
Comments (10)

AFaust avatar AFaust commented on September 1, 2024 2

@howkymike The client not allowed to exchange to audience error in your own setup (before importing my test realm) has to do with the "Authorization" configuration in the realm-management application. In my WIP docs I wrote that various permissions include a <idOfRepositoryClient> fragment - this is meant as a placeholder for the client ID. Now, there can be some confusion, which I should probably make an effort to clear up in the docs, that this "client ID" does not mean the "Client ID" as displayed in the Keycloak UI, but the actual, technical DB ID of the client in the Keycloak database. This is one aspect where I think the Keycloak UI really sucks - in order to get to that ID, I have not found any other way than to inspect the JSON response from Keycloak when loading the list of clients, and extract the ID from there. In all other contexts that are not "Permission", the "idOfXYZClient" actually means the Client ID as displayed in the UI. In the Permissions section, that naming convention is based on how Keycloak internally performs lookups / checks during token exchange, and is something I had to figure out by looking at Keycloak source code, as it is not really documented.
There is another optional feature of Keycloak that could be enabled via the profile configuration file, which provides a simplified authorization config experience, but I found that it clashed with some other use cases that I had, so I typically never enable that (it simplified too much in my case, removing some expert configuration options I needed).

from alfresco-keycloak.

ayian2004 avatar ayian2004 commented on September 1, 2024 2

Thank you @howkymike and @AFaust
I have successfully logged into Alfresco Share using Keycloak SSO!!!!


AFaust avatar AFaust commented on September 1, 2024 1

The IP does not really matter. The message clearly states an issue with the validation of the subject token, meaning the token Share received for the authenticated user and is now trying to exchange for a token for the same user towards the backend. I must admit I can't remember encountering this error in my own use / tests so far, so don't have an immediate idea as to the cause. I'll have a think about it and re-check the config files ZIP when I have some more time...


AFaust avatar AFaust commented on September 1, 2024 1

No, I did not try to import existing Alfresco users into Keycloak. The use cases I had so far either dealt with adding Keycloak quite early, when only a few users existed and could easily be recreated manually in Keycloak, or an external source (AD-like) was used, so importing via LDAP or simply "as-people-log-in" was sufficient.


AFaust avatar AFaust commented on September 1, 2024

Hi Michal,

just to make sure: Did you work out the configuration on your own or did you notice/find the work-in-progress documentation? Unfortunately regular work is keeping me busy, so I have not had a chance to continue work on that documentation for a while now.

For the initial HTTP 400 error, I would ask that you check in Keycloak with enabled event logging for the CODE_TO_TOKEN / CODE_TO_TOKEN_ERROR, as well as with enabled debug in the Keycloak logs, what specifically Keycloak complains about. My initial guess would be that you have not (yet) set up your Keycloak instance to support token exchange between Share and Repository for the 100% "proper" authentication delegation between the two applications.
The directAuthHost is not required when the auth-server-url can be properly resolved from the Repository / Share host itself. It only exists for those rare cases where you might configure a URL with a host name that is externally resolvable, but not internally (e.g. different domain names for access from outside the network / DMZ than within), or you want to avoid the extra roundtrip via the (public) proxy and go straight to Keycloak (or use a different, internal proxy on a different host).
Your second / additional attempts with the configuration changes actually failed way before the point where the initial one failed, so they are definitely not the way to go. With the configuration for the first attempt, you have two ways to move forward:

  1. enable / set up token exchange in Keycloak
  2. set <perform-token-exchange>false</perform-token-exchange> in the <keycloak-auth-config> section in share-config-custom.xml to disable its use for delegation between Share and Repository. You likely also will have to disable keycloak.adapter.verify-token-audience in the Repository, but to be honest, since adding token exchange as the default (proper) method of delegation, I have not tested the simple "token passthru" all that much.


howkymike avatar howkymike commented on September 1, 2024

Thank you for the immediate response and the right directions. I had followed your documentation (or at least tried to) and configured token-exchange.
After setting verify-token-audience and perform-token-exchange to false it is finally working.

But why does the token exchange not work?
I enabled the token_exchange feature, and in the realm-management client configured Authorization.
In Keycloak I can see the following error:
20:38:50,570 WARN [org.keycloak.events] (default task-9) type=TOKEN_EXCHANGE_ERROR, realmId=alfresco, clientId=alfresco-share, userId=null, ipAddress=my.domain.com/auth, error=invalid_token, reason='subject_token validation failure', auth_method=token_exchange, grant_type=urn:ietf:params:oauth:grant-type:token-exchange, client_auth_method=client-secret
(the ipAddress is my.domain.com/auth but Keycloak is bound to 0.0.0.0, could that be an issue?)


howkymike avatar howkymike commented on September 1, 2024

Well.. I played with Keycloak and now I have another error:
20:59:10,546 WARN [org.keycloak.events] (default task-91) type=TOKEN_EXCHANGE_ERROR, realmId=alfresco, clientId=alfresco-share, userId=null, ipAddress=my.domain.com/auth, error=not_allowed, reason='client not allowed to exchange to audience', auth_method=token_exchange, grant_type=urn:ietf:params:oauth:grant-type:token-exchange, client_auth_method=client-secret

But then I also imported your test realm and it works, so it must be a problem with my realm's config.

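As an added example (not code from this thread or from the alfresco-keycloak project), here is a small Python parser for the org.keycloak.events WARN lines quoted above. It extracts the event's key=value fields and maps the two reasons seen in this thread to the explanations given in it, so the same lines can be triaged straight from a log file. It assumes only the comma-separated key=value layout of the lines above; the first two sample lines are the ones quoted in the thread, the third is constructed to show that other event types are left alone.

```python
"""Parse Keycloak event WARN lines and triage TOKEN_EXCHANGE_ERROR events.

Added example, not code from the alfresco-keycloak project. It assumes the
comma-separated key=value layout shown in the org.keycloak.events lines above.
"""
import re

# First two lines are the ones quoted in this thread; the third is constructed
# (error code chosen for illustration) to show other event types are ignored.
SAMPLE_LINES = [
    "20:38:50,570 WARN [org.keycloak.events] (default task-9) type=TOKEN_EXCHANGE_ERROR, realmId=alfresco, clientId=alfresco-share, userId=null, ipAddress=my.domain.com/auth, error=invalid_token, reason='subject_token validation failure', auth_method=token_exchange, grant_type=urn:ietf:params:oauth:grant-type:token-exchange, client_auth_method=client-secret",
    "20:59:10,546 WARN [org.keycloak.events] (default task-91) type=TOKEN_EXCHANGE_ERROR, realmId=alfresco, clientId=alfresco-share, userId=null, ipAddress=my.domain.com/auth, error=not_allowed, reason='client not allowed to exchange to audience', auth_method=token_exchange, grant_type=urn:ietf:params:oauth:grant-type:token-exchange, client_auth_method=client-secret",
    "21:02:00,001 WARN [org.keycloak.events] (default task-92) type=CODE_TO_TOKEN_ERROR, realmId=alfresco, clientId=alfresco-share, error=invalid_code",
]

EVENT_RE = re.compile(r"\[org\.keycloak\.events\]\s*\(.*?\)\s*(?P<body>type=.*)$")
FIELD_RE = re.compile(r"(\w+)=(?:'([^']*)'|([^,]*))")

# Explanations as given in this thread, keyed by the event's reason field.
KNOWN_REASONS = {
    "subject_token validation failure":
        "Keycloak rejected the token Share presented as subject_token for exchange.",
    "client not allowed to exchange to audience":
        "The realm-management Authorization permission for token exchange is missing "
        "or names the target client by its UI Client ID instead of its internal DB id.",
}

def parse_event(line):
    """Return the key=value fields of an org.keycloak.events line as a dict, or None."""
    m = EVENT_RE.search(line)
    if not m:
        return None
    fields = {}
    # Values such as reason='...' are quoted and may contain spaces, so prefer
    # the quoted alternative and fall back to an unquoted run up to the next comma.
    for key, quoted, bare in FIELD_RE.findall(m.group("body")):
        fields[key] = quoted or bare.strip()
    return fields

def triage(lines):
    """Return (clientId, reason, explanation) for every TOKEN_EXCHANGE_ERROR event."""
    results = []
    for line in lines:
        ev = parse_event(line)
        if not ev or ev.get("type") != "TOKEN_EXCHANGE_ERROR":
            continue
        reason = ev.get("reason", "")
        explanation = KNOWN_REASONS.get(
            reason, "unrecognised reason; enable debug logging in Keycloak")
        results.append((ev.get("clientId"), reason, explanation))
    return results

if __name__ == "__main__":
    for client, reason, why in triage(SAMPLE_LINES):
        print(f"{client}: {reason} -> {why}")
```

Run it against a real server log by replacing SAMPLE_LINES with the file's lines; the CODE_TO_TOKEN_ERROR events AFaust mentions can be picked up the same way by changing the type filter in triage.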

ayian2004 avatar ayian2004 commented on September 1, 2024

Dear @howkymike
Because I am facing similar issues, when you say that you have used @AFaust test realm, do you mean this one: https://github.com/Acosix/alfresco-keycloak/blob/master/share/src/test/docker/test-realm.json?
Did you change it to match your instance?

When I try to import this test realm from the Keycloak UI I get an error:

[screenshot of the import error]

These are my Keycloak server details:
[screenshot of the Keycloak server details]


howkymike avatar howkymike commented on September 1, 2024

Hi @ayian2004,
yes indeed, I only changed the URLs.
I guess you can't import because you did not change the variables to valid values (i.e. ${docker.tests.repositoryPort} -> 8080).


howkymike avatar howkymike commented on September 1, 2024

@AFaust oh... why would anyone program it to use an internal DB ID? Thank you very much - it worked on the first attempt.
For future readers, you can easily obtain a client's ID using:

  1. REST API
    curl -H 'Accept: application/json' -H "Authorization: Bearer ${TOKEN}" --location --request GET 'https://my.domain.com/auth/admin/realms/alfresco/clients'
  2. By clicking Export action in the Clients tab

One more thing, did you try to import existing Alfresco users (or those who are created via Alfresco Admin console) to Keycloak? I see Keycloak supports importing users via json.

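Putting AFaust's explanation of the technical DB ID together with the curl call above, here is an added Python example (not code from this thread or from the alfresco-keycloak project) that resolves the Client ID shown in the UI to the internal id and substitutes it into a permission-name template containing the <idOfRepositoryClient> placeholder from the WIP docs. The admin endpoint path and the id/clientId fields are the standard Keycloak admin REST client representation; the sample payload, its UUIDs and the template string are constructed.

```python
"""Resolve the internal (database) id of a Keycloak client from its Client ID.

Added example, not part of the alfresco-keycloak project. It assumes the
Keycloak admin REST endpoint GET /admin/realms/{realm}/clients returns a JSON
list of client representations with "id" (internal UUID) and "clientId"
(the value shown in the UI). The sample payload below is constructed.
"""
import json
import urllib.request

# Constructed sample of what the admin endpoint returns (UUIDs are made up).
SAMPLE_CLIENTS_JSON = json.dumps([
    {"id": "8d9e5b1a-0000-4000-8000-000000000001", "clientId": "alfresco-repository"},
    {"id": "8d9e5b1a-0000-4000-8000-000000000002", "clientId": "alfresco-share"},
    {"id": "8d9e5b1a-0000-4000-8000-000000000003", "clientId": "realm-management"},
])

def internal_client_id(clients_json, client_id):
    """Map the UI-visible Client ID to the technical UUID Keycloak uses internally."""
    clients = json.loads(clients_json)
    matches = [c["id"] for c in clients if c.get("clientId") == client_id]
    if not matches:
        raise KeyError(f"no client with clientId={client_id!r} in this realm")
    if len(matches) > 1:
        raise ValueError(f"clientId {client_id!r} is not unique in this payload")
    return matches[0]

def fill_permission_placeholder(template, clients_json, client_id):
    """Replace the <idOfRepositoryClient> placeholder from the WIP docs with the UUID."""
    return template.replace("<idOfRepositoryClient>",
                            internal_client_id(clients_json, client_id))

def fetch_clients(base_url, realm, token):
    """Fetch the client list live; same request as the curl command in the thread."""
    req = urllib.request.Request(
        f"{base_url}/admin/realms/{realm}/clients",
        headers={"Accept": "application/json", "Authorization": f"Bearer {token}"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")

if __name__ == "__main__":
    # Offline demo on the constructed payload; swap in fetch_clients(...) for a live realm.
    print(internal_client_id(SAMPLE_CLIENTS_JSON, "alfresco-repository"))
    print(fill_permission_placeholder("some-permission.<idOfRepositoryClient>",
                                      SAMPLE_CLIENTS_JSON, "alfresco-repository"))
```

The uniqueness check matters because a permission that names the wrong client silently produces the not_allowed error seen in this thread rather than a configuration error.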
