Hello,
I am testing the upgrade from 1.7 to 1.8.
For configuring the node I am using https://github.com/OSC/puppet-module-openondemand/blob/v1.5.0/ (latest version compatible with 1.8.X).
And this is my yaml configuration related to OIDC:
openondemand::oidc_client_id: 'openondemand-dev'
openondemand::oidc_client_secret: 'secret'
openondemand::ondemand_package_ensure: '1.8.20-1.el7'
openondemand::mod_auth_openidc_ensure: "2.4.4.1-1.el7"
openondemand::repo_release: '1.8'
openondemand::oidc_remote_user_claim: 'preferred_username'
openondemand::oidc_uri: '/oidc'
openondemand::user_map_match: '.*'
openondemand::oidc_provider_metadata_url: 'https://keycloak.server/auth/realms/BBP/.well-known/openid-configuration'
openondemand::oidc_settings:
OIDCPassIDTokenAs: 'serialized'
OIDCPassRefreshToken: 'On'
OIDCPassClaimsAs: environment
OIDCStripCookies: 'mod_auth_openidc_session mod_auth_openidc_session_chunks mod_auth_openidc_session_0 mod_auth_openidc_session_1'
Puppet ran with no issues and ondemand1.8 is running perfectly BUT if I don’t have a valid token when accesing the site, keycloak crashes with the following trace:
May 21 16:51:07 keycloak.server standalone.sh[26316]: 16:51:07,468 WARN [org.keycloak.services] (default task-214) KC-SERVICES0013: Failed authentication: org.keycloak.storage.ReadOnlyException
May 21 16:51:07 keycloak.server standalone.sh[26316]: at org.keycloak.models.utils.ReadOnlyUserModelDelegate.addRequiredAction(ReadOnlyUserModelDelegate.java:62)
May 21 16:51:07 keycloak.server standalone.sh[26316]: at org.keycloak.models.utils.UserModelDelegate.addRequiredAction(UserModelDelegate.java:104)
May 21 16:51:07 keycloak.server standalone.sh[26316]: at org.keycloak.models.utils.UserModelDelegate.addRequiredAction(UserModelDelegate.java:104)
May 21 16:51:07 keycloak.server standalone.sh[26316]: at org.keycloak.models.utils.UserModelDelegate.addRequiredAction(UserModelDelegate.java:104)
May 21 16:51:07 keycloak.server standalone.sh[26316]: at org.keycloak.models.cache.infinispan.UserAdapter.addRequiredAction(UserAdapter.java:196)
May 21 16:51:07 keycloak.server standalone.sh[26316]: at org.keycloak.authentication.authenticators.browser.OTPFormAuthenticator.setRequiredActions(OTPFormAuthenticator.java:133)
May 21 16:51:07 keycloak.server standalone.sh[26316]: at org.keycloak.authentication.DefaultAuthenticationFlow.processSingleFlowExecutionModel(DefaultAuthenticationFlow.java:430)
May 21 16:51:07 keycloak.server standalone.sh[26316]: at org.keycloak.authentication.DefaultAuthenticationFlow.processFlow(DefaultAuthenticationFlow.java:247)
May 21 16:51:07 keycloak.server standalone.sh[26316]: at org.keycloak.authentication.DefaultAuthenticationFlow.processSingleFlowExecutionModel(DefaultAuthenticationFlow.java:381)
May 21 16:51:07 keycloak.server standalone.sh[26316]: at org.keycloak.authentication.DefaultAuthenticationFlow.processFlow(DefaultAuthenticationFlow.java:247)
May 21 16:51:07 keycloak.server standalone.sh[26316]: at org.keycloak.authentication.DefaultAuthenticationFlow.processSingleFlowExecutionModel(DefaultAuthenticationFlow.java:381)
May 21 16:51:07 keycloak.server standalone.sh[26316]: at org.keycloak.authentication.DefaultAuthenticationFlow.continueAuthenticationAfterSuccessfulAction(DefaultAuthenticationFlow.java:180)
May 21 16:51:07 keycloak.server standalone.sh[26316]: at org.keycloak.authentication.DefaultAuthenticationFlow.processAction(DefaultAuthenticationFlow.java:158)
May 21 16:51:07 keycloak.server standalone.sh[26316]: at org.keycloak.authentication.AuthenticationProcessor.authenticationAction(AuthenticationProcessor.java:936)
May 21 16:51:07 keycloak.server standalone.sh[26316]: at org.keycloak.services.resources.LoginActionsService.processFlow(LoginActionsService.java:311)
May 21 16:51:07 keycloak.server standalone.sh[26316]: at org.keycloak.services.resources.LoginActionsService.processAuthentication(LoginActionsService.java:282)
May 21 16:51:07 keycloak.server standalone.sh[26316]: at org.keycloak.services.resources.LoginActionsService.authenticate(LoginActionsService.java:266)
May 21 16:51:07 keycloak.server standalone.sh[26316]: at org.keycloak.services.resources.LoginActionsService.authenticateForm(LoginActionsService.java:339)
May 21 16:51:07 keycloak.server standalone.sh[26316]: at sun.reflect.GeneratedMethodAccessor575.invoke(Unknown Source)
May 21 16:51:07 keycloak.server standalone.sh[26316]: at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
May 21 16:51:07 keycloak.server standalone.sh[26316]: at java.lang.reflect.Method.invoke(Method.java:498)
May 21 16:51:07 keycloak.server standalone.sh[26316]: at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:138)
May 21 16:51:07 keycloak.server standalone.sh[26316]: at org.jboss.resteasy.core.ResourceMethodInvoker.internalInvokeOnTarget(ResourceMethodInvoker.java:535)
May 21 16:51:07 keycloak.server standalone.sh[26316]: at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTargetAfterFilter(ResourceMethodInvoker.java:424)
May 21 16:51:07 keycloak.server standalone.sh[26316]: at org.jboss.resteasy.core.ResourceMethodInvoker.lambda$invokeOnTarget$0(ResourceMethodInvoker.java:385)
May 21 16:51:07 keycloak.server standalone.sh[26316]: at org.jboss.resteasy.core.interception.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:356)
May 21 16:51:07 keycloak.server standalone.sh[26316]: at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:387)
May 21 16:51:07 keycloak.server standalone.sh[26316]: at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:356)
May 21 16:51:07 keycloak.server standalone.sh[26316]: at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:150)
May 21 16:51:07 keycloak.server standalone.sh[26316]: at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:104)
May 21 16:51:07 keycloak.server standalone.sh[26316]: at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:440)
May 21 16:51:07 keycloak.server standalone.sh[26316]: at org.jboss.resteasy.core.SynchronousDispatcher.lambda$invoke$4(SynchronousDispatcher.java:229)
May 21 16:51:07 keycloak.server standalone.sh[26316]: at org.jboss.resteasy.core.SynchronousDispatcher.lambda$preprocess$0(SynchronousDispatcher.java:135)
May 21 16:51:07 keycloak.server standalone.sh[26316]: at org.jboss.resteasy.core.interception.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:356)
May 21 16:51:07 keycloak.server standalone.sh[26316]: at org.jboss.resteasy.core.SynchronousDispatcher.preprocess(SynchronousDispatcher.java:138)
May 21 16:51:07 keycloak.server standalone.sh[26316]: at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:215)
May 21 16:51:07 keycloak.server standalone.sh[26316]: at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:227)
May 21 16:51:07 keycloak.server standalone.sh[26316]: at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
May 21 16:51:07 keycloak.server standalone.sh[26316]: at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
May 21 16:51:07 keycloak.server standalone.sh[26316]: at javax.servlet.http.HttpServlet.service(HttpServlet.java:590)
May 21 16:51:07 keycloak.server standalone.sh[26316]: at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:74)
May 21 16:51:07 keycloak.server standalone.sh[26316]: at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
May 21 16:51:07 keycloak.server standalone.sh[26316]: at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:91)
May 21 16:51:07 keycloak.server standalone.sh[26316]: at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
May 21 16:51:07 keycloak.server standalone.sh[26316]: at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
May 21 16:51:07 keycloak.server standalone.sh[26316]: at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
May 21 16:51:07 keycloak.server standalone.sh[26316]: at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
May 21 16:51:07 keycloak.server standalone.sh[26316]: at io.undertow.servlet.handlers.ServletChain$1.handleRequest(ServletChain.java:68)
May 21 16:51:07 keycloak.server standalone.sh[26316]: at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
May 21 16:51:07 keycloak.server standalone.sh[26316]: at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
May 21 16:51:07 keycloak.server standalone.sh[26316]: at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
May 21 16:51:07 keycloak.server standalone.sh[26316]: at io.undertow.servlet.handlers.RedirectDirHandler.handleRequest(RedirectDirHandler.java:68)
May 21 16:51:07 keycloak.server standalone.sh[26316]: at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:132)
May 21 16:51:07 keycloak.server standalone.sh[26316]: at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
May 21 16:51:07 keycloak.server standalone.sh[26316]: at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
May 21 16:51:07 keycloak.server standalone.sh[26316]: at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
May 21 16:51:07 keycloak.server standalone.sh[26316]: at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
May 21 16:51:07 keycloak.server standalone.sh[26316]: at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
May 21 16:51:07 keycloak.server standalone.sh[26316]: at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
May 21 16:51:07 keycloak.server standalone.sh[26316]: at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
May 21 16:51:07 keycloak.server standalone.sh[26316]: at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
May 21 16:51:07 keycloak.server standalone.sh[26316]: at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
May 21 16:51:07 keycloak.server standalone.sh[26316]: at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
May 21 16:51:07 keycloak.server standalone.sh[26316]: at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
May 21 16:51:07 keycloak.server standalone.sh[26316]: at org.wildfly.extension.undertow.deployment.GlobalRequestControllerHandler.handleRequest(GlobalRequestControllerHandler.java:68)
May 21 16:51:07 keycloak.server standalone.sh[26316]: at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
May 21 16:51:07 keycloak.server standalone.sh[26316]: at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:269)
May 21 16:51:07 keycloak.server standalone.sh[26316]: at io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:78)
May 21 16:51:07 keycloak.server standalone.sh[26316]: at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:133)
May 21 16:51:07 keycloak.server standalone.sh[26316]: at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:130)
May 21 16:51:07 keycloak.server standalone.sh[26316]: at io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48)
May 21 16:51:07 keycloak.server standalone.sh[26316]: at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)
May 21 16:51:07 keycloak.server standalone.sh[26316]: at org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction.lambda$create$0(SecurityContextThreadSetupAction.java:105)
May 21 16:51:07 keycloak.server standalone.sh[26316]: at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1541)
May 21 16:51:07 keycloak.server standalone.sh[26316]: at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1541)
May 21 16:51:07 keycloak.server standalone.sh[26316]: at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1541)
May 21 16:51:07 keycloak.server standalone.sh[26316]: at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1541)
May 21 16:51:07 keycloak.server standalone.sh[26316]: at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:249)
May 21 16:51:07 keycloak.server standalone.sh[26316]: at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:78)
May 21 16:51:07 keycloak.server standalone.sh[26316]: at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:99)
May 21 16:51:07 keycloak.server standalone.sh[26316]: at io.undertow.server.Connectors.executeRootHandler(Connectors.java:370)
May 21 16:51:07 keycloak.server standalone.sh[26316]: at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:830)
May 21 16:51:07 keycloak.server standalone.sh[26316]: at org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35)
May 21 16:51:07 keycloak.server standalone.sh[26316]: at org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1982)
May 21 16:51:07 keycloak.server standalone.sh[26316]: at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1486)
May 21 16:51:07 keycloak.server standalone.sh[26316]: at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1377)
May 21 16:51:07 keycloak.server standalone.sh[26316]: at java.lang.Thread.run(Thread.java:748)
And error=invalid_user_credentials:
May 21 16:51:07 keycloak.server standalone.sh[26316]: 16:51:07,478 WARN [org.keycloak.events] (default task-214) type=LOGIN_ERROR, realmId=BBP, clientId=openondemand-dev, userId=null, ipAddress=XXX.YYY.255.29, error=invalid_user_credentials, auth_method=openid-connect, auth_type=code, redirect_uri=https://ondemand.server/oidc, code_id=73d3673f-e67f-4029-8b4c-50a2054707f2, username=danielfr, authSessionParentId=73d3673f-e67f-4029-8b4c-50a2054707f2, authSessionTabId=bRgTTXiblwU
On the other hand, If I have a valid OIDC session already, I can access ondemand 1.8 and use it with no issues. The problem is at login.
I am using keycloak 10.0.2, might this be a problem realted to this old version of Keycloak??
Same OIDC client/keycloak configuration was working fine with Ondemand 1.7.
Thank you very much,
Daniel.