[midPoint] MIDPOINT 4.8.3 - KEYCLOAK AUTHENTICATION

Richard Frovarp richard.frovarp at ndsu.edu
Fri Jun 14 20:33:38 CEST 2024


This is likely your problem:

java.security.InvalidAlgorithmParameterException: the trustAnchors 
parameter must be non-empty

What keystore are you using? This kinda sounds like an empty keystore. 
Or at least one that doesn't have a path for your Keycloak cert. If you 
have a keystore specifically for midPoint (which I think is the 
recommendation), you need to import the CA cert for your Keycloak path. 
And make sure Keycloak is sending the intermediate.

On 6/14/24 13:27, Carlos Ferreira via midPoint wrote:
> Hi, everyone
>
> 1. I am trying to configure Midpoint 4.8.3 to authenticate using 
> Keycloak 19.0.3;
> 2. I have created a client "midpoint48localhost" on Keycloak with the 
> following configuration:
>
> Client Protocol : openid-connect
> Access Type: public
> Root URL : http://10.3.180.15:8080/midpoint
> Valid Redirect URIs: http://10.3.180.15:8080/midpoint/*
>
> 3. On Midpoint, the Security Policy is configured as:
>
> <securityPolicy>
>
> (...)
>         <modules>
>             <loginForm id="1">
>                 <identifier>loginForm</identifier>
>             </loginForm>
>             <httpBasic id="2">
>                 <identifier>httpBasic</identifier>
>             </httpBasic>
>             <oidc id="18">
>                 <identifier>gui-oidc</identifier>
>                 <client id="19">
>                     <registrationId>oidc-registration</registrationId>
>                     <clientId>midpoint48localhost</clientId>
>                     <openIdProvider>
>                         <authorizationUri>https://keycloak-hom.trt3.jus.br/auth/realms/trt3/protocol/openid-connect/auth</authorizationUri>
>                         <tokenUri>https://keycloak-hom.trt3.jus.br/auth/realms/trt3/protocol/openid-connect/token</tokenUri>
>                         <userInfoUri>https://keycloak-hom.trt3.jus.br/auth/realms/trt3/protocol/openid-connect/userinfo</userInfoUri>
>                         <jwkSetUri>https://keycloak-hom.trt3.jus.br/auth/realms/trt3/protocol/openid-connect/certs</jwkSetUri>
>                         <issuerUri>https://keycloak-hom.trt3.jus.br/auth/realms/trt3</issuerUri>
>                         <endSessionUri>https://keycloak-hom.trt3.jus.br/auth/realms/trt3/protocol/openid-connect/logout</endSessionUri>
>                     </openIdProvider>
>                 </client>
>             </oidc>
>
> (...)
>         <sequence id="16">
>             <identifier>gui-oidc</identifier>
>             <channel>
>                 <channelId>http://midpoint.evolveum.com/xml/ns/public/common/channels-3#user</channelId>
>                 <default>true</default>
>                 <urlSuffix>gui-oidc</urlSuffix>
>             </channel>
>             <module id="17">
>                 <identifier>gui-oidc</identifier>
>                 <order>10</order>
>                 <necessity>sufficient</necessity>
>             </module>
>         </sequence>
>
> (...)
> </securityPolicy>
>
> 4. When I try to authenticate on Midpoint using Keycloak, I am 
> presented with a form (from Keycloak) and succeed in logging in. As 
> proof, a session is registered:
>
>   IP Address    Started                   Last Access               Clients
>   10.3.180.15   Jun 14, 2024 11:57:46 AM  Jun 14, 2024 11:57:46 AM  midpoint48localhost
>   10.3.180.15   Jun 14, 2024 11:51:59 AM  Jun 14, 2024 11:51:40 AM  midpoint48localhost
>
> 5. Yet, when redirecting to Midpoint, I receive the following error:
>
> Currently we are unable to process your request. Kindly try again later.
>
> 6. And an error is registered on the midpoint.log file:
>
>
> 2024-06-14 14:57:13,677 [REPOSITORY] [http-nio-8080-exec-3] INFO 
> (com.evolveum.midpoint.audit.log): 2024-06-14T14:57:13.677+0000 
> eid=1718377033677-42516-2, et=CREATE_SESSION, es=REQUEST, 
> sid=C13E267CCD89C262F2E7CBCCA336466F, rid=null, 
> tid=1718377033677-42516-1, toid=null, hid=50cacb4119c3, 
> nid=DefaultNode, raddr=10.3.180.15, I=null, EP=null, epm=null, T=null, 
> TO=null, D=[], 
> ch=http://midpoint.evolveum.com/xml/ns/public/common/channels-3#user, 
> o=FATAL_ERROR, p=null, m=[invalid_token_response] An error occurred 
> while attempting to retrieve the OAuth 2.0 Access Token Response: I/O 
> error on POST request for 
> "https://keycloak-hom.trt3.jus.br/auth/realms/trt3/protocol/openid-connect/token": 
> Unexpected error: java.security.InvalidAlgorithmParameterException: 
> the trustAnchors parameter must be non-empty
>
> 2024-06-14 14:57:13,680 [REPOSITORY] [http-nio-8080-exec-3] INFO 
> (com.evolveum.midpoint.audit.log): 2024-06-14T14:57:13.679+0000 
> eid=1718377033679-42516-2, et=CREATE_SESSION, es=REQUEST, 
> sid=C13E267CCD89C262F2E7CBCCA336466F, rid=null, 
> tid=1718377033679-42516-1, toid=null, hid=50cacb4119c3, 
> nid=DefaultNode, raddr=10.3.180.15, I=null, EP=null, epm=null, T=null, 
> TO=null, D=[], 
> ch=http://midpoint.evolveum.com/xml/ns/public/common/channels-3#user, 
> o=FATAL_ERROR, p=unknown user, m=OIDC authentication module: 
> web.security.provider.unavailable
>
>
> Has anybody succeeded in the integration?
>
> Thks,
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> https://lists.evolveum.com/mailman/listinfo/midpoint
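Added diagnostic for the failure discussed above (not code from the thread or from the midPoint project): a small Java program that checks the two things Richard points at. It counts the trusted-certificate entries in the truststore the midPoint JVM is using (zero entries is exactly what makes the PKIX trust manager throw "the trustAnchors parameter must be non-empty" on the first outbound TLS handshake, here the POST to the token endpoint), then connects to the Keycloak host once with a chain-capturing trust manager to print the certificate chain the server actually sends, and once with the real truststore to reproduce the token-endpoint handshake. The truststore path, type, password and host are command-line arguments; the class and function names are my own.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/** Diagnose "the trustAnchors parameter must be non-empty" for an OIDC provider over TLS. */
public class TrustStoreCheck {

    static KeyStore load(String path, String type, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(type);
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    /** trustedCertEntry count; PKIX needs at least one, a keystore holding only secret keys has none. */
    static int countTrustAnchors(KeyStore ks) throws Exception {
        int n = 0;
        for (String alias : Collections.list(ks.aliases())) {
            if (ks.isCertificateEntry(alias)) n++;
        }
        return n;
    }

    /** Alias of a trusted entry that issued some certificate in the presented chain, or null. */
    static String anchorFor(List<X509Certificate> chain, KeyStore ks) throws Exception {
        for (String alias : Collections.list(ks.aliases())) {
            Certificate t = ks.isCertificateEntry(alias) ? ks.getCertificate(alias) : null;
            if (!(t instanceof X509Certificate)) continue;
            for (X509Certificate c : chain) {
                if (c.getIssuerX500Principal().equals(((X509Certificate) t).getSubjectX500Principal())) return alias;
            }
        }
        return null;
    }

    /** One handshake that accepts anything, only to capture what the server sends (diagnostics only). */
    static List<X509Certificate> fetchServerChain(String host, int port) throws Exception {
        List<X509Certificate> captured = new ArrayList<>();
        X509TrustManager capture = new X509TrustManager() {
            public void checkClientTrusted(X509Certificate[] c, String a) {}
            public void checkServerTrusted(X509Certificate[] chain, String a) { Collections.addAll(captured, chain); }
            public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
        };
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { capture }, null);
        try (SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket(host, port)) {
            s.startHandshake();
        }
        return captured;
    }

    /** The strict handshake the token request performs: PKIX against the given truststore, with hostname check. */
    static String verifyWithTrustStore(String host, int port, KeyStore ks) {
        try {
            TrustManagerFactory tmf = TrustManagerFactory.getInstance("PKIX");
            tmf.init(ks);
            SSLContext ctx = SSLContext.getInstance("TLS");
            ctx.init(null, tmf.getTrustManagers(), null);
            try (SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket(host, port)) {
                SSLParameters p = s.getSSLParameters();
                p.setEndpointIdentificationAlgorithm("HTTPS");
                s.setSSLParameters(p);
                s.startHandshake();
            }
            return "OK";
        } catch (Exception e) {
            Throwable root = e;                       // unwrap SSLException -> ... -> InvalidAlgorithmParameterException
            while (root.getCause() != null) root = root.getCause();
            return root.getClass().getName() + ": " + root.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        if (args.length < 4) {
            System.err.println("usage: TrustStoreCheck <truststore> <jks|jceks|pkcs12> <password> <host> [port]");
            System.exit(2);
        }
        String host = args[3];
        int port = args.length > 4 ? Integer.parseInt(args[4]) : 443;
        KeyStore ks = load(args[0], args[1], args[2].toCharArray());
        int anchors = countTrustAnchors(ks);
        System.out.println("trusted certificate entries in " + args[0] + ": " + anchors);
        if (anchors == 0) System.out.println("  -> PKIX will fail with 'the trustAnchors parameter must be non-empty'");
        List<X509Certificate> chain = fetchServerChain(host, port);
        System.out.println("chain sent by " + host + ":" + port);
        for (X509Certificate c : chain) {
            System.out.println("  subject=" + c.getSubjectX500Principal());
            System.out.println("  issuer =" + c.getIssuerX500Principal());
        }
        X509Certificate last = chain.get(chain.size() - 1);
        boolean endsAtRoot = last.getIssuerX500Principal().equals(last.getSubjectX500Principal());
        String anchor = anchorFor(chain, ks);
        if (!endsAtRoot && anchor == null) {
            System.out.println("  -> chain stops at an intermediate no trusted entry issued: server omits the intermediate, or CA not imported");
        } else if (anchor != null) {
            System.out.println("  -> chain is anchored by truststore entry '" + anchor + "'");
        }
        System.out.println("strict handshake with this truststore: " + verifyWithTrustStore(host, port, ks));
    }
}
```

Run it against the same truststore and password the midPoint JVM is started with (the file named by `-Djavax.net.ssl.trustStore`, with `-Djavax.net.ssl.trustStoreType` for a JCEKS store; if no such property is set, the JDK's `lib/security/cacerts` is in use). A count of zero trusted entries reproduces the error in the log regardless of what Keycloak sends; a non-zero count together with a chain that ends at an intermediate with no matching anchor points at the second half of Richard's advice, either importing the issuing CA (`keytool -importcert -trustcacerts -alias keycloak-ca -file ca.pem -keystore <truststore>`) or fixing the Keycloak TLS configuration so it serves the intermediate. The capturing trust manager exists only to print the chain; do not reuse it in anything that talks to the token endpoint for real.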
