUG Session establishment request sent on kafka-d1.example.com/10.14.61.17:2181 (org.apache.zookeeper.ClientCnxn)
[2019-10-09 05:06:08,286] INFO Session establishment complete on server kafka-d1.example.com/10.14.61.17:2181, sessionid = 0x16dafa306f20009, negotiated timeout = 6000 (org.apache.zookeeper.ClientCnxn)
[2019-10-09 05:06:08,288] DEBUG ClientCnxn:sendSaslPacket:length=0 (org.apache.zookeeper.client.ZooKeeperSaslClient)
[2019-10-09 05:06:08,289] DEBUG saslClient.evaluateChallenge(len=0) (org.apache.zookeeper.client.ZooKeeperSaslClient)
[2019-10-09 05:06:08,289] INFO [ZooKeeperClient] Connected. (kafka.zookeeper.ZooKeeperClient)
[2019-10-09 05:06:08,300] ERROR An error: (java.security.PrivilegedActionException: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7))]) occurred when evaluating Zookeeper Quorum Member's received SASL token. Zookeeper Client will go to AUTH_FAILED state. (org.apache.zookeeper.client.ZooKeeperSaslClient)
[2019-10-09 05:06:08,300] ERROR SASL authentication with Zookeeper Quorum member failed: javax.security.sasl.SaslException: An error: (java.security.PrivilegedActionException: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7))]) occurred when evaluating Zookeeper Quorum Member's received SASL token. Zookeeper Client will go to AUTH_FAILED state. (org.apache.zookeeper.ClientCnxn)
[2019-10-09 05:06:08,300] ERROR [ZooKeeperClient] Auth failed. (kafka.zookeeper.ZooKeeperClient)
[2019-10-09 05:06:08,350] ERROR Fatal error during KafkaServer startup. Prepare to shutdown (kafka.server.KafkaServer)
org.apache.zookeeper.KeeperException$AuthFailedException: KeeperErrorCode = AuthFailed for /consumers
at org.apache.zookeeper.KeeperException.create(KeeperException.java:126)
at org.apache.zookeeper.KeeperException.create(KeeperException.java:54)
at kafka.zookeeper.AsyncResponse.maybeThrow(ZooKeeperClient.scala:546)
at kafka.zk.KafkaZkClient.createRecursive(KafkaZkClient.scala:1559)
at kafka.zk.KafkaZkClient.makeSurePersistentPathExists(KafkaZkClient.scala:1480)
at kafka.zk.KafkaZkClient$$anonfun$createTopLevelPaths$1.apply(KafkaZkClient.scala:1472)
at kafka.zk.KafkaZkClient$$anonfun$createTopLevelPaths$1.apply(KafkaZkClient.scala:1472)
at scala.collection.immutable.List.foreach(List.scala:392)
at kafka.zk.KafkaZkClient.createTopLevelPaths(KafkaZkClient.scala:1472)
at kafka.server.KafkaServer.initZkClient(KafkaServer.scala:373)
at kafka.server.KafkaServer.startup(KafkaServer.scala:202)
at kafka.server.KafkaServerStartable.startup(KafkaServerStartable.scala:38)
at kafka.Kafka$.main(Kafka.scala:75)
at kafka.Kafka.main(Kafka.scala)
[2019-10-09 05:06:08,354] INFO shutting down (kafka.server.KafkaServer)
[2019-10-09 05:06:08,356] INFO [ZooKeeperClient] Closing. (kafka.zookeeper.ZooKeeperClient)
[2019-10-09 05:06:08,357] DEBUG Close called on already closed client (org.apache.zookeeper.ZooKeeper)
[2019-10-09 05:06:08,359] INFO [ZooKeeperClient] Closed. (kafka.zookeeper.ZooKeeperClient)
[2019-10-09 05:06:08,361] INFO shut down completed (kafka.server.KafkaServer)
[2019-10-09 05:06:08,361] ERROR Exiting Kafka. (kafka.server.KafkaServerStartable)
[2019-10-09 05:06:08,364] INFO shutting down (kafka.server.KafkaServer)
Server {
    com.sun.security.auth.module.Krb5LoginModule required
    useKeyTab=true
    keyTab=/etc/keytabs/zookeeper.keytab
    storeKey=true
    useTicketCache=false
    principal=zookeeper/kafka-d1.EXAMPLE.COM@EXAMPLE.COM;
};
cat /etc/kafka/jaas.conf
KafkaServer {
    com.sun.security.auth.module.Krb5LoginModule required
    useKeyTab=true
    storeKey=true
    keyTab="/etc/keytabs/kafka-d1.keytab"
    principal="kafka/kafka-d1.EXAMPLE.COM@EXAMPLE.COM";
};
Client {
    com.sun.security.auth.module.Krb5LoginModule required
    useKeyTab=true
    storeKey=true
    keyTab="/etc/keytabs/kafka-d1.keytab"
    principal="kafka/kafka-d1.EXAMPLE.COM@EXAMPLE.COM";
};
/etc/krb5.conf
[libdefaults]
default_realm = EXAMPLE.COM
dns_lookup_kdc = false
dns_lookup_realm = false
ticket_lifetime = 86400
renew_lifetime = 604800
forwardable = true
default_tgs_enctypes = aes256-cts
default_tkt_enctypes = aes256-cts
permitted_enctypes = aes256-cts
udp_preference_limit = 1
kdc_timeout = 3000
ignore_acceptor_hostname = true
[realms]
    EXAMPLE.COM = {
        kdc = srv-kerb.example.com
        admin_server = srv-kerb.example.com
        kdc = srv-kerb.example.com
    }
[domain_realm]
Caused by: org.apache.kafka.common.errors.SaslAuthenticationException: An error: (java.security.PrivilegedActionException: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7))]) occurred when evaluating SASL token received from the Kafka Broker. This may be caused by Java's being unable to resolve the Kafka Broker's hostname correctly. You may want to try to adding '-Dsun.net.spi.nameservice.provider.1=dns,sun' to your client's JVMFLAGS environment. Users must configure FQDN of kafka brokers when authenticating using SASL and socketChannel.socket().getInetAddress().getHostName() must match the hostname in principal/hostname@realm Kafka Client will go to AUTHENTICATION_FAILED state.
I had the same problem. Changing the ZooKeeper host value from an IP address to the FQDN (hostname), and also adding the hostname in /etc/hosts, fixed the problem for me.
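
The error text quoted above ties the failure to the hostname that ends up in the service principal the client requests. The Python sketch below is an added example (not from the original posts, Kafka or ZooKeeper): it derives that principal for each host in a connect string and compares it with the principals listed in a keytab. The function names, status labels and the `klist -kt` sample are constructed for this example, and it performs no DNS lookups.

```python
import ipaddress

# Constructed sample in the layout printed by `klist -kt <keytab>` (MIT Kerberos).
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/keytabs/zookeeper.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 10/09/2019 05:00:00 zookeeper/kafka-d1.example.com@EXAMPLE.COM
   2 10/09/2019 05:00:00 zookeeper/kafka-d2.example.com@EXAMPLE.COM
"""


def principals_from_klist(text):
    """Collect principal names from `klist -kt` output (entry rows start with a KVNO)."""
    found = set()
    for line in text.splitlines():
        parts = line.split()
        if not parts or not parts[0].isdigit():
            continue  # header, separator or blank line
        principal = next((p for p in parts[1:] if "@" in p), None)
        if principal:
            found.add(principal)
    return found


def split_connect_string(connect):
    """'h1:2181,h2:2181/chroot' -> ['h1', 'h2'] (ports and chroot path dropped)."""
    hosts = []
    for item in connect.split("/", 1)[0].split(","):
        item = item.strip()
        if not item:
            continue
        host, sep, port = item.rpartition(":")
        if not sep or not port.isdigit():
            host = item  # no port given
        hosts.append(host.strip("[]"))  # tolerate a bracketed IPv6 literal
    return hosts


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def check_connect_string(connect, service, realm, keytab_principals):
    """Return (host, status, principal) for every host in the connect string.

    status is one of:
      ok            - service/host@REALM exists in the keytab
      ip-literal    - host is an IP address; the requested principal then depends
                      on what the JVM resolves for it, so use the FQDN instead
      case-mismatch - a principal exists that differs only by case (assumption:
                      an MIT KDC, which compares names case-sensitively)
      missing       - no matching principal at all
    """
    by_lower = {p.lower(): p for p in keytab_principals}
    results = []
    for host in split_connect_string(connect):
        spn = f"{service}/{host}@{realm}"
        if is_ip_literal(host):
            results.append((host, "ip-literal", spn))
        elif spn in keytab_principals:
            results.append((host, "ok", spn))
        elif spn.lower() in by_lower:
            results.append((host, "case-mismatch", by_lower[spn.lower()]))
        else:
            results.append((host, "missing", spn))
    return results


if __name__ == "__main__":
    keytab = principals_from_klist(SAMPLE_KLIST)
    # Constructed connect string mixing an FQDN and the IP seen in the log above.
    for row in check_connect_string(
        "kafka-d1.example.com:2181,10.14.61.17:2181", "zookeeper", "EXAMPLE.COM", keytab
    ):
        print(row)
```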

RH Developer Studio to JBoss EAP server connection

I have tried Developer Studio 11.3.0, and 12.0.0. I've tried EAP 6.4.0, and 7.1.0. Everything gives me the same error. I've run it with servers in RHEL on AWS and a DevStudio in Windows 10 or Windows 7. I've run it with server and DevStudio on the same Fedora system. Always the same error when I try to "start" the remote server:
The initialization produced an exception, which can occur due to incorrect security credentials. Please review the exception messages by clicking the Details button.
* java.io.IOException: java.net.ConnectException: WFLYPRT0053: Could not connect to http-remoting://LOCALHOST:9990. The connection failed
* java.net.ConnectException: WFLYPRT0053: Could not connect to http-remoting://LOCALHOST:9990. The connection failed
* WFLYPRT0053: Could not connect to http-remoting://LOCALHOST:9990. The connection failed
* Authentication failed: all available authentication mechanisms failed:
JBOSS-LOCAL-USER: javax.security.sasl.SaslException: ELY05128: [JBOSS-LOCAL-USER] Failed to read challenge file [Caused by java.io.FileNotFoundException: /datavirt/jboss/EAP-7.1.0/standalone/tmp/auth/local3848441195962286340.challenge (Permission denied)]
DIGEST-MD5: javax.security.sasl.SaslException: DIGEST-MD5: Server rejected authentication
Here's a bit of the server.log file, where things go wrong. (It's slightly different in 6.4.0, but not substantially.)
2018-09-01 23:20:52,946 TRACE [org.jboss.remoting.endpoint] (management I/O-2) Allocated tick to 8 of endpoint "miramanee:MANAGEMENT" <68fb9f51> (opened org.jboss.remoting3.EndpointImpl$TrackingExecutor@18776914)
2018-09-01 23:20:52,946 TRACE [org.xnio.nio] (management I/O-2) Running task org.jboss.remoting3.remote.ServerConnectionOpenListener$2@228e4439
2018-09-01 23:20:52,946 TRACE [org.xnio.nio.selector] (management I/O-2) Beginning select on sun.nio.ch.EPollSelectorImpl@617c6bff (with timeout)
2018-09-01 23:20:52,946 TRACE [org.xnio.nio] (management I/O-2) Select, queue is empty
2018-09-01 23:20:52,946 TRACE [org.wildfly.security] (management task-7) Handling RealmCallback: selected = [ManagementRealm]
2018-09-01 23:20:52,946 TRACE [org.wildfly.security] (management task-7) Handling NameCallback: authenticationName = admin
2018-09-01 23:20:52,946 TRACE [org.wildfly.security] (management task-7) Principal assigning: [admin], pre-realm rewritten: [admin#ManagementRealm], realm name: [DIGEST], post-realm rewritten: [admin#ManagementRealm], realm rewritten: [admin#ManagementRealm]
2018-09-01 23:20:52,947 TRACE [org.wildfly.security] (management task-7) Handling CredentialCallback: obtained credential for correct realm "ManagementRealm"
2018-09-01 23:20:52,947 TRACE [org.wildfly.security] (management task-7) Handling CredentialCallback: obtained credential: org.wildfly.security.credential.PasswordCredential@b75f36fa
2018-09-01 23:20:52,947 TRACE [org.jboss.remoting.remote.server] (management task-7) Server sending authentication rejected: javax.security.sasl.SaslException: ELY05055: [DIGEST-MD5] Authentication rejected (invalid proof)
at org.wildfly.security.sasl.digest.DigestSaslServer.validateDigestResponse(DigestSaslServer.java:281)
at org.wildfly.security.sasl.digest.DigestSaslServer.evaluateMessage(DigestSaslServer.java:358)
at org.wildfly.security.sasl.util.AbstractSaslParticipant.evaluateMessage(AbstractSaslParticipant.java:180)
at org.wildfly.security.sasl.digest.DigestSaslServer.evaluateResponse(DigestSaslServer.java:331)
at org.wildfly.security.sasl.util.AuthenticationCompleteCallbackSaslServerFactory$1.evaluateResponse(AuthenticationCompleteCallbackSaslServerFactory.java:58)
at org.wildfly.security.sasl.util.AuthenticationTimeoutSaslServerFactory$DelegatingTimeoutSaslServer.evaluateResponse(AuthenticationTimeoutSaslServerFactory.java:106)
I am plumb stumped.

If you want to get it going quickly for learning, etc., then I can just say what I'm doing. I have RHEL 7 and EAP 7.1. I'm using Dev Studio 12 on the same machine. When I added a server in Dev Studio, I had the option to select local or remote. I selected local and had no problems starting via Dev Studio. The user I'm running Dev Studio with also has permissions to the EAP home directory (I see file permission errors in your error). I also chose management options vs. Filesystem and shell operations. I also tested, and this worked when picking remote as well. But again, same server for everything/same localhost.

JBoss EAP 7.1 RH-SSO 7.2 Rest Service Keycloak Bearer Only AuthenticatedActionsValve.invoke Policy enforcement is disabled 403 Forbidden

My configuration is:
JBoss EAP 7.1.4
RH-SSO 7.2.4
JDK 1.8.0u172
We have built a Rest/JSON web service based on the jboss-eap-quickstarts-7.1\contacts-jquerymobile example, without any of the JavaScript GUI components, which works fine.
We then attempted to secure this Rest/JSON web service using the redhat-sso-quickstarts-7.2.x\service-jee-jaxrs example for guidance, after getting the service-jee-jaxrs example running locally.
The Rest/JSON web service is secured using keycloak, and access is bearer only.
Here is the web.xml:
<?xml version="1.0" encoding="UTF-8"?>
<web-app version="3.1" blah blah blah >
    <module-name>OurRestService</module-name>
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>All</web-resource-name>
            <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>mobilerole</role-name>
        </auth-constraint>
    </security-constraint>
    <login-config>
        <auth-method>KEYCLOAK</auth-method>
    </login-config>
    <security-role>
        <role-name>mobilerole</role-name>
    </security-role>
</web-app>
Here is the keycloak.json:
{
    "realm": "mobilerealm",
    "bearer-only": true,
    "auth-server-url": "blah blah localhost:8180/auth",
    "ssl-required": "external",
    "resource": "OurRestService",
    "confidential-port": 0
}
Below is the JBoss server log output from an attempted GET using PostMan. As you can see the bearer only token is successfully authenticated by SSO, but the web service never fires, and PostMan gets a 403 Forbidden.
Please note the last 2 lines of the server log:
2018-08-30 13:13:19,851 DEBUG [org.keycloak.adapters.AuthenticatedActionsHandler] (default task-4) AuthenticatedActionsValve.invoke http://localhost:8080/OurRestService/rest/contacts/
2018-08-30 13:13:19,851 DEBUG [org.keycloak.adapters.AuthenticatedActionsHandler] (default task-4) Policy enforcement is disabled.
What am I missing?
2018-08-30 13:13:19,737 DEBUG [io.undertow.request] (default I/O-5) Matched prefix path /OurRestService for path /OurRestService/rest/contacts/
2018-08-30 13:13:19,738 DEBUG [org.keycloak.adapters.PreAuthActionsHandler] (default task-4) adminRequest ourUrlToGetPastStackOverflow10URLlimit/contacts/
2018-08-30 13:13:19,738 DEBUG [io.undertow.request.security] (default task-4) Security constraints for request /OurRestService/rest/contacts/ are [SingleConstraintMatch{emptyRoleSemantic=PERMIT, requiredRoles=[therole]}]
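2018-08-30 13:13:19,738 DEBUG [io.undertow.request.security] (default task-4) Authenticating required for request HttpServerExchange{ GET /OurRestService/rest/contacts/ request {Postman-Token=[ba346ce6-995e-4c1c-859f-9d92c449b8c9], Accept=[*/*], cache-control=[no-cache], accept-encoding=[gzip, deflate], User-Agent=[PostmanRuntime/7.2.0], Connection=[keep-alive], Authorization=[Bearer eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJxSzJKWjUyVjFmU0pKRG82M0hmZHlJbjYyWERlX2hhSWhFMGV5ZXZkQlowIn0.eyJqdGkiOiI5YWM3MWUxMC1kMTYxLTRiYjYtYmE0OC1iMTRlZmJiZjRkZDEiLCJleHAiOjE1MzU2NDk0OTMsIm5iZiI6MCwiaWF0IjoxNTM1NjQ5MTkzLCJpc3MiOiJodHRwOi8vbG9jYWxob3N0OjgxODAvYXV0aC9yZWFsbXMvbW9iaWxlcmVhbG0iLCJhdWQiOiJhZG1pbi1jbGkiLCJzdWIiOiIyMThlYTcwNC0zYTdhLTQ3NjYtYTI1MS02OWQ5YWE4ZTc1ZmYiLCJ0eXAiOiJCZWFyZXIiLCJhenAiOiJhZG1pbi1jbGkiLCJhdXRoX3RpbWUiOjAsInNlc3Npb25fc3RhdGUiOiJjNjk4MzMxMi1mZTM1LTQwODQtYWQxMC1kZTQwOGY3NzQ1YzgiLCJhY3IiOiIxIiwiYWxsb3dlZC1vcmlnaW5zIjpbXSwicmVzb3VyY2VfYWNjZXNzIjp7fSwibmFtZSI6Ik1vYmlsZSBVc2VyIiwicHJlZmVycmVkX3VzZXJuYW1lIjoibW9iaWxldXNlciIsImdpdmVuX25hbWUiOiJNb2JpbGUiLCJmYW1pbHlfbmFtZSI6IlVzZXIiLCJlbWFpbCI6InNoYXduLmZpcnRoQGdtYWlsLmNvbSJ9.HFCYIdW7Xyd0eKjXOouujVCUH5zjnxNDbOBLQOnjfOzEj4Ff4pHd6q6Ukl3unmWpvM9tU2FtzoPtsxQ-BqIu1ITBuq5_U-fk0OebTCOWtF566vW6BjJb3czRO8f3pB1hd5O7-xCT2KXSv-oEIi0s0ZweiLH0A1PeYy7wur_eCuhONgiu7wI6uR-gimcZVe7o3yhKsDnukrdR-N8xrp1T9PugQe5MZq20ER2Hvc-TW_npnTxRyCHa4tg59_p7-JBGA-BT03mFvOdd4vALeW8xkK3vtaVQevMSa8u3WZrpNGsAvoKpT6QTzm6W0TxAb3t_ptOjusxoLqqRacmP-C9OUg], Content-Type=[application/json], cookie=[JSESSIONID=E7uZRSGcR1FaiNDFCYmJcF7YnJaQof0yP3LxstT5.sfirth], Host=[localhost:8080]} response {X-Powered-By=[Undertow/1], Server=[JBoss-EAP/7]}}
2018-08-30 13:13:19,738 DEBUG [io.undertow.request.security] (default task-4) Setting authentication required for exchange HttpServerExchange{ GET /OurRestService/rest/contacts/ request {Postman-Token=[ba346ce6-995e-4c1c-859f-9d92c449b8c9], Accept=[*/*], cache-control=[no-cache], accept-encoding=[gzip, deflate], User-Agent=[PostmanRuntime/7.2.0], Connection=[keep-alive], Authorization=[Bearer eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJxSzJKWjUyVjFmU0pKRG82M0hmZHlJbjYyWERlX2hhSWhFMGV5ZXZkQlowIn0.eyJqdGkiOiI5YWM3MWUxMC1kMTYxLTRiYjYtYmE0OC1iMTRlZmJiZjRkZDEiLCJleHAiOjE1MzU2NDk0OTMsIm5iZiI6MCwiaWF0IjoxNTM1NjQ5MTkzLCJpc3MiOiJodHRwOi8vbG9jYWxob3N0OjgxODAvYXV0aC9yZWFsbXMvbW9iaWxlcmVhbG0iLCJhdWQiOiJhZG1pbi1jbGkiLCJzdWIiOiIyMThlYTcwNC0zYTdhLTQ3NjYtYTI1MS02OWQ5YWE4ZTc1ZmYiLCJ0eXAiOiJCZWFyZXIiLCJhenAiOiJhZG1pbi1jbGkiLCJhdXRoX3RpbWUiOjAsInNlc3Npb25fc3RhdGUiOiJjNjk4MzMxMi1mZTM1LTQwODQtYWQxMC1kZTQwOGY3NzQ1YzgiLCJhY3IiOiIxIiwiYWxsb3dlZC1vcmlnaW5zIjpbXSwicmVzb3VyY2VfYWNjZXNzIjp7fSwibmFtZSI6Ik1vYmlsZSBVc2VyIiwicHJlZmVycmVkX3VzZXJuYW1lIjoibW9iaWxldXNlciIsImdpdmVuX25hbWUiOiJNb2JpbGUiLCJmYW1pbHlfbmFtZSI6IlVzZXIiLCJlbWFpbCI6InNoYXduLmZpcnRoQGdtYWlsLmNvbSJ9.HFCYIdW7Xyd0eKjXOouujVCUH5zjnxNDbOBLQOnjfOzEj4Ff4pHd6q6Ukl3unmWpvM9tU2FtzoPtsxQ-BqIu1ITBuq5_U-fk0OebTCOWtF566vW6BjJb3czRO8f3pB1hd5O7-xCT2KXSv-oEIi0s0ZweiLH0A1PeYy7wur_eCuhONgiu7wI6uR-gimcZVe7o3yhKsDnukrdR-N8xrp1T9PugQe5MZq20ER2Hvc-TW_npnTxRyCHa4tg59_p7-JBGA-BT03mFvOdd4vALeW8xkK3vtaVQevMSa8u3WZrpNGsAvoKpT6QTzm6W0TxAb3t_ptOjusxoLqqRacmP-C9OUg], Content-Type=[application/json], cookie=[JSESSIONID=E7uZRSGcR1FaiNDFCYmJcF7YnJaQof0yP3LxstT5.sfirth], Host=[localhost:8080]} response {X-Powered-By=[Undertow/1], Server=[JBoss-EAP/7]}}
2018-08-30 13:13:19,738 DEBUG [io.undertow.request.security] (default task-4) Attempting to authenticate HttpServerExchange{ GET /OurRestService/rest/contacts/ request {Postman-Token=[ba346ce6-995e-4c1c-859f-9d92c449b8c9], Accept=[*/*], cache-control=[no-cache], accept-encoding=[gzip, deflate], User-Agent=[PostmanRuntime/7.2.0], Connection=[keep-alive], Authorization=[Bearer eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJxSzJKWjUyVjFmU0pKRG82M0hmZHlJbjYyWERlX2hhSWhFMGV5ZXZkQlowIn0.eyJqdGkiOiI5YWM3MWUxMC1kMTYxLTRiYjYtYmE0OC1iMTRlZmJiZjRkZDEiLCJleHAiOjE1MzU2NDk0OTMsIm5iZiI6MCwiaWF0IjoxNTM1NjQ5MTkzLCJpc3MiOiJodHRwOi8vbG9jYWxob3N0OjgxODAvYXV0aC9yZWFsbXMvbW9iaWxlcmVhbG0iLCJhdWQiOiJhZG1pbi1jbGkiLCJzdWIiOiIyMThlYTcwNC0zYTdhLTQ3NjYtYTI1MS02OWQ5YWE4ZTc1ZmYiLCJ0eXAiOiJCZWFyZXIiLCJhenAiOiJhZG1pbi1jbGkiLCJhdXRoX3RpbWUiOjAsInNlc3Npb25fc3RhdGUiOiJjNjk4MzMxMi1mZTM1LTQwODQtYWQxMC1kZTQwOGY3NzQ1YzgiLCJhY3IiOiIxIiwiYWxsb3dlZC1vcmlnaW5zIjpbXSwicmVzb3VyY2VfYWNjZXNzIjp7fSwibmFtZSI6Ik1vYmlsZSBVc2VyIiwicHJlZmVycmVkX3VzZXJuYW1lIjoibW9iaWxldXNlciIsImdpdmVuX25hbWUiOiJNb2JpbGUiLCJmYW1pbHlfbmFtZSI6IlVzZXIiLCJlbWFpbCI6InNoYXduLmZpcnRoQGdtYWlsLmNvbSJ9.HFCYIdW7Xyd0eKjXOouujVCUH5zjnxNDbOBLQOnjfOzEj4Ff4pHd6q6Ukl3unmWpvM9tU2FtzoPtsxQ-BqIu1ITBuq5_U-fk0OebTCOWtF566vW6BjJb3czRO8f3pB1hd5O7-xCT2KXSv-oEIi0s0ZweiLH0A1PeYy7wur_eCuhONgiu7wI6uR-gimcZVe7o3yhKsDnukrdR-N8xrp1T9PugQe5MZq20ER2Hvc-TW_npnTxRyCHa4tg59_p7-JBGA-BT03mFvOdd4vALeW8xkK3vtaVQevMSa8u3WZrpNGsAvoKpT6QTzm6W0TxAb3t_ptOjusxoLqqRacmP-C9OUg], Content-Type=[application/json], cookie=[JSESSIONID=E7uZRSGcR1FaiNDFCYmJcF7YnJaQof0yP3LxstT5.sfirth], Host=[localhost:8080]} response {Expires=[0], Cache-Control=[no-cache, no-store, must-revalidate], X-Powered-By=[Undertow/1], Server=[JBoss-EAP/7], Pragma=[no-cache]}}, authentication required: true
2018-08-30 13:13:19,738 DEBUG [io.undertow.request.security] (default task-4) Authentication outcome was NOT_ATTEMPTED with method io.undertow.security.impl.CachedAuthenticatedSessionMechanism@6715ee5d for HttpServerExchange{ GET /OurRestService/rest/contacts/ request {Postman-Token=[ba346ce6-995e-4c1c-859f-9d92c449b8c9], Accept=[*/*], cache-control=[no-cache], accept-encoding=[gzip, deflate], User-Agent=[PostmanRuntime/7.2.0], Connection=[keep-alive], Authorization=[Bearer eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJxSzJKWjUyVjFmU0pKRG82M0hmZHlJbjYyWERlX2hhSWhFMGV5ZXZkQlowIn0.eyJqdGkiOiI5YWM3MWUxMC1kMTYxLTRiYjYtYmE0OC1iMTRlZmJiZjRkZDEiLCJleHAiOjE1MzU2NDk0OTMsIm5iZiI6MCwiaWF0IjoxNTM1NjQ5MTkzLCJpc3MiOiJodHRwOi8vbG9jYWxob3N0OjgxODAvYXV0aC9yZWFsbXMvbW9iaWxlcmVhbG0iLCJhdWQiOiJhZG1pbi1jbGkiLCJzdWIiOiIyMThlYTcwNC0zYTdhLTQ3NjYtYTI1MS02OWQ5YWE4ZTc1ZmYiLCJ0eXAiOiJCZWFyZXIiLCJhenAiOiJhZG1pbi1jbGkiLCJhdXRoX3RpbWUiOjAsInNlc3Npb25fc3RhdGUiOiJjNjk4MzMxMi1mZTM1LTQwODQtYWQxMC1kZTQwOGY3NzQ1YzgiLCJhY3IiOiIxIiwiYWxsb3dlZC1vcmlnaW5zIjpbXSwicmVzb3VyY2VfYWNjZXNzIjp7fSwibmFtZSI6Ik1vYmlsZSBVc2VyIiwicHJlZmVycmVkX3VzZXJuYW1lIjoibW9iaWxldXNlciIsImdpdmVuX25hbWUiOiJNb2JpbGUiLCJmYW1pbHlfbmFtZSI6IlVzZXIiLCJlbWFpbCI6InNoYXduLmZpcnRoQGdtYWlsLmNvbSJ9.HFCYIdW7Xyd0eKjXOouujVCUH5zjnxNDbOBLQOnjfOzEj4Ff4pHd6q6Ukl3unmWpvM9tU2FtzoPtsxQ-BqIu1ITBuq5_U-fk0OebTCOWtF566vW6BjJb3czRO8f3pB1hd5O7-xCT2KXSv-oEIi0s0ZweiLH0A1PeYy7wur_eCuhONgiu7wI6uR-gimcZVe7o3yhKsDnukrdR-N8xrp1T9PugQe5MZq20ER2Hvc-TW_npnTxRyCHa4tg59_p7-JBGA-BT03mFvOdd4vALeW8xkK3vtaVQevMSa8u3WZrpNGsAvoKpT6QTzm6W0TxAb3t_ptOjusxoLqqRacmP-C9OUg], Content-Type=[application/json], cookie=[JSESSIONID=E7uZRSGcR1FaiNDFCYmJcF7YnJaQof0yP3LxstT5.sfirth], Host=[localhost:8080]} response {Expires=[0], Cache-Control=[no-cache, no-store, must-revalidate], X-Powered-By=[Undertow/1], Server=[JBoss-EAP/7], Pragma=[no-cache]}}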
2018-08-30 13:13:19,739 DEBUG [org.keycloak.adapters.BearerTokenRequestAuthenticator] (default task-4) Verifying access_token
2018-08-30 13:13:19,801 DEBUG [org.apache.http.impl.conn.tsccm.ThreadSafeClientConnManager] (default task-4) Get connection: {}->localhost:8180, timeout = 0
2018-08-30 13:13:19,802 DEBUG [org.apache.http.impl.conn.tsccm.ConnPoolByRoute] (default task-4) [{}->localhost:8180] total kept alive: 0, total issued: 0, total allocated: 0 out of 20
2018-08-30 13:13:19,802 DEBUG [org.apache.http.impl.conn.tsccm.ConnPoolByRoute] (default task-4) No free connections [{}->localhost:8180][null]
2018-08-30 13:13:19,802 DEBUG [org.apache.http.impl.conn.tsccm.ConnPoolByRoute] (default task-4) Available capacity: 20 out of 20 [{}->localhost:8180][null]
2018-08-30 13:13:19,802 DEBUG [org.apache.http.impl.conn.tsccm.ConnPoolByRoute] (default task-4) Creating new connection [{}->localhost:8180]
2018-08-30 13:13:19,809 DEBUG [org.apache.http.impl.conn.DefaultClientConnectionOperator] (default task-4) Connecting to localhost:8180
2018-08-30 13:13:19,820 DEBUG [org.apache.http.client.protocol.RequestAddCookies] (default task-4) CookieSpec selected: compatibility
2018-08-30 13:13:19,820 DEBUG [org.apache.http.client.protocol.RequestAuthCache] (default task-4) Auth cache not set in the context
2018-08-30 13:13:19,821 DEBUG [org.apache.http.client.protocol.RequestTargetAuthentication] (default task-4) Target auth state: UNCHALLENGED
2018-08-30 13:13:19,821 DEBUG [org.apache.http.client.protocol.RequestProxyAuthentication] (default task-4) Proxy auth state: UNCHALLENGED
2018-08-30 13:13:19,821 DEBUG [org.apache.http.impl.client.DefaultHttpClient] (default task-4) Attempt 1 to execute request
2018-08-30 13:13:19,821 DEBUG [org.apache.http.impl.conn.DefaultClientConnection] (default task-4) Sending request: GET /auth/realms/mobilerealm/protocol/openid-connect/certs HTTP/1.1
2018-08-30 13:13:19,821 DEBUG [org.apache.http.wire] (default task-4) >> "GET /auth/realms/mobilerealm/protocol/openid-connect/certs HTTP/1.1[\r][\n]"
2018-08-30 13:13:19,822 DEBUG [org.apache.http.wire] (default task-4) >> "Host: localhost:8180[\r][\n]"
2018-08-30 13:13:19,822 DEBUG [org.apache.http.wire] (default task-4) >> "Connection: Keep-Alive[\r][\n]"
2018-08-30 13:13:19,822 DEBUG [org.apache.http.wire] (default task-4) >> "[\r][\n]"
2018-08-30 13:13:19,822 DEBUG [org.apache.http.headers] (default task-4) >> GET /auth/realms/mobilerealm/protocol/openid-connect/certs HTTP/1.1
2018-08-30 13:13:19,822 DEBUG [org.apache.http.headers] (default task-4) >> Host: localhost:8180
2018-08-30 13:13:19,822 DEBUG [org.apache.http.headers] (default task-4) >> Connection: Keep-Alive
2018-08-30 13:13:19,825 DEBUG [org.apache.http.wire] (default task-4) << "HTTP/1.1 200 OK[\r][\n]"
2018-08-30 13:13:19,826 DEBUG [org.apache.http.wire] (default task-4) << "Connection: keep-alive[\r][\n]"
2018-08-30 13:13:19,826 DEBUG [org.apache.http.wire] (default task-4) << "Cache-Control: no-cache[\r][\n]"
2018-08-30 13:13:19,826 DEBUG [org.apache.http.wire] (default task-4) << "Content-Type: application/json[\r][\n]"
2018-08-30 13:13:19,826 DEBUG [org.apache.http.wire] (default task-4) << "Content-Length: 462[\r][\n]"
2018-08-30 13:13:19,826 DEBUG [org.apache.http.wire] (default task-4) << "Date: Thu, 30 Aug 2018 17:13:19 GMT[\r][\n]"
2018-08-30 13:13:19,826 DEBUG [org.apache.http.wire] (default task-4) << "[\r][\n]"
2018-08-30 13:13:19,826 DEBUG [org.apache.http.impl.conn.DefaultClientConnection] (default task-4) Receiving response: HTTP/1.1 200 OK
2018-08-30 13:13:19,826 DEBUG [org.apache.http.headers] (default task-4) << HTTP/1.1 200 OK
2018-08-30 13:13:19,826 DEBUG [org.apache.http.headers] (default task-4) << Connection: keep-alive
2018-08-30 13:13:19,826 DEBUG [org.apache.http.headers] (default task-4) << Cache-Control: no-cache
2018-08-30 13:13:19,826 DEBUG [org.apache.http.headers] (default task-4) << Content-Type: application/json
2018-08-30 13:13:19,826 DEBUG [org.apache.http.headers] (default task-4) << Content-Length: 462
2018-08-30 13:13:19,826 DEBUG [org.apache.http.headers] (default task-4) << Date: Thu, 30 Aug 2018 17:13:19 GMT
2018-08-30 13:13:19,829 DEBUG [org.apache.http.impl.client.DefaultHttpClient] (default task-4) Connection can be kept alive indefinitely
2018-08-30 13:13:19,833 DEBUG [org.apache.http.wire] (default task-4) << "{"keys":[{"kid":"qK2JZ52V1fSJJDo63HfdyIn62XDe_haIhE0eyevdBZ0","kty":"RSA","alg":"RS256","use":"sig","n":"5dKNlsMOu2W6WB0X1G27PcqUoBLPzPUDtfQmA7uf0BaPSkYu7CnbUPdShrs09RGQM6tWWL_6_qiacFi9jBgyEAhT9MhQ-rgkPe0YpdyQtVqznZH5CHkaAq9fTxwmEUXUZvRWuP4cAF7Pi5RfVgOIRflI-AgGyiH-ygdinRQx10nr-m7Us2seCM8QB5zjsKz3YLNdnk_bmvc6axhPpZAAlUCaAMM-j0Edc9CR7NDw09aUIKGED8wWdmxxdteqfPVjKiIlFjg1-QiroEH2PnNOqFTn2UKX6imOJmEc9XlJCsthlEHz-1Pqz23imiLkk-n2S3CJVyvnnI-OvUYaaOF6_w","e":"AQAB"}]}"
2018-08-30 13:13:19,836 DEBUG [org.apache.http.impl.conn.tsccm.ThreadSafeClientConnManager] (default task-4) Released connection is reusable.
2018-08-30 13:13:19,836 DEBUG [org.apache.http.impl.conn.tsccm.ConnPoolByRoute] (default task-4) Releasing connection [{}->localhost:8180][null]
2018-08-30 13:13:19,836 DEBUG [org.apache.http.impl.conn.tsccm.ConnPoolByRoute] (default task-4) Pooling connection [{}->localhost:8180][null]; keep alive indefinitely
2018-08-30 13:13:19,836 DEBUG [org.apache.http.impl.conn.tsccm.ConnPoolByRoute] (default task-4) Notifying no-one, there are no waiting threads
2018-08-30 13:13:19,838 DEBUG [org.keycloak.adapters.rotation.JWKPublicKeyLocator] (default task-4) Realm public keys successfully retrieved for client OurRestService. New kids: [qK2JZ52V1fSJJDo63HfdyIn62XDe_haIhE0eyevdBZ0]
2018-08-30 13:13:19,839 DEBUG [org.keycloak.adapters.BearerTokenRequestAuthenticator] (default task-4) successful authorized
2018-08-30 13:13:19,841 DEBUG [io.undertow.request.security] (default task-4) Authenticated as 218ea704-3a7a-4766-a251-69d9aa8e75ff, roles []
2018-08-30 13:13:19,849 DEBUG [org.keycloak.adapters.wildfly.WildflyRequestAuthenticator] (default task-4) propagate security context to wildfly
2018-08-30 13:13:19,849 DEBUG [org.keycloak.adapters.RequestAuthenticator] (default task-4) User '218ea704-3a7a-4766-a251-69d9aa8e75ff' invoking 'ourUrlToGetPastStackOverflow10URLlimit/contacts/' on client 'OurRestService'
2018-08-30 13:13:19,849 DEBUG [org.keycloak.adapters.RequestAuthenticator] (default task-4) Bearer AUTHENTICATED
2018-08-30 13:13:19,850 DEBUG [io.undertow.request.security] (default task-4) Authentication outcome was AUTHENTICATED with method org.keycloak.adapters.wildfly.WildflyAuthenticationMechanism#2d35f3f1 for HttpServerExchange{ GET /OurRestService/rest/contacts/ request {Postman-Token=[ba346ce6-995e-4c1c-859f-9d92c449b8c9], Accept=[*/*], cache-control=[no-cache], accept-encoding=[gzip, deflate], User-Agent=[PostmanRuntime/7.2.0], Connection=[keep-alive], Authorization=[Bearer eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJxSzJKWjUyVjFmU0pKRG82M0hmZHlJbjYyWERlX2hhSWhFMGV5ZXZkQlowIn0.eyJqdGkiOiI5YWM3MWUxMC1kMTYxLTRiYjYtYmE0OC1iMTRlZmJiZjRkZDEiLCJleHAiOjE1MzU2NDk0OTMsIm5iZiI6MCwiaWF0IjoxNTM1NjQ5MTkzLCJpc3MiOiJodHRwOi8vbG9jYWxob3N0OjgxODAvYXV0aC9yZWFsbXMvbW9iaWxlcmVhbG0iLCJhdWQiOiJhZG1pbi1jbGkiLCJzdWIiOiIyMThlYTcwNC0zYTdhLTQ3NjYtYTI1MS02OWQ5YWE4ZTc1ZmYiLCJ0eXAiOiJCZWFyZXIiLCJhenAiOiJhZG1pbi1jbGkiLCJhdXRoX3RpbWUiOjAsInNlc3Npb25fc3RhdGUiOiJjNjk4MzMxMi1mZTM1LTQwODQtYWQxMC1kZTQwOGY3NzQ1YzgiLCJhY3IiOiIxIiwiYWxsb3dlZC1vcmlnaW5zIjpbXSwicmVzb3VyY2VfYWNjZXNzIjp7fSwibmFtZSI6Ik1vYmlsZSBVc2VyIiwicHJlZmVycmVkX3VzZXJuYW1lIjoibW9iaWxldXNlciIsImdpdmVuX25hbWUiOiJNb2JpbGUiLCJmYW1pbHlfbmFtZSI6IlVzZXIiLCJlbWFpbCI6InNoYXduLmZpcnRoQGdtYWlsLmNvbSJ9.HFCYIdW7Xyd0eKjXOouujVCUH5zjnxNDbOBLQOnjfOzEj4Ff4pHd6q6Ukl3unmWpvM9tU2FtzoPtsxQ-BqIu1ITBuq5_U-fk0OebTCOWtF566vW6BjJb3czRO8f3pB1hd5O7-xCT2KXSv-oEIi0s0ZweiLH0A1PeYy7wur_eCuhONgiu7wI6uR-gimcZVe7o3yhKsDnukrdR-N8xrp1T9PugQe5MZq20ER2Hvc-TW_npnTxRyCHa4tg59_p7-JBGA-BT03mFvOdd4vALeW8xkK3vtaVQevMSa8u3WZrpNGsAvoKpT6QTzm6W0TxAb3t_ptOjusxoLqqRacmP-C9OUg], Content-Type=[application/json], cookie=[JSESSIONID=E7uZRSGcR1FaiNDFCYmJcF7YnJaQof0yP3LxstT5.sfirth], Host=[localhost:8080]} response {Expires=[0], Cache-Control=[no-cache, no-store, must-revalidate], X-Powered-By=[Undertow/1], Server=[JBoss-EAP/7], Pragma=[no-cache]}}
2018-08-30 13:13:19,850 DEBUG [io.undertow.request.security] (default task-4) Authentication result was AUTHENTICATED for HttpServerExchange{ GET /OurRestService/rest/contacts/ request {Postman-Token=[ba346ce6-995e-4c1c-859f-9d92c449b8c9], Accept=[*/*], cache-control=[no-cache], accept-encoding=[gzip, deflate], User-Agent=[PostmanRuntime/7.2.0], Connection=[keep-alive], Authorization=[Bearer eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJxSzJKWjUyVjFmU0pKRG82M0hmZHlJbjYyWERlX2hhSWhFMGV5ZXZkQlowIn0.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.HFCYIdW7Xyd0eKjXOouujVCUH5zjnxNDbOBLQOnjfOzEj4Ff4pHd6q6Ukl3unmWpvM9tU2FtzoPtsxQ-BqIu1ITBuq5_U-fk0OebTCOWtF566vW6BjJb3czRO8f3pB1hd5O7-xCT2KXSv-oEIi0s0ZweiLH0A1PeYy7wur_eCuhONgiu7wI6uR-gimcZVe7o3yhKsDnukrdR-N8xrp1T9PugQe5MZq20ER2Hvc-TW_npnTxRyCHa4tg59_p7-JBGA-BT03mFvOdd4vALeW8xkK3vtaVQevMSa8u3WZrpNGsAvoKpT6QTzm6W0TxAb3t_ptOjusxoLqqRacmP-C9OUg], Content-Type=[application/json], cookie=[JSESSIONID=E7uZRSGcR1FaiNDFCYmJcF7YnJaQof0yP3LxstT5.sfirth], Host=[localhost:8080]} response {Expires=[0], Cache-Control=[no-cache, no-store, must-revalidate], X-Powered-By=[Undertow/1], Server=[JBoss-EAP/7], Pragma=[no-cache]}}
2018-08-30 13:13:19,851 DEBUG [org.keycloak.adapters.AuthenticatedActionsHandler] (default task-4) AuthenticatedActionsValve.invoke ourUrlToGetPastStackOverflow10URLlimit/contacts/
2018-08-30 13:13:19,851 DEBUG [org.keycloak.adapters.AuthenticatedActionsHandler] (default task-4) Policy enforcement is disabled.
Problem Solved!
What is not obvious from the Keycloak/SSO documentation is that on RH-SSO you need a Public client paired with your bearer-only client in order to get your authenticated token. So, the solution is to create a 2nd SSO client in your realm that is "public":
* Select `Clients` from the menu
* Click `Create`
* Add the following values:
    * Client ID: `RestAuth`
    * Client Protocol: `openid-connect`
* Click `Save`
You request your token from the public client, and that will give you access to your bearer-only REST API on JBoss.
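The last step of the answer above, as an added example that is not part of the original post: it builds the token request for the public `RestAuth` client and decodes a returned token's claims to confirm which realm and client issued it before the token is sent to the bearer-only service. The issuer URL comes from the token in the logs; the password grant, the function names and the sample tokens are assumptions constructed for illustration.

```python
import base64
import json
import time
from urllib.parse import urlencode

REALM_ISSUER = "http://localhost:8180/auth/realms/mobilerealm"  # "iss" seen in the logged token
PUBLIC_CLIENT_ID = "RestAuth"  # public client created in the answer above


def build_token_request(username, password):
    """Return (url, form body) for a token request to the public client.
    Assumption: the client allows the password (direct access) grant.
    A public client has no client_secret, so none is sent."""
    form = {"grant_type": "password", "client_id": PUBLIC_CLIENT_ID,
            "username": username, "password": password}
    return REALM_ISSUER + "/protocol/openid-connect/token", urlencode(form)


def _b64url_json(segment):
    """Decode one base64url JWT segment, restoring the stripped '=' padding."""
    return json.loads(base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)))


def inspect_token(token, now=None):
    """Decode header and claims WITHOUT verifying the signature, and report
    where they differ from the expected realm and client."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected three dot-separated JWT segments")
    header, claims = _b64url_json(parts[0]), _b64url_json(parts[1])
    now = time.time() if now is None else now
    problems = []
    for name, want in (("iss", REALM_ISSUER), ("azp", PUBLIC_CLIENT_ID), ("typ", "Bearer")):
        if claims.get(name) != want:
            problems.append("%s is %r, expected %r" % (name, claims.get(name), want))
    if claims.get("exp", 0) <= now:
        problems.append("token expired at %s" % claims.get("exp"))
    return header.get("kid"), problems


def make_sample_token(claims, kid="constructed-kid"):
    """Constructed, unsigned sample token for the offline demo (not a real one)."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "RS256", "kid": kid}), enc(claims), "c2ln"])


if __name__ == "__main__":
    good = {"iss": REALM_ISSUER, "azp": PUBLIC_CLIENT_ID, "typ": "Bearer", "exp": 1535649493}
    print(inspect_token(make_sample_token(good), now=1535649200))
    print(inspect_token(make_sample_token(dict(good, azp="admin-cli")), now=1535649500))
```

The returned `kid` is the value to compare against the keys the adapter fetches from the realm, as in the `JWKPublicKeyLocator` log line. This check only reads claims; signature verification remains the adapter's job.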