ch4mpy / spring-addons

Ease spring OAuth2 resource-servers configuration and testing
Apache License 2.0
521 stars 84 forks

SSH Configure Caused "retrieve remote JWK set" Exception #146

Closed haiyunhzhang closed 11 months ago

haiyunhzhang commented 11 months ago

I followed the article "Securing Spring Applications With OAuth2".

With the default configuration inside the application.properties file, it works fine.

```properties
spring.security.oauth2.resourceserver.jwt.issuer-uri=http://localhost:8090/realms/demo
spring.security.oauth2.resourceserver.jwt.jwk-set-uri=${spring.security.oauth2.resourceserver.jwt.issuer-uri}/protocol/openid-connect/certs
```

But after changing the issuer-uri to the secured https://192.168.100.12:8443/realms/demo, when I try to access the resource server, I get this exception:

```
ERROR 17879 --- [nio-8081-exec-2] o.a.c.c.C.[.[.[/].[dispatcherServlet] : Servlet.service() for servlet [dispatcherServlet] in context with path [] threw exception
org.springframework.security.authentication.AuthenticationServiceException: An error occurred while attempting to decode the Jwt: Couldn't retrieve remote JWK set: org.springframework.web.client.ResourceAccessException: I/O error on GET request for "https://192.168.100.12:8443/realms/demo/protocol/openid-connect/certs": No subject alternative names present
	at org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationProvider.getJwt(JwtAuthenticationProvider.java:106) ~[spring-security-oauth2-resource-server-6.1.2.jar!/:6.1.2]
	at org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationProvider.authenticate(JwtAuthenticationProvider.java:88) ~[spring-security-oauth2-resource-server-6.1.2.jar!/:6.1.2]
	at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:182) ~[spring-security-core-6.1.2.jar!/:6.1.2]
	at org.springframework.security.oauth2.server.resource.web.authentication.BearerTokenAuthenticationFilter.doFilterInternal(BearerTokenAuthenticationFilter.java:137) ~[spring-security-oauth2-resource-server-6.1.2.jar!/:6.1.2]
```

May I ask whether the configuration needs to change on the Keycloak side for https access?

Thanks,

ch4mpy commented 11 months ago

Google is your friend. 1st result for "No subject alternative names present": https://confluence.atlassian.com/stashkb/no-subject-alternative-names-693896719.html#:~:text=No%20subject%20alternative%20names%20present%20is%20caused%20when%20accessing%20an,matching%20IP%20address%20as%20an

> No subject alternative names present is caused when accessing an application over HTTPS by using the IP address on the URL rather than the domain contained in the remote SSL certificate and the SSL certificate being fetched does not contain the Subject Alternative Name (SAN) parameter with the matching IP address as an alternative attribute

This is certainly not a bug in spring-addons-starter-oidc. What is the URL to the Securing Spring Applications With OAuth2 article you're talking about?

haiyunhzhang commented 11 months ago

It is https://github.com/ch4mpy/spring-addons/tree/master/samples/tutorials

ch4mpy commented 11 months ago

It points to https://github.com/ch4mpy/spring-addons/blob/master/samples/tutorials/keycloak.md which in turn points to https://github.com/ch4mpy/self-signed-certificate-generation with instructions to generate a certificate with your hostname(s). Use one of these hostnames in your configuration URIs (not an IP address).

haiyunhzhang commented 11 months ago

Those are the procedures that I followed before launching Keycloak with the keys. Without the certificate, I got a different exception, saying something like unknown certificate.

ch4mpy commented 11 months ago

@haiyunhzhang see the updated comments above, but again, this is something not related to this repo, this is just how Java and SSL work.
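
The rule quoted from the Atlassian page and ch4mpy's instruction (put a name that is actually in the certificate's SAN into the URIs, not a bare IP) can be checked locally before touching the Spring configuration. What follows is an added example; it is not code from spring-addons, from the linked certificate-generation repository, or from either participant. It uses openssl to produce two self-signed certificates, one whose SAN lists a hostname and an IP and one with no SAN at all, and then applies the same rule the JDK's default hostname verifier applies when the resource server fetches the JWK set: an IP literal in the URL has to equal an "IP Address" SAN entry and never falls back to the CN (a certificate with no SAN gives "No subject alternative names present"), while a DNS name has to equal a "DNS" SAN entry, with a fallback to the subject CN only when the certificate carries no SAN extension. The hostname `keycloak.local` is an assumption chosen for illustration; `192.168.100.12` is the address from the report. Wildcard names are not modelled.

```shell
#!/bin/sh
# Added example (not from spring-addons or the thread's participants).
# Requires openssl 1.1.1 or newer for "req -addext".
set -e

# gen_cert DIR SAN: write DIR/key.pem and DIR/cert.pem. SAN is the value of
# the subjectAltName extension, e.g. "DNS:keycloak.local,IP:192.168.100.12",
# or "" to produce a certificate that carries no SAN extension at all.
# keycloak.local is an assumed hostname used only for illustration.
gen_cert() {
  dir="$1"; san="$2"
  mkdir -p "$dir"
  set -- openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -keyout "$dir/key.pem" -out "$dir/cert.pem" -subj "/CN=keycloak.local"
  if [ -n "$san" ]; then
    set -- "$@" -addext "subjectAltName=$san"
  fi
  "$@" >/dev/null 2>&1
}

# san_entries CERT: print one SAN entry per line ("DNS:name" or
# "IP Address:a.b.c.d"); prints nothing when the certificate has no SAN.
san_entries() {
  openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null \
    | grep -Eo 'DNS:[^, ]+|IP Address:[^, ]+' || true
}

# subject_cn CERT: print the subject CN (RFC 2253 output keeps it as "CN=...").
subject_cn() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 2>/dev/null \
    | grep -Eo 'CN=[^,]+' | head -n 1 | cut -d= -f2
}

# san_matches CERT HOST: exit 0 if HOST would pass hostname verification
# against CERT under the JDK's rules, exit 1 (reason on stderr) otherwise.
san_matches() {
  cert="$1"; host="$2"
  sans="$(san_entries "$cert")"
  case "$host" in
    *[!0-9.]*)  # anything but digits and dots: treat as a DNS name
      if [ -n "$sans" ]; then
        printf '%s\n' "$sans" | grep -qixF "DNS:$host" && return 0
        echo "No subject alternative DNS name matching $host found" >&2
        return 1
      fi
      # no SAN extension at all: legacy fallback to the subject CN
      [ "$(subject_cn "$cert")" = "$host" ] && return 0
      echo "No name matching $host found" >&2
      return 1 ;;
    *)          # an IPv4 literal: only an IP SAN entry counts, never the CN
      if [ -z "$sans" ]; then
        echo "No subject alternative names present" >&2
        return 1
      fi
      printf '%s\n' "$sans" | grep -qxF "IP Address:$host" && return 0
      echo "No subject alternative names matching IP address $host found" >&2
      return 1 ;;
  esac
}

# demo: reproduce the reporter's situation and show both ways out of it.
demo() {
  tmp="$(mktemp -d)"
  gen_cert "$tmp/no-san" ""
  gen_cert "$tmp/with-san" "DNS:keycloak.local,IP:192.168.100.12"
  for cert in no-san with-san; do
    for host in 192.168.100.12 keycloak.local; do
      if san_matches "$tmp/$cert/cert.pem" "$host" 2>/dev/null; then
        echo "$cert  https://$host:8443/realms/demo  -> accepted"
      else
        echo "$cert  https://$host:8443/realms/demo  -> rejected"
      fi
    done
  done
  rm -rf "$tmp"
}

if [ "${1:-}" = "demo" ]; then
  demo
fi
```

Run it as `sh san-check.sh demo`. The `no-san` row for `192.168.100.12` is the situation in the report; the `with-san` rows show the two fixes: point `issuer-uri` and `jwk-set-uri` at a hostname that is in the SAN, or, if an IP must be used, add an `IP:` entry to the SAN when the certificate is generated. This only covers name matching; the JVM also has to trust the certificate's issuer, which is the separate trust-store problem the reporter ran into before importing the certificate.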