Comments (10)
@howkymike The "client not allowed to exchange to audience" error in your own setup (before importing my test realm) has to do with the "Authorization" configuration in the realm-management application. In my WIP docs I wrote that various permissions include a <idOfRepositoryClient> fragment - this is meant as a placeholder for the client ID. Now, there can be some confusion, which I should probably make an effort to clear up in the docs, that this "client ID" does not mean the "Client ID" as displayed in the Keycloak UI, but the actual, technical DB ID of the client in the Keycloak database. This is one aspect where I think the Keycloak UI really sucks - in order to get to that ID, I have not found any other way than to inspect the JSON response from Keycloak when loading the list of clients, and extract the ID from there. In all other contexts that are not "Permission", the "idOfXYZClient" actually means the Client ID as displayed in the UI. In the Permissions section, that naming convention is based on how Keycloak internally performs lookups / checks during token exchange, and is something I had to figure out by looking at Keycloak source code, as it is not really documented.
There is another optional feature of Keycloak that could be enabled via the profile configuration file, which provides a simplified authorization config experience, but I found that it clashed with some other use cases that I had, so I typically never enable that (it simplified too much in my case, removing some expert configuration options I needed).
from alfresco-keycloak.
thank you @howkymike and @AFaust
I have successfully logged into Alfresco Share using Keycloak SSO!!!!
from alfresco-keycloak.
The IP does not really matter. The message clearly states an issue with the validation of the subject token, meaning the token Share received for the authenticated user and is now trying to exchange for a token for the same user towards the backend. I must admit I can't remember encountering this error in my own use / tests so far, so don't have an immediate idea as to the cause. I'll have a think about it and re-check the config files ZIP when I have some more time...
from alfresco-keycloak.
No, I did not try to import existing Alfresco users into Keycloak. The use cases I had so far either dealt with adding Keycloak quite early, when only a few users existed and could easily be recreated manually in Keycloak, or an external source (AD-like) was used, so importing via LDAP or simply "as-people-log-in" was sufficient.
from alfresco-keycloak.
Hi Michal,
just to make sure: Did you work out the configuration on your own or did you notice/find the work-in-progress documentation? Unfortunately regular work is keeping me busy, so I have not had a chance to continue work on that documentation for a while now.
For the initial HTTP 400 error, I would ask that you check in Keycloak with enabled event logging for the CODE_TO_TOKEN / CODE_TO_TOKEN_ERROR, as well as with enabled debug in the Keycloak logs, what specifically Keycloak complains about. My initial guess would be that you have not (yet) set up your Keycloak instance to support token exchange between Share and Repository for the 100% "proper" authentication delegation between the two applications.
The directAuthHost is not required when the auth-server-url can be properly resolved from the Repository / Share host itself. It only exists for those rare cases where you might configure a URL with a host name that is externally resolvable, but not internally (e.g. different domain names for access from outside the network / DMZ than within), or you want to avoid the extra roundtrip via the (public) proxy and go straight to Keycloak (or use a different, internal proxy on a different host).
Your second / additional attempts with the configuration changes actually failed way before the point where the initial one failed, so they are definitely not the way to go. With the configuration for the first attempt, you have two ways to move forward:
- enable / set up token exchange in Keycloak
- set <perform-token-exchange>false</perform-token-exchange> in the <keycloak-auth-config> section in share-config-custom.xml to disable its use for delegation between Share and Repository. You likely also will have to disable keycloak.adapter.verify-token-audience in the Repository, but to be honest, since adding token exchange as the default (proper) method of delegation, I have not tested the simple "token passthru" all that much.
from alfresco-keycloak.
Thank you for the immediate response and the right directions. I had followed your documentation (or at least tried to) and configured token-exchange.
After setting verify-token-audience and perform-token-exchange to false it is finally working.
But why does the token exchange not work?
I enabled the token_exchange feature, and in the realm-management client configured Authorization.
In Keycloak I can see the following error:
20:38:50,570 WARN [org.keycloak.events] (default task-9) type=TOKEN_EXCHANGE_ERROR, realmId=alfresco, clientId=alfresco-share, userId=null, ipAddress=my.domain.com/auth, error=invalid_token, reason='subject_token validation failure', auth_method=token_exchange, grant_type=urn:ietf:params:oauth:grant-type:token-exchange, client_auth_method=client-secret
(the ipAddress is my.domain.com/auth but Keycloak is bound to 0.0.0.0, could that be an issue?)
from alfresco-keycloak.
Well.. I played with Keycloak and now I have another error:
20:59:10,546 WARN [org.keycloak.events] (default task-91) type=TOKEN_EXCHANGE_ERROR, realmId=alfresco, clientId=alfresco-share, userId=null, ipAddress=my.domain.com/auth, error=not_allowed, reason='client not allowed to exchange to audience', auth_method=token_exchange, grant_type=urn:ietf:params:oauth:grant-type:token-exchange, client_auth_method=client-secret
But then I also imported your test realm and it works, so it must be a problem with my realm's config.
from alfresco-keycloak.
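A small triage helper for the two TOKEN_EXCHANGE_ERROR events quoted in this thread, added here as an example (it is not part of the original discussion or of the alfresco-keycloak project). The sample lines are constructed after the quoted events, and the hints summarise the diagnosis given in the thread: not_allowed points at the realm-management Authorization permissions (internal DB id, not UI Client ID), invalid_token at the subject token itself.

```python
import re

# Matches key=value pairs of a Keycloak event line; values may be quoted (reason='...').
FIELD_RE = re.compile(r"(\w+)=('[^']*'|[^,\s]+)")

# Constructed sample lines, modelled on the events quoted in the thread.
SAMPLE_EVENTS = [
    "20:38:50,570 WARN [org.keycloak.events] (default task-9) type=TOKEN_EXCHANGE_ERROR, "
    "realmId=alfresco, clientId=alfresco-share, userId=null, ipAddress=my.domain.com/auth, "
    "error=invalid_token, reason='subject_token validation failure', auth_method=token_exchange, "
    "grant_type=urn:ietf:params:oauth:grant-type:token-exchange, client_auth_method=client-secret",
    "20:59:10,546 WARN [org.keycloak.events] (default task-91) type=TOKEN_EXCHANGE_ERROR, "
    "realmId=alfresco, clientId=alfresco-share, userId=null, ipAddress=my.domain.com/auth, "
    "error=not_allowed, reason='client not allowed to exchange to audience', "
    "auth_method=token_exchange, grant_type=urn:ietf:params:oauth:grant-type:token-exchange, "
    "client_auth_method=client-secret",
    "21:00:00,000 INFO [org.keycloak.events] (default task-92) type=LOGIN, realmId=alfresco, "
    "clientId=alfresco-share, userId=1234",
]


def parse_event(line):
    """Return the key=value fields of a Keycloak event log line, or None if it is not one."""
    if "[org.keycloak.events]" not in line:
        return None
    return {key: value.strip("'") for key, value in FIELD_RE.findall(line)}


def triage(line):
    """Classify a TOKEN_EXCHANGE_ERROR event and attach the thread's diagnosis as a hint."""
    event = parse_event(line)
    if not event or event.get("type") != "TOKEN_EXCHANGE_ERROR":
        return None
    error = event.get("error")
    if error == "not_allowed":
        # Keycloak's permission check refused the exchange: the realm-management
        # Authorization permissions must name the Repository client's internal DB id.
        hint = ("check the realm-management Authorization permissions; the client fragment "
                "must be the internal DB id, not the Client ID shown in the UI")
    elif error == "invalid_token":
        # Keycloak could not validate the subject_token, i.e. the token Share received
        # for the user and is now trying to exchange towards the Repository.
        hint = "the subject_token sent by %s failed validation" % event.get("clientId")
    else:
        hint = "unrecognised token exchange error; enable Keycloak debug logging"
    return {"client": event.get("clientId"), "error": error,
            "reason": event.get("reason", ""), "hint": hint}
```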
Dear @howkymike
Because I am facing similar issues, when you say that you have used @AFaust test realm, do you mean this one: https://github.com/Acosix/alfresco-keycloak/blob/master/share/src/test/docker/test-realm.json?
Did you change it to match your instance?
When I try to import this test realm from the Keycloak UI I get an error:
These are my Keycloak server details:
from alfresco-keycloak.
Hi @ayian2004,
yes indeed, I only changed the URLs.
I guess you can't import because you did not change the variables to valid values (i.e. ${docker.tests.repositoryPort} -> 8080).
from alfresco-keycloak.
@AFaust oh... why would anyone program it to use an internal DB ID? Thank you very much - it worked on the first attempt.
For future readers, you can easily obtain the client's ID using:
- the REST API:
curl -H 'Accept: application/json' -H "Authorization: Bearer ${TOKEN}" --location --request GET 'https://my.domain.com/auth/admin/realms/alfresco/clients'
- the Export action in the Clients tab
One more thing, did you try to import existing Alfresco users (or those who are created via Alfresco Admin console) to Keycloak? I see Keycloak supports importing users via json.
from alfresco-keycloak.
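To make the UI Client ID vs. internal DB id pitfall mechanical, here is an added example (not from the thread or the alfresco-keycloak project) that reads the admin REST /clients response the curl above fetches and checks which kind of value a permission's <idOfRepositoryClient> fragment holds. The sample response is constructed; only the "id" and "clientId" fields of Keycloak's client representation are used, and fetch_clients_json is the live equivalent of the curl command (base URL, realm and token are assumed inputs).

```python
import json
import urllib.request

# Constructed sample modelled on the shape of GET /admin/realms/<realm>/clients:
# "id" is the internal DB id, "clientId" is the Client ID shown in the Keycloak UI.
SAMPLE_CLIENTS_JSON = json.dumps([
    {"id": "1c0f6c2e-0000-4000-8000-000000000001", "clientId": "alfresco"},
    {"id": "1c0f6c2e-0000-4000-8000-000000000002", "clientId": "alfresco-share"},
    {"id": "1c0f6c2e-0000-4000-8000-000000000003", "clientId": "realm-management"},
])


def internal_client_ids(clients_json):
    """Map UI Client ID -> internal DB id from the admin REST /clients response."""
    return {c["clientId"]: c["id"] for c in json.loads(clients_json)}


def check_permission_fragment(clients_json, fragment):
    """Classify the value used as <idOfRepositoryClient> in a realm-management permission.

    Returns ("ok", id) when it is an internal id, ("ui-client-id", correct_id) when the
    UI Client ID was used by mistake, and ("unknown", None) when it matches no client.
    """
    by_client_id = internal_client_ids(clients_json)
    if fragment in by_client_id.values():
        return ("ok", fragment)
    if fragment in by_client_id:
        # The mistake described in the thread: Keycloak compares against the DB id.
        return ("ui-client-id", by_client_id[fragment])
    return ("unknown", None)


def fetch_clients_json(base_url, realm, token):
    """Live lookup equivalent to the curl command above (assumed inputs; not run here)."""
    req = urllib.request.Request(
        f"{base_url}/admin/realms/{realm}/clients",
        headers={"Accept": "application/json", "Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    for ui_id, db_id in internal_client_ids(SAMPLE_CLIENTS_JSON).items():
        print(f"{ui_id:20s} -> {db_id}")
    print(check_permission_fragment(SAMPLE_CLIENTS_JSON, "alfresco"))
```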