KeyCloak custom REST Endpoint - Admin client classes not found - keycloak

I have implemented a custom REST endpoint in KeyCloak 9.0.3. This endpoint will be invoked by an external UI layer to complete the entire registration flow including creating the user and sending the verification flow.
In the SPI code, I am invoking the Admin REST client to create the user and send the verification email.
I get an error when I invoke this service.
ERROR [org.keycloak.services.error.KeycloakErrorHandler] (default task-42) Uncaught server error: java.lang.NoClassDefFoundError: org/keycloak/admin/client/KeycloakBuilder
My POM file has the dependency included:
<dependency>
<groupId>org.keycloak</groupId>
<artifactId>keycloak-admin-client</artifactId>
</dependency>
Any ideas on what I am missing here? Or is there a problem with accessing the Admin REST API from within a custom SPI?
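A NoClassDefFoundError for org/keycloak/admin/client/KeycloakBuilder at request time means the admin-client classes are not on the provider's runtime classpath: declaring keycloak-admin-client in the POM only makes it available at compile time, and the server's own modules do not ship it, so a provider jar either has to bundle it or not use it. The example below is added here and is not code from the question or from Keycloak; it takes the second route. A custom realm resource already holds a KeycloakSession, so it can create the user through the server-side model API with no admin client, no admin credentials stored in the provider and no loopback HTTP call. The package, provider id, URL path and JSON body shape are assumptions, and the code targets the Keycloak 9 API (note the `getUserByUsername(username, realm)` argument order of that version). Instead of the admin client's send-verify-email call it sets the VERIFY_EMAIL required action, which makes Keycloak send the verification mail at the user's next login; like any self-registration endpoint it is unauthenticated, so rate limiting or CAPTCHA at the edge is still needed and is outside this example.

```java
package com.example.keycloak.registration; // assumed package name

import javax.ws.rs.Consumes;
import javax.ws.rs.POST;
import javax.ws.rs.Path;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;

import org.keycloak.Config;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.KeycloakSessionFactory;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;
import org.keycloak.services.resource.RealmResourceProvider;
import org.keycloak.services.resource.RealmResourceProviderFactory;

/**
 * Custom realm resource reachable at /auth/realms/{realm}/registration/register.
 * It uses the server-side model API instead of the admin REST client, so the
 * keycloak-admin-client jar does not need to be on the provider's classpath.
 */
public class RegistrationResourceProvider implements RealmResourceProvider {

    /** Assumed JSON body sent by the external UI layer. */
    public static class RegistrationRequest {
        public String username;
        public String email;
    }

    private final KeycloakSession session;

    public RegistrationResourceProvider(KeycloakSession session) {
        this.session = session;
    }

    @Override
    public Object getResource() {
        return this; // this class is the JAX-RS resource for the provider
    }

    @Override
    public void close() {
    }

    @POST
    @Path("register")
    @Consumes(MediaType.APPLICATION_JSON)
    public Response register(RegistrationRequest req) {
        if (req == null || req.username == null || req.username.isEmpty()
                || req.email == null || req.email.isEmpty()) {
            return Response.status(Response.Status.BAD_REQUEST).build();
        }
        RealmModel realm = session.getContext().getRealm();

        // Same status for "already exists" and "created" so the endpoint does not
        // become a username/e-mail enumeration oracle for anonymous callers.
        if (session.users().getUserByUsername(req.username, realm) != null
                || session.users().getUserByEmail(req.email, realm) != null) {
            return Response.status(Response.Status.ACCEPTED).build();
        }

        UserModel user = session.users().addUser(realm, req.username);
        user.setEnabled(true);
        user.setEmail(req.email);
        user.setEmailVerified(false);
        // Keycloak sends the verification e-mail and blocks login until the
        // address is verified; this replaces the admin client's send-verify-email.
        user.addRequiredAction(UserModel.RequiredAction.VERIFY_EMAIL);

        return Response.status(Response.Status.ACCEPTED).build();
    }

    /**
     * Factory; register its binary name
     * (com.example.keycloak.registration.RegistrationResourceProvider$Factory) in
     * META-INF/services/org.keycloak.services.resource.RealmResourceProviderFactory.
     */
    public static class Factory implements RealmResourceProviderFactory {
        @Override
        public String getId() {
            return "registration"; // assumed id; becomes the URL segment after the realm
        }

        @Override
        public RealmResourceProvider create(KeycloakSession session) {
            return new RegistrationResourceProvider(session);
        }

        @Override
        public void init(Config.Scope config) {
        }

        @Override
        public void postInit(KeycloakSessionFactory factory) {
        }

        @Override
        public void close() {
        }
    }
}
```

If the admin client is kept instead, the keycloak-admin-client jar and its RESTEasy dependencies must be packaged inside the provider deployment (for example with the Maven shade plugin), because the server will not supply them to the provider's class loader.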

Related

Send HTTP REST request from Keycloak X user storage SPI to an external API

We just started using the Keycloak X Quarkus distribution, and we have made a user storage and user federation SPI.
The problem we are facing now is that we are unable to configure our SPI in keycloak.properties to set up a REST client to send requests to an external Quarkus API.
Before moving to Keycloak X we used Unirest to send HTTP REST requests, but since we moved to the Quarkus distribution we started to use the quarkus-rest-client dependency (which we use in all of our Quarkus applications).
When we start up Keycloak X locally we get the following log:
Unrecognized configuration key "quarkus.rest-client."path-to-rest-client-class".url" was provided; it will be ignored; verify that the dependency extension for this configuration is set or that you did not make a typo
which indicates that Keycloak X is unable to use the following dependency:
<dependency>
<groupId>io.quarkus</groupId>
<artifactId>quarkus-rest-client</artifactId>
</dependency>
and is unable to convert the property quarkus.rest-client."path-to-rest-client-class".url in keycloak.properties to a Keycloak property behind the scenes.
We have looked at the Keycloak.X Server Configuration guide, which explains in detail the rules we should follow in order to write configurations in keycloak.properties, and it says that Keycloak should have a custom config property for each Quarkus property unless it is considered advanced usage and not a supported configuration.
So is there an equivalent config property for that? And what is the best way to send an HTTP request from a Quarkus-based user storage SPI to an external API?
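The log line above is Quarkus telling you that no extension consumed the quarkus.rest-client.* key: the Keycloak Quarkus distribution is built with a fixed set of extensions and only exposes its own configuration keys, so a REST client interface annotated for quarkus-rest-client is never wired up. The example below is added here and is not code from the question or from Keycloak. It relies on two things every provider already has: the server's shared, pooled Apache HttpClient, obtained through org.keycloak.connections.httpclient.HttpClientProvider, and the SPI options Keycloak does pass to a factory's init(Config.Scope). The option names `url` and `token`, the provider id, the package and the remote path are assumptions; how those option keys are spelled in the server configuration file depends on the Keycloak.X version (current Quarkus builds use the form spi-user-storage-<provider-id>-url). The UserLookupProvider methods, whose signatures changed between Keycloak.X releases, are not shown and would call fetchUserJson.

```java
package com.example.keycloak.storage; // assumed package name

import java.io.IOException;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;

import org.apache.http.client.methods.CloseableHttpResponse;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.util.EntityUtils;
import org.keycloak.Config;
import org.keycloak.component.ComponentModel;
import org.keycloak.connections.httpclient.HttpClientProvider;
import org.keycloak.models.KeycloakSession;
import org.keycloak.storage.UserStorageProvider;
import org.keycloak.storage.UserStorageProviderFactory;

/** User storage provider that looks users up in an external HTTP API. */
public class ExternalApiUserStorageProvider implements UserStorageProvider {

    private final KeycloakSession session;
    private final ComponentModel model;   // kept for building storage ids in lookup methods
    private final String baseUrl;
    private final String apiToken;

    public ExternalApiUserStorageProvider(KeycloakSession session, ComponentModel model,
                                          String baseUrl, String apiToken) {
        this.session = session;
        this.model = model;
        this.baseUrl = baseUrl;
        this.apiToken = apiToken;
    }

    /**
     * GET {baseUrl}/users/{username} (assumed remote path) and return the JSON
     * body, or null when the API answers 404. Any other status is an error, so a
     * failing backend is never mistaken for "user does not exist".
     */
    public String fetchUserJson(String username) throws IOException {
        String segment = URLEncoder.encode(username, StandardCharsets.UTF_8.name());
        HttpGet get = new HttpGet(baseUrl + "/users/" + segment);
        get.setHeader("Accept", "application/json");
        if (apiToken != null && !apiToken.isEmpty()) {
            get.setHeader("Authorization", "Bearer " + apiToken);
        }
        // The client belongs to Keycloak (pooled, with the server's TLS and
        // timeout settings): close only the response, never the client.
        try (CloseableHttpResponse resp =
                     session.getProvider(HttpClientProvider.class).getHttpClient().execute(get)) {
            int status = resp.getStatusLine().getStatusCode();
            if (status == 404) {
                return null;
            }
            if (status != 200) {
                throw new IOException("external user API returned HTTP " + status);
            }
            return EntityUtils.toString(resp.getEntity(), StandardCharsets.UTF_8);
        }
    }

    @Override
    public void close() {
    }

    /**
     * Factory; register its binary name in
     * META-INF/services/org.keycloak.storage.UserStorageProviderFactory.
     */
    public static class Factory implements UserStorageProviderFactory<ExternalApiUserStorageProvider> {
        public static final String PROVIDER_ID = "external-api"; // assumed provider id
        private String baseUrl;
        private String apiToken;

        @Override
        public String getId() {
            return PROVIDER_ID;
        }

        @Override
        public void init(Config.Scope config) {
            // Provider-level options Keycloak passes through (key names are assumptions).
            baseUrl = config.get("url", "http://localhost:8081");
            apiToken = config.get("token");
        }

        @Override
        public ExternalApiUserStorageProvider create(KeycloakSession session, ComponentModel model) {
            return new ExternalApiUserStorageProvider(session, model, baseUrl, apiToken);
        }
    }
}
```

Using the server's HttpClientProvider rather than a bundled client also means the outbound connection inherits the truststore, proxy and timeout settings configured for Keycloak itself, so a TLS setting fixed once for the server applies to this call too.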

Why is quarkus.oidc.credentials.secret being ignored?

I have a SPA (Vue.js) that communicates via REST with a Quarkus resource API.
I am using my own Keycloak for Authentication/Authorization.
In Keycloak I have two clients in my realm:
Client ID: frontend-client
Access Type: public
Standard Flow enabled
Client ID: backend-client
Access Type: bearer-only
Secret: mySecret
My application.properties for my Quarkus API:
quarkus.oidc.auth-server-url=https://localhost:8082/auth/realms/myrealm
#quarkus.oidc.client-id=backend-service
#quarkus.oidc.credentials.secret=mySecret
My SPA uses the Standard Flow to authenticate with Keycloak and then redirects to my app ✅
Then I can make requests to my API and everything works despite quarkus.oidc.client-id and quarkus.oidc.credentials.secret being commented out ! Why is that? It also works when those lines are not commented out but with false values. 😳
Why is Quarkus ignoring those lines, and, more importantly, why does it work?
UPDATE
Adding the dependency
<dependency>
<groupId>io.quarkus</groupId>
<artifactId>quarkus-keycloak-authorization</artifactId>
</dependency>
Allows me to add this to application.properties:
quarkus.keycloak.policy-enforcer.enable=true
It now leads to this error:
{"error":"invalid_client","error_description":"Bearer-only not allowed"}
But at least now the secret is not being ignored, and providing a wrong secret leads to the correct error.
Follow-up question: Why is bearer-only not allowed?
I'm guessing that because your Quarkus application uses a bearer-only client, it will only check the authenticity of the bearer token using the signature.
Since it will not make any call to Keycloak for additional verification, it will not use the client id and client secret in your properties.
You need to change the type of the client to confidential if you want Quarkus to use them.
By the way, in the Quarkus quickstart for protecting service applications, the Keycloak client is a confidential client, and bearer-only is set to false: https://github.com/quarkusio/quarkus-quickstarts/blob/main/security-openid-connect-quickstart/config/quarkus-realm.json#L395
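The answer's point, stated as configuration: a Quarkus service application validates the bearer token offline against the realm's published keys, so with application-type=service only auth-server-url is consumed and client-id/secret never leave the process, which is why wrong values go unnoticed. The consequence a practitioner should act on is that in this mode nothing ties a token to this particular API unless the audience is checked. The fragment below is an added example, not configuration from the question or from the Quarkus quickstart; the client ids and the secret placeholder are assumptions, and the policy-enforcer lines only work once the Keycloak client is switched from bearer-only to confidential with Authorization Enabled.

```properties
quarkus.oidc.auth-server-url=https://localhost:8082/auth/realms/myrealm
quarkus.oidc.application-type=service

# Without this, a token minted for any client of the realm (e.g. the public
# frontend-client) is accepted by signature alone. Requiring the API's own id
# in "aud" closes that; the Keycloak client needs an Audience mapper that adds
# backend-client to the token's aud claim.
quarkus.oidc.token.audience=backend-client

# Only needed for quarkus-keycloak-authorization: the policy enforcer calls
# Keycloak's authorization services as a client, so these are actually used
# and the Keycloak client must be confidential, not bearer-only.
quarkus.oidc.client-id=backend-client
quarkus.oidc.credentials.secret=${BACKEND_CLIENT_SECRET}
quarkus.keycloak.policy-enforcer.enable=true
```

The secret is read from an environment variable rather than committed in application.properties; with the policy enforcer enabled a wrong value now fails loudly, as the question's update already observed.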

Authentication of REST services not working with jBPM (KIE Server and Business Central) and Keycloak

I am studying jBPM (KIE Server and Business Central) and Keycloak. In isolation, I managed to run all of this software successfully. However, when I try to integrate them, user authentication on the website works (the Keycloak login page to access the Business Central site), but the authentication of the REST service calls, both from the KIE Server and from Business Central, stops working (unauthorized), and the KIE Server is unable to synchronize with its Controller (Business Central).
Below are more details on the subject.
I have been searching for a few days for a solution to the problem but without success.
Although I have already consulted this excellent site, this is my first question and I do not have much reference on which files are recommended to attach to a question. If you need a specific file, please let me know and I will attach it.
I appreciate any help.
Notes (useful information) about the environment and the problems encountered:
Only one WildFly 20.0.1 environment (server), hosting KIE Server 7.43.1.Final, Business Central 7.43.1.Final and Keycloak 11.0.2 with the Keycloak adapter installed, on Windows 10.
In Keycloak, a realm was created with the name VHLLEmpresaRealm and 2 clients (applications):
VHLLEmpresaKIEServer: with public access.
VHLLEmpresaBusinessCentral: with confidential access.
In Keycloak, the user kieserver with password kieserver1! was created and assigned various roles (both realm and client roles), among them: admin, rest-all, kie-server, kiemgmt and user.
Authentication with the kieserver user and password on the Business Central website works properly, integrated with Keycloak (Keycloak login page). Authentication with Google (social login) works properly.
Business Central configured to show and manage the users registered in the Keycloak.
Problems observed:
When starting the WildFly server, the KIE Server is unable to synchronize with the Controller (Business Central) (see the startup log, Doc 06). The attempt below is repeated several times at startup without success, followed by a NullPointerException; the relevant lines are copied below:
17:13:30,057 INFO [org.kie.server.controller.websocket.client.WebSocketKieServerControllerImpl] (KieServer-ControllerConnect) Kie Server points to non Web Socket controller 'http://localhost:8080/business-central/rest/controller', using default REST mechanism
17:13:30,214 ERROR [org.keycloak.services.error.KeycloakErrorHandler] (default task-6) Uncaught server error: java.lang.NullPointerException
at org.keycloak.storage.StorageId.isLocalStorage(StorageId.java:77)
at org.keycloak.credential.UserCredentialStoreManager.getStoreForUser(UserCredentialStoreManager.java:54)
...
17:13:30,214 WARN [org.kie.server.services.impl.controller.DefaultRestControllerImpl] (KieServer-ControllerConnect) Exception encountered while syncing with controller at http://localhost:8080/business-central/rest/controller/server/wildfly-kieserver error Error while sending PUT request to http://localhost:8080/business-central/rest/controller/server/wildfly-kieserver response code 401
Link to complete file:
https://drive.google.com/file/d/1kr47ap9frsCQB8oyQE2dEm2gfl7__s0G/view?usp=sharing
On the Business Central website, on the Deployments page (which also shows the servers), the KIE Server does not appear as available (see Doc 07).
Link to complete file:
https://drive.google.com/file/d/1lKiCZdOp7yRvHibfgJ8ZOE_dZIAnkE6U/view?usp=sharing
In the CURL command to access the Business Central REST services, even though the kieserver user and password are passed, the response is Unauthorized (see Doc 08).
COMMAND: curl -X GET http://kieserver:kieserver1!@localhost:8080/business-central/rest/repositories -v
RESPONSE: Error Unauthorized
Link to complete file:
https://drive.google.com/file/d/1V_CH_hiTkhLh-AtgRvP0YkZ3afwBc4tZ/view?usp=sharing
Other Files:
Wildfly Settings - STANDALONE-FULL.XML
https://drive.google.com/file/d/1f0xvRDPiId1RymZkMGIUaIMB_EuGpbud/view?usp=sharing
I'm not sure if this is the correct way to solve the problem, but after continuing my studies and research for a few more days, using the CURL command below to call a Business Central service, I obtained the access token and, through the website jwt.io, noticed in the content of this token that the audience (aud) field was not filled in with the Keycloak client ID that requested the token.
curl -d "grant_type=password" -d "client_id=VHLLEmpresaBusinessCentral" -d "client_secret=020c8841-50ee-437e-af16-XXXXXXXX" -d "username=kieserver" -d "password=kieserverXXXXX" -d "scope=VHLLEmpresaEscopo" http://localhost:8180/auth/realms/VHLLEmpresaRealm/protocol/openid-connect/token
So I created a Client Scope, created an Audience mapper to add the client's own ID, and associated this Client Scope with the corresponding client.
The second change that was necessary was to override the Direct Grant Flow with the "direct grant" value for each client involved.
With the two changes above, the synchronization between KIE Server and Business Central works again.
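The self-answer diagnosed the missing aud claim by pasting the access token into jwt.io. That token was obtained with the password grant for a user holding admin and rest-all roles, so sending it to a third-party site is something to avoid on anything but a throwaway realm. The helper below is an added example, not code from the question or the answer: it performs the same inspection offline with Jackson, decoding only the payload segment and deliberately not verifying the signature (enough for reading claims, never for accepting a token), and normalises aud, which may be absent, a single string or an array. The two sample tokens are constructed inline with an alg=none header to mirror the before/after state described in the answer; the client id is the one from the curl command, and jackson-databind on the classpath is assumed.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.Base64;
import java.util.List;

import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;

/** Offline inspection of a JWT's audience claim; no signature verification. */
public final class TokenAudienceCheck {

    private static final ObjectMapper MAPPER = new ObjectMapper();

    /** Decode the payload (second dot-separated segment) of a JWT. */
    public static JsonNode payload(String jwt) throws IOException {
        String[] parts = jwt.split("\\.");
        if (parts.length < 2) {
            throw new IllegalArgumentException("not a JWT: expected header.payload.signature");
        }
        // JWT segments are base64url without padding; Java's decoder accepts that.
        byte[] json = Base64.getUrlDecoder().decode(parts[1]);
        return MAPPER.readTree(json);
    }

    /** "aud" may be missing, a single string or an array; return it as a list. */
    public static List<String> audiences(JsonNode payload) {
        List<String> out = new ArrayList<>();
        JsonNode aud = payload.get("aud");
        if (aud == null || aud.isNull()) {
            return out;
        }
        if (aud.isArray()) {
            aud.forEach(n -> out.add(n.asText()));
        } else {
            out.add(aud.asText());
        }
        return out;
    }

    /** True when the token names the given client id in its audience. */
    public static boolean isForClient(String jwt, String clientId) throws IOException {
        return audiences(payload(jwt)).contains(clientId);
    }

    /** Constructed sample: unsigned (alg=none) token with the given payload JSON. */
    static String unsignedToken(String payloadJson) {
        Base64.Encoder enc = Base64.getUrlEncoder().withoutPadding();
        String header = enc.encodeToString(
                "{\"alg\":\"none\",\"typ\":\"JWT\"}".getBytes(StandardCharsets.UTF_8));
        String body = enc.encodeToString(payloadJson.getBytes(StandardCharsets.UTF_8));
        return header + "." + body + ".";
    }

    public static void main(String[] args) throws IOException {
        String client = "VHLLEmpresaBusinessCentral";
        String issuer = "http://localhost:8180/auth/realms/VHLLEmpresaRealm";

        // Before the Audience mapper: azp is set but aud is absent, as seen in the answer.
        String before = unsignedToken("{\"iss\":\"" + issuer + "\",\"azp\":\"" + client
                + "\",\"preferred_username\":\"kieserver\"}");
        // After the mapper: aud carries the client's own id.
        String after = unsignedToken("{\"iss\":\"" + issuer + "\",\"azp\":\"" + client
                + "\",\"aud\":[\"" + client + "\",\"account\"]}");

        System.out.println("before audience mapper: " + isForClient(before, client));
        System.out.println("after audience mapper:  " + isForClient(after, client));
        // A real token can be passed as the first argument instead.
        if (args.length > 0) {
            System.out.println("supplied token aud: " + audiences(payload(args[0])));
        }
    }
}
```

Run it with the token from the curl command as the first argument to see the aud list without the token leaving the machine; an adapter that checks the audience will reject a token whose list does not contain its own client id, which is the 401 the question observed.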

WSO2 API Manager - How to proxy a SOAP service that has basic auth

Using the WSO2 API Manager, I cannot publish an existing SOAP service that has basic auth (on the back end). The publisher interface lets you insert the WSDL location, but obviously it requires basic auth (in fact I have a 401 error in the log).
I tried to put the username and password in the URL, like https://username:pwd@server..., but it does not work.
Thank you

ADFS 3.0 - Error - No strong authentication method found for the request

What could be the possible reason behind the error:
No strong authentication method found for the request.
Stack:
Encountered error during federation passive request.
Protocol Name:
Saml
Relying Party:
http://testfs/adfs/services/trust
Exception details:
Microsoft.IdentityServer.RequestFailedException: No strong authentication method found for the request from http://testfs/adfs/services/trust.
at Microsoft.IdentityServer.Web.PassiveProtocolListener.CheckAuthenticationOptionsForMethods(ProtocolContext context, List`1 authMethods)
at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)
ADFS is properly set up with the global authentication methods as follows:
Extranet: Forms Authentication
Intranet: Windows Authentication
The error comes while accessing the following url:
https://testfs/adfs/ls/IdpInitiatedSignon.aspx
Note: This happens when multi-factor authentication is enabled. The MFA module is custom made, from https://adfsmfa.codeplex.com
Any sort of help will be much appreciated.
The issue happened in the constructor: creating an event source needs special permission, and the service account for ADFS does not have this permission.
// Registering a new event source writes under HKLM\SYSTEM\CurrentControlSet\Services\EventLog,
// which the unprivileged ADFS service account is not allowed to do.
if (!EventLog.SourceExists(this.EventLogSource))
    EventLog.CreateEventSource(this.EventLogSource, this.EventLogGroup);
I removed these 2 lines and create the event source in a separate application (think about doing it at install time).