[midPoint] MIDPOINT 4.8.3 - KEYCLOAK AUTHENTICATION
Carlos Ferreira
carlos18619 at gmail.com
Fri Jun 14 20:27:29 CEST 2024
Hi, everyone,
1. I am trying to configure Midpoint 4.8.3 to authenticate using Keycloak
19.0.3;
2. I have created a client "midpoint48localhost" on Keycloak with the
following configuration:
Client Protocol : openid-connect
Access Type: public
Root URL : http://10.3.180.15:8080/midpoint
Valid Redirect URIs: http://10.3.180.15:8080/midpoint/*
3. On Midpoint, the Security Policy is configured as:
<securitypolicy>
  (...)
  <modules>
    <loginForm id="1">
      <identifier>loginForm</identifier>
    </loginForm>
    <httpBasic id="2">
      <identifier>httpBasic</identifier>
    </httpBasic>
    <oidc id="18">
      <identifier>gui-oidc</identifier>
      <client id="19">
        <registrationId>oidc-registration</registrationId>
        <clientId>midpoint48localhost</clientId>
        <openIdProvider>
          <authorizationUri>https://keycloak-hom.trt3.jus.br/auth/realms/trt3/protocol/openid-connect/auth</authorizationUri>
          <tokenUri>https://keycloak-hom.trt3.jus.br/auth/realms/trt3/protocol/openid-connect/token</tokenUri>
          <userInfoUri>https://keycloak-hom.trt3.jus.br/auth/realms/trt3/protocol/openid-connect/userinfo</userInfoUri>
          <jwkSetUri>https://keycloak-hom.trt3.jus.br/auth/realms/trt3/protocol/openid-connect/certs</jwkSetUri>
          <issuerUri>https://keycloak-hom.trt3.jus.br/auth/realms/trt3</issuerUri>
          <endSessionUri>https://keycloak-hom.trt3.jus.br/auth/realms/trt3/protocol/openid-connect/logout</endSessionUri>
        </openIdProvider>
      </client>
    </oidc>
    (...)
    <sequence id="16">
      <identifier>gui-oidc</identifier>
      <channel>
        <channelId>http://midpoint.evolveum.com/xml/ns/public/common/channels-3#user</channelId>
        <default>true</default>
        <urlSuffix>gui-oidc</urlSuffix>
      </channel>
      <module id="17">
        <identifier>gui-oidc</identifier>
        <order>10</order>
        <necessity>sufficient</necessity>
      </module>
    </sequence>
    (...)
</securitypolicy>
4. When I try to authenticate on Midpoint using Keycloak, I am presented
with a form (from Keycloak) and succeed in logging in. As proof, a
session is registered:
IP Address    Started                    Last Access                Clients
10.3.180.15   Jun 14, 2024 11:57:46 AM   Jun 14, 2024 11:57:46 AM   midpoint48localhost
10.3.180.15   Jun 14, 2024 11:51:59 AM   Jun 14, 2024 11:51:40 AM   midpoint48localhost
5. Yet, when redirecting to Midpoint, I receive the following error:
Currently we are unable to process your request. Kindly try again later.
6. And an error is registered on the midpoint.log file:
2024-06-14 14:57:13,677 [REPOSITORY] [http-nio-8080-exec-3] INFO
(com.evolveum.midpoint.audit.log): 2024-06-14T14:57:13.677+0000
eid=1718377033677-42516-2, et=CREATE_SESSION, es=REQUEST,
sid=C13E267CCD89C262F2E7CBCCA336466F, rid=null, tid=1718377033677-42516-1,
toid=null, hid=50cacb4119c3, nid=DefaultNode, raddr=10.3.180.15, I=null,
EP=null, epm=null, T=null, TO=null, D=[],
ch=http://midpoint.evolveum.com/xml/ns/public/common/channels-3#user,
o=FATAL_ERROR, p=null, m=[invalid_token_response] An error occurred while
attempting to retrieve the OAuth 2.0 Access Token Response: I/O error on
POST request for
"https://keycloak-hom.trt3.jus.br/auth/realms/trt3/protocol/openid-connect/token":
Unexpected error: java.security.InvalidAlgorithmParameterException: the
trustAnchors parameter must be non-empty

2024-06-14 14:57:13,680 [REPOSITORY] [http-nio-8080-exec-3] INFO
(com.evolveum.midpoint.audit.log): 2024-06-14T14:57:13.679+0000
eid=1718377033679-42516-2, et=CREATE_SESSION, es=REQUEST,
sid=C13E267CCD89C262F2E7CBCCA336466F, rid=null, tid=1718377033679-42516-1,
toid=null, hid=50cacb4119c3, nid=DefaultNode, raddr=10.3.180.15, I=null,
EP=null, epm=null, T=null, TO=null, D=[],
ch=http://midpoint.evolveum.com/xml/ns/public/common/channels-3#user,
o=FATAL_ERROR, p=unknown user, m=OIDC authentication module:
web.security.provider.unavailable
Has anybody succeeded in the integration?
Thanks,
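Editor's note, not part of the post: the "trustAnchors parameter must be non-empty" text in the log above is the message the JDK raises when the trust store the JVM uses for outbound TLS contains no trusted CA entries at all, so the HTTPS call to the Keycloak token endpoint fails before any certificate is even compared. The following added diagnostic (not midPoint or Keycloak code) resolves the trust store the same way the JDK does from the javax.net.ssl.* system properties, defaulting to the JDK's cacerts, and rebuilds the PKIXParameters step that produces that exact exception; run it with the same JVM options midPoint is started with.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.InvalidAlgorithmParameterException;
import java.security.KeyStore;
import java.security.cert.PKIXParameters;
import java.security.cert.TrustAnchor;
import java.util.Set;

/** Added diagnostic for the "trustAnchors parameter must be non-empty" failure; not midPoint code. */
public class TrustStoreCheck {

    /** Resolve the trust store as the JDK does: javax.net.ssl.* properties, else $JAVA_HOME/lib/security/cacerts. */
    static KeyStore loadTrustStore() throws Exception {
        String path = System.getProperty("javax.net.ssl.trustStore",
                System.getProperty("java.home") + "/lib/security/cacerts");
        // "changeit" is the JDK's default cacerts password; an empty or wrong -Djavax.net.ssl.trustStore
        // path is a common way to end up with an empty store and exactly the logged exception.
        String password = System.getProperty("javax.net.ssl.trustStorePassword", "changeit");
        String type = System.getProperty("javax.net.ssl.trustStoreType", KeyStore.getDefaultType());
        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password.toCharArray());
        }
        System.out.println("Trust store: " + path + " (type " + type + ")");
        return ks;
    }

    /** Same construction the JDK's PKIX validator performs; throws the logged exception when no CA entries exist. */
    static Set<TrustAnchor> trustAnchors(KeyStore ks) throws Exception {
        return new PKIXParameters(ks).getTrustAnchors();
    }

    public static void main(String[] args) throws Exception {
        KeyStore ks = loadTrustStore();
        try {
            Set<TrustAnchor> anchors = trustAnchors(ks);
            System.out.println(anchors.size() + " trust anchor(s):");
            for (TrustAnchor ta : anchors) {
                System.out.println("  " + ta.getTrustedCert().getSubjectX500Principal());
            }
        } catch (InvalidAlgorithmParameterException e) {
            // This is the condition behind midPoint's "Unexpected error: ... trustAnchors parameter must be non-empty".
            System.out.println("No trust anchors: " + e.getMessage());
            System.out.println("Import the CA that issued the Keycloak server certificate into this store, e.g.");
            System.out.println("  keytool -importcert -trustcacerts -alias keycloak-ca -file ca.pem"
                    + " -keystore <trust store path> -storepass <password>");
        }
    }
}
```

If the store is non-empty but the Keycloak CA is not among the listed anchors, the handshake fails with a different message (a PKIX path building error), so this check separates the two causes.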