trifork / klg-docs

Public documentation for Gateway

Unable to connect to gateway keycloak #38

Closed aonsystematic closed 2 years ago

aonsystematic commented 2 years ago

This issue is a duplicate of the discussion in https://github.com/trifork/klg-docs/pull/36. When connecting to the gateway keycloak I get the error `{"error":"unknown_error"}` with code 500

with assertion

    <Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://saml.adgangsstyring.eksterntest-stoettesystemerne.dk</Issuer>
    <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
        <SignedInfo>
            <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
            <SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
            <Reference URI="#_cc63a2c7-86a2-4927-aa04-72f14e90dc3d">
                <Transforms>
                    <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                    <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                </Transforms>
                <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
                <DigestValue>fPRzcc/NMKNh3dPwTw++zcG18DZIeC+v684Eqz4hZLE=</DigestValue>
            </Reference>
        </SignedInfo>
        <SignatureValue>REDACTED</SignatureValue>
        <KeyInfo>
            <X509Data>
                <X509Certificate>...</X509Certificate>
            </X509Data>
        </KeyInfo>
    </Signature>
    <Subject>
        <NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName">SERIALNUMBER=CVR:78834412-FID:93554192 + CN=Columna Cura Aalborg Uddannelse (funktionscertifikat), O=SYSTEMATIC A/S // CVR:78834412, C=DK</NameID>
        <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:holder-of-key">
            <SubjectConfirmationData xmlns:a="http://www.w3.org/2001/XMLSchema-instance" NotBefore="2022-05-23T08:02:22.134Z" NotOnOrAfter="2022-05-23T16:02:22.134Z" Recipient="http://ehealth.sundhed.dk/service/CareGateway/1" a:type="KeyInfoConfirmationDataType">
                <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
                    <X509Data>
                        <X509Certificate>...</X509Certificate>
                    </X509Data>
                </KeyInfo>
            </SubjectConfirmationData>
        </SubjectConfirmation>
    </Subject>
    <Conditions NotBefore="2022-05-23T08:02:22.134Z" NotOnOrAfter="2022-05-23T16:02:22.134Z">
        <AudienceRestriction>
            <Audience>http://ehealth.sundhed.dk/service/CareGateway/1</Audience>
        </AudienceRestriction>
    </Conditions>
    <AttributeStatement>
        <Attribute Name="dk:gov:saml:attribute:CvrNumberIdentifier" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
            <AttributeValue>29189420</AttributeValue>
        </Attribute>
        <Attribute Name="dk:gov:saml:attribute:AssuranceLevel" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
            <AttributeValue>3</AttributeValue>
        </Attribute>
        <Attribute Name="dk:gov:saml:attribute:SpecVer" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
            <AttributeValue>DK-SAML-2.0</AttributeValue>
        </Attribute>
        <Attribute Name="dk:gov:saml:attribute:KombitSpecVer" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
            <AttributeValue>1.0</AttributeValue>
        </Attribute>
        <Attribute Name="dk:gov:saml:attribute:Privileges_intermediate" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
            <AttributeValue>...</AttributeValue>
        </Attribute>
    </AttributeStatement>
    <AuthnStatement AuthnInstant="2022-05-23T08:02:22.134Z">
        <AuthnContext>
            <AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:X509</AuthnContextClassRef>
        </AuthnContext>
    </AuthnStatement>
</Assertion>

and request:

The same implementation can however work if we use our other client ID (and matching certificate).
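Added example, not code from the gateway, Keycloak or the reporter: a stdlib-only pre-flight check over a constructed assertion shaped like the one above (signature omitted, placeholder certificate), covering what a gateway typically rejects before anything useful reaches its log: the Conditions validity window, the audience, the holder-of-key confirmation method, whether the certificate bound in the confirmation is the client certificate actually presented, and the DK-SAML attributes. Signature verification is out of scope; the function name, the sample and the certificate value are assumptions.

```python
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion", "ds": "http://www.w3.org/2000/09/xmldsig#"}
HOK = "urn:oasis:names:tc:SAML:2.0:cm:holder-of-key"
REQUIRED_ATTRS = ("dk:gov:saml:attribute:CvrNumberIdentifier", "dk:gov:saml:attribute:AssuranceLevel",
                  "dk:gov:saml:attribute:SpecVer")
AUDIENCE = "http://ehealth.sundhed.dk/service/CareGateway/1"
SAMPLE_CERT = "MIIBc0RlbW8="  # constructed placeholder, not a real certificate

# Constructed sample mirroring the structure of the posted assertion (signature omitted).
SAMPLE = """<Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion" ID="_1" Version="2.0">
 <Subject><SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:holder-of-key">
  <SubjectConfirmationData NotBefore="2022-05-23T08:02:22.134Z" NotOnOrAfter="2022-05-23T16:02:22.134Z"
   Recipient="http://ehealth.sundhed.dk/service/CareGateway/1">
   <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"><X509Data><X509Certificate>MIIBc0RlbW8=</X509Certificate></X509Data></KeyInfo>
  </SubjectConfirmationData></SubjectConfirmation></Subject>
 <Conditions NotBefore="2022-05-23T08:02:22.134Z" NotOnOrAfter="2022-05-23T16:02:22.134Z">
  <AudienceRestriction><Audience>http://ehealth.sundhed.dk/service/CareGateway/1</Audience></AudienceRestriction>
 </Conditions>
 <AttributeStatement>
  <Attribute Name="dk:gov:saml:attribute:CvrNumberIdentifier"><AttributeValue>29189420</AttributeValue></Attribute>
  <Attribute Name="dk:gov:saml:attribute:AssuranceLevel"><AttributeValue>3</AttributeValue></Attribute>
  <Attribute Name="dk:gov:saml:attribute:SpecVer"><AttributeValue>DK-SAML-2.0</AttributeValue></Attribute>
 </AttributeStatement>
</Assertion>"""

def _ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def preflight(xml_text, audience, client_cert_b64, now_iso):
    """Return findings a gateway would likely reject the assertion for; an empty list means it looks usable."""
    root, now, findings = ET.fromstring(xml_text), _ts(now_iso), []
    cond = root.find("saml:Conditions", NS)
    if cond is None or not (_ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter"))):
        findings.append("outside Conditions validity window")
    if audience not in [a.text for a in root.iterfind(".//saml:Audience", NS)]:
        findings.append("audience mismatch")
    sc = root.find(".//saml:SubjectConfirmation", NS)
    if sc is None or sc.get("Method") != HOK:
        findings.append("subject confirmation is not holder-of-key")
    else:
        data = sc.find("saml:SubjectConfirmationData", NS)
        if data is not None and data.get("Recipient") not in (None, audience):
            findings.append("SubjectConfirmationData Recipient does not match audience")
        # Holder-of-key: the certificate bound in the confirmation must be the one the client presents over TLS.
        cert = sc.find(".//ds:X509Certificate", NS)
        if cert is None or "".join(cert.text.split()) != "".join(client_cert_b64.split()):
            findings.append("holder-of-key certificate does not match presented client certificate")
    present = {a.get("Name") for a in root.iterfind(".//saml:Attribute", NS)}
    findings += ["missing attribute " + n for n in REQUIRED_ATTRS if n not in present]
    return findings
```

Run it against a real assertion with the certificate you actually present to the gateway; a non-empty list is a local, explainable reason for a rejection that the remote side only reports as an opaque error.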

aonsystematic commented 2 years ago

Did something on the keycloak server change? I'm able to get a token now.

nigtrifork commented 2 years ago

@aonsystematic No, but the keycloak instances were restarted in order to increase the logging level. This must have somehow resolved the issue.

Can we close this issue?