stackoom
  简体   繁体   中英

Keycloak Bad token response, error=not_allowed when user doesn't have the offline_access role

 原文  2022-12-14 09:38:03       java/ tomcat/ keycloak/ openid-connect/ pac4j

Question

We have a JSF Application running on a tomcat 9 and we are using keycloak (v10.0.2) for login.

Because keycloak deprecated their tomcat-adapter we would like to switch from the keycloak tomcat-adapter to pac4j .

So I've created the following configuration.

import org.pac4j.core.client.Clients;
import org.pac4j.core.config.Config;
import org.pac4j.core.config.ConfigFactory;
import org.pac4j.oidc.client.KeycloakOidcClient;
import org.pac4j.oidc.config.KeycloakOidcConfiguration;

import com.nimbusds.oauth2.sdk.auth.ClientAuthenticationMethod;

public class SecurityConfigFactory implements ConfigFactory {

  @Override
  public Config build(final Object... parameters) {
    System.out.print("Building Security configuration...\n");

    final KeycloakOidcConfiguration keycloak = new KeycloakOidcConfiguration();
    keycloak.setBaseUri("http://localhost:8180/auth");
    keycloak.setRealm("testRealm");
    keycloak.setClientId("local-test");
    keycloak.setSecret("abc-xyz");
    keycloak.setClientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_BASIC);
    keycloak.setLogoutUrl("http://localhost:8180/auth/realms/testRealm/protocol/openid-connect/logout");
    final KeycloakOidcClient keycloakClient = new KeycloakOidcClient(keycloak);
    keycloakClient.setName("keycloakClient");

    final String callbackUrl = "http://localhost:8080/callback";
    final Clients clients = new Clients(callbackUrl, keycloakClient/* , new AnonymousClient() */);

    final Config config = new Config(clients);
    return config;
  }

}

and added the following to my web.xml

<filter>
    <filter-name>callbackFilter</filter-name>
    <filter-class>org.pac4j.j2e.filter.CallbackFilter</filter-class>
    <init-param>
        <param-name>defaultUrl</param-name>
        <param-value>/</param-value>
    </init-param>
    <init-param>
        <param-name>renewSession</param-name>
        <param-value>false</param-value>
    </init-param>
    <init-param>
        <param-name>multiProfile</param-name>
        <param-value>false</param-value>
    </init-param>
    <init-param>
        <param-name>saveInSession</param-name>
        <param-value>true</param-value>
    </init-param>
</filter>
<filter-mapping>
    <filter-name>callbackFilter</filter-name>
    <url-pattern>/callback</url-pattern>
    <dispatcher>REQUEST</dispatcher>
</filter-mapping>


<filter>
    <filter-name>OidcFilter</filter-name>
    <filter-class>org.pac4j.j2e.filter.SecurityFilter</filter-class>
    <init-param>
        <param-name>configFactory</param-name>
        <param-value>abc.xyz.SecurityConfigFactory</param-value>
    </init-param>
    <init-param>
        <param-name>clients</param-name>
        <param-value>keycloakClient</param-value>
    </init-param>
    <init-param>
        <param-name>authorizers</param-name>
        <param-value>securityHeaders</param-value>
    </init-param>
</filter>
<filter-mapping>
    <filter-name>OidcFilter</filter-name>
    <url-pattern>/*</url-pattern>
    <dispatcher>REQUEST</dispatcher>
    <dispatcher>FORWARD</dispatcher>
</filter-mapping>

So now my problem is that when a user has the offline_access role he is able to login into keycloak. But as soon as I remove the offline_access role I get this exception if I click the login button at keycloak.

2022-12-14 10:19:11,304 DEBUG [http-nio-8080-exec-10]  - authenticator.OidcAuthenticator.validate - Token response: status=400, content={"error":"not_allowed",
"error_description":"Offline tokens not allowed for the user or client"}
...
org.pac4j.core.exception.TechnicalException: Bad token response, error=not_allowed
    at org.pac4j.oidc.credentials.authenticator.OidcAuthenticator.validate(OidcAuthenticator.java:147)
    at org.pac4j.oidc.credentials.authenticator.OidcAuthenticator.validate(OidcAuthenticator.java:35)
    at org.pac4j.core.client.BaseClient.retrieveCredentials(BaseClient.java:71)
    at org.pac4j.core.client.IndirectClient.getCredentials(IndirectClient.java:140)
    at org.pac4j.core.engine.DefaultCallbackLogic.perform(DefaultCallbackLogic.java:89)
    at org.pac4j.j2e.filter.CallbackFilter.internalFilter(CallbackFilter.java:84)
    at org.pac4j.j2e.filter.AbstractConfigFilter.doFilter(AbstractConfigFilter.java:84)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:197)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:97)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:541)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:135)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92)
    at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:687)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:78)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:360)
    at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:399)
    at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65)
    at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:890)
    at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1743)
    at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
    at org.apache.tomcat.util.threads.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1191)
    at org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:659)
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
    at java.lang.Thread.run(Thread.java:745)

So I think that I have to tell the config to not use a offline token, or is their something obvious that I'm missing?

In keycloak I see the following events在此处输入图像描述

My Pom.xml includes (we are using Java 8 and I couldn't get a newer pac4j version to compile)

   <dependency>
        <groupId>org.pac4j</groupId>
        <artifactId>j2e-pac4j</artifactId>
        <version>4.1.0</version>
    </dependency>
    <dependency>
        <groupId>org.pac4j</groupId>
        <artifactId>pac4j-oidc</artifactId>
        <version>3.9.0</version>
    </dependency>

1 answers

solution1
 0 ACCPTED  2022-12-15 08:57:56

My problem was a keycloak misconfiguration in my keycloak test instance.

I had the "offline-access" Client Scope added to my Default Client Scopes.

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question keycloak offline token with Java Java offline validation of JWT access token from Keycloak How to redirect if user doesn't have the correct Role? Spring Security Keycloak create user role keycloak error : Unrecognized field “access_token” Keycloak Access token Retrieve Keycloak user data using received access token CORS : Response to preflight request doesn't pass access control check: Redirect is not allowed for a preflight request Cannot make a request with Access Token from Keycloak in Spring Boot Microservices (Rest Template Issue 405 Method Not Allowed) Can't access REST service with valid keycloak token after secure with keycloak
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM