I'm trying to set up Keycloak to us CAS as an OIDC identity provider. I've had this working in the past but can't get it to work now. Keycloak is configured using the "/cas/oidc/.well-known/openid-configuration" endpoint and set the client ID and secret.
All standard stuff.
Keycloak redirects to CAS as expected, the user authenticates successfully against CAS and then is redirected back to Keycloak, but Keycloak then throws this error in the logs:
2020-12-07T14:34:03.706265042Z 14:34:03,616 ERROR [org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider] (default task-1) Failed to make identity provider oauth callback: org.keycloak.broker.provider.IdentityBrokerException: No access_token from server.
2020-12-07T14:34:03.706301844Z at org.keycloak.keycloak-services#10.0.2//org.keycloak.broker.oidc.OIDCIdentityProvider.verifyAccessToken(OIDCIdentityProvider.java:499)
2020-12-07T14:34:03.706308262Z at org.keycloak.keycloak-services#10.0.2//org.keycloak.broker.oidc.OIDCIdentityProvider.getFederatedIdentity(OIDCIdentityProvider.java:360)
2020-12-07T14:34:03.706313243Z at org.keycloak.keycloak-services#10.0.2//org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider$Endpoint.authResponse(AbstractOAuth2IdentityProvider.java:472)
This is with logging at DEBUG level. Not clear what is really wrong.
The logs on the CAS side look OK.
Any ideas what might be wrong here and how to debug this?
This is with Keycloak 10.0.2
Related
Have Integrated a Java struts based server side application with a keycloak OIDC and Oauth provider.
Java servlet adapter mentioned in the https://access.redhat.com/documentation/en-us/red_hat_single_sign-on_continuous_delivery/3/html-single/securing_applications_and_services_guide/index#servlet_filter_adapter is used for the same implemetation.
The redirect_uri configured on the server is something like https://env.application.com/contextpath/
When the we application session timeouts and the user clicks on any link in the application the redirect_uri that goes as part of authorization code grant flow adds the URI of the link in addition to the redirect_uri configured in keycloak server. This will something like for example https://env.application.com/contextpath**/submenu?name=menu**
This will result in an invalid redirect_uri error from the keycloak server.
The keycloak server doesn't allow to configure a placeholder * to be configured for security reasons.
Could someone please let me know how to handle we application session timeouts with integrated with keycloak OIDC and OAUTH provider.
Is there any other best practise availble to handle session timeouts in webapplications integrated with keyclaok OIDC.
I have a keycloak Server running on my localhost with port 8081.
I'm trying to connect my Quarkus application with it to secure REST-Endpoints.
However I'm not able to Login to my Keycloak server.
I annotated an /test endpoint with #RolesAllowed("user"). Since then I can't access the endpoint but I get an Empty page with a 401 Unauthorized error in the Web console.
What I want is that I get redirected to the Keycloak default page so I can authorize myself. Any ideas why that is not happening?
Here is my application.properties Keycloak configuration:
quarkus.oidc.auth-server-url=http://localhost:8081/realms/TestRealm
quarkus.oidc.client-id=testclient
quarkus.oidc.credentials.secret=MYSECRET
quarkus.oidc.tls.verification=none
quarkus.keycloak.policy-enforcer.enable=false
logging.level.org.keycloak=DEBUG
resteasy.role.based.security=true
quarkus.http.cors=true
quarkus.http.port=8080
when I set policy enforcer to true I can't access any endpoint.
TestRealm has a Resource configured with a /test endpoint.
In the Quarkus documentation for keycloak they said that you don't need to setup your own Keycloak Server in Dev mode since Quarkus comes with one. Might that be the Problem? is my Quarkus Application not connecting to my Keycloak server? And if so, how can I force quarkus in dev mode to use my Keycloak server?
EDIT: I figured out that I have access to my endpoint if I send the request with the Bearer token, so I guess Quarkus is accessing my Keycloak instance.
Still, why don't I get forwarded to the default Keycloak login page when trying to access my Rest endpoint via my browser? Am I missing any configuration?
For anyone with the same issue I fixed it by adding:
quarkus.oidc.auth-mechanism=keycloak
quarkus.oidc.application-type=web-app
quarkus.http.auth.permission.authenticated.paths=/*
quarkus.http.auth.permission.authenticated.policy=authenticated
To the config
I have one SP and one IDP using Keycloak.
I'm using SAML protocol and I can successfully login and logout when the request is initiated by the SP.
But when connected as an admin in Keycloak I logout an user from his session no request are sent to the SP.
The session is indeed terminated on the IDP side but not on the SP side.
Because of that the user on the SP can still use the application.
I can't see any option in client configuration for that.
Has anyone made IDP initiated log out in SAML works with keycloak ?
Could you give me some directions ?
Thank you for your time.
After some other research this is not a feature of Keycloak.
https://www.keycloak.org/docs/2.5/server_admin/topics/sessions/administering.html
Quoting the docs
Only certain clients are notified of this logout event, specifically clients that are using the Keycloak OIDC client adapter. Other client types (i.e. SAML) will not receive a backchannel logout request.
I had the same issues using keycloak saml broker. It turned out that enabling back-channel logout (disabling front-channel logout) in keycloak client configuration solved my problem.
I am using 4.8.0.Final
I have a external openidconnect identity provider registered with Keycloak. When the client app tries to access the protected resource it gets redirected to KeyCloak login page. On the login page I have the external openidconnect provider buttons enabled. Once the user clicks on the button he is taken to the external identity provider (which is identityserver3 instance). The external provider does authenticate the user and send back a code.
Now the redirecturl for the registered client in the external identity provider is that of keycloak's. So after authentication is successful at the external IDP it send back the code(because it is Auth code flow) to keycloak at a redirect url:
http://localhost:5555/auth/realms/QA/broker/keycloak-client/endpoint?code=7bcf5157105199d50874e64eabf03858&state=wQhNIEKW0Ws6CotZg2EsvOorjDVQlWVvobcM2skPSXo.keycloak-client&session_state=rhgu-BXT8FniG9Z-UARKpp_f-V1nLN-VxFmSE3PSxDg.99b2d903367208e4261fefa475afb1eb
In the URL if you see it ends with endpoint. I don't think that's correct but I cannot change it in KeyCloak (it's disabled) and because of that in the external IDP client configuration.
KeyCloak does not understand above url and errors out with a message "unexpected error when authenticating with Identity Provider"
Isn't KeyCloak supposed to understand the code flow and make another request for token after receiving the code. Then the external IDP will respond with token and Keycloak will send back that token to client(will also store it for future use).
Can someone please share some knowledge on how Keycloak works with external openidconnect ID provider with code flow.
Usually the redirect URI for external identity providers take the form of {keycloak-host}/auth/realms/{realm}/broker/{provider}/endpoint. You have to specify this as the redirect URI when you register your client in the external identity provider. Once the user is authenticated through the external IdP, authorization code will be sent to this url, which in turn will redirect it to the redirect url of your client application (specified when registering the client in Keycloak).
Unexpected error when authenticating with Identity Provider is the general error message sent by Keycloak for several errors that occur during the OAuth flow. You won't be able to determine the actual cause without going through the stack trace or the logs in the prompt.
You are getting this error because keyclaok is unable to get token from identityserver3 by exchanging authorization code. Where did you hosted identityserver3? Does it have a real ca certificate or you are using self sign certificate? Have you configured client_id , secret, token endpoint properly in keycloak external IDP configuration? You can test manually my posting client_id, secret, code (that you received) in token endpoint of identityserver3.
We would like to implement such additional configuration for SSO in our organization:
Web application (with SpringSaml) --- WSO2 IS 5.0.0 --- SimpleSaml as IDP for WSO2 IS.
Our working SSO configuration is:
Other Services --> SimpleSaml
Almost all works OK. But if I login to WSO2 IS from my application and from other service I login to SimpleSaml and that other service send LogoutRequest to SimpleSaml, WSO2 IS receive LogoutRequest from SimpleSaml but don't answer and WSO2 IS produces error:
ERROR {org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.DefaultRequestCoordinator} - Context does not exist. Probably due to invalidated cache
I think, it is due to absence of sessionDataKey parameter in the logout request from SimpleSaml.
In IDP metadata for SimpleSaml I set a SingleLogoutService as
<md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://<server>:9443/commonauth"/>
Maybe it is not right URL. But I don't find SingleLogout URL for our configuration.
Could somebody help to resolve this problem or it is not possible to use WSO2 IS in such configuration?
Many thanks in advance!for
P.S. I'm very sorry for my english
What I understood from your comments that you have the setup of SimpleSamlPHP as your IDP which has connected to multiple SPs.Even the SimpleSamlPHP connected to WSO2 IS too.One of the SP send the Logout request to your SimpleSAMLPHP and the SimpleSAMLPHP pass the Logout request to WSO2 IS.
Let me describe how the logout request works on SP initiated Logout request.
LogoutRequest issued by SP to IDP
IDP determines authenticated SPs for given user session. If there are no SPs, other than the SP who sends logout request, the profile proceeds with step 5. Otherwise, steps 3 and 4 are repeated for each SP
LogoutRequest issued by IDP to SP
SP issues LogoutResponse to IDP
IDP issues LogoutResponse to SP who sends logout request.
The Logout URL you can make your custom URL where you want the user to redirect.
Refer the below Url to configure the external IDP to WSO2 IDP.
http://pushpalankajaya.blogspot.com/2014/09/leveraging-federation-capabilities-of.html
If you are using /samlsso end point in WSO2IS, It means that your are using SAML2 SSO. Therefore, you must send a proper logout request to the /samlsso end point. If you need to get more idea about SSO logout with SAML2 SSO, Please go through the below URL.
http://xacmlinfo.org/2013/06/28/how-saml2-single-logout-works/