Hello, we are reaching out to you to express our frustration, as we have just migrated our infrastructure to JS7. Everything seems to be working except for the SSO OIDC connection module with Keycloak (https://kb.sos-berlin.com/display/JS7/JS7+-+OIDC+Identity+Service). After following this document and setting up all the necessary configuration, we have a persistent error: "Error Getting Token". We have attached the corresponding logs for more details on what is happening. On the Keycloak side, we have a classic client configuration.
Hi Gregory,
You are in the driver's seat for both the configuration of OIDC in the Keycloak Server and in JS7. You did not provide information about what you configured in Keycloak, but express frustration and blame the JS7 OIDC Client. This is not the perfect approach to request assistance.
Did you read the log output of JS7? The account that was used to login was in fact authenticated with the LDAP UTB Identity Service. However, for this service no roles have been configured in JS7: "Account has no roles, login skipped". In fact this means that you are almost done with the Keycloak LDAP integration. The JS7 docs at https://kb.sos-berlin.com/display/JS7/JS7+-+LDAP+Identity+Service explain that you can use the service type LDAP-JOC to configure roles in JOC Cockpit, or you can use the service type LDAP and configure the group/roles mapping from the Identity Service settings.
Did you check the log output of Keycloak for OIDC errors?
I will not guess and I will not ask questions. If you are looking for assistance then please forward the configuration used in the Keycloak OIDC Server and in the JS7 OIDC Client. If this includes sensitive information then send a private mail to info@sos-berlin.com.
Best regards
Andreas
Please describe how and where you have configured the truststore path.
Have you created the client in Keycloak with
client-protocol=openid-connect
accessType=confidential
Do you see the button "Continue with Keycloak"?
If yes, have you clicked the button to login?
When you try to login with keycloak-oidc, do you see the Keycloak credentials form?
Please enable debug logging (https://kb.sos-berlin.com/x/PMUwAw) and share the authentication-debug.log file.
To find the log4j2 configuration file refer to https://kb.sos-berlin.com/x/VsQwAw
**JOC Cockpit Log4j2 Configuration**
<property name="RootLogLevel">DEBUG</property>
<property name="AuthLogLevel">DEBUG</property>
Yes, in Keycloak our configuration is good in my opinion (see capture): the button appears correctly on the login page, and the redirection to the Keycloak SSO authentication page works.
I have already activated debug and the identifier-debug.log file.
I configured a new truststore in this folder: /home/jobscheduleruser/sos-berlin.com/js7/joc/JETTY_BASE/resources/joc/https-truststore.p12
And I edited this file to apply it: /home/jobscheduleruser/sos-berlin.com/js7/joc/resources/joc/joc.properties
OK. Now we have another error message. I assume that you did not use the button "Continue with ..." in your first post.
"access token is not valid" means one of the following:
The configured client id from the JOC identity service is not equal to the field "aud" in which the client id is returned from the OpenID Service Provider.
or
The configured client authentication URL from the JOC identity service is not equal to the field "iss" in which the URL is returned from the OpenID Service Provider.
or
The account from the login is not equal to the account in the access-token. The account from the access-token is returned in the field configured in the JOC identity service, or if empty the value of PREFERRED_USERNAME, or if that is not supported then "email". This is the most common issue.
You have specified the attribute "username" that holds the account. Please check the access-token to see whether the field "username" is set correctly. Otherwise change the configuration either in the JOC Cockpit identity service or in Keycloak.
or
The access-token expiration is not greater than 0.
or
The verification with the returned publicKey does not match.
The verification is done with the JWTVerifier. The verifier uses the publicKey and the algorithm as stated in the return of https://keycloak:<port>/auth/realms/<realm>. If this fails, an error message should be seen in the log. As this is not the case, I assume that one of the points above causes the access token to be regarded as invalid.
To check this, you need the returned access-token.
You can see the token by opening the developer console of your browser (F12).
The endpoint "token" shows the access-token in the field "id_token".
The token can be checked here: https://jwt.io/
You also should check the return of
https://keycloak:<port>/auth/realms/<realm>
e.g. https://keycloak:8443/auth/realms/JOC
The return should be something like this
{"realm":"JOC","public_key":"MIIBIj4+zAAANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAmkxrdQw2WKldL2wrSSMWcxlwKD4M6OfZKqGUR5qkM2OL1iP5w5Kr4+zAAY6tsadfQIXoHkBbceGm33jUteFNhXYsBFf3LlC6mUHSaKIMcU+bhYMAtp2oxxClWohqxMbudQzECLU039QkXa4+zAA4+zAAqhDRck+I0CZk6wzakWh9X2j983XtYW3Up/WSSDe/0T11wpYSznNUXrCne9GZyYoiDR1ygGA7pl8yLajoOftJnsfB7R4+zAAo4+zAALH5MGXWZ9D23xOqUQIDAQAB","token-service":"https://keycloak:8443/auth/realms/JOC/protocol/openid-connect","account-service":"https://keycloak:8443/auth/realms/JOC/account","tokens-not-before":1655803551}
The actual public configuration can be checked with https://keycloak:<port>/auth/realms/<realm>/.well-known/openid-configuration
e.g. https://keycloak:8443/auth/realms/JOC/.well-known/openid-configuration
Last edit: Uwe Risse 2024-09-16
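The claim checks Uwe lists above (client id against "aud", authentication URL against "iss", login account against the configured attribute with the PREFERRED_USERNAME/email fallback, and a positive expiration) can be reproduced on a token copied from the browser's developer console. The script below is an added example written for this thread; it is not JS7 code and does not show how JS7's JWTVerifier is implemented. It decodes a compact JWT without verifying the signature (inspection only) and reports which of the four claim checks would fail. The signature check against the realm's publicKey is left out because it needs a JWT library and the real realm key. The lookup order for the account (configured field, then preferred_username, then email), the client id "joc-cockpit", the account "gregory" and the sample claims are constructed assumptions, not values from the thread.

```python
"""Inspect an OIDC access token for the claim mismatches discussed in the thread.

Added example, standard library only. Signature verification is intentionally
omitted: decode_jwt_unverified() must never be used to grant access.
"""
import base64
import json
import time
from typing import Dict, List, Optional, Tuple


def b64url_decode(part: str) -> bytes:
    """Decode one base64url segment, restoring the '=' padding JWTs strip."""
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_jwt_unverified(token: str) -> Tuple[Dict, Dict]:
    """Split a compact JWT into (header, claims) WITHOUT checking the signature."""
    header_b64, payload_b64, _signature_b64 = token.split(".")
    return json.loads(b64url_decode(header_b64)), json.loads(b64url_decode(payload_b64))


def build_unsigned_token(claims: Dict) -> str:
    """Constructed sample token (alg 'none', empty signature) so the example runs offline."""
    header = {"alg": "none", "typ": "JWT"}
    return ".".join([b64url_encode(json.dumps(header).encode()),
                     b64url_encode(json.dumps(claims).encode()), ""])


def account_from_claims(claims: Dict, account_field: Optional[str]) -> Optional[str]:
    """Account lookup order as read from the thread (assumption, not confirmed against
    JS7 source): the configured attribute, then preferred_username, then email."""
    candidates = ([account_field] if account_field else []) + ["preferred_username", "email"]
    for field in candidates:
        value = claims.get(field)
        if value:
            return value
    return None


def check_access_token(claims: Dict, client_id: str, auth_url: str, login_account: str,
                       account_field: Optional[str] = None,
                       now: Optional[float] = None) -> List[str]:
    """Return the reasons the token would be regarded as invalid; empty list means all
    four claim checks passed (the signature check is not part of this function)."""
    problems: List[str] = []
    now = time.time() if now is None else now

    # RFC 7519 allows "aud" to be a single string or an array of strings.
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if client_id not in audiences:
        problems.append(f"aud {audiences!r} does not contain configured client id {client_id!r}")

    # The configured authentication URL must match "iss" exactly (including scheme and port).
    if claims.get("iss") != auth_url:
        problems.append(f"iss {claims.get('iss')!r} differs from configured url {auth_url!r}")

    account = account_from_claims(claims, account_field)
    if account != login_account:
        problems.append(f"token account {account!r} differs from login account {login_account!r}")

    # Expiration must lie in the future; "exp" is seconds since the epoch.
    if claims.get("exp", 0) - now <= 0:
        problems.append("exp is not greater than the current time")
    return problems


# Constructed sample claims and a fixed clock, so the example is reproducible offline.
NOW = 1_700_000_000
SAMPLE_CLAIMS = {
    "iss": "https://keycloak:8443/auth/realms/JOC",
    "aud": "joc-cockpit",          # assumed client id
    "exp": NOW + 300,
    "username": "gregory",         # the attribute configured in the identity service
    "preferred_username": "gregory",
    "email": "gregory@example.com",
}

if __name__ == "__main__":
    _, claims = decode_jwt_unverified(build_unsigned_token(SAMPLE_CLAIMS))
    print("problems:", check_access_token(
        claims, "joc-cockpit", "https://keycloak:8443/auth/realms/JOC",
        "gregory", account_field="username", now=NOW))
```

To use it on a real token, paste the value of the "id_token"/access token field into `decode_jwt_unverified()` and call `check_access_token()` with the client id, authentication URL and attribute name exactly as configured in the JOC Cockpit identity service; each reported line points at the configuration side (JOC Cockpit or Keycloak) that needs to change.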