I run keycloak in a docker container and run my spring boot app from the idea.
When I try to login in the keycloak form I get back an error
failed to turn code into token
status from server: 401
{"error":"unauthorized_client","error_description":"Client secret not provided in request"}
and the exception is:
org.keycloak.adapters.springsecurity.KeycloakAuthenticationException: Invalid authorization header, see WWW-Authenticate header for details
Inside keycloak admin panels I have configured my users and roles.
The properties file:
keycloak.realm=myrealm
keycloak.resource=myclient
keycloak.auth-server-url=http://localhost:8081/auth
keycloak.ssl-required=external
keycloak.public-client=true
keycloak.principal-attribute=preferred_username
keycloak.credentials.secret=eba15252-we3r-423e-8df0-87f1da4a7c04
keycloak.use-resource-role-mappings=true
Could you please someone help how to fix this?
**UPDATE: if I run keycloak without docker it works.
Its clear, in the post request you are not entering client_secret. You should be able to get this from Clients section in Keycloak admin. Thats how your request should look like.
curl --location --request POST '{{KEYCLOAK_BASE_URL}}/auth/realms/{{KEYCLOAK_REALM}}/protocol/openid-connect/token' \
--data-urlencode 'grant_type=password' \
--data-urlencode 'client_id=web-app-client' \
--data-urlencode 'username=user#gmail.com' \
--data-urlencode 'password=123123' \
--data-urlencode 'client_secret=ea05b21c-fcb4-412d-acb7-c888ba7f996d' \
--data-urlencode 'scope=openid phone address'
Related
I successfully setup HTTPS for Elasticsearch server. Now I can use curl like curl -u elastic:111111 --cacerts "Path/to/my/cert" https://localhost:9200. How can I setup to use curl without user authentication and cert?
Sorry for my bad English :(
I am using Elastic 7.9.2 version and wanted to use security.
so I ran :
bin/elasticsearch-certutil cert -out config/elastic-certificates.p12 -pass ""
and then added
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: elastic-certificates.p1
in config/elasticsearch.yaml
Now when I am running the ES by
bin/elasticsearch
getting below error :
"error":{"root_cause":[{"type":"security_exception","reason":"missing authentication credentials
for REST request [/]","header":{"WWW-Authenticate":"Basic realm=\"security\" charset=\"UTF-
8\""}}],"type":"security_exception","reason":"missing authentication credentials for REST
request [/]","header":{"WWW-Authenticate":"Basic realm=\"security\" charset=\"UTF-
8\""}},"status":401}root#ip-localhost:/var/log/elasticsearch
Can anyone please help!
Just pass authentication credential with url like below
curl -X GET "http://localhost:9200" -u elastic:pass123
I had security already enabled and user authentication working. Kibana loaded fine.
I have a 3 node cluster and stopped elasticsearch service on each node so I could add transport ssl.
After enabling xpack.security.transport.ssl.enabled and keystore and truststore settings, I got the same ""missing authentication credentials for REST request" error in Kibana. Turns out the error was because I only had one node running and needed a minimum of two. After enabling transport ssl on another node and starting it, kibana worked again.
If you enable security for your cluster you & still got some error with AUTH yours clients, documentation wrote, what you need enable ssl for client optional OR required. Please, read the original topic: https://discuss.elastic.co/t/missing-authentication-for-rest-request/154807/13
You need to pass the credentials with your request with -u username:password
To add the credentials to curl, you need to know them. The root user is elastic, the passwords can be reset using
bin/elasticsearch-setup-passwords auto
Then, you can use
curl -X GET "http://localhost:9200" -u elastic:password_from_console
as written above (go upvote).
GET https://localhost:9200
Authorization: Basic elastic:{your user password}
My curl message updates a webhook on my website perfectly when I run the site locally, using 'localhost:800' as the URI, with 'ws://localhost:8080/ws' in the webpage javascript code and "curl -H "cache-control: no-cache" -H "content-type: application/json" -XPOST -d '{"object":"event","data":{"paid":true}}' localhost:8080/webhook" as the curl message sent. However when I send the same curl message to the Heroku hosted site:'https://XXXX.herokuapp.com/webhook' with 'ws://XXXX.herokuapp.com/ws' on the webpage it doesn't update with the info received in the curl, though from the Heroku logs I can see that the message was received. Does anyone know what the problem might be?
Turns out I just needed to change "var exampleSocket = new WebSocket("ws://myapp.herokuapp.com/ws")" to "var exampleSocket = new WebSocket("wss://myapp.herokuapp.com/ws")" in the .html page. Now it works fine. I have a SSL Cert in Heroku for that App and this seems to work with wss as well as https
I've installed kubectl (version 1.16.0) on Windows 10, and the command works fine.
However, when tryin to run kubectl config set-credentials <some_param> --auth-provider=oidc, I get the following error: Error: unknown flag: --auth-provider.
This happens even though when I run kubectl config set-credentials -h I can see the --auth-provider as a possible option..
How can it be fixed?
If you want to use the kubectl oidc authenticator during authentication process, which sets the id_token as a bearer token for all requests and refreshes the token once it expires. After you’ve logged into your provider, use kubectl to add your id_token, refresh_token, client_id, and client_secret to configure the plugin.
Proper configuration of command kubectl config set-credentials is that:
First you have to define user name for whom credentials will be created. Then you can pass additional parameters (enable oidc as auth-provider and add arguments to it). This is how proper syntax of kubectl config set-credentials command should look like:
$ kubectl config set-credentials USER_NAME \
--auth-provider=oidc \
--auth-provider-arg=idp-issuer-url=( issuer url ) \
--auth-provider-arg=client-id=( your client id ) \
--auth-provider-arg=client-secret=( your client secret ) \
--auth-provider-arg=refresh-token=( your refresh token ) \
--auth-provider-arg=idp-certificate-authority=( path to your ca certificate ) \
--auth-provider-arg=id-token=( your id_token )
More information about authentication you can find here: kubernetes-authentication.
I have a spring boot application deployed on pivotal cloud foundry.
I'm trying to tunnel (cf ssh) to that application in pcf from my spring boot application, but not able to find any api or client libraries to achieve it.
Actual cli command to tunnel pcf:
cf ssh -N -T -L 10001:localhost:10001 ms name
Any suggestions are welcome.
If you're trying to write Java code that would do the same thing as the cf ssh command, that should be possible. It's standard SSH, but with short-lived credentials so the trick will be generating credentials that you can use from your app.
Here's an example of using a standard SSH/SCP/SFTP client, note that ssh.bosh-lite.com will be your SSH domain, which you can see from cf curl /v2/info:
$ ssh -p 2222 cf:$(cf app app-name --guid)/0#ssh.bosh-lite.com
$ scp -P 2222 -oUser=cf:$(cf app app-name --guid)/0 my-local-file.json ssh.bosh-lite.com:my-remote-file.json
$ sftp -P 2222 cf:$(cf app app-name --guid)/0#ssh.bosh-lite.com
https://github.com/cloudfoundry/diego-ssh#cloud-foundry-via-cloud-controller-and-uaa
That said, you should be able to do something similar with any standard SSH Java library.
As mentioned above, the trick is in getting credentials. The username will be the format cf:application-guid/app-instance-number, which is easy, but the password needs to be generated with cf ssh-code, or the comparable call to the UAA API.
Ex: curl -vv -H 'Accept: application/json' -H "Authorization: $(cf oauth-token)" "https://uaa.run.pivotal.io/oauth/authorize?client_id=ssh-proxy&response_type=code"
This example uses curl to send the request and cf oauth-token to get a valid Oauth2 bearer token for the logged in user. You could get a valid bearer token in a number of ways, including making direct API calls or using the cf-java-client. It just needs to be a valid token for the user that should perform the SSH action (i.e. it would be the user that's running cf ssh).
Hope that helps!