ulisesbocchio / spring-boot-security-saml

spring-security-saml integration with Spring Boot
MIT License

spring boot saml security with keycloak as IDP #44

Closed gs-offcl closed 6 years ago

gs-offcl commented 6 years ago

Hi, I'm trying to integrate this spring boot saml plugin with Keycloak as IDP. Below is the error I get on the Keycloak console.

[org.keycloak.events] (default task-26) type=LOGIN_ERROR, realmId=myrealm, clientId=null, userId=null, ipAddress=127.0.0.1, error=invalid_token

I have followed the documentation and am not sure what's wrong here... Any help would be really appreciated.

Thanks

gs-offcl commented 6 years ago

Dear ulisesbocchio,

I have used your example for one of my spring boot apps (zuul gateway) and am trying to enable SSO with Keycloak IDP.

I have generated the self-signed certificate key pairs (as mentioned in the example) for my spring-boot app and am trying to authenticate with Keycloak IDP. I have uploaded the localhost.pem/localhost.cert file for the client I have configured at Keycloak IDP.

When I try to authenticate with the IDP from my spring-boot app, I get this error:

13:56:21,236 WARN [org.keycloak.events] (default task-44) type=LOGIN_ERROR, realmId=test, clientId=null, userId=null, ipAddress=127.0.0.1, error=invalid_token

Can you help me with this?

ulisesbocchio commented 6 years ago

Yes, but I'm gonna need some more details. What do the SAML Request and SAML Response look like when you try to authenticate? You should be able to log those out with a filter on the HTTP layer or by enabling:

logging.level.org.springframework.security.saml= DEBUG

mdraees commented 6 years ago

I am facing the same issue. Below are the logs:

2018-06-21 12:12:53.717 INFO 2808 --- [nio-8082-exec-2] o.a.c.c.C.[Tomcat].[localhost].[/] : Initializing Spring FrameworkServlet 'dispatcherServlet'
2018-06-21 12:12:53.717 INFO 2808 --- [nio-8082-exec-2] o.s.web.servlet.DispatcherServlet : FrameworkServlet 'dispatcherServlet': initialization started
2018-06-21 12:12:53.760 INFO 2808 --- [nio-8082-exec-2] o.s.web.servlet.DispatcherServlet : FrameworkServlet 'dispatcherServlet': initialization completed in 41 ms
2018-06-21 12:12:53.778 INFO 2808 --- [nio-8082-exec-2] o.s.s.s.m.MetadataGeneratorFilter : No default metadata configured, generating with default values, please pre-configure metadata for production use
2018-06-21 12:12:53.779 WARN 2808 --- [nio-8082-exec-2] o.s.s.s.m.MetadataGeneratorFilter : Generated default entity base URL http://localhost:8082 based on values in the first server request. Please set property entityBaseURL on MetadataGenerator bean to fixate the value.
2018-06-21 12:12:53.798 INFO 2808 --- [nio-8082-exec-2] o.s.s.s.m.MetadataGeneratorFilter : Created default metadata for system with entityID: nwdash
2018-06-21 12:12:53.799 DEBUG 2808 --- [nio-8082-exec-2] o.s.s.saml.metadata.MetadataManager : Clearing metadata cache
2018-06-21 12:12:53.799 DEBUG 2808 --- [nio-8082-exec-2] o.s.s.saml.metadata.MetadataManager : Reloading metadata
2018-06-21 12:12:53.800 DEBUG 2808 --- [nio-8082-exec-2] o.s.s.saml.metadata.MetadataManager : Refreshing metadata provider org.opensaml.saml2.metadata.provider.ResourceBackedMetadataProvider@40b01718
2018-06-21 12:12:53.800 DEBUG 2808 --- [nio-8082-exec-2] o.s.s.saml.metadata.MetadataManager : Metadata provider was already initialized, signature filter initialization will be skipped
2018-06-21 12:12:53.800 DEBUG 2808 --- [nio-8082-exec-2] o.s.s.saml.metadata.MetadataManager : Initializing extendedMetadataDelegate org.opensaml.saml2.metadata.provider.ResourceBackedMetadataProvider@40b01718
2018-06-21 12:12:53.800 DEBUG 2808 --- [nio-8082-exec-2] o.s.s.s.m.ExtendedMetadataDelegate : Initializing delegate
2018-06-21 12:12:53.801 DEBUG 2808 --- [nio-8082-exec-2] o.s.s.saml.metadata.MetadataManager : Initializing provider data org.opensaml.saml2.metadata.provider.ResourceBackedMetadataProvider@40b01718
2018-06-21 12:12:53.801 DEBUG 2808 --- [nio-8082-exec-2] o.s.s.saml.metadata.MetadataManager : Found metadata EntityDescriptor with ID
2018-06-21 12:12:53.801 DEBUG 2808 --- [nio-8082-exec-2] o.s.s.saml.metadata.MetadataManager : Remote entity http://localhost:8080/auth/realms/UIoTRealm available
2018-06-21 12:12:53.801 DEBUG 2808 --- [nio-8082-exec-2] o.s.s.saml.metadata.MetadataManager : Metadata provider was initialized org.opensaml.saml2.metadata.provider.ResourceBackedMetadataProvider@40b01718
2018-06-21 12:12:53.802 DEBUG 2808 --- [nio-8082-exec-2] o.s.s.saml.metadata.MetadataManager : Refreshing metadata provider org.springframework.security.saml.metadata.MetadataMemoryProvider@33bf0231
2018-06-21 12:12:53.805 DEBUG 2808 --- [nio-8082-exec-2] o.s.s.saml.metadata.MetadataManager : Setting trust verification for metadata provider org.springframework.security.saml.metadata.MetadataMemoryProvider@33bf0231
2018-06-21 12:12:53.806 DEBUG 2808 --- [nio-8082-exec-2] o.s.s.saml.metadata.MetadataManager : Revocation checking not forced
2018-06-21 12:12:53.809 DEBUG 2808 --- [nio-8082-exec-2] o.s.s.saml.metadata.MetadataManager : Adding PKIX trust anchor localhost for metadata verification of provider org.springframework.security.saml.metadata.MetadataMemoryProvider@33bf0231
2018-06-21 12:12:53.811 DEBUG 2808 --- [nio-8082-exec-2] o.s.s.saml.metadata.MetadataManager : Created new trust manager for metadata provider org.springframework.security.saml.metadata.MetadataMemoryProvider@33bf0231
2018-06-21 12:12:53.811 DEBUG 2808 --- [nio-8082-exec-2] o.s.s.saml.metadata.MetadataManager : Adding signature filter
2018-06-21 12:12:53.811 DEBUG 2808 --- [nio-8082-exec-2] o.s.s.saml.metadata.MetadataManager : Initializing extendedMetadataDelegate org.springframework.security.saml.metadata.MetadataMemoryProvider@33bf0231
2018-06-21 12:12:53.812 DEBUG 2808 --- [nio-8082-exec-2] o.s.s.s.m.ExtendedMetadataDelegate : Initializing delegate
2018-06-21 12:12:53.812 DEBUG 2808 --- [nio-8082-exec-2] o.s.s.saml.metadata.MetadataManager : Initializing provider data org.springframework.security.saml.metadata.MetadataMemoryProvider@33bf0231
2018-06-21 12:12:53.812 DEBUG 2808 --- [nio-8082-exec-2] o.s.s.saml.metadata.MetadataManager : Found metadata EntityDescriptor with ID
2018-06-21 12:12:53.812 DEBUG 2808 --- [nio-8082-exec-2] o.s.s.saml.metadata.MetadataManager : Local entity nwdash doesn't have an alias
2018-06-21 12:12:53.812 DEBUG 2808 --- [nio-8082-exec-2] o.s.s.saml.metadata.MetadataManager : Metadata provider was initialized org.springframework.security.saml.metadata.MetadataMemoryProvider@33bf0231
2018-06-21 12:12:53.813 DEBUG 2808 --- [nio-8082-exec-2] o.s.s.saml.metadata.MetadataManager : Reloading metadata was finished
2018-06-21 12:12:53.877 DEBUG 2808 --- [nio-8082-exec-2] o.s.s.s.context.SAMLContextProviderImpl : No IDP specified, using default http://localhost:8080/auth/realms/UIoTRealm
2018-06-21 12:12:53.878 DEBUG 2808 --- [nio-8082-exec-2] o.s.security.saml.util.SAMLUtil : Index for AssertionConsumerService not specified, returning default
2018-06-21 12:12:53.879 DEBUG 2808 --- [nio-8082-exec-2] o.s.security.saml.SAMLEntryPoint : Processing SSO using WebSSO profile
2018-06-21 12:12:53.880 DEBUG 2808 --- [nio-8082-exec-2] o.s.s.saml.websso.WebSSOProfileImpl : Using default consumer service with binding urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
2018-06-21 12:12:54.074 DEBUG 2808 --- [nio-8082-exec-2] PROTOCOL_MESSAGE : <?xml version="1.0" encoding="UTF-8"?>
[AuthnRequest XML as captured: the element tags were lost in extraction and only the text nodes survived (issuer nwdash, digest value, signature value and the SP signing certificate); the base64 values are omitted here]
2018-06-21 12:12:54.075 DEBUG 2808 --- [nio-8082-exec-2] o.s.s.saml.storage.HttpSessionStorage : Storing message a3jbd066097ii084i1b7987g1bf3hg to session C1872C95751FF7AE3F85EE3D9E1D425A
2018-06-21 12:12:54.079 INFO 2808 --- [nio-8082-exec-2] o.s.security.saml.log.SAMLDefaultLogger : AuthNRequest;SUCCESS;0:0:0:0:0:0:0:1;nwdash;http://localhost:8080/auth/realms/UIoTRealm;;;

And logs from keycloak:

12:12:54,573 ERROR [org.keycloak.saml.common] (default task-16) Error in base64 decoding saml message: java.lang.RuntimeException: PL00064: Parser: Unknown Start Element: Scoping::location=org.codehaus.stax2.XMLStreamLocation2$1@2726fbb3
12:12:54,574 WARN [org.keycloak.events] (default task-16) type=LOGIN_ERROR, realmId=UIoTRealm, clientId=null, userId=null, ipAddress=127.0.0.1, error=invalid_token

Can you please help on this?

ulisesbocchio commented 6 years ago

The error seems to be on the Keycloak side. I'm not sure what it refers to with invalid_token; it seems to be something Keycloak specific. I can see, though, that you haven't configured your SAML metadata in the application, since it's bootstrapping based on the first request. You may wanna look into initializing all the config properly before chasing this error.
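An application.properties that puts the maintainer's two suggestions into practice for the setup in this thread: turning on SAML message logging, and pinning the SP metadata instead of letting it be generated from the first request. This is an added example, not configuration from the plugin, its README or any of the posters; the property names follow the plugin's saml.sso.* namespace, the include-scoping property is assumed to map onto WebSSOProfileOptions.includeScoping, and hostnames, file names, entity id and realm are placeholders taken from the log above.

```properties
# Added example: spring-boot-security-saml service provider talking to a Keycloak realm.
# Hostnames, realm, entity id and file names are placeholders matching the log in this thread.

# 1. Log every SAML Request/Response the SP sends and receives (what the maintainer asked for).
logging.level.org.springframework.security.saml=DEBUG

# 2. Pin the SP's own metadata. Without these, MetadataGeneratorFilter derives the entity base
#    URL from the first inbound request (the "No default metadata configured" and "Generated
#    default entity base URL" lines above), which is both unstable and attacker-influenced.
#    The entity id must equal the SAML client id configured in Keycloak.
saml.sso.metadata-generator.entity-id=nwdash
saml.sso.metadata-generator.entity-base-url=http://localhost:8082

# 3. IdP metadata, downloaded once from the realm's SAML descriptor endpoint
#    (http://localhost:8080/auth/realms/UIoTRealm/protocol/saml/descriptor for this realm)
#    and stored on the classpath so the IdP signing certificate you trust is fixed at build time.
saml.sso.idps.metadata-location=classpath:/keycloak-idp-metadata.xml

# 4. SP signing key pair (the self-signed pair from the plugin's example). Only the public
#    certificate is uploaded to the Keycloak client; the DER private key never leaves the SP.
saml.sso.key-manager.private-key-der-location=classpath:/localhost.key.der
saml.sso.key-manager.public-key-pem-location=classpath:/localhost.cert

# 5. Keycloak's "PL00064: Parser: Unknown Start Element: Scoping" means its SAML parser rejected
#    the <Scoping> element that spring-security-saml adds to AuthnRequests by default, which is
#    why the login is then reported as error=invalid_token with clientId=null.
#    Assumption: the plugin exposes WebSSOProfileOptions.includeScoping under this key.
saml.sso.profile-options.include-scoping=false
```

After restarting, the DEBUG PROTOCOL_MESSAGE output should show an AuthnRequest without a Scoping element, and the two MetadataGeneratorFilter warnings should no longer appear.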