[midPoint] MIDPOINT 4.8.3 - KEYCLOAK AUTHENTICATION
Markus Calmius
markus.calmius at proton.ch
Mon Jun 17 09:47:18 CEST 2024
Hi,
Not using the same versions though [1], but the only configuration you need in midPoint for accessing Keycloak is:
<issuerUri>HOST_NAME/realms/YOUR_REALM</issuerUri>
If you get errors like "missing authorizationUri", midPoint cannot communicate with Keycloak. It is probably the problem that Richard is highlighting in his response.
It is a good test though: remove everything except the issuerUri from the <openIdProvider> section, and once the errors are gone, you're good to go.
[1]
midpoint: 4.8(.0)
Keycloak: 20.0.0 and 21.1.2
Kind regards,
Markus
On Friday, 14 June 2024 at 20:33, midpoint-request at lists.evolveum.com <midpoint-request at lists.evolveum.com> wrote:
> Today's Topics:
>
> 1. MIDPOINT 4.8.3 - KEYCLOAK AUTHENTICATION (Carlos Ferreira)
> 2. Re: MIDPOINT 4.8.3 - KEYCLOAK AUTHENTICATION (Richard Frovarp)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Fri, 14 Jun 2024 15:27:29 -0300
> From: Carlos Ferreira carlos18619 at gmail.com
>
> To: midPoint General Discussion midpoint at lists.evolveum.com
>
> Subject: [midPoint] MIDPOINT 4.8.3 - KEYCLOAK AUTHENTICATION
> Message-ID:
> CAJHEg66La62088=T98wS3XNmnn9jJREoiqZ5h9txCWzbkCGgvw at mail.gmail.com
>
> Content-Type: text/plain; charset="utf-8"
>
> Hi, everyone
>
> 1. I am trying to configure Midpoint 4.8.3 to authenticate using Keycloak
> 19.0.3;
> 2. I have created a client "midpoint48localhost" on Keycloak with the
> following configuration:
>
> Client Protocol : openid-connect
> Access Type: public
> Root URL : http://10.3.180.15:8080/midpoint
> Valid Redirect URIs: http://10.3.180.15:8080/midpoint/*
>
> 3. On Midpoint, the Security Policy is configured as:
>
> <securitypolicy>
>   (...)
>   <modules>
>     <loginForm id="1">
>       <identifier>loginForm</identifier>
>     </loginForm>
>     <httpBasic id="2">
>       <identifier>httpBasic</identifier>
>     </httpBasic>
>     <oidc id="18">
>       <identifier>gui-oidc</identifier>
>       <client id="19">
>         <registrationId>oidc-registration</registrationId>
>         <clientId>midpoint48localhost</clientId>
>         <openIdProvider>
>           <authorizationUri>https://keycloak-hom.trt3.jus.br/auth/realms/trt3/protocol/openid-connect/auth</authorizationUri>
>           <tokenUri>https://keycloak-hom.trt3.jus.br/auth/realms/trt3/protocol/openid-connect/token</tokenUri>
>           <userInfoUri>https://keycloak-hom.trt3.jus.br/auth/realms/trt3/protocol/openid-connect/userinfo</userInfoUri>
>           <jwkSetUri>https://keycloak-hom.trt3.jus.br/auth/realms/trt3/protocol/openid-connect/certs</jwkSetUri>
>           <issuerUri>https://keycloak-hom.trt3.jus.br/auth/realms/trt3</issuerUri>
>           <endSessionUri>https://keycloak-hom.trt3.jus.br/auth/realms/trt3/protocol/openid-connect/logout</endSessionUri>
>         </openIdProvider>
>       </client>
>     </oidc>
>   (...)
>   <sequence id="16">
>     <identifier>gui-oidc</identifier>
>     <channel>
>       <channelId>http://midpoint.evolveum.com/xml/ns/public/common/channels-3#user</channelId>
>       <default>true</default>
>       <urlSuffix>gui-oidc</urlSuffix>
>     </channel>
>     <module id="17">
>       <identifier>gui-oidc</identifier>
>       <order>10</order>
>       <necessity>sufficient</necessity>
>     </module>
>   </sequence>
>   (...)
> </securitypolicy>
>
>
> 4. When I try to authenticate on Midpoint using keycloak, I am presented
> with a form (from keycloak) and succeed on logging in. As a proof, a
> session is registered:
>
>
> IP Address    Started                   Last Access               Clients
> 10.3.180.15   Jun 14, 2024 11:57:46 AM  Jun 14, 2024 11:57:46 AM  midpoint48localhost
> 10.3.180.15   Jun 14, 2024 11:51:59 AM  Jun 14, 2024 11:51:40 AM  midpoint48localhost
>
>
> 5. Yet, when redirecting to Midpoint, I receive the following error:
>
>
> Currently we are unable to process your request. Kindly try again later.
> 6. And an error is registered on the midpoint.log file:
>
>
> 2024-06-14 14:57:13,677 [REPOSITORY] [http-nio-8080-exec-3] INFO
> (com.evolveum.midpoint.audit.log): 2024-06-14T14:57:13.677+0000
> eid=1718377033677-42516-2, et=CREATE_SESSION, es=REQUEST,
> sid=C13E267CCD89C262F2E7CBCCA336466F, rid=null, tid=1718377033677-42516-1,
> toid=null, hid=50cacb4119c3, nid=DefaultNode, raddr=10.3.180.15, I=null,
> EP=null, epm=null, T=null, TO=null, D=[],
> ch=http://midpoint.evolveum.com/xml/ns/public/common/channels-3#user,
> o=FATAL_ERROR, p=null, m=[invalid_token_response] An error occurred while
> attempting to retrieve the OAuth 2.0 Access Token Response: I/O error on
> POST request for
> "https://keycloak-hom.trt3.jus.br/auth/realms/trt3/protocol/openid-connect/token":
> Unexpected error: java.security.InvalidAlgorithmParameterException: the
> trustAnchors parameter must be non-empty
>
> 2024-06-14 14:57:13,680 [REPOSITORY] [http-nio-8080-exec-3] INFO
> (com.evolveum.midpoint.audit.log): 2024-06-14T14:57:13.679+0000
> eid=1718377033679-42516-2, et=CREATE_SESSION, es=REQUEST,
> sid=C13E267CCD89C262F2E7CBCCA336466F, rid=null, tid=1718377033679-42516-1,
> toid=null, hid=50cacb4119c3, nid=DefaultNode, raddr=10.3.180.15, I=null,
> EP=null, epm=null, T=null, TO=null, D=[],
> ch=http://midpoint.evolveum.com/xml/ns/public/common/channels-3#user,
> o=FATAL_ERROR, p=unknown user, m=OIDC authentication module:
> web.security.provider.unavailable
>
>
> Has anybody succeeded in the integration?
>
> Thks,
>
>
> ------------------------------
>
> Message: 2
> Date: Fri, 14 Jun 2024 13:33:38 -0500
> From: Richard Frovarp richard.frovarp at ndsu.edu
>
> To: midpoint at lists.evolveum.com
> Subject: Re: [midPoint] MIDPOINT 4.8.3 - KEYCLOAK AUTHENTICATION
> Message-ID: 03e9b7fe-62bd-4b30-9b25-2c32964afe3d at ndsu.edu
>
> Content-Type: text/plain; charset="utf-8"; Format="flowed"
>
> This is likely your problem:
>
> java.security.InvalidAlgorithmParameterException: the trustAnchors
> parameter must be non-empty
>
> What keystore are you using? This kinda sounds like an empty keystore.
> Or at least one that doesn't have a path for your Keycloak cert. If you
> have a keystore specifically for midPoint (which I think is the
> recommendation), you need to import the CA cert for your Keycloak path.
> And make sure Keycloak is sending the intermediate.
>
> ------------------------------
>
> Subject: Digest Footer
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> https://lists.evolveum.com/mailman/listinfo/midpoint
>
>
> ------------------------------
>
> End of midPoint Digest, Vol 146, Issue 8
> ****************************************
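Markus's point at the top of the thread is that midPoint only needs <issuerUri> because it derives the remaining endpoints from the provider's discovery document (issuerUri + /.well-known/openid-configuration); a "missing authorizationUri" error means that lookup failed, typically for the TLS trust reason Richard describes (an empty or incomplete truststore). The checker below is an added example, not code from the thread or from midPoint or Keycloak; it validates a discovery document against the configured issuerUri before the extra URIs are stripped from the policy, and the sample document uses a constructed placeholder host rather than the one in the thread.

```python
import json
from urllib.parse import urlparse

# Endpoints midPoint's openIdProvider needs; the discovery document must
# publish at least these (userinfo and end_session are optional).
REQUIRED = ("authorization_endpoint", "token_endpoint", "jwks_uri")
OPTIONAL = ("userinfo_endpoint", "end_session_endpoint")

def check_discovery(issuer_uri, document):
    """Return a list of problems; empty means every endpoint is derivable from issuerUri."""
    problems = []
    try:
        doc = json.loads(document)
    except json.JSONDecodeError as exc:
        return ["discovery document is not JSON: %s" % exc]
    # OpenID Connect Discovery requires the published issuer to equal the
    # issuer the document was fetched for; a mismatch breaks token validation.
    if doc.get("issuer") != issuer_uri:
        problems.append("issuer mismatch: %r != %r" % (doc.get("issuer"), issuer_uri))
    issuer_host = urlparse(issuer_uri).netloc
    for key in REQUIRED + OPTIONAL:
        value = doc.get(key)
        if value is None:
            if key in REQUIRED:
                problems.append("missing " + key)
            continue
        parsed = urlparse(value)
        if parsed.scheme != "https":
            problems.append("%s is not https: %s" % (key, value))
        if parsed.netloc != issuer_host:
            problems.append("%s host %s differs from issuer host %s" % (key, parsed.netloc, issuer_host))
    return problems

# Constructed sample (placeholder host) mirroring the Keycloak endpoint layout
# seen in the thread: <issuer>/protocol/openid-connect/<endpoint>.
SAMPLE_ISSUER = "https://keycloak.example.test/auth/realms/myrealm"
SAMPLE_DOC = json.dumps({
    "issuer": SAMPLE_ISSUER,
    "authorization_endpoint": SAMPLE_ISSUER + "/protocol/openid-connect/auth",
    "token_endpoint": SAMPLE_ISSUER + "/protocol/openid-connect/token",
    "jwks_uri": SAMPLE_ISSUER + "/protocol/openid-connect/certs",
    "userinfo_endpoint": SAMPLE_ISSUER + "/protocol/openid-connect/userinfo",
    "end_session_endpoint": SAMPLE_ISSUER + "/protocol/openid-connect/logout",
})

if __name__ == "__main__":
    for line in check_discovery(SAMPLE_ISSUER, SAMPLE_DOC) or ["discovery document OK"]:
        print(line)
```

To check a live realm, fetch issuerUri + "/.well-known/openid-configuration" with the same truststore midPoint uses and pass the response body to check_discovery; if the fetch itself fails on TLS, the truststore, not the midPoint policy, is the thing to fix.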