Keycloak error : [org.pac4j.oidc.credentials.authenticator.OidcAuthenticator] - authentication

I have integrated the CAS server with Keycloak version 12.0.4. When I go to the CAS login page it redirects me to the keycloak login successfully.
After entering the valid credentials in the keycloak page, it provides an error in the cas logs which is mentioned below:
2021-05-12 08:51:41,865 WARN
[org.pac4j.oidc.credentials.authenticator.OidcAuthenticator] -
<Preferred token endpoint Authentication method: null not available.
Defaulting to: private_key_jwt
Can someone tell me if I'm missing any configuration?

Seems the CAS was not able to take the properties from the cas.properties. I changed the class OidcAuthenticator in the cas package to choose the method "client_secret_basic" manually. After doing this change it's working fine.
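The warning quoted in the question is what an OIDC client logs when no preferred token-endpoint authentication method is configured and it falls back to the first method the provider advertises. The sketch below is an added example, not pac4j or CAS code, and it assumes that fallback behaviour; the discovery excerpt, client ID, secret and function names are constructed for illustration.

```python
import base64
from urllib.parse import quote_plus, urlencode

# Constructed excerpt of an OIDC discovery document (assumption: the provider
# lists private_key_jwt first, which matches the fallback seen in the log).
DISCOVERY = {
    "token_endpoint_auth_methods_supported": [
        "private_key_jwt", "client_secret_basic", "client_secret_post",
    ]
}

def choose_auth_method(preferred, discovery):
    """Return (method, warning); fall back to the provider's first method."""
    # OIDC Discovery: if the list is omitted, the default is client_secret_basic.
    supported = discovery.get("token_endpoint_auth_methods_supported") or ["client_secret_basic"]
    if preferred in supported:
        return preferred, None
    fallback = supported[0]
    return fallback, (f"Preferred token endpoint Authentication method: {preferred} "
                      f"not available. Defaulting to: {fallback}")

def basic_auth_header(client_id, client_secret):
    """client_secret_basic (RFC 6749 section 2.3.1): form-encode, then Base64."""
    pair = f"{quote_plus(client_id)}:{quote_plus(client_secret)}"
    return "Basic " + base64.b64encode(pair.encode()).decode()

def build_token_request(preferred, discovery, client_id, client_secret, code, redirect_uri):
    """Build headers and body for the code exchange using the chosen method."""
    method, warning = choose_auth_method(preferred, discovery)
    body = {"grant_type": "authorization_code", "code": code, "redirect_uri": redirect_uri}
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if method == "client_secret_basic":
        headers["Authorization"] = basic_auth_header(client_id, client_secret)
    elif method == "client_secret_post":
        body.update(client_id=client_id, client_secret=client_secret)
    else:
        # The failure mode behind the warning: a client that only holds a
        # shared secret cannot sign the assertion private_key_jwt requires.
        raise ValueError(f"{method} needs a signing key, but only a client secret is configured")
    return headers, urlencode(body), warning
```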

Related

Unable to issue redirect for OAuth 2.0 transaction - Auth0 login

I’ve just set up my login with Auth0 using Angular. I have created an application in Auth0 and connected it to a MongoDB database, I have tested this connection and it works fine.
When I click ‘Login’ in my angular application, I am presented with the Auth0 login interface. I entered login details to match credentials in my MongoDB database and was asked by Auth0 if my application could access my details, which I granted. After this, an error page appeared stating ‘Unable to issue redirect for OAuth 2.0 transaction’.
I’ve gone back to look at my application settings, and the allowed callback URLs, logged-out URLs and web origins have all been entered. I have no idea what could be causing this issue.
Here is the context data:
"connection": "MongoDB",
"error": {
"message": "Unable to issue redirect for OAuth 2.0 transaction",
"oauthError": "server_error",
"type": "oauth-authorization"

Unable to login to keycloak using master realm credentials

I am using keycloak operator to install keycloak and I have configured keycloak to use an external database (RDS instance). ==> (externalDatabase: true)
The keycloak instances are up and running without any issues.
When I tried to log in to the keycloak UI with master realm credentials, it says that the credentials are invalid, though the credentials are correct.
I am getting the credentials using the following command.
kubectl get secret credential-test -o go-template='{{range $k,$v := .data}}{{printf "%s: " $k}}{{if not $v}}{{$v}}{{else}}{{$v | base64decode}}{{end}}{{"\n"}}{{end}}'
The following is the log from the instance.
07:40:48,172 WARN [org.keycloak.events] (default task-1) type=LOGIN_ERROR, realmId=master, clientId=security-admin-console, userId=566f4e3e-c0f1-4304-bca2-686321d88b87, ipAddress=10.242.3.61, error=invalid_user_credentials, auth_method=openid-connect, auth_type=code, redirect_uri=https://test123.net/auth/admin/master/console/, code_id=5561bc9e-e2b9-41e3-836d-37add6e74c1c, username=admin, authSessionParentId=5561bc9e-e2b9-41e3-836d-37add6e74c1c, authSessionTabId=Oq-orhggRE4
Any advice or suggestion is highly appreciated.
I had this, or a similar issue as well when setting up the operator.
It appears that the external database that supposedly stores the admin username and password isn't updated when a new secret is generated if, say, the CRD for the Keycloak instance is deleted along with the secret. The steps I went through to fix it were to:
Delete the CRD.
Delete the database.
Recreate the database.
Recreate the CRD.
That way, the database should have no reason to accept the new credentials.
There is probably a better solution. But I could not find it in the docs so far.
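When triaging a case like this one, it helps to pull the key=value fields out of the `org.keycloak.events` lines and separate `invalid_user_credentials` (the user exists, the password does not match) from other failures. The parser below is an added example, not code from the thread or from Keycloak; the first sample line is abridged from the question and the other two are constructed.

```python
import re
from collections import Counter

# Sample input: line 1 is abridged from the log quoted in the question,
# lines 2 and 3 are constructed for the example.
SAMPLE_LOG = """\
07:40:48,172 WARN [org.keycloak.events] (default task-1) type=LOGIN_ERROR, realmId=master, clientId=security-admin-console, userId=566f4e3e-c0f1-4304-bca2-686321d88b87, ipAddress=10.242.3.61, error=invalid_user_credentials, auth_method=openid-connect, redirect_uri=https://test123.net/auth/admin/master/console/, username=admin
07:41:02,010 WARN [org.keycloak.events] (default task-2) type=LOGIN_ERROR, realmId=master, clientId=security-admin-console, ipAddress=10.242.3.61, error=invalid_user_credentials, username=admin
07:41:30,555 WARN [org.keycloak.events] (default task-3) type=LOGIN_ERROR, realmId=demo, clientId=account, ipAddress=192.0.2.7, error=user_not_found, username=alice
"""

# Locate the event payload after the logger name and thread name.
EVENT_RE = re.compile(r"\[org\.keycloak\.events\]\s+\([^)]*\)\s+(?P<fields>type=.*)$")
# A value runs until the next ", key=" or end of line, so URLs containing
# "=" or "," without a following space stay intact.
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=, \w+=|$)")

def parse_event(line):
    """Return the event fields as a dict, or None for non-event lines."""
    m = EVENT_RE.search(line)
    if not m:
        return None
    return dict(FIELD_RE.findall(m.group("fields")))

def failed_logins(log_text, realm="master"):
    """Count LOGIN_ERROR events in one realm by (username, ip, error)."""
    counts = Counter()
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev and ev.get("type") == "LOGIN_ERROR" and ev.get("realmId") == realm:
            counts[(ev.get("username"), ev.get("ipAddress"), ev.get("error"))] += 1
    return counts

if __name__ == "__main__":
    for key, n in failed_logins(SAMPLE_LOG).items():
        print(n, *key)
```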

Unable to redirect back to application page after keycloak login

I have deployed the OIDC provider-keycloak in a k8s cluster and it is exposed as a load balancer.
I'm using this along with Istio to redirect back to my application after successful login in keycloak.
The application is accessible at https://<istio-ingressgateway-ip>/hello
When I hit https://<istio-ingressgateway-ip>/hello, it is correctly re-directing me to Keycloak login page at https://<keycloak-ip>/auth/realms/<realm-name>/protocol/openid-connect/auth
However, after entering the username and password for the user, I'm not able to get the redirection back to my application at https://<istio-ingressgateway-ip>/hello.
I think the user set up is correct as I'm successfully able to login to the keycloak user console at
http://<keycloak-ip>/auth/realms/<realm-name>/account
I have configured the below values as the 'valid redirect URIs' in keycloak client:
https://<istio-ingressgateway-ip>
https://<istio-ingressgateway-ip>/hello/oauth/callback
https://<istio-ingressgateway-ip>/*
https://<keycloak-ip>/auth/realms/<realm-name>/protocol/openid-connect/auth/oauth/callback
https://<keycloak-ip>/auth/realms/<realm-name>/protocol/openid-connect/auth
Can someone please let me know what is missing here for the redirection?
Assuming you are using Authservice for the authentication and that your configuration is correct: I had the same issue, and when I looked at the logs from the authservice container in my pod, I got to know that authservice failed to obtain the access token in exchange for the authorization code. The issue, as stated by Ryan from Authservice, was:
When the Authservice tried to gracefully shutdown the TLS connection, and the server on the other side did not participate fully in the graceful shutdown.
This issue now has been fixed, and you can build a new docker image from the master branch to be able to fix it. More details about the issue and its resolution can be found on this github issue.
In case this is not the issue, there could be a problem with the flow from keycloak. You can use OpenID debugger to get the authorization code, and then you can use that code to get the access token. This will help you identify whether there is an issue on the keycloak side.
If your configurations are correct and the above fix doesn't solve your issue, you should consider creating an issue on github with the logs from your authservice container.

Sharepoint: OpenSearch common forms/cookie authentication

I have an OpenSearch provider that I am trying to integrate with Sharepoint (Online). This provider is protected by authentication.
Sharepoint supports Cookie or Form authentication for OpenSearch. When I give a url with login page and click Enter Credentials it shows my page, I enter my credentials and it shows popup asking if authentication was successful. I clicked yes and then it gives the following error:
"An error occurred when communicating with the remote server. This may be because the URL provided was malformed or the site might be unavailable or it could not be reached within the specified timeout or the proxy settings are not configured."
I have tried multiple sites, including for example google:
https://accounts.google.com/ServiceLogin?hl=fr&continue=https://www.google.fr/%3Fgfe_rd%3Dcr%26ei%3D9j-lVdXLMYXF8AesrK-4Dg%26gws_rd%3Dssl#identifier
Do you know if there is some required configuration on the site?

WSO2 IS and API Manager SAML SSO - Login to store/publisher fail

I configured IS and AM with SAML SSO as described in the official documentation.
SSO login for the AM console functions well; I can log in as admin using the unique credential as defined in IS.
When I try to log in to publisher or store, login is redirected to the IS SamlSSO page as expected, but when I insert uid/pwd, the browser is redirected to the publisher login page asking for user credentials. The AM carbon log reports this WARN and ERROR:
TID: [0] [AM] [2014-05-07 17:27:28,171] WARN {org.wso2.carbon.server.admin.module.handler.AuthenticationHandler} -
Illegal access attempt at [2014-05-07 17:27:28,0171] from IP address 192.168.50.60 :
Service is RemoteAuthorizationManagerService
{org.wso2.carbon.server.admin.module.handler.AuthenticationHandler}
TID: [0] [AM] [2014-05-07 17:27:28,172] ERROR {org.apache.axis2.engine.AxisEngine} -
Access Denied. Please login first. {org.apache.axis2.engine.AxisEngine} org.apache.axis2.AxisFault: Access Denied. Please login first.
at org.wso2.carbon.server.admin.module.handler.AuthenticationHandler.authenticate(AuthenticationHandler.java:97)
Any suggestions on how to solve this?
Giovanni,
I made contact with WSO2 as I had the same problem and they directed me to https://wso2.org/jira/browse/APIMANAGER-2118
It appears that there may be a bug in the priority of the SAMLSSOAuthentication and Basic Authentication. I followed the points in the above link, modified APIMHOME/repository/conf/security/authenticators.xml, and changed the priority for SAMLSSO from 10 to 0.
I am now able to move between store/publisher and also carbon for API Manager, Identity Server also BAM.
Hope this helps
Carl.