I have keycloak running in Docker and have another container running a spring based java app that is attempting to connect to keycloak. The error message I keep getting is: Unable to resolve Configuration with the provided issuer of "http://keycloak:8080/auth/realms/someproject". the realm name does exist in the keycloak DB. I can curl to the above URL from any other container. But the web app keeps giving me that message. Any hints would help. Thanks, Bill
Try to expose your keycloak container port and set provided issuer like this http://docker-host-ip:exposed-port/auth/realms/someproject
Related
I have a Spring cloud API gateway talking to keycloak server for JWT authentication. If I run my application from eclipse and keycloak as single docker container, it works fine. However when I run my spring boot application as docker container(using docker compose or kubernetes) its unable to authorize with keycloak throws following error.
org.springframework.security.oauth2.jwt.JwtDecoderInitializationException: Failed to lazily resolve the supplied JwtDecoder instance
at org.springframework.security.oauth2.jwt.SupplierReactiveJwtDecoder.wrapException(SupplierReactiveJwtDecoder.java:48) ~[spring-security-oauth2-jose-5.7.6.jar!/:5.7.6]
Suppressed: reactor.core.publisher.FluxOnAssembly$OnAssemblyException:
.
.
Caused by: java.lang.IllegalArgumentException: Unable to resolve the Configuration with the provided Issuer of "http://keycloak-server:8080/realms/master"
at org.springframework.security.oauth2.jwt.JwtDecoderProviderConfigurationUtils.getConfiguration(JwtDecoderProviderConfigurationUtils.java:161) ~[spring-security-oauth2-jose-5.7.6.jar!/:5.7.6]
at org.springframework.security.oauth2.jwt.JwtDecoderProviderConfigurationUtils.getConfigurationForIssuerLocation(JwtDecoderProviderConfigurationUtils.java:79) ~[spring-security-oauth2-jose-5.7.6.jar!/:5.7.6]
Are there any additional configurations required for this situation?
If the keycloak and springboot applications are deployed in different namespace, you would need to include the namespace in the keycloak url configured in your springboot application (https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#namespaces-of-services).
Also you might need to check if the kubernetes service for keycloak is configured correctly.
To solve this modified few things
Created new realm instead of using default master realm
Instead of using keycloak kubernetes service name in issuer url, used host.docker.internal ip
While generating JWT from postman used same host.docker.internal ip in the token generation url
here i am trying to get a list with users from keycloak.
it works withe docker compose, but not in openshift?!
my application.property
keycloak.enabled=true
keycloak.realm=somname
keycloak.ssl-required=none
keycloak.resource=someapp
keycloak.public-client=true
keycloak.auth-server-url=${KEYCLOAK_AUTH-SERVER-URL:https://localhost/auth}
keycloak.disable-trust-manager=true
app.connectors.KeyCloakAdminConnector.serverUri=${KEYCLOAK_ADMIN-URL:http://idm.local:8081/auth}
app.connectors.KeyCloakAdminConnector.realm=${keycloak.realm}
app.connectors.KeyCloakAdminConnector.username=admin
app.connectors.KeyCloakAdminConnector.password=pass
app.connectors.KeyCloakAdminConnector.clientId=${keycloak.resource}
As a solution i changed the:
keycloak-admin-url: 'my-keycloak-route/auth'
in application.property to
keycloak-admin-url: 'http://myservice-keycloak-http:8080/auth'
so i change the connection between the Spring boot App and Keycloack from Rout-Object to a Service-Object.
its works because Service is not https. so i dont need to provide a certificate to JVM keytrust in the Spring boot App
so, i tried to deploy spring boot app to a PCF Server. When i deployed it, the logs showed that my application was shut down because it failed to open a tomcat server because there is a java.netsocketexception where it says that permission denied. The tomcat server was fine for a moment (it successfully use the port) but the next moment, it was shut down because there is the permission denied netsocketexception.
the port i tried to use is port 443. i tried to look up to several kinds of problems. one of it said that i need to have root access to be able to use port lower than 1000. the problem is, my other apps, which is eureka server run perfectly even when i use port 443.
the configuration, build-pack, and everything is the same. and it is even deployed on a same pcf platform. so, why can this app failed but the other (eureka server) can use the 443 port.
can anyone tell me for the things i need to check to make sure of the problem?
Remove server.port configuration from Spring Boot yml / properties configuration. It will by default expose the service to 443 on PCF
I have developed a Spring boot application connecting to Postgresql instance running on my local.
Now i deployed the application to Cloud foundry local bosh lite installation. I created one user provided service for postgresql and bound it to my application.
The app is working fine till now. Then i wanted to make this application as a service broker. So i again used spring boot cloud foundry service broker.
And implemented my code same as the sample mongodb spring boot service broker.
https://github.com/spring-cloud-samples/cloudfoundry-service-broker
But now when i am trying to start the application. It is failing with following error.
2017-06-20T17:16:19.82+0530 [DEA/0] OUT Starting app instance (index 0) with guid 65b656e1-fbe4-4a7f-bc34-6c410dbb3a4e
2017-06-20T17:16:23.07+0530 [DEA/0] ERR Instance (index 0) failed to start accepting connections
2017-06-20T17:16:23.09+0530 [API/0] OUT App instance exited with guid 65b656e1-fbe4-4a7f-bc34-6c410dbb3a4e payload: {"cc_partition"=>"default", "droplet"=>"65b656e1-fbe4-4a7f-bc34-6c410dbb3a4e", "version"=>"432ef489-14e3-44d7-bab8-bdd64bc8d9d3", "instance"=>"9bf4bd1c3a8741508a6b33da9ba76400", "index"=>0, "reason"=>"CRASHED", "exit_status"=>127, "exit_description"=>"failed to accept connections within health check timeout", "crash_timestamp"=>1497959183}
2017-06-20T17:16:23.09+0530 [API/0] OUT App instance exited with guid 65b656e1-fbe4-4a7f-bc34-6c410dbb3a4e payload: {"cc_partition"=>"default", "droplet"=>"65b656e1-fbe4-4a7f-bc34-6c410dbb3a4e", "version"=>"432ef489-14e3-44d7-bab8-bdd64bc8d9d3", "instance"=>"9bf4bd1c3a8741508a6b33da9ba76400", "index"=>0, "reason"=>"CRASHED", "exit_status"=>127, "exit_description"=>"failed to accept connections within health check timeout", "crash_timestamp"=>1497959183}
I searched over the net, it seems the error is related to ports and when the port is inaccessible.
https://github.com/cloudfoundry/cf-release/issues/649
but i have not defined any port for my application and i hope CF automatically assigns a port for my application
Best Regards,
Saurav
I have deleted the application and then deployed again.
It started working.
I know this does not tell the root cause . But may be a spring boot /cloud foundry framework developer can tell the root cause.
There was one point i would like to highlight.
The application is developed as a spring boot cloud foundry service broker Initally when i had deployed the application, it asked an username/password for me . I did not know about this earlier. Might have given wrong usernames and password and then pressed cancel.
After that the application was throwing the above error.
But it has to be noted that a spring boot cloud foundry service broker application already has spring boot authentication built in where password is already generated with username being "user".
Check more details here https://github.com/spring-cloud/spring-cloud-cloudfoundry-service-broker#security
I don't know if this was the reason. But a delete and redeploy worked with me.
Best Regards,
Saurav
I am using Cloud Foundry and I deployed my Spring boot application on Cloud. I have bound the Mongodb Service with my application. When my application is trying to read the data from mongodb I am seeing below error.
Query failed with error code 13 and error message 'not authorized for query on cfe5cb4d-2ca8-40f3-9f83-0cc8321e8c19.ACCOUNT_DETAILS' on server IP:Port
At the same time when I am connecting to this db with application deployed on my local systems its working fine.
Please help me if I need to modify anything here in Configuration to make the application on Cloud work ?
I think you should check your VCAP_SERVICES, probably locally you are using the connection parameters directly but on Bluemix you have to use VCAP_SERVICES parsing.
Please if possible, copy and paste the code section used to connect to MongoDB.