I'm attempting to use a JWKS endpoint to supply a public key for verifying a JWT signature. In my application.properties, I've set the following:
mp.jwt.verify.publickey.location = http://localhost:1080/jwks
It appears that this is indeed being used:
2019-08-17 18:02:28,593 DEBUG [io.sma.jwt.con.JWTAuthContextInfoProvider] (executor-thread-1) init, mpJwtPublicKey=NONE, mpJwtIssuer=NONE, mpJwtLocation=http://localhost:1080/jwks
2019-08-17 18:02:28,599 DEBUG [io.sma.jwt.aut.AbstractBearerTokenExtractor] (executor-thread-1) tokenHeaderName = Authorization
2019-08-17 18:02:28,643 DEBUG [io.qua.sma.jwt.run.aut.JwtIdentityManager] (executor-thread-1) verify, id=null, credential=io.quarkus.smallrye.jwt.runtime.auth.JWTCredential#780ca7ed
2019-08-17 18:02:28,719 DEBUG [io.sma.jwt.aut.pri.KeyLocationResolver] (executor-thread-1) Trying location as JWK(S)...
When attempting a request to an endpoint in this app, it crashes with:
2019-08-17 18:02:29,048 WARN [io.sma.jwt.aut.pri.DefaultJWTTokenParser] (executor-thread-1) Token is invalid: JWT (claims->{"identityType":"user","authorities":[],"accountId":"0812081208","userId":"ybx8912jq59","iat":1566086374,"exp":1566089974}) rejected due to invalid claims. Additional details: [[17] Unexpected exception thrown from validator org.jose4j.jwt.consumer.IssValidator: java.lang.NullPointerException at org.jose4j.jwt.consumer.IssValidator.expectedValue(IssValidator.java:72); org.jose4j.jwt.consumer.IssValidator.validate(IssValidator.java:59); ...omitted...]
2019-08-17 18:02:29,050 DEBUG [io.qua.sma.jwt.run.aut.JwtIdentityManager] (executor-thread-1) failed, id=null, credential=io.quarkus.smallrye.jwt.runtime.auth.JWTCredential#780ca7ed: org.wildfly.security.auth.server.RealmUnavailableException: Failed to verify token
at io.quarkus.smallrye.jwt.runtime.auth.MpJwtValidator.validateClaimsSet(MpJwtValidator.java:44)
The best I can understand from this stack trace is that id=null might be a problem? I have nothing else to go on here, as I can confirm that this JWT is valid: I'm the one who generated it, and it can be validated via other apps.
I do not have access to add other fields/values to this JWT as I don't own the auth system. Is there any way I can get around this?
The NPE from IssValidator suggests you are probably running into this: https://bitbucket.org/b_c/jose4j/issues/135/issvalidator-throws-nullpointerexception, which means your token needs an issuer (iss) claim, or the JWT consumer must not be set to require an iss claim, i.e. by not using any of the setExpectedIssuer[s] methods on the builder.
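To make the two halves of that answer concrete, here is an added example (not code from the question, the answer, or SmallRye JWT/jose4j): a small verifier in Python that does what KeyLocationResolver and the claim validators do, with the standard library only. It assumes a constructed JWKS containing a symmetric "oct" key, so that it runs offline; an MP-JWT deployment would publish RSA or EC keys and use an asymmetric algorithm. The signing helper stands in for the auth system the asker cannot change. The point it shows is the consumer-side choice: with no expected issuer configured, a token that has no iss claim is accepted; with one configured, a missing or wrong iss is a clean rejection rather than a NullPointerException. It also pins the algorithm instead of trusting the token header, which any JWKS-backed verifier should do.

```python
import base64
import hashlib
import hmac
import json
import time


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


# Constructed JWKS (not a real endpoint) using a symmetric "oct" key so the
# example runs offline; an MP-JWT deployment would publish RSA or EC keys.
JWKS = {
    "keys": [
        {
            "kty": "oct",
            "kid": "auth-2019-08",
            "alg": "HS256",
            "k": b64url_encode(b"constructed-demo-secret-do-not-reuse"),
        }
    ]
}


class TokenInvalid(Exception):
    """Raised for any verification failure (stands in for jose4j's InvalidJwtException)."""


def sign_hs256(claims: dict, key: bytes, kid: str) -> str:
    """Mint a compact JWS; stands in for the auth system the question cannot change."""
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    enc = lambda obj: b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = enc(header) + "." + enc(claims)
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify(token: str, jwks: dict, expected_issuer=None, now=None) -> dict:
    """Verify the signature against the JWKS, then validate claims.

    expected_issuer=None mirrors a consumer built without setExpectedIssuer(s):
    a token with no iss claim is accepted. With an issuer configured, a missing
    or different iss is a clean rejection, not a NullPointerException.
    """
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenInvalid("malformed compact serialization")
    h, p, s = parts
    header = json.loads(b64url_decode(h))
    # Pin the algorithm: never let the token header pick "none" or a key family
    # other than the one the JWKS actually holds.
    if header.get("alg") != "HS256":
        raise TokenInvalid("unsupported alg %r" % header.get("alg"))
    # Key lookup by kid, the job KeyLocationResolver does against the JWKS URL.
    key = next(
        (k for k in jwks["keys"]
         if k.get("kty") == "oct" and k.get("kid") == header.get("kid")),
        None,
    )
    if key is None:
        raise TokenInvalid("no JWKS key for kid %r" % header.get("kid"))
    expected_sig = hmac.new(b64url_decode(key["k"]), (h + "." + p).encode("ascii"),
                            hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, b64url_decode(s)):
        raise TokenInvalid("signature does not verify")
    claims = json.loads(b64url_decode(p))
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now >= exp:
        raise TokenInvalid("token expired or exp missing")
    if expected_issuer is not None and claims.get("iss") != expected_issuer:
        raise TokenInvalid("iss %r does not match expected %r"
                           % (claims.get("iss"), expected_issuer))
    return claims


if __name__ == "__main__":
    key = b64url_decode(JWKS["keys"][0]["k"])
    # Same claim shape as the rejected token in the question: no iss claim.
    tok = sign_hs256({"identityType": "user", "userId": "ybx8912jq59",
                      "iat": 1566086374, "exp": 1566089974}, key, "auth-2019-08")
    print(verify(tok, JWKS, now=1566086400))  # accepted: no issuer required
    try:
        verify(tok, JWKS, expected_issuer="https://auth.example", now=1566086400)
    except TokenInvalid as err:
        print("rejected:", err)  # clean rejection instead of an NPE
```

If you do drop the issuer check because the token cannot be changed, the JWKS location becomes the only thing binding accepted tokens to one trusted issuer, so keep that URL fixed to the single auth system (and fetched over TLS outside local development) and keep the algorithm pinned; note that the MP-JWT specification itself treats iss as a required claim.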
Related
I am running Keycloak 19.0.2 in dev mode. When trying to log in to Microsoft from Keycloak (SSO) using the OAuth2 flow, I get a 502 error in the browser on the callback to Keycloak. The code param has a strange value also.
I believe it has something to do with user permissions, but I can clearly see I have defined them.
The callback to the Keycloak server throws a 502 error and has strange values in the code params.
The Keycloak server errors with the following logs:
2022-10-17 13:08:46,517 ERROR [org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider] (executor-thread-42) Failed to make identity provider oauth callback: org.keycloak.broker.provider.IdentityBrokerException: Could not obtain user profile from Microsoft Graph
2022-10-17 13:08:46,542 WARN [org.keycloak.events] (executor-thread-42) type=IDENTITY_PROVIDER_LOGIN_ERROR, realmId=8ca06b23-d544-4464-a3bf-448be5308802, clientId=recruit-api, userId=null, ipAddress=127.0.0.1, error=identity_provider_login_failure, code_id=62aaf7bf-9c08-4c88-a7c3-e6f7af282de1, authSessionParentId=62aaf7bf-9c08-4c88-a7c3-e6f7af282de1, authSessionTabId=WjArYJ99WyM
I have enabled JWT auth on my dev Vault instance:
vault auth enable jwt
Success! Enabled jwt auth method at: jwt/
However, when I try to configure the jwks_url for the JWT auth method, I get the following error:
➜ vault write auth/jwt/config jwks_url="<jwks_url>"
Error writing data to auth/jwt/config: Error making API request.
URL: PUT http://127.0.0.1:8200/v1/auth/jwt/config
Code: 400. Errors:
* error checking jwks URL: fetching keys oidc: get keys failed: 400 Bad Request Accept header is missing
Any idea what I might be doing wrong?
I have two Keycloak instances, A is an IdP for B. From the login screen of B, this works as it should.
However, I can't get IdP-initiated SSO from A to B to work. I filled the "IDP Initiated SSO URL Name" field with a name (say "bbbbb") in A.
When I try to navigate to: http://aaaaa/auth/realms/his/protocol/saml/clients/bbbbb
I always end up with the following logging:
22:42:02,993 DEBUG [org.keycloak.services] (default task-23) Authorization code is not valid. Code: null
22:42:02,994 WARN [org.keycloak.events] (default task-23) type=IDENTITY_PROVIDER_LOGIN_ERROR, realmId=master, clientId=null, userId=null, ipAddress=127.0.0.1, error=staleCodeMessage
22:42:02,994 ERROR [org.keycloak.services] (default task-23) staleCodeMessage
Which in itself is not surprising, because indeed there is no authorization code in play here, but that's the whole idea of IdP-initiated SSO, no?
What must I do to get this to work?
Thanks in advance!
I faced the same issue, this happens if you use the same realm name in both Keycloak instances.
We are trying to integrate Keycloak and an external IdP using the SAML protocol.
After the Keycloak and SAML configuration, we tried to test it. Keycloak is able to initiate a call to the IdP, and the IdP returns a successful SAML response with the requested NameID. But Keycloak is throwing an invalid destination error. Can anyone please help here?
19:13:30,964 WARN [org.keycloak.events] (default task-2) type=IDENTITY_PROVIDER_RESPONSE_ERROR, realmId=XXX, clientId=null, userId=null, ipAddress=XXXX, error=invalid_saml_response, reason=invalid_destination
After I invoke single logout (SLO) by calling GET on https://[PingFederate Server Instance]:[Port]/sp/startSLO.ping, my PingFederate server begins making requests to my SP logout services. [I know this because I can see it happening in Fiddler.]
But when one of my SPs invokes "https://<PingFederate DNS>:XXXX" + request.getParameter("resume"); (per Scott T.'s answer here), I get an error message:
Error - Single Logout Nonsuccess Response status: urn:oasis:names:tc:SAML:2.0:status:Requester Status Message: Invalid signature
Your Single Logout request did not complete successfully. To logout out of your Identity Provider and each Service Provider, close all your browser windows.
Partner: XXXX:IDP
Target Resource: http://<domain>/<default SLO endpoint>
My Questions:
What is this error message referring to?
How can I resolve this error condition?
This error is likely due to a mismatch in configuration between the IdP and SP. The signing key/certificate used for SAML messages at one end must match the verification certificate at the other end. Check the Credentials configuration on your connection for both the IdP and the SP. See this section in the PingFederate Administration Guide for some details.