There is no Keycloak login window #36

Closed
MarvinKern opened this issue Aug 14, 2020 · 9 comments
Labels
kind/question Further information is requested

Comments

@MarvinKern

Hi all,
I tried to implement the Camunda Keycloak plugin in my Spring Boot application. I started my own Keycloak server and configured it as mentioned in the description.
However, when I start the application, there is no Keycloak login window showing up. There is still the Camunda login page.
Does anybody know why this could be?
I triple checked now, I followed exactly the instructions from the plugin site...

I am thankful for each hint 👍

@VonDerBeck VonDerBeck added the kind/question Further information is requested label Aug 14, 2020
@VonDerBeck
Collaborator

VonDerBeck commented Aug 14, 2020

Hi @MarvinKern,

there is a difference between simply using this plugin as is - which means keeping the Camunda login page - and an integrated SSO solution.

  • The first one is the usage scenario "Centralized Management Only".
  • The second one is a full SSO scenario.

For SSO you have to do slightly more... See https://github.com/camunda/camunda-bpm-identity-keycloak/tree/master/examples/sso-kubernetes for more details on that.

@MarvinKern
Author

MarvinKern commented Aug 17, 2020

Hi @VonDerBeck ,

Thank you for the quick response.
I started to run the project sso-kubernetes locally, but I got the error message:
org.springframework.beans.factory.BeanDefinitionStoreException: Failed to parse configuration class [org.camunda.bpm.extension.keycloak.showcase.CamundaApplication]; nested exception is java.io.FileNotFoundException: class path resource [org/camunda/bpm/extension/keycloak/plugin/KeycloakIdentityProviderPlugin.class] cannot be opened because it does not exist
Caused by: java.io.FileNotFoundException: class path resource [org/camunda/bpm/extension/keycloak/plugin/KeycloakIdentityProviderPlugin.class] cannot be opened because it does not exist

And when I copy the classes and the application.yml from sso-kubernetes to my project I get the error message:


APPLICATION FAILED TO START


Description:

Binding to target org.springframework.boot.context.properties.bind.BindException: Failed to bind properties under 'rest.security' to de.gefa.legal.department.mandate.service.bootstrap.rest.RestApiSecurityConfigurationProperties failed:

Property: rest.security.requiredAudience
Value: null
Reason: darf nicht leer sein

Property: rest.security.jwkSetUrl
Value: null
Reason: darf nicht leer sein

Action:

Update your application's configuration

Do you have any ideas on this?
Thanks in advance 👍

@MarvinKern
Author

@VonDerBeck,
Some update on this. I got a little bit further and the application starts now, but there is some problem with reaching the Keycloak server. I triple checked the configuration and the links to the Keycloak server in the application.yml should be correct.
I get the following error message:

Caused by: org.camunda.bpm.engine.impl.identity.IdentityProviderException: Unable to get access token from Keycloak server
at org.camunda.bpm.extension.keycloak.KeycloakContextProvider.openAuthorizationContext(KeycloakContextProvider.java:69)
at org.camunda.bpm.extension.keycloak.KeycloakContextProvider.createApiRequestEntity(KeycloakContextProvider.java:120)
at org.camunda.bpm.extension.keycloak.KeycloakIdentityProviderSession.getKeycloakAdminGroupId(KeycloakIdentityProviderSession.java:1032)
at org.camunda.bpm.extension.keycloak.plugin.KeycloakIdentityProviderPlugin.postProcessEngineBuild(KeycloakIdentityProviderPlugin.java:85)
at org.camunda.bpm.engine.impl.cfg.CompositeProcessEnginePlugin.postProcessEngineBuild(CompositeProcessEnginePlugin.java:107)
at org.camunda.bpm.engine.impl.cfg.ProcessEngineConfigurationImpl.invokePostProcessEngineBuild(ProcessEngineConfigurationImpl.java:1151)
at org.camunda.bpm.engine.impl.cfg.ProcessEngineConfigurationImpl.buildProcessEngine(ProcessEngineConfigurationImpl.java:872)
at org.camunda.bpm.engine.spring.SpringTransactionsProcessEngineConfiguration.buildProcessEngine(SpringTransactionsProcessEngineConfiguration.java:63)
at org.camunda.bpm.engine.spring.ProcessEngineFactoryBean.getObject(ProcessEngineFactoryBean.java:55)
at org.camunda.bpm.engine.spring.ProcessEngineFactoryBean.getObject(ProcessEngineFactoryBean.java:34)
at org.springframework.beans.factory.support.FactoryBeanRegistrySupport.doGetObjectFromFactoryBean(FactoryBeanRegistrySupport.java:171)
... 93 common frames omitted
Caused by: org.springframework.web.client.ResourceAccessException: I/O error on POST request for "http://localhost:8080/auth/realms/master/protocol/openid-connect/token": http protocol is not supported; nested exception is org.apache.http.conn.UnsupportedSchemeException: http protocol is not supported
at org.springframework.web.client.RestTemplate.doExecute(RestTemplate.java:748)
at org.springframework.web.client.RestTemplate.execute(RestTemplate.java:674)
at org.springframework.web.client.RestTemplate.postForEntity(RestTemplate.java:449)
at org.camunda.bpm.extension.keycloak.KeycloakContextProvider.openAuthorizationContext(KeycloakContextProvider.java:54)
... 103 common frames omitted
Caused by: org.apache.http.conn.UnsupportedSchemeException: http protocol is not supported
at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:109)
at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:376)
at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:393)
at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:236)
at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:186)
at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:89)
at org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:110)
at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:185)
at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:83)
at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:56)
at org.springframework.http.client.HttpComponentsClientHttpRequest.executeInternal(HttpComponentsClientHttpRequest.java:87)
at org.springframework.http.client.AbstractBufferingClientHttpRequest.executeInternal(AbstractBufferingClientHttpRequest.java:48)
at org.springframework.http.client.AbstractClientHttpRequest.execute(AbstractClientHttpRequest.java:53)
at org.springframework.web.client.RestTemplate.doExecute(RestTemplate.java:739)
... 106 common frames omitted

@VonDerBeck
Collaborator

VonDerBeck commented Aug 17, 2020

Hi @MarvinKern,

you have a failing request to http://localhost:8080/auth/realms/master/protocol/openid-connect/token.

Are you running the complete local Kubernetes setup sample?

  • If yes, localhost:8080 will not connect to the Keycloak pod. A request to localhost will call the Camunda pod itself, which comes from a wrong configuration. Please check k8s\deployment.yaml.

  • If no - meaning you run a local Keycloak server (manually or in Docker) and you start a single Camunda instance, e.g. out of your development environment - this is a misconfiguration as well. If not configured otherwise, localhost:8080 will be your local Camunda instance. You will either have to choose another port for your Camunda instance or choose another port for Keycloak itself. Both on the same port won't work.

Does that help?

@MarvinKern
Author

Hi @VonDerBeck,
Thanks a lot for your help. So I changed some things. My Keycloak server is now running on port 8180 and my Camunda application is running on port 8080. I also tried to copy the application.yml from the SSO project as closely as possible.
My application.yml looks like this now:
```yaml
server:
  port: 8080
  servlet.context-path: /camunda

# Externalized Keycloak configuration
keycloak:
  # SSO Authentication requests. Sent by application as redirect to the browser
  url.auth: ${KEYCLOAK_URL_AUTH:http://localhost:8180}
  # SSO Token requests. Sent from the application to Keycloak
  url.token: ${KEYCLOAK_URL_TOKEN:http://localhost:8180}
  # Keycloak access for the Identity Provider plugin.
  url.plugin: ${KEYCLOAK_URL_PLUGIN:https://localhost:8180}
  # Keycloak Camunda Identity Client
  client.id: ${KEYCLOAK_CLIENT_ID:camunda-identity-service}
  client.secret: ${KEYCLOAK_CLIENT_SECRET:XXXXXXXXXXXXXXXX}

# Spring Boot SSO OAuth2 Security
security:
  oauth2:
    client:
      client-id: ${keycloak.client.id}
      client-secret: ${keycloak.client.secret}
      accessTokenUri: ${keycloak.url.token}/auth/realms/master/protocol/openid-connect/token
      userAuthorizationUri: ${keycloak.url.auth}/auth/realms/master/protocol/openid-connect/auth
      scope: openid profile email
    resource:
      userInfoUri: ${keycloak.url.auth}/auth/realms/master/protocol/openid-connect/userinfo

logging.level.org.springframework.security: DEBUG

# Camunda Rest API
rest.security:
  enabled: true
  jwk-set-url: ${keycloak.url.token}/auth/realms/master/protocol/openid-connect/certs
  required-audience: camunda-rest-api

# Camunda Keycloak Identity Provider Plugin
plugin.identity.keycloak:
  keycloakIssuerUrl: ${keycloak.url.plugin}/auth/realms/master
  keycloakAdminUrl: ${keycloak.url.plugin}/auth/admin/realms/master
  clientId: ${keycloak.client.id}
  clientSecret: ${keycloak.client.secret}
  useEmailAsCamundaUserId: true
  useUsernameAsCamundaUserId: false
  useGroupPathAsCamundaGroupId: true
  administratorGroupName: camunda-admin
  disableSSLCertificateValidation: true
```

With this setup, I get the error message: Caused by: javax.net.ssl.SSLException: Unsupported or unrecognized SSL message

It seems that the application has some problem with the ${KEYCLOAK_URL_PLUGIN:https://localhost:8180} variable. I guess the https is causing the problem.
When I change the https to http, the application says "http protocol is not supported" again.
In the sso-kubernetes project, the KEYCLOAK_URL_PLUGIN variable is on another port than the rest of the Keycloak links. Maybe that is the problem with my project. How can I start the Keycloak server so that the KEYCLOAK_URL_PLUGIN has its own port? Or don't you think this would help?

Thanks for your ideas 👍

@MarvinKern
Author

Okay what a dumb mistake from my side. I configured the variable KEYCLOAK_URL_PLUGIN now like this:
url.plugin: ${KEYCLOAK_URL_PLUGIN:https://localhost:8543}

Now it is working :)
Thank you so much for your help.

For anybody who has the same trouble:
Make sure to copy everything correctly from the sso-kubernetes project.
I made the most mistakes in the application.yml, so make sure to configure everything correctly.
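The two misconfigurations this thread walks through (a Keycloak URL that resolves to Camunda's own localhost:8080, and an https plugin URL aimed at the plain-http port 8180 instead of a separate TLS port) can be caught before the process engine is built. The preflight script below is an added example for this thread, not code from camunda-bpm-identity-keycloak or the sso-kubernetes showcase. Its YAML reader and placeholder resolver are minimal hypothetical helpers that cover only the `key: value` subset and the Spring-style `${NAME:default}` syntax used in the application.yml above; the embedded sample config is constructed from that file with the secret redacted.

```python
"""Preflight checks for a Camunda + Keycloak application.yml (added example).

Resolves ${NAME:default} placeholders the way the config above relies on
(environment variable, then another key in the same file, then the default)
and flags the port/scheme mistakes discussed in this thread.
"""
import re
from urllib.parse import urlparse

PLACEHOLDER = re.compile(r"\$\{([^:}]+)(?::([^}]*))?\}")


def parse_simple_yaml(text):
    """Hypothetical minimal reader: flattens nested 'key: value' mappings
    into {'a.b.c': 'value'}; dotted keys such as 'url.auth' are joined
    with their parents. Comments and blank lines are skipped."""
    flat, stack = {}, []          # stack holds (indent, key) of open mappings
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        key, _, value = stripped.partition(":")
        while stack and stack[-1][0] >= indent:
            stack.pop()
        path = ".".join([k for _, k in stack] + [key.strip()])
        if value.strip():
            flat[path] = value.strip()
        else:
            stack.append((indent, key.strip()))
    return flat


def resolve(flat, value, env, depth=0):
    """Resolve ${NAME:default}: env first, then another config key
    (so ${keycloak.client.id} refers back into the same file), then default."""
    if depth > 16:
        raise RecursionError("placeholder cycle")

    def substitute(match):
        name, default = match.group(1), match.group(2)
        if name in env:
            return env[name]
        if name in flat:
            return resolve(flat, flat[name], env, depth + 1)
        if default is not None:
            return default
        raise KeyError("unresolved placeholder " + name)

    return PLACEHOLDER.sub(substitute, value)


def check_config(text, env=None):
    """Return a list of (finding, key) tuples; an empty list means clean."""
    flat, env = parse_simple_yaml(text), (env or {})

    def get(key):
        return resolve(flat, flat[key], env) if key in flat else None

    findings, urls = [], {}
    camunda_port = int(get("server.port") or "8080")
    for key in ("keycloak.url.auth", "keycloak.url.token", "keycloak.url.plugin"):
        url = get(key)
        if url is None:
            findings.append(("missing", key))
            continue
        u = urlparse(url)
        urls[key] = u
        port = u.port or (443 if u.scheme == "https" else 80)
        # Pitfall 1: localhost:<Camunda port> is the application itself, so the
        # token request never reaches Keycloak (the first stack trace above).
        if u.hostname in ("localhost", "127.0.0.1") and port == camunda_port:
            findings.append(("points-at-camunda", key))

    plugin = urls.get("keycloak.url.plugin")
    if plugin is not None:
        # Pitfall 2: https plugin URL on the same host:port that auth/token use
        # over plain http. A TLS handshake against a plain-HTTP listener yields
        # 'Unsupported or unrecognized SSL message'.
        for key in ("keycloak.url.auth", "keycloak.url.token"):
            other = urls.get(key)
            if (other and other.scheme == "http" and plugin.scheme == "https"
                    and (other.hostname, other.port) == (plugin.hostname, plugin.port)):
                findings.append(("tls-to-plain-http-listener", "keycloak.url.plugin"))
                break
        # In this thread, an http plugin URL together with
        # disableSSLCertificateValidation failed with 'http protocol is not supported'.
        if (plugin.scheme == "http" and
                get("plugin.identity.keycloak.disableSSLCertificateValidation") == "true"):
            findings.append(("http-with-ssl-validation-disabled", "keycloak.url.plugin"))

    secret = get("keycloak.client.secret")
    if secret and set(secret) <= set("X"):      # redacted/placeholder secret left in
        findings.append(("placeholder-secret", "keycloak.client.secret"))
    return findings


# Constructed sample: the interim config posted above, trimmed to the keys checked.
INTERIM_YML = """\
server:
  port: 8080
keycloak:
  url.auth: ${KEYCLOAK_URL_AUTH:http://localhost:8180}
  url.token: ${KEYCLOAK_URL_TOKEN:http://localhost:8180}
  url.plugin: ${KEYCLOAK_URL_PLUGIN:https://localhost:8180}
  client.id: ${KEYCLOAK_CLIENT_ID:camunda-identity-service}
  client.secret: ${KEYCLOAK_CLIENT_SECRET:XXXXXXXXXXXXXXXX}
plugin.identity.keycloak:
  keycloakIssuerUrl: ${keycloak.url.plugin}/auth/realms/master
  clientId: ${keycloak.client.id}
  clientSecret: ${keycloak.client.secret}
  disableSSLCertificateValidation: true
"""

if __name__ == "__main__":
    for finding in check_config(INTERIM_YML) or [("clean", "-")]:
        print("%-32s %s" % finding)
```

Exporting `KEYCLOAK_URL_PLUGIN=https://localhost:8543` together with a real `KEYCLOAK_CLIENT_SECRET` clears every finding for the sample, which is exactly the fix reached in this thread; pointing `KEYCLOAK_URL_TOKEN` at `http://localhost:8080` reproduces the first mistake as a `points-at-camunda` finding.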

@VonDerBeck
Collaborator

@MarvinKern
glad you made it 👍

@bolatk

bolatk commented Dec 22, 2020

@MarvinKern what did you do? I have encountered the same issue with "java.io.FileNotFoundException: class path resource [org/camunda/bpm/extension/keycloak/plugin/KeycloakIdentityProviderPlugin.class] cannot be opened because it does not exist"

@bolatk

bolatk commented Dec 22, 2020

I've solved the issue with "mvn spring-boot:run".
