Keycloak invalid_token Didn't find publicKey for specified kid - load-balancing

I am using Keycloak to secure my REST service and I am able to get the token, but when I use this token to get my REST service response, I get the following error:
HTTP/1.1 401 Unauthorized
Cache-Control: no-cache, no-store, must-revalidate, private
X-Powered-By: Undertow/1
X-XSS-Protection: 1; mode=block
Server: WildFly/11
X-Frame-Options: SAMEORIGIN
Date: Wed, 30 Jan 2019 07:42:45 GMT
Connection: keep-alive
WWW-Authenticate: Bearer realm="demorealm", error="invalid_token", error_description="Didn't find publicKey for specified kid"
X-Content-Type-Options: nosniff
Content-Type: text/html;charset=UTF-8
Content-Length: 71
<html><head><title>Error</title></head><body>Unauthorized</body></html>
I followed the links below but didn't find anything that solves this problem.
keycloak bearer token error - Didn't find publicKey for specified kid
Didn't find publicKey for kid ,Keycloak?
Edit 1 -
As per the details, the token is generated properly with the following command:
curl -X POST -k -H 'Content-Type: application/x-www-form-urlencoded' -i 'https://<IP-ADDRESS>/auth/realms/apirealm/protocol/openid-connect/token' --data 'username=cwlcadmin&password=password#123&client_id=api-client-id&grant_type=password&client_secret=a682049d-587c-4c38-a594-814f08b0ca76'
But when using this token to hit the REST API, the exception declared above comes back:
curl -X GET -k -H 'Authorization: Bearer <ACCESS-TOKEN>' -H 'Content-Type: application/json' -i 'https://<IP-ADDRESS>/api/v2/0/zones'
FYI - I am also using WildFly and the load balancer provided by WildFly.

At last, after a couple of days of struggle, we were able to resolve the issue. The issue was with the subsystem added in the WildFly server; it should be like this:
<subsystem xmlns="urn:jboss:domain:keycloak:1.1">
    <secure-deployment name="sure-admin-web.war">
        <realm>Realm_Name</realm>
        <resource>CLIENT_APP</resource>
        <use-resource-role-mappings>true</use-resource-role-mappings>
        <auth-server-url>https://<KEYCLOAK-IP>:8666/auth/</auth-server-url>
        <ssl-required>NONE</ssl-required>
        <credential name="secret">7df18c0d-d4c7-47b1-b959-af972684dab0</credential>
    </secure-deployment>
</subsystem>
In our case we missed <ssl-required>NONE</ssl-required>, and in <auth-server-url> we had added the wrong load-balancer URL while it should be the Keycloak URL.
FYI - the load balancer is working on HTTPS while Keycloak is running on HTTP.
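Added example (not from the question or either answer): a small Python diagnostic that decodes a token's header and payload without verifying it, then checks the header's kid against the JWKS the adapter would fetch from its configured auth-server-url. That is how a wrong <auth-server-url> (a load balancer that is not Keycloak) surfaces as "Didn't find publicKey for specified kid". The token, URLs and JWKS documents are constructed sample data, and the issuer comparison is this script's own sanity check.

```python
import base64
import json

def b64url_decode(segment: str) -> bytes:
    # JWTs strip base64 padding; restore it before decoding
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_unsigned_jwt(header: dict, payload: dict) -> str:
    # Constructed test token with a dummy signature segment; no real key is involved
    return ".".join([b64url_encode(json.dumps(header).encode()),
                     b64url_encode(json.dumps(payload).encode()),
                     b64url_encode(b"dummy-signature")])

def jwt_parts(token: str):
    # Decode header and payload only; this does NOT verify the signature
    header_b64, payload_b64, _sig = token.split(".")
    return (json.loads(b64url_decode(header_b64)),
            json.loads(b64url_decode(payload_b64)))

def diagnose(token: str, auth_server_url: str, jwks: dict) -> list:
    # jwks is what the adapter gets from <auth-server-url>/realms/<realm>/protocol/openid-connect/certs
    header, payload = jwt_parts(token)
    problems = []
    kid = header.get("kid")
    known_kids = sorted(k.get("kid", "") for k in jwks.get("keys", []))
    if kid not in known_kids:
        problems.append(f"kid {kid!r} not among the JWKS kids {known_kids}")
    # Keycloak issues iss as <auth-server-url>/realms/<realm>; comparing it with the
    # adapter's configured URL is this script's own sanity check, not an adapter step
    iss = payload.get("iss", "")
    if not iss.startswith(auth_server_url.rstrip("/") + "/realms/"):
        problems.append(f"iss {iss!r} is not under auth-server-url {auth_server_url!r}")
    return problems

# Constructed sample data (not the question's token): minted by Keycloak at
# http://keycloak.example:8666/auth, plus the JWKS each adapter config would fetch
TOKEN = make_unsigned_jwt(
    {"alg": "RS256", "typ": "JWT", "kid": "kc-key-1"},
    {"iss": "http://keycloak.example:8666/auth/realms/apirealm", "sub": "user-1"})
KEYCLOAK_JWKS = {"keys": [{"kid": "kc-key-1", "kty": "RSA", "use": "sig"}]}
LB_JWKS = {"keys": []}  # the load balancer is not Keycloak, so no realm keys come back

if __name__ == "__main__":
    print(diagnose(TOKEN, "https://lb.example/auth/", LB_JWKS))  # two problems
    print(diagnose(TOKEN, "http://keycloak.example:8666/auth/", KEYCLOAK_JWKS))  # []
```

Against a live deployment, fetch the JWKS from the adapter's configured auth-server-url and feed it in place of the constructed dictionaries.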

I had a similar problem. My back-end app was in Spring Boot.
Turns out application.properties needed keycloak.realm-key to be set.
Refer to
https://github.com/keycloak/keycloak-documentation/blob/master/securing_apps/topics/oidc/java/java-adapter-config.adoc

How to Validate an Access Token for OAuth2 + PKCE flow

According to this document
https://developers.onelogin.com/openid-connect/guides/auth-flow-pkce
Token Endpoint for the PKCE flow is None (not Basic or POST).
So, how can I use the token validation API https://developers.onelogin.com/openid-connect/api/validate-session, since it supports Basic authentication or POST but not None (PKCE)? I can't find any information related to this.
NOTE: I have tried requesting with Basic authentication and without it, plus client_id and client_secret as parameters, but it is not working.
Response: 401 Unauthorized
{
"error": "invalid_client",
"error_description": "client authentication failed"
}
I'm using OIDC with PKCE, and I managed to call the https://openid-connect.onelogin.com/oidc/token/introspection endpoint with a token retrieved via the authorization code flow:
$ curl -i -d "token=...&token_type_hint=access_token&client_id=..." https://openid-connect.onelogin.com/oidc/token/introspection
HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Content-Length: 304
Content-Type: application/json; charset=utf-8
Date: Thu, 25 Apr 2019 23:37:42 GMT
Pragma: no-cache
X-Powered-By: Express
Set-Cookie: ol_oidc_canary_040819=false; path=/; domain=.onelogin.com
{"active":true,"sub":"...","client_id":"...","exp":1558819177,"iat":1556227177,"sid":"...","iss":"https://openid-connect.onelogin.com/oidc","jti":"...","scope":"openid profile email"}
Both the access_token and refresh_token returned from the auth code flow https://developers.onelogin.com/openid-connect/api/authorization-code-grant worked, and the access_token only returned {"active":false} after it expired.
Make sure you are not setting the Authorization header, and only set your client_id in the payload.
Use client_id and code_verify in the POST body. That will authenticate the request on that endpoint.

Docker Hub API v2 token authentication issue

Currently, I'm working on a very light version of a Docker containers orchestrator and I have to be able to get the image digest from the public Docker Hub registry. I want to use the Docker Registry API v2 for this purpose.
I'm trying to get authorization token using following API call:
curl "https://auth.docker.io/token?service=index.docker.io&scope=repository:alpine:pull"
... and I get a response like the following:
{"token":"<TOKEN>"}
It seems that everything is okay and I'm trying to use obtained token for my next API call:
curl -i -H "Authorization: Bearer <TOKEN>" https://index.docker.io/v2/alpine/manifests/latest
... and here is what I got:
HTTP/1.1 401 Unauthorized
Content-Type: application/json; charset=utf-8
Docker-Distribution-Api-Version: registry/2.0
Www-Authenticate: Bearer realm="https://auth.docker.io/token",service="registry.docker.io",scope="repository:alpine:pull",error="invalid_token"
Date: Thu, 22 Sep 2016 12:27:54 GMT
Content-Length: 138
Strict-Transport-Security: max-age=31536000
{"errors":[{"code":"UNAUTHORIZED","message":"authentication required","detail":[{"Type":"repository","Name":"alpine","Action":"pull"}]}]}
Does anybody have ideas why token authentication fails for such a simple flow?
The response in the Www-Authenticate header is trying to tell you what you need, although it could be more helpful.
First thing: the service you want is registry.docker.io.
Second thing: the repository name in the scope is incomplete. Official repositories only have a single-part name like alpine for the CLI, but in the registry it's properly called library/alpine.
So your token request should be:
curl "https://auth.docker.io/token?service=registry.docker.io&scope=repository:library/alpine:pull"
And then your image request is:
curl --header "Authorization: Bearer eyJh..." https://index.docker.io/v2/library/alpine/manifests/latest
And then you'll get the response.
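Added example (not from the question or the answer): Python that parses the registry's Www-Authenticate challenge, derives the corrected token request from it (right service, repository expanded to library/alpine), and checks a decoded token payload against the challenge's service and scope. The challenge string and the two payloads are constructed samples shaped like the thread's exchange.

```python
import re
from urllib.parse import urlencode

# Constructed challenge, shaped like the Www-Authenticate header in the question
CHALLENGE = ('Bearer realm="https://auth.docker.io/token",service="registry.docker.io",'
             'scope="repository:alpine:pull",error="invalid_token"')

def parse_bearer_challenge(header: str) -> dict:
    # Turn 'Bearer k="v",k2="v2"' into a dict of its quoted parameters
    scheme, _, params = header.partition(" ")
    if scheme.lower() != "bearer":
        raise ValueError(f"not a Bearer challenge: {header!r}")
    return dict(re.findall(r'(\w+)="([^"]*)"', params))

def registry_repo_name(name: str) -> str:
    # Official images are single-part on the CLI but live under library/ in the registry
    return name if "/" in name else f"library/{name}"

def token_url_for(challenge: dict) -> str:
    # Build the token request the registry asks for, with the repository name expanded
    kind, name, actions = challenge["scope"].split(":", 2)
    scope = f"{kind}:{registry_repo_name(name)}:{actions}"
    query = urlencode({"service": challenge["service"], "scope": scope}, safe=":/")
    return f'{challenge["realm"]}?{query}'

def token_covers_challenge(payload: dict, challenge: dict) -> bool:
    # A token is only useful if its audience is the service and an access entry
    # grants every action the scope asks for
    kind, name, actions = challenge["scope"].split(":", 2)
    if payload.get("aud") != challenge["service"]:
        return False
    wanted = set(actions.split(","))
    for entry in payload.get("access", []):
        if (entry.get("type"), entry.get("name")) == (kind, registry_repo_name(name)):
            if wanted <= set(entry.get("actions", [])):
                return True
    return False

# Constructed decoded payloads: one minted for the wrong service with no grants,
# one minted from the corrected token request
WRONG_PAYLOAD = {"iss": "auth.docker.io", "aud": "index.docker.io", "access": []}
RIGHT_PAYLOAD = {"iss": "auth.docker.io", "aud": "registry.docker.io",
                 "access": [{"type": "repository", "name": "library/alpine", "actions": ["pull"]}]}

if __name__ == "__main__":
    challenge = parse_bearer_challenge(CHALLENGE)
    print(token_url_for(challenge))
    print(token_covers_challenge(WRONG_PAYLOAD, challenge), token_covers_challenge(RIGHT_PAYLOAD, challenge))
```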

Kong responds 404 when accessed via Postman

I have set up an API and Kong. I have successfully installed Kong. In fact, I can access my APIs via curl on the CLI. However, when I use Postman, which I use all of the time, I get the response
{
"request_path": "/api/v1/",
"message": "API not found with these values",
"request_host": [
"192.168.33.13"
]
}
PS. I'm new to Kong, so please bear with me.
$ kong start
[INFO] Kong 0.7.0
[INFO] Using configuration: /etc/kong/kong.yml
[INFO] Setting working directory to /usr/local/kong
[INFO] database...........cassandra keyspace=kong ssl=verify=false enabled=false replication_factor=1 contact_points=127.0.0.1:9042 replication_strategy=SimpleStrategy timeout=5000 data_centers=
[INFO] dnsmasq............address=127.0.0.1:8053 dnsmasq=true port=8053
[INFO] serf ..............-profile=wan -rpc-addr=127.0.0.1:7373 -event-handler=member-join,member-leave,member-failed,member-update,member-reap,user:kong=/usr/local/kong/serf_event.sh -bind=0.0.0.0:7946 -node=precise64_0.0.0.0:7946 -log-level=err
[INFO] Trying to auto-join Kong nodes, please wait..
[WARN] Cannot auto-join the cluster because no nodes were found
[WARN] ulimit is currently set to "1024". For better performance set it to at least "4096" using "ulimit -n"
[INFO] nginx .............admin_api_listen=0.0.0.0:8001 proxy_listen=0.0.0.0:8000 proxy_listen_ssl=0.0.0.0:8443
[OK] Started
$ curl -i -X POST --url http://localhost:8001/apis/ --data 'name=geospatial' --data 'upstream_url=http://192.168.33.10/' --data 'request_host=192.168.33.10'
HTTP/1.1 201 Created
Date: Fri, 08 Apr 2016 14:38:22 GMT
Content-Type: application/json; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Access-Control-Allow-Origin: *
Server: kong/0.7.0
{"upstream_url":"http:\/\/192.168.33.10\/","id":"240e6cc6-626f-4629-9551-0d341a57adba","name":"geospatial","created_at":1460126302000,"request_host":"192.168.33.10"}
When I curl the api...
$ curl -i -X GET -H "Host: 192.168.33.10" "http://192.168.33.13:8000/api/v1/"
HTTP/1.1 200 OK
Date: Fri, 08 Apr 2016 14:56:04 GMT
Content-Type: application/json
Content-Length: 70
Connection: keep-alive
Server: Werkzeug/0.11.4 Python/2.7.6
X-Kong-Upstream-Latency: 4
X-Kong-Proxy-Latency: 0
Via: kong/0.7.0
{"status": 200, "message": 200, "data": "Hello World!", "error": null}
However, when I try to use Postman, I get a 404 status response
with this body:
{
"request_path": "/api/v1/",
"message": "API not found with these values",
"request_host": [
"192.168.33.13"
]
}
Am I missing something?
Disclaimer:
I am using Postman because I am lazy and because my clients will mostly be using Postman as well. So don't tell me to use curl instead :)
Just encountered the same problem.
In order to send to Kong you need to add the Host header, but Postman has some restricted headers that are blocked, and Host is one of them.
You need to download Chrome Inspector to send the Host header.
For more details -
https://www.getpostman.com/docs/requests
You need to set up the header parameter named "Host" in order for Kong to find your API.
You can see that your curl command has this parameter:
-H "Host: 192.168.33.10"

How to post JSON data using curl over basic http auth?

I want to post data using the curl Unix command; what I got by googling is to do it like below:
curl --dump-header - -H "Content-Type: application/json" -X POST --data '{"description": "This will prbbly be my lst post.", "transaction_id": "2011-05-22T00:46:38", "account": "another-post"}' http://127.0.0.1:8000/api/transaction/
But it is returning the following response header:
curl: (6) Could not resolve host: POST; nodename nor servname provided, or not known
HTTP/1.0 401 UNAUTHORIZED
Date: Sat, 09 Jun 2012 18:50:37 GMT
Server: WSGIServer/0.1 Python/2.7.1
Content-Type: text/html; charset=utf-8
What am I doing wrong?
You don't need to write "POST" to make curl(1) post - it will do that automatically if you give it a --data argument.
Instead, it is mistaking "POST" for the URL you want to send to, and failing as you might imagine. Drop that word and you should be good.

Authenticate an app and get the access token in flattr api v2

I am a bit stuck authenticating my app and getting an access token when following these instructions: http://developers.flattr.net/v2/
Step 1, Authenticate works fine. I get back the code, and my app is listed in my Settings/Applications with the correct scope.
Then I try to get the access token via the following curl command:
curl -v --user MY_KEY:MY_SECRET -H "Content-Type: application/json" \
  -X POST -d '{"grant_type": "authorization_code", "redirect_uri": "http://localhost/", "code": "MY_CODE"}' \
  https://flattr.com/oauth/token
Unfortunately I always get "invalid_request"
< HTTP/1.1 400 Bad Request
< Strict-Transport-Security: max-age=500
< Set-Cookie: PHPSESSID=d9972s9r5a7t4p0ch4chc4dqh2; path=/; domain=.flattr.com; HttpOnly
< Expires: Thu, 19 Nov 1981 08:52:00 GMT
< Cache-Control: no-store
< Pragma: no-cache
< Content-Type: application/json; charset=utf-8
< Content-Length: 291
< Connection: close
< Date: Wed, 16 Nov 2011 22:38:30 GMT
< Server: lighttpd
<
* Closing connection #0
* SSLv3, TLS alert, Client hello (1):
{"error":"invalid_request","error_description":"The request is missing a required parameter, includes an unsupported parameter or parameter value, repeats a parameter, includes multiple credentials, utilizes more than one mechanism for authenticating the client, or is otherwise malformed."}
Thanks!
I found a bug in the process and it is now smashed. Should be working smooth if you try the request again!