instipod / DuoUniversalKeycloakAuthenticator

Keycloak Authenticator for Duo's new Universal Prompt
GNU General Public License v3.0

WebAuthN Fails when Duo Provider is added #26

Closed jrehmer closed 7 months ago

jrehmer commented 7 months ago

We are implementing hardware keys and are using an existing instance of Keycloak that is integrated with Duo using this authenticator. When we try to register or use an existing WebAuthN key, we receive an internal server error in the browser and the stack trace below.

Tested with Keycloak 22.0.5 and 23.0.5 and receive the same error. We have created new flows that do not include Duo and associated all of our clients with that flow, but the error is still present and prevents WebAuthN from completing. When we remove the Duo provider JAR, WebAuthN works without issue.

Jan 31 12:05:28 host kc.sh[357014]: 2024-01-31 12:05:28,318 ERROR [org.keycloak.services.error.KeycloakErrorHandler] (executor-thread-3) Uncaught server error: java.lang.NoSuchMethodError: 'com.fasterxml.jackson.core.io.ContentReference com.fasterxml.jackson.dataformat.cbor.CBORFactory._createContentReference(java.lang.Object, int, int)'
Jan 31 12:05:28 host kc.sh[357014]: #011at com.fasterxml.jackson.dataformat.cbor.CBORFactory.createParser(CBORFactory.java:336)
Jan 31 12:05:28 host kc.sh[357014]: #011at com.fasterxml.jackson.dataformat.cbor.CBORFactory.createParser(CBORFactory.java:330)
Jan 31 12:05:28 host kc.sh[357014]: #011at com.fasterxml.jackson.dataformat.cbor.CBORFactory.createParser(CBORFactory.java:27)
Jan 31 12:05:28 host kc.sh[357014]: #011at com.fasterxml.jackson.databind.ObjectMapper.readValue(ObjectMapper.java:3833)
Jan 31 12:05:28 host kc.sh[357014]: #011at com.webauthn4j.converter.util.CborConverter.readValue(CborConverter.java:55)
Jan 31 12:05:28 host kc.sh[357014]: #011at org.keycloak.credential.CredentialPublicKeyConverter.convertToEntityAttribute(CredentialPublicKeyConverter.java:38)
Jan 31 12:05:28 host kc.sh[357014]: #011at org.keycloak.credential.WebAuthnCredentialProvider.getCredentialInputFromCredentialModel(WebAuthnCredentialProvider.java:154)
Jan 31 12:05:28 host kc.sh[357014]: #011at java.base/java.util.stream.ReferencePipeline$3$1.accept(ReferencePipeline.java:197)
Jan 31 12:05:28 host kc.sh[357014]: #011at java.base/java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:179)
Jan 31 12:05:28 host kc.sh[357014]: #011at java.base/java.util.ArrayList$ArrayListSpliterator.forEachRemaining(ArrayList.java:1625)
Jan 31 12:05:28 host kc.sh[357014]: #011at java.base/java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:509)
Jan 31 12:05:28 host kc.sh[357014]: #011at java.base/java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:499)
Jan 31 12:05:28 host kc.sh[357014]: #011at java.base/java.util.stream.ReduceOps$ReduceOp.evaluateSequential(ReduceOps.java:921)
Jan 31 12:05:28 host kc.sh[357014]: #011at java.base/java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234)
Jan 31 12:05:28 host kc.sh[357014]: #011at java.base/java.util.stream.ReferencePipeline.collect(ReferencePipeline.java:682)
Jan 31 12:05:28 host kc.sh[357014]: #011at org.keycloak.credential.WebAuthnCredentialProvider.getWebAuthnCredentialModelList(WebAuthnCredentialProvider.java:278)
Jan 31 12:05:28 host kc.sh[357014]: #011at org.keycloak.credential.WebAuthnCredentialProvider.isValid(WebAuthnCredentialProvider.java:188)
Jan 31 12:05:28 host kc.sh[357014]: #011at org.keycloak.credential.LegacyUserCredentialManager.lambda$validate$11(LegacyUserCredentialManager.java:255)
Jan 31 12:05:28 host kc.sh[357014]: #011at java.base/java.util.Collection.removeIf(Collection.java:576)
Jan 31 12:05:28 host kc.sh[357014]: #011at org.keycloak.credential.LegacyUserCredentialManager.validate(LegacyUserCredentialManager.java:255)
Jan 31 12:05:28 host kc.sh[357014]: #011at org.keycloak.credential.LegacyUserCredentialManager.lambda$isValid$0(LegacyUserCredentialManager.java:76)
Jan 31 12:05:28 host kc.sh[357014]: #011at java.base/java.util.stream.ForEachOps$ForEachOp$OfRef.accept(ForEachOps.java:183)
Jan 31 12:05:28 host kc.sh[357014]: #011at java.base/java.util.stream.ReferencePipeline$3$1.accept(ReferencePipeline.java:197)
Jan 31 12:05:28 host kc.sh[357014]: #011at java.base/java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:179)
Jan 31 12:05:28 host kc.sh[357014]: #011at java.base/java.util.HashMap$ValueSpliterator.forEachRemaining(HashMap.java:1779)
Jan 31 12:05:28 host kc.sh[357014]: #011at java.base/java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:509)
Jan 31 12:05:28 host kc.sh[357014]: #011at java.base/java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:499)
Jan 31 12:05:28 host kc.sh[357014]: #011at java.base/java.util.stream.ForEachOps$ForEachOp.evaluateSequential(ForEachOps.java:150)
Jan 31 12:05:28 host kc.sh[357014]: #011at java.base/java.util.stream.ForEachOps$ForEachOp$OfRef.evaluateSequential(ForEachOps.java:173)
Jan 31 12:05:28 host kc.sh[357014]: #011at java.base/java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234)
Jan 31 12:05:28 host kc.sh[357014]: #011at java.base/java.util.stream.ReferencePipeline.forEach(ReferencePipeline.java:596)
Jan 31 12:05:28 host kc.sh[357014]: #011at org.keycloak.credential.LegacyUserCredentialManager.isValid(LegacyUserCredentialManager.java:76)
Jan 31 12:05:28 host kc.sh[357014]: #011at org.keycloak.models.SubjectCredentialManager.isValid(SubjectCredentialManager.java:45)
Jan 31 12:05:28 host kc.sh[357014]: #011at org.keycloak.authentication.authenticators.browser.WebAuthnAuthenticator.action(WebAuthnAuthenticator.java:217)
Jan 31 12:05:28 host kc.sh[357014]: #011at org.keycloak.authentication.DefaultAuthenticationFlow.processAction(DefaultAuthenticationFlow.java:154)
Jan 31 12:05:28 host kc.sh[357014]: #011at org.keycloak.authentication.AuthenticationProcessor.authenticationAction(AuthenticationProcessor.java:988)
Jan 31 12:05:28 host kc.sh[357014]: #011at org.keycloak.services.resources.LoginActionsService.processFlow(LoginActionsService.java:362)
Jan 31 12:05:28 host kc.sh[357014]: #011at org.keycloak.services.resources.LoginActionsService.processAuthentication(LoginActionsService.java:333)
Jan 31 12:05:28 host kc.sh[357014]: #011at org.keycloak.services.resources.LoginActionsService.authenticate(LoginActionsService.java:325)
Jan 31 12:05:28 host kc.sh[357014]: #011at org.keycloak.services.resources.LoginActionsService.authenticateForm(LoginActionsService.java:390)
Jan 31 12:05:28 host kc.sh[357014]: #011at org.keycloak.services.resources.LoginActionsService$quarkusrestinvoker$authenticateForm_32b8e198ac3110abd1d5774e83a4cf87858129f4.invoke(Unknown Source)
Jan 31 12:05:28 host kc.sh[357014]: #011at org.jboss.resteasy.reactive.server.handlers.InvocationHandler.handle(InvocationHandler.java:29)
Jan 31 12:05:28 host kc.sh[357014]: #011at io.quarkus.resteasy.reactive.server.runtime.QuarkusResteasyReactiveRequestContext.invokeHandler(QuarkusResteasyReactiveRequestContext.java:141)
Jan 31 12:05:28 host kc.sh[357014]: #011at org.jboss.resteasy.reactive.common.core.AbstractResteasyReactiveContext.run(AbstractResteasyReactiveContext.java:145)
Jan 31 12:05:28 host kc.sh[357014]: #011at io.quarkus.vertx.core.runtime.VertxCoreRecorder$14.runWith(VertxCoreRecorder.java:576)
Jan 31 12:05:28 host kc.sh[357014]: #011at org.jboss.threads.EnhancedQueueExecutor$Task.run(EnhancedQueueExecutor.java:2513)
Jan 31 12:05:28 host kc.sh[357014]: #011at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1538)
Jan 31 12:05:28 host kc.sh[357014]: #011at org.jboss.threads.DelegatingRunnable.run(DelegatingRunnable.java:29)
Jan 31 12:05:28 host kc.sh[357014]: #011at org.jboss.threads.ThreadLocalResettingRunnable.run(ThreadLocalResettingRunnable.java:29)
Jan 31 12:05:28 host kc.sh[357014]: #011at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)
Jan 31 12:05:28 host kc.sh[357014]: #011at java.base/java.lang.Thread.run(Thread.java:840)

jrehmer commented 7 months ago

Argh - my apologies - I see this was resolved in 1.0.8, we are on 1.0.7, should have read the closed issues before reporting!
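
Added example, not part of the issue thread or the project's code: a `NoSuchMethodError` inside `com.fasterxml.jackson` that disappears when one provider JAR is removed is commonly caused by that JAR carrying its own copy of Jackson classes at a different version than the server's. The thread does not state the root cause, so that is an assumption here; the sketch below lists Jackson packages bundled in a JAR, and `bundled_packages` and `make_jar` are hypothetical helper names.

```python
import io
import zipfile
from collections import defaultdict

# Package prefix taken from the stack trace above. Scanning for it assumes a
# bundled-library conflict, which the issue thread itself does not confirm.
JACKSON_PREFIX = "com/fasterxml/jackson/"


def bundled_packages(jar, prefix=JACKSON_PREFIX):
    """Return {package: class_count} for classes under `prefix` in a JAR.

    `jar` is a path or file-like object. Nested JARs are scanned too,
    because fat builds may embed their dependencies as whole archives.
    """
    found = defaultdict(int)
    with zipfile.ZipFile(jar) as zf:
        for name in zf.namelist():
            if name.endswith(".jar"):
                try:
                    nested = bundled_packages(io.BytesIO(zf.read(name)), prefix)
                except zipfile.BadZipFile:
                    continue  # entry is named *.jar but is not an archive
                for pkg, count in nested.items():
                    found[pkg] += count
            elif name.startswith(prefix) and name.endswith(".class"):
                found[name.rsplit("/", 1)[0].replace("/", ".")] += 1
    return dict(found)


def make_jar(entries):
    """Build a constructed in-memory JAR from {entry_name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    buf.seek(0)
    return buf


if __name__ == "__main__":
    # Constructed sample: a provider JAR carrying its own jackson-core classes.
    sample = make_jar({
        "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
        "com/example/provider/Authenticator.class": b"",
        "com/fasterxml/jackson/core/JsonFactory.class": b"",
        "com/fasterxml/jackson/core/io/ContentReference.class": b"",
    })
    for pkg, count in sorted(bundled_packages(sample).items()):
        print(f"{pkg}: {count} class(es) bundled")
```

Pointing `bundled_packages` at each file in the server's `providers` directory shows which extension, if any, ships classes that overlap with the ones the server already loads.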