Keycloak / KEYCLOAK-10452

Java Keycloak Adapter 6 + Wildfly 16 returning 401

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Blocker
    • Resolution: Explained
    • Affects Version/s: 6.0.1
    • Fix Version/s: 4.8.3.Final
    • Labels:
      None
    • Environment:

      WildFly 16.0.0.Final
      Linux Mint 19
      Java adapter 6.0.1
      OpenJDK 11
      Frontend Angular 7
      Keycloak 4.8.3 / 6.0.1

    • Steps to Reproduce:
      download wildfly 16.0.0.Final;
      download and install keycloak-wildfly-adapter-dist-6.0.1 according to keycloak online docs;

      web.xml config:
      <web-app xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
               xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
               version="3.0">
        ...
        <security-constraint>
          <web-resource-collection>
            <web-resource-name>my-module-api</web-resource-name>
            <url-pattern>/rest/external/secure/*</url-pattern>
            <url-pattern>/rest/internal/secure/*</url-pattern>
          </web-resource-collection>
          <auth-constraint>
            <role-name>*</role-name>
          </auth-constraint>
          <user-data-constraint>
            <transport-guarantee>NONE</transport-guarantee>
          </user-data-constraint>
        </security-constraint>

        <security-constraint>
          <web-resource-collection>
            <web-resource-name>public</web-resource-name>
            <url-pattern>/*</url-pattern>
          </web-resource-collection>
          <!-- OMIT auth-constraint -->
        </security-constraint>

        <login-config>
          <auth-method>KEYCLOAK</auth-method>
          <realm-name>my-realm</realm-name>
        </login-config>
        <security-role>
          <role-name>*</role-name>
        </security-role>

      </web-app>
    • Release Notes Text:
      Starting with 4.5, the Access Token Signature Algorithm and ID Token Signature Algorithm no longer default to RSA256. That means you have to set the algorithms in your client.
    • Docs QE Status:
      NEW
    • QE Status:
      NEW

      Description

      The frontend redirects to login and negotiates successfully, but the obtained token isn't valid for the backend, according to the Java adapter.

      request:
      curl 'http://localhost:8080/my-api/rest/internal/secure/my-method?id=207e89ec-6ee6-4b34-b2cc-7a34b12095fc' -H 'Accept: application/json, text/plain, */*' -H 'Referer: http://localhost:4200/' -H 'Origin: http://localhost:4200' -H 'User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.103 Safari/537.36' -H 'Authorization: Bearer eyJhbGciOiJSUzI...g3GRTw5ArIUZyrtnIQSeYjMsDrQ' --compressed

      and the response:
      <html><head><title>Error</title></head><body>Unauthorized</body></html>

      PS: Importing the same realm in a 4.4 Keycloak, using the same WildFly 16 + adapter 6, it works perfectly. Also, if I use the token against the SSO API directly, it also works just fine. The problem seems to occur when I use an installation after Keycloak 4.4 (tested with 4.8.3 and 6.0.1).
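
The release note above ties the 401 to the token signature algorithm, so a first diagnostic step is to read the `alg` and `kid` that the bearer token actually carries and compare them with what the resource server is set up to accept. The following Python is an added example, not code from the report or from the Keycloak project; the expected algorithm, the issuer URL and both sample tokens are assumptions constructed for illustration.

```python
import base64
import json
import time


def b64url_json(segment):
    """Decode one base64url JWT segment (padding restored) into a dict."""
    padded = segment + "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def triage_bearer(token, expected_alg="RS256", expected_iss=None, now=None):
    """Return (header, claims, findings) WITHOUT verifying the signature; diagnostic only."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected 3 dot-separated segments")
    header, claims = b64url_json(parts[0]), b64url_json(parts[1])
    now = time.time() if now is None else now
    findings = []
    alg = header.get("alg")
    if alg is None or alg.lower() == "none":
        findings.append("token is unsigned or has no alg header")
    elif alg != expected_alg:
        findings.append(f"alg is {alg}, resource server expects {expected_alg}")
    if "kid" not in header:
        findings.append("no kid header to select a verification key")
    if expected_iss and claims.get("iss") != expected_iss:
        findings.append(f"iss is {claims.get('iss')!r}, expected {expected_iss!r}")
    if "exp" in claims and claims["exp"] <= now:
        findings.append("token is expired")
    return header, claims, findings


def make_token(header, claims):
    """Build a constructed sample token; the signature segment is a dummy."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc(header)}.{enc(claims)}.c2lnbmF0dXJl"


# Constructed samples (not the token from the report, which is truncated there).
ISS = "http://localhost:8180/auth/realms/my-realm"  # assumed issuer URL
GOOD = make_token({"alg": "RS256", "typ": "JWT", "kid": "sample-key-1"},
                  {"iss": ISS, "exp": 2_000_000_000})
CHANGED = make_token({"alg": "ES256", "typ": "JWT", "kid": "sample-key-2"},
                     {"iss": ISS, "exp": 2_000_000_000})

if __name__ == "__main__":
    for name, tok in (("GOOD", GOOD), ("CHANGED", CHANGED)):
        print(name, triage_bearer(tok, expected_iss=ISS, now=1_560_000_000)[2])
```

The decoded header and claims are unverified input and are only suitable for troubleshooting; access decisions stay with the adapter's signature check.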

              People

              • Assignee:
                Unassigned
                Reporter:
                alexgv Alex Vasconcelos