Reposoft / openidc-keycloak-test

zmartzone/mod_auth_openidc and keycloak combined - self hosted cloud auth

Upgrade Keycloak to 2.3+ #6

Closed (solsson closed this 7 years ago)

solsson commented 7 years ago

Time to try the new (and improved?) Keycloak.

solsson commented 7 years ago

First attempt. With the same Apache conf and the same realm files imported as in 1.9.8, you get an error page and the logs say:

openidc_1         | 172.27.0.1 - - [26/Oct/2016:11:47:57 +0000] "GET /protected HTTP/1.1" 302 481 "http://openidc/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:49.0) Gecko/20100101 Firefox/49.0"
openidc_1         | 172.27.0.1 - - [26/Oct/2016:11:48:01 +0000] "GET /protected/redirect_uri?state=uuSMXPdvoNpwoJrmNeA_kS8Mg5c&code=DnkfFUaKOf4Qwdo7zek-aVa5LgWa64yKwOzoNVsqaCM.1c59b4c2-e27e-4031-992f-d6ca6d372649 HTTP/1.1" 200 335 "http://keycloak:8080/auth/realms/Testrealm/protocol/openid-connect/auth?response_type=code&scope=openid%20email&client_id=testclient&state=uuSMXPdvoNpwoJrmNeA_kS8Mg5c&redirect_uri=http%3A%2F%2Fopenidc%2Fprotected%2Fredirect_uri&nonce=pQh_OzbTLAQ_tFEN9vVYFYzehjqZETgKFMOlZoU81_Y" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:49.0) Gecko/20100101 Firefox/49.0"
openidc_1         | [Wed Oct 26 11:48:01.749069 2016] [auth_openidc:error] [pid 8:tid 140259422025472] [client 172.27.0.1:56364] oidc_proto_token_endpoint_request: no private keys have been configured to use for private_key_jwt client authentication (OIDCPrivateKeyFiles), referer: http://keycloak:8080/auth/realms/Testrealm/protocol/openid-connect/auth?response_type=code&scope=openid%20email&client_id=testclient&state=uuSMXPdvoNpwoJrmNeA_kS8Mg5c&redirect_uri=http%3A%2F%2Fopenidc%2Fprotected%2Fredirect_uri&nonce=pQh_OzbTLAQ_tFEN9vVYFYzehjqZETgKFMOlZoU81_Y
openidc_1         | [Wed Oct 26 11:48:01.749107 2016] [auth_openidc:error] [pid 8:tid 140259422025472] [client 172.27.0.1:56364] oidc_proto_resolve_code_and_validate_response: failed to resolve the code, referer: http://keycloak:8080/auth/realms/Testrealm/protocol/openid-connect/auth?response_type=code&scope=openid%20email&client_id=testclient&state=uuSMXPdvoNpwoJrmNeA_kS8Mg5c&redirect_uri=http%3A%2F%2Fopenidc%2Fprotected%2Fredirect_uri&nonce=pQh_OzbTLAQ_tFEN9vVYFYzehjqZETgKFMOlZoU81_Y
openidc_1         | 172.27.0.1 - - [26/Oct/2016:11:49:06 +0000] "GET /protected/ HTTP/1.1" 302 481 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:49.0) Gecko/20100101 Firefox/49.0"
openidc_1         | [Wed Oct 26 11:49:06.853038 2016] [auth_openidc:error] [pid 11:tid 140259447203584] [client 172.27.0.1:56370] oidc_proto_token_endpoint_request: no private keys have been configured to use for private_key_jwt client authentication (OIDCPrivateKeyFiles)
openidc_1         | [Wed Oct 26 11:49:06.853096 2016] [auth_openidc:error] [pid 11:tid 140259447203584] [client 172.27.0.1:56370] oidc_proto_resolve_code_and_validate_response: failed to resolve the code
openidc_1         | 172.27.0.1 - - [26/Oct/2016:11:49:06 +0000] "GET /protected/redirect_uri?state=H_aW1yJaj9-Dssra5Bei98uRs20&code=s_41U0lDMu6qYUHJTGKVHUJRNF-o7-c_VobeSdvDUgM.1e044022-99f5-4a7a-b031-154e17c451c7 HTTP/1.1" 200 335 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:49.0) Gecko/20100101 Firefox/49.0"
openidc_1         | [Wed Oct 26 11:49:08.740707 2016] [auth_openidc:error] [pid 11:tid 140259438810880] [client 172.27.0.1:56370] oidc_restore_proto_state: no "mod_auth_openidc_state_H_aW1yJaj9-Dssra5Bei98uRs20" state cookie found
openidc_1         | [Wed Oct 26 11:49:08.740834 2016] [auth_openidc:error] [pid 11:tid 140259438810880] [client 172.27.0.1:56370] oidc_unsolicited_proto_state: could not parse JWT from state: invalid unsolicited response: [src/jose.c:723: oidc_jwt_parse]: cjose_jws_import failed: invalid argument [file: jws.c, function: cjose_jws_import, line: 864]\n\n
openidc_1         | [Wed Oct 26 11:49:08.740861 2016] [auth_openidc:error] [pid 11:tid 140259438810880] [client 172.27.0.1:56370] oidc_authorization_response_match_state: unable to restore state
openidc_1         | [Wed Oct 26 11:49:08.740909 2016] [auth_openidc:error] [pid 11:tid 140259438810880] [client 172.27.0.1:56370] oidc_handle_authorization_response: invalid authorization response state and no default SSO URL is set, sending an error...
openidc_1         | 172.27.0.1 - - [26/Oct/2016:11:49:08 +0000] "GET /protected/redirect_uri?state=H_aW1yJaj9-Dssra5Bei98uRs20&code=s_41U0lDMu6qYUHJTGKVHUJRNF-o7-c_VobeSdvDUgM.1e044022-99f5-4a7a-b031-154e17c451c7 HTTP/1.1" 500 532 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:49.0) Gecko/20100101 Firefox/49.0"
solsson commented 7 years ago

Logs from all containers, with keycloak database kept (and upgraded) from 1.9.8:

keycloak_1        | 12:07:45,134 INFO  [org.jboss.as] (Controller Boot Thread) WFLYSRV0025: Keycloak 2.3.0.Final (WildFly Core 2.0.10.Final) started in 12758ms - Started 427 of 801 services (542 services are lazy, passive or on-demand)
keycloak_1        | 12:07:52,877 WARN  [org.keycloak.keys.DefaultKeyManager] (default task-10) KID is null, can't find public key
postgres_1        | ERROR:  duplicate key value violates unique constraint "constraint_4a"
postgres_1        | DETAIL:  Key (id)=(Testrealm) already exists.
postgres_1        | STATEMENT:  insert into REALM (ACCESS_CODE_LIFESPAN, LOGIN_LIFESPAN, USER_ACTION_LIFESPAN, ACCESS_TOKEN_LIFESPAN, ACCESS_TOKEN_LIFE_IMPLICIT, ACCOUNT_THEME, ADMIN_EVENTS_DETAILS_ENABLED, ADMIN_EVENTS_ENABLED, ADMIN_THEME, BROWSER_FLOW, CLIENT_AUTH_FLOW, DEFAULT_LOCALE, DIRECT_GRANT_FLOW, EDIT_USERNAME_ALLOWED, EMAIL_THEME, ENABLED, EVENTS_ENABLED, EVENTS_EXPIRATION, INTERNATIONALIZATION_ENABLED, LOGIN_THEME, MASTER_ADMIN_CLIENT, NAME, NOT_BEFORE, OFFLINE_SESSION_IDLE_TIMEOUT, OTP_POLICY_ALG, OTP_POLICY_DIGITS, OTP_POLICY_COUNTER, OTP_POLICY_WINDOW, OTP_POLICY_PERIOD, OTP_POLICY_TYPE, PASSWORD_POLICY, REGISTRATION_ALLOWED, REG_EMAIL_AS_USERNAME, REGISTRATION_FLOW, REMEMBER_ME, RESET_CREDENTIALS_FLOW, RESET_PASSWORD_ALLOWED, REVOKE_REFRESH_TOKEN, SSL_REQUIRED, SSO_IDLE_TIMEOUT, SSO_MAX_LIFESPAN, VERIFY_EMAIL, ID) values ($1, $2, $3, $4, $5, $6, $7, $8, $9, $10, $11, $12, $13, $14, $15, $16, $17, $18, $19, $20, $21, $22, $23, $24, $25, $26, $27, $28, $29, $30, $31, $32, $33, $34, $35, $36, $37, $38, $39, $40, $41, $42, $43)
keycloak_1        | 12:08:13,761 WARN  [org.hibernate.engine.jdbc.spi.SqlExceptionHelper] (default task-25) SQL Error: 0, SQLState: 23505
keycloak_1        | 12:08:13,762 ERROR [org.hibernate.engine.jdbc.spi.SqlExceptionHelper] (default task-25) ERROR: duplicate key value violates unique constraint "constraint_4a"
keycloak_1        |   Detail: Key (id)=(Testrealm) already exists.
keycloak_1        | 12:08:13,763 INFO  [org.hibernate.engine.jdbc.batch.internal.AbstractBatchImpl] (default task-25) HHH000010: On release of batch it still contained JDBC statements
openidc_1         | 172.27.0.1 - - [26/Oct/2016:12:08:32 +0000] "GET / HTTP/1.1" 304 - "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:49.0) Gecko/20100101 Firefox/49.0"
openidc_1         | 172.27.0.1 - - [26/Oct/2016:12:08:32 +0000] "GET /style.css HTTP/1.1" 304 - "http://openidc/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:49.0) Gecko/20100101 Firefox/49.0"
openidc_1         | 172.27.0.1 - - [26/Oct/2016:12:08:34 +0000] "GET / HTTP/1.1" 304 - "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:49.0) Gecko/20100101 Firefox/49.0"
openidc_1         | 172.27.0.1 - - [26/Oct/2016:12:08:34 +0000] "GET /style.css HTTP/1.1" 304 - "http://openidc/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:49.0) Gecko/20100101 Firefox/49.0"
openidc_1         | 172.27.0.1 - - [26/Oct/2016:12:08:50 +0000] "GET / HTTP/1.1" 304 - "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:49.0) Gecko/20100101 Firefox/49.0"
openidc_1         | 172.27.0.1 - - [26/Oct/2016:12:08:50 +0000] "GET /style.css HTTP/1.1" 304 - "http://openidc/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:49.0) Gecko/20100101 Firefox/49.0"
openidc_1         | 172.27.0.1 - - [26/Oct/2016:12:09:17 +0000] "GET /protected/ HTTP/1.1" 302 481 "http://openidc/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:49.0) Gecko/20100101 Firefox/49.0"
keycloak_1        | 12:09:17,230 WARN  [org.keycloak.keys.DefaultKeyManager] (default task-59) KID is null, can't find public key
openidc_1         | [Wed Oct 26 12:09:21.638849 2016] [auth_openidc:error] [pid 13:tid 140647688300288] [client 172.27.0.1:56570] oidc_proto_token_endpoint_request: no private keys have been configured to use for private_key_jwt client authentication (OIDCPrivateKeyFiles), referer: http://keycloak:8080/auth/realms/Testrealm/protocol/openid-connect/auth?response_type=code&scope=openid%20email&client_id=testclient&state=B11RKf0gORpomuQFxkJTjJCzgZE&redirect_uri=http%3A%2F%2Fopenidc%2Fprotected%2Fredirect_uri&nonce=ihM54vkRJuLE9XhssQzfgy_s01pouZiYmJDWeUJcxdQ
openidc_1         | [Wed Oct 26 12:09:21.638974 2016] [auth_openidc:error] [pid 13:tid 140647688300288] [client 172.27.0.1:56570] oidc_proto_resolve_code_and_validate_response: failed to resolve the code, referer: http://keycloak:8080/auth/realms/Testrealm/protocol/openid-connect/auth?response_type=code&scope=openid%20email&client_id=testclient&state=B11RKf0gORpomuQFxkJTjJCzgZE&redirect_uri=http%3A%2F%2Fopenidc%2Fprotected%2Fredirect_uri&nonce=ihM54vkRJuLE9XhssQzfgy_s01pouZiYmJDWeUJcxdQ
openidc_1         | 172.27.0.1 - - [26/Oct/2016:12:09:21 +0000] "GET /protected/redirect_uri?state=B11RKf0gORpomuQFxkJTjJCzgZE&code=W4jiXXFCI5AoO-8jNpr9tr7-u7DL-KJDS4L1X8fohh8.33cc729d-a266-49fa-9ee8-47c8346ddb1b HTTP/1.1" 200 335 "http://keycloak:8080/auth/realms/Testrealm/protocol/openid-connect/auth?response_type=code&scope=openid%20email&client_id=testclient&state=B11RKf0gORpomuQFxkJTjJCzgZE&redirect_uri=http%3A%2F%2Fopenidc%2Fprotected%2Fredirect_uri&nonce=ihM54vkRJuLE9XhssQzfgy_s01pouZiYmJDWeUJcxdQ" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:49.0) Gecko/20100101 Firefox/49.0"

after error page reload

openidc_1         | [Wed Oct 26 12:10:41.062192 2016] [auth_openidc:error] [pid 9:tid 140647798814464] [client 172.27.0.1:56574] oidc_restore_proto_state: no "mod_auth_openidc_state_H_aW1yJaj9-Dssra5Bei98uRs20" state cookie found
openidc_1         | [Wed Oct 26 12:10:41.062601 2016] [auth_openidc:error] [pid 9:tid 140647798814464] [client 172.27.0.1:56574] oidc_unsolicited_proto_state: could not parse JWT from state: invalid unsolicited response: [src/jose.c:723: oidc_jwt_parse]: cjose_jws_import failed: invalid argument [file: jws.c, function: cjose_jws_import, line: 864]\n\n
openidc_1         | [Wed Oct 26 12:10:41.062635 2016] [auth_openidc:error] [pid 9:tid 140647798814464] [client 172.27.0.1:56574] oidc_authorization_response_match_state: unable to restore state
openidc_1         | [Wed Oct 26 12:10:41.062641 2016] [auth_openidc:error] [pid 9:tid 140647798814464] [client 172.27.0.1:56574] oidc_handle_authorization_response: invalid authorization response state and no default SSO URL is set, sending an error...
openidc_1         | 172.27.0.1 - - [26/Oct/2016:12:10:41 +0000] "GET /protected/redirect_uri?state=H_aW1yJaj9-Dssra5Bei98uRs20&code=s_41U0lDMu6qYUHJTGKVHUJRNF-o7-c_VobeSdvDUgM.1e044022-99f5-4a7a-b031-154e17c451c7 HTTP/1.1" 500 532 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:49.0) Gecko/20100101 Firefox/49.0"
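
The second error block above ("no ... state cookie found" followed by "invalid authorization response state") is the relying party refusing a replayed authorization response: the state cookie was consumed on the first visit to redirect_uri, so reloading the error page presents a state that no longer has a cookie behind it. The following is an added example, not mod_auth_openidc's code, that models that single-use state cookie; the cookie prefix, MAC layout and TTL are this example's own assumptions, and the state value is copied from the log line above as constructed input.

```python
"""Single-use login state kept in a browser cookie.

Added example for this thread; it is not mod_auth_openidc's code. It mimics what the
logs show: the state cookie is consumed by the first authorization response, so a
reload of the redirect_uri page replays a state that has no cookie any more and is
rejected. Cookie prefix, MAC layout and TTL are this example's assumptions.
"""
import hashlib
import hmac
import secrets

# Modelled on the mod_auth_openidc_state_<state> cookie names seen in the logs.
COOKIE_PREFIX = "oidc_state_"


class StateStore:
    def __init__(self, cookie_secret, ttl_seconds=300):
        self.secret = cookie_secret
        self.ttl = ttl_seconds

    def _mac(self, state, issued_at):
        msg = ("%s.%d" % (state, issued_at)).encode()
        return hmac.new(self.secret, msg, hashlib.sha256).hexdigest()

    def start_login(self, now, state=None):
        """Return (state, cookies_to_set). The state goes into the authorization
        request; the cookie binds that state to this browser."""
        state = state or secrets.token_urlsafe(20)
        cookie = "%d.%s" % (now, self._mac(state, now))
        return state, {COOKIE_PREFIX + state: cookie}

    def finish_login(self, cookies, state, now):
        """Validate the state from the authorization response against the browser's
        cookies. Returns (ok, reason, cookies_after); on success the state cookie is
        removed, which is what makes the state single-use."""
        name = COOKIE_PREFIX + state
        value = cookies.get(name)
        if value is None:
            return False, 'no "%s" state cookie found' % name, dict(cookies)
        issued_text, _, mac = value.partition(".")
        if not issued_text.isdigit() or not hmac.compare_digest(
            mac, self._mac(state, int(issued_text))
        ):
            return False, "state cookie failed integrity check", dict(cookies)
        if now - int(issued_text) > self.ttl:
            return False, "state cookie expired", dict(cookies)
        remaining = {k: v for k, v in cookies.items() if k != name}
        return True, "ok", remaining


def replay_scenario(now=1000):
    """The sequence from the logs: login, callback, then a reload of the callback URL.
    Returns (first_ok, reload_ok, reload_reason)."""
    store = StateStore(b"per-server-cookie-secret")  # assumed secret
    # State value taken from the log line above, used here as constructed input.
    state, browser = store.start_login(now, state="H_aW1yJaj9-Dssra5Bei98uRs20")
    first_ok, _, browser = store.finish_login(browser, state, now + 2)
    reload_ok, reload_reason, _ = store.finish_login(browser, state, now + 94)
    return first_ok, reload_ok, reload_reason


if __name__ == "__main__":
    print(replay_scenario())
```

The 500 on reload is therefore the CSRF/replay protection doing its job rather than a regression; what a production setup wants instead of an error page is a default SSO URL to bounce such stale callbacks to, which the last log line ("no default SSO URL is set") already hints at.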
solsson commented 7 years ago

Endpoint in 1.9.8:

$ curl -s http://keycloak:8080/auth/realms/Testrealm/.well-known/openid-configuration | json_pp
{
   "subject_types_supported" : [
      "public"
   ],
   "grant_types_supported" : [
      "authorization_code",
      "implicit",
      "refresh_token",
      "password",
      "client_credentials"
   ],
   "userinfo_endpoint" : "http://keycloak:8080/auth/realms/Testrealm/protocol/openid-connect/userinfo",
   "token_introspection_endpoint" : "http://keycloak:8080/auth/realms/Testrealm/protocol/openid-connect/token/introspect",
   "token_endpoint" : "http://keycloak:8080/auth/realms/Testrealm/protocol/openid-connect/token",
   "id_token_signing_alg_values_supported" : [
      "RS256"
   ],
   "issuer" : "http://keycloak:8080/auth/realms/Testrealm",
   "response_modes_supported" : [
      "query",
      "fragment",
      "form_post"
   ],
   "authorization_endpoint" : "http://keycloak:8080/auth/realms/Testrealm/protocol/openid-connect/auth",
   "jwks_uri" : "http://keycloak:8080/auth/realms/Testrealm/protocol/openid-connect/certs",
   "registration_endpoint" : "http://keycloak:8080/auth/realms/Testrealm/clients-registrations/openid-connect",
   "end_session_endpoint" : "http://keycloak:8080/auth/realms/Testrealm/protocol/openid-connect/logout",
   "response_types_supported" : [
      "code",
      "none",
      "id_token",
      "token",
      "id_token token",
      "code id_token",
      "code token",
      "code id_token token"
   ]
}

In 2.3.0:

$ curl -s http://keycloak:8080/auth/realms/Testrealm/.well-known/openid-configuration | json_pp
{
   "grant_types_supported" : [
      "authorization_code",
      "implicit",
      "refresh_token",
      "password",
      "client_credentials"
   ],
   "userinfo_endpoint" : "http://keycloak:8080/auth/realms/Testrealm/protocol/openid-connect/userinfo",
   "registration_endpoint" : "http://keycloak:8080/auth/realms/Testrealm/clients-registrations/openid-connect",
   "response_modes_supported" : [
      "query",
      "fragment",
      "form_post"
   ],
   "subject_types_supported" : [
      "public",
      "pairwise"
   ],
   "authorization_endpoint" : "http://keycloak:8080/auth/realms/Testrealm/protocol/openid-connect/auth",
   "claims_supported" : [
      "sub",
      "iss",
      "auth_time",
      "name",
      "given_name",
      "family_name",
      "preferred_username",
      "email"
   ],
   "issuer" : "http://keycloak:8080/auth/realms/Testrealm",
   "end_session_endpoint" : "http://keycloak:8080/auth/realms/Testrealm/protocol/openid-connect/logout",
   "request_parameter_supported" : true,
   "request_uri_parameter_supported" : true,
   "jwks_uri" : "http://keycloak:8080/auth/realms/Testrealm/protocol/openid-connect/certs",
   "token_endpoint_auth_methods_supported" : [
      "private_key_jwt",
      "client_secret_basic",
      "client_secret_post"
   ],
   "id_token_signing_alg_values_supported" : [
      "RS256"
   ],
   "scopes_supported" : [
      "openid",
      "offline_access"
   ],
   "claims_parameter_supported" : false,
   "request_object_signing_alg_values_supported" : [
      "none",
      "RS256"
   ],
   "response_types_supported" : [
      "code",
      "none",
      "id_token",
      "token",
      "id_token token",
      "code id_token",
      "code token",
      "code id_token token"
   ],
   "check_session_iframe" : "http://keycloak:8080/auth/realms/Testrealm/protocol/openid-connect/login-status-iframe.html",
   "token_endpoint_auth_signing_alg_values_supported" : [
      "RS256"
   ],
   "token_endpoint" : "http://keycloak:8080/auth/realms/Testrealm/protocol/openid-connect/token",
   "claim_types_supported" : [
      "normal"
   ],
   "token_introspection_endpoint" : "http://keycloak:8080/auth/realms/Testrealm/protocol/openid-connect/token/introspect",
   "userinfo_signing_alg_values_supported" : [
      "RS256"
   ]
}
solsson commented 7 years ago

Created a fresh minimal (maybe too minimal?) Testrealm config in https://github.com/Reposoft/openidc-keycloak-test/tree/keycloak-2.3.0-testrealm-export-fresh, but still getting oidc_proto_token_endpoint_request: no private keys have been configured to use for private_key_jwt client authentication (OIDCPrivateKeyFiles) and oidc_proto_resolve_code_and_validate_response: failed to resolve the code. Now .well-known/openid-configuration is:

{
   "registration_endpoint" : "http://keycloak:8080/auth/realms/Testrealm/clients-registrations/openid-connect",
   "authorization_endpoint" : "http://keycloak:8080/auth/realms/Testrealm/protocol/openid-connect/auth",
   "response_modes_supported" : [
      "query",
      "fragment",
      "form_post"
   ],
   "request_uri_parameter_supported" : true,
   "subject_types_supported" : [
      "public",
      "pairwise"
   ],
   "token_introspection_endpoint" : "http://keycloak:8080/auth/realms/Testrealm/protocol/openid-connect/token/introspect",
   "request_parameter_supported" : true,
   "end_session_endpoint" : "http://keycloak:8080/auth/realms/Testrealm/protocol/openid-connect/logout",
   "claims_parameter_supported" : false,
   "userinfo_endpoint" : "http://keycloak:8080/auth/realms/Testrealm/protocol/openid-connect/userinfo",
   "jwks_uri" : "http://keycloak:8080/auth/realms/Testrealm/protocol/openid-connect/certs",
   "request_object_signing_alg_values_supported" : [
      "none",
      "RS256"
   ],
   "claims_supported" : [
      "sub",
      "iss",
      "auth_time",
      "name",
      "given_name",
      "family_name",
      "preferred_username",
      "email"
   ],
   "id_token_signing_alg_values_supported" : [
      "RS256"
   ],
   "response_types_supported" : [
      "code",
      "none",
      "id_token",
      "token",
      "id_token token",
      "code id_token",
      "code token",
      "code id_token token"
   ],
   "userinfo_signing_alg_values_supported" : [
      "RS256"
   ],
   "scopes_supported" : [
      "openid",
      "offline_access"
   ],
   "token_endpoint" : "http://keycloak:8080/auth/realms/Testrealm/protocol/openid-connect/token",
   "grant_types_supported" : [
      "authorization_code",
      "implicit",
      "refresh_token",
      "password",
      "client_credentials"
   ],
   "issuer" : "http://keycloak:8080/auth/realms/Testrealm",
   "token_endpoint_auth_signing_alg_values_supported" : [
      "RS256"
   ],
   "check_session_iframe" : "http://keycloak:8080/auth/realms/Testrealm/protocol/openid-connect/login-status-iframe.html",
   "token_endpoint_auth_methods_supported" : [
      "private_key_jwt",
      "client_secret_basic",
      "client_secret_post"
   ],
   "claim_types_supported" : [
      "normal"
   ]
}
solsson commented 7 years ago

Just noticed that the link https://keycloak.gitbooks.io/securing-client-applications-guide/content/topics/oidc/mod-auth-openidc.html has been added to https://github.com/pingidentity/mod_auth_openidc/wiki/Useful-Links.

solsson commented 7 years ago

Notable in the endpoint JSON was that Keycloak 2+ has added "token_endpoint_auth_methods_supported" which lists private_key_jwt first. I guess that's why mod_auth_openidc tried that, but without a cert+key it fails.

See https://github.com/pingidentity/mod_auth_openidc/blob/v2.0.0/auth_openidc.conf#L79

zandbelt commented 7 years ago

I would consider this an issue with mod_auth_openidc as it should skip to the next available token endpoint authentication method if no private keys have been configured. I opened issue https://github.com/pingidentity/mod_auth_openidc/issues/189.
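
The selection logic zandbelt describes, as an added example that is neither mod_auth_openidc's nor Keycloak's code: given the discovery document, prefer private_key_jwt only when a private key is actually configured and otherwise fall through to a secret-based method the OP also lists. The preference order and the constructed metadata excerpts are this example's own assumptions; the method names are the standard OIDC ones.

```python
"""Pick a token-endpoint client authentication method from OP discovery metadata.

Added example for this thread; it is not mod_auth_openidc's or Keycloak's code.
It models the fix requested in mod_auth_openidc issue #189: private_key_jwt is
chosen only when a private key is actually configured, otherwise the client falls
through to a secret-based method the OP also advertises.
"""
import base64
import urllib.parse

# Preference order, strongest first. The order is this example's own assumption.
PREFERENCE = ["private_key_jwt", "client_secret_basic", "client_secret_post"]

# Constructed excerpt of the Keycloak 2.3.0 discovery document quoted in the thread.
KEYCLOAK_2_3_METADATA = {
    "token_endpoint": "http://keycloak:8080/auth/realms/Testrealm/protocol/openid-connect/token",
    "token_endpoint_auth_methods_supported": [
        "private_key_jwt", "client_secret_basic", "client_secret_post",
    ],
}

# Keycloak 1.9.8 published no token_endpoint_auth_methods_supported at all.
KEYCLOAK_1_9_METADATA = {
    "token_endpoint": "http://keycloak:8080/auth/realms/Testrealm/protocol/openid-connect/token",
}


def first_listed(metadata):
    """The naive choice: whatever the OP lists first. With Keycloak 2.3.0 that is
    private_key_jwt, which is what produced the OIDCPrivateKeyFiles error."""
    return metadata.get("token_endpoint_auth_methods_supported", ["client_secret_basic"])[0]


def choose_auth_method(metadata, have_private_key, have_client_secret):
    """Return the strongest advertised method this client can actually perform."""
    supported = metadata.get("token_endpoint_auth_methods_supported")
    if supported is None:
        # OIDC Discovery 1.0, section 3: absent means client_secret_basic.
        supported = ["client_secret_basic"]
    for method in PREFERENCE:
        if method not in supported:
            continue
        if method == "private_key_jwt" and not have_private_key:
            continue  # the fall-through that 2.0.0 lacked
        if method.startswith("client_secret") and not have_client_secret:
            continue
        return method
    raise ValueError("no usable token endpoint auth method among %r" % supported)


def build_token_request(method, client_id, client_secret, code, redirect_uri):
    """Headers and form body for the authorization_code exchange (RFC 6749, 4.1.3)."""
    form = {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
    }
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if method == "client_secret_basic":
        # RFC 6749, 2.3.1: form-urlencode id and secret before base64-encoding them.
        cred = "%s:%s" % (
            urllib.parse.quote(client_id, safe=""),
            urllib.parse.quote(client_secret, safe=""),
        )
        headers["Authorization"] = "Basic " + base64.b64encode(cred.encode()).decode()
    elif method == "client_secret_post":
        form["client_id"] = client_id
        form["client_secret"] = client_secret
    else:
        # private_key_jwt needs an RS256-signed assertion made with the configured
        # key; producing one without a key is exactly the step that failed above.
        raise ValueError("%s requires a configured private key" % method)
    return headers, form


if __name__ == "__main__":
    print("naive choice:", first_listed(KEYCLOAK_2_3_METADATA))
    method = choose_auth_method(KEYCLOAK_2_3_METADATA, have_private_key=False, have_client_secret=True)
    print("chosen:", method)
    print(build_token_request(method, "testclient", "s3cret", "code-from-callback",
                              "http://openidc/protected/redirect_uri"))
```

Until a module version with that fall-through is in place, the same outcome is reached by pinning the method in the Apache config with the existing OIDCProviderTokenEndpointAuth directive (for example OIDCProviderTokenEndpointAuth client_secret_basic), which takes the choice away from discovery-driven auto-selection.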

solsson commented 7 years ago

The big diff is due to a fresh realm setup, but once mod_auth_openidc 2.0.1 is released the only actual changes needed to the setup are to use that version along with Keycloak 2.3.0+.