<!DOCTYPE html><html><head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body>
<div class="moz-cite-prefix">This is likely your problem:<br>
<br>
java.security.InvalidAlgorithmParameterException: the trustAnchors
parameter must be non-empty</div>
<div class="moz-cite-prefix"><br>
</div>
<div class="moz-cite-prefix">What keystore are you using? This kinda
sounds like an empty keystore. Or at least one that doesn't have a
path for your Keycloak cert. If you have a keystore specifically
for midPoint (which I think is the recommendation), you need to
import the CA cert for your Keycloak path. And make sure Keycloak
is sending the intermediate.<br>
</div>
<div class="moz-cite-prefix"><br>
</div>
<div class="moz-cite-prefix">On 6/14/24 13:27, Carlos Ferreira via
midPoint wrote:<br>
</div>
<blockquote type="cite" cite="mid:CAJHEg66La62088=T98wS3XNmnn9jJREoiqZ5h9txCWzbkCGgvw@mail.gmail.com">
<div dir="ltr">Hi, everyone<br>
<br>
1. I am trying to configure Midpoint 4.8.3 to authenticate using
Keycloak 19.0.3;<br>
2. I have created a client "midpoint48localhost" on Keycloak
with the following configuration:<br>
<br>
Client Protocol : openid-connect<br>
Access Type: public<br>
Root URL : <a href="http://10.3.180.15:8080/midpoint" moz-do-not-send="true" class="moz-txt-link-freetext">http://10.3.180.15:8080/midpoint</a><br>
Valid Redirect URIs: <a href="http://10.3.180.15:8080/midpoint/*" moz-do-not-send="true" class="moz-txt-link-freetext">http://10.3.180.15:8080/midpoint/*</a><br>
<br>
3. On Midpoint, the Security Policy is configured as:<br>
<br>
<i><font color="#ff0000">&lt;securitypolicy&gt;<br>
<br>
(...)<br>
&lt;modules&gt;<br>
&lt;loginForm id="1"&gt;<br>
&lt;identifier&gt;loginForm&lt;/identifier&gt;<br>
&lt;/loginForm&gt;<br>
&lt;httpBasic id="2"&gt;<br>
&lt;identifier&gt;httpBasic&lt;/identifier&gt;<br>
&lt;/httpBasic&gt;<br>
&lt;oidc id="18"&gt;<br>
&lt;identifier&gt;gui-oidc&lt;/identifier&gt;<br>
&lt;client id="19"&gt;<br>
&lt;registrationId&gt;oidc-registration&lt;/registrationId&gt;<br>
&lt;clientId&gt;midpoint48localhost&lt;/clientId&gt;<br>
&lt;openIdProvider&gt;<br>
&lt;authorizationUri&gt;<a href="https://keycloak-hom.trt3.jus.br/auth/realms/trt3/protocol/openid-connect/auth" moz-do-not-send="true" class="moz-txt-link-freetext">https://keycloak-hom.trt3.jus.br/auth/realms/trt3/protocol/openid-connect/auth</a>&lt;/authorizationUri&gt;<br>
&lt;tokenUri&gt;<a href="https://keycloak-hom.trt3.jus.br/auth/realms/trt3/protocol/openid-connect/token" moz-do-not-send="true" class="moz-txt-link-freetext">https://keycloak-hom.trt3.jus.br/auth/realms/trt3/protocol/openid-connect/token</a>&lt;/tokenUri&gt;<br>
&lt;userInfoUri&gt;<a href="https://keycloak-hom.trt3.jus.br/auth/realms/trt3/protocol/openid-connect/userinfo" moz-do-not-send="true" class="moz-txt-link-freetext">https://keycloak-hom.trt3.jus.br/auth/realms/trt3/protocol/openid-connect/userinfo</a>&lt;/userInfoUri&gt;<br>
&lt;jwkSetUri&gt;<a href="https://keycloak-hom.trt3.jus.br/auth/realms/trt3/protocol/openid-connect/certs" moz-do-not-send="true" class="moz-txt-link-freetext">https://keycloak-hom.trt3.jus.br/auth/realms/trt3/protocol/openid-connect/certs</a>&lt;/jwkSetUri&gt;<br>
&lt;issuerUri&gt;<a href="https://keycloak-hom.trt3.jus.br/auth/realms/trt3" moz-do-not-send="true" class="moz-txt-link-freetext">https://keycloak-hom.trt3.jus.br/auth/realms/trt3</a>&lt;/issuerUri&gt;<br>
&lt;endSessionUri&gt;<a href="https://keycloak-hom.trt3.jus.br/auth/realms/trt3/protocol/openid-connect/logout" moz-do-not-send="true" class="moz-txt-link-freetext">https://keycloak-hom.trt3.jus.br/auth/realms/trt3/protocol/openid-connect/logout</a>&lt;/endSessionUri&gt;<br>
&lt;/openIdProvider&gt;<br>
&lt;/client&gt;<br>
&lt;/oidc&gt;<br>
<br>
(...)<br>
&lt;sequence id="16"&gt;<br>
&lt;identifier&gt;gui-oidc&lt;/identifier&gt;<br>
&lt;channel&gt;<br>
&lt;channelId&gt;<a href="http://midpoint.evolveum.com/xml/ns/public/common/channels-3#user" moz-do-not-send="true" class="moz-txt-link-freetext">http://midpoint.evolveum.com/xml/ns/public/common/channels-3#user</a>&lt;/channelId&gt;<br>
&lt;default&gt;true&lt;/default&gt;<br>
&lt;urlSuffix&gt;gui-oidc&lt;/urlSuffix&gt;<br>
&lt;/channel&gt;<br>
&lt;module id="17"&gt;<br>
&lt;identifier&gt;gui-oidc&lt;/identifier&gt;<br>
&lt;order&gt;10&lt;/order&gt;<br>
&lt;necessity&gt;sufficient&lt;/necessity&gt;<br>
&lt;/module&gt;<br>
&lt;/sequence&gt;<br>
<br>
(...)<br>
&lt;/securitypolicy&gt;</font></i><br>
<br>
4. When I try to authenticate on Midpoint using Keycloak, I am
presented with a form (from Keycloak) and succeed in logging in.
As proof, a session is registered:<br>
<br>
<br>
IP Address | Started | Last Access | Clients<br>
10.3.180.15 | Jun 14, 2024 11:57:46 AM | Jun 14, 2024 11:57:46 AM | midpoint48localhost<br>
10.3.180.15 | Jun 14, 2024 11:51:59 AM | Jun 14, 2024 11:51:40 AM | midpoint48localhost<br>
<br>
<br>
5. Yet, when redirecting to Midpoint, I receive the following
error:<br>
<br>
<i> Currently we are unable to process your request. Kindly try
again later.<br>
</i><br>
6. And an error is registered on the midpoint.log file:<br>
<br>
<br>
<i>2024-06-14 14:57:13,677 [REPOSITORY] [http-nio-8080-exec-3]
INFO (com.evolveum.midpoint.audit.log):
2024-06-14T14:57:13.677+0000 eid=1718377033677-42516-2,
et=CREATE_SESSION, es=REQUEST,
sid=C13E267CCD89C262F2E7CBCCA336466F, rid=null,
tid=1718377033677-42516-1, toid=null, hid=50cacb4119c3,
nid=DefaultNode, raddr=10.3.180.15, I=null, EP=null, epm=null,
T=null, TO=null, D=[], ch=<a href="http://midpoint.evolveum.com/xml/ns/public/common/channels-3#user" moz-do-not-send="true" class="moz-txt-link-freetext">http://midpoint.evolveum.com/xml/ns/public/common/channels-3#user</a>,
o=FATAL_ERROR, p=null, m=[invalid_token_response] An error
occurred while attempting to retrieve the OAuth 2.0 Access
Token Response: I/O error on POST request for "<a href="https://keycloak-hom.trt3.jus.br/auth/realms/trt3/protocol/openid-connect/token" moz-do-not-send="true" class="moz-txt-link-freetext">https://keycloak-hom.trt3.jus.br/auth/realms/trt3/protocol/openid-connect/token</a>":
Unexpected error:
java.security.InvalidAlgorithmParameterException: the
trustAnchors parameter must be non-empty</i>
<div><i><br>
2024-06-14 14:57:13,680 [REPOSITORY] [http-nio-8080-exec-3]
INFO (com.evolveum.midpoint.audit.log):
2024-06-14T14:57:13.679+0000 eid=1718377033679-42516-2,
et=CREATE_SESSION, es=REQUEST,
sid=C13E267CCD89C262F2E7CBCCA336466F, rid=null,
tid=1718377033679-42516-1, toid=null, hid=50cacb4119c3,
nid=DefaultNode, raddr=10.3.180.15, I=null, EP=null,
epm=null, T=null, TO=null, D=[], ch=<a href="http://midpoint.evolveum.com/xml/ns/public/common/channels-3#user" moz-do-not-send="true" class="moz-txt-link-freetext">http://midpoint.evolveum.com/xml/ns/public/common/channels-3#user</a>,
o=FATAL_ERROR, p=unknown user, m=OIDC authentication module:
web.security.provider.unavailable</i><br>
<br>
<br>
Has anybody succeeded in the integration? <br>
<br>
Thanks,</div>
</div>
<br>
<fieldset class="moz-mime-attachment-header"></fieldset>
<pre class="moz-quote-pre" wrap="">_______________________________________________
midPoint mailing list
<a class="moz-txt-link-abbreviated" href="mailto:midPoint@lists.evolveum.com">midPoint@lists.evolveum.com</a>
<a class="moz-txt-link-freetext" href="https://lists.evolveum.com/mailman/listinfo/midpoint">https://lists.evolveum.com/mailman/listinfo/midpoint</a>
</pre>
</blockquote>
<p><br>
</p>
</body>
</html>