Loading...

XML

Word

Printable

Type: Enhancement
Resolution: Done
Priority: Major
Fix Version/s: None
Affects Version/s: EAP72 1.0.0.GA
Component/s: EAP7
Labels:
Environment:

EAP Image + RH-SSO

Affects:

Documentation (Ref Guide, User Guide, etc.), User Experience
CDW devel_ack:
CDW docs_ack:
CDW pm_ack:
CDW qa_ack:
CDW release:
Target Release:

EAP CD 17.0.GA
Git Pull Request:
https://github.com/jboss-container-images/jboss-eap-modules/pull/86

SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

Today, when an user is configuring the RH-SSO integration with EAP base images, if the SSO_SECRET parameter is not set, the keycloak subsystem will be created with an empty credential:

<subsystem xmlns="urn:jboss:domain:keycloak:1.1">
   <realm name="bsig">
      <!-- ##KEYCLOAK_PUBLIC_KEY## -->
      <auth-server-url>https://sso-cicd.192.168.99.100.nip.io/auth</auth-server-url>
      <register-node-at-startup>true</register-node-at-startup>
      <register-node-period>600</register-node-period>
      <ssl-required>external</ssl-required>
      <disable-trust-manager>true</disable-trust-manager>
      <!-- ##KEYCLOAK_TRUSTSTORE## -->
      <allow-any-hostname>false</allow-any-hostname>
   </realm>
   <secure-deployment name="ROOT.war">
      <realm>bsig</realm>
      <resource>root</resource>
      <auth-server-url>https://sso-cicd.192.168.99.100.nip.io/auth</auth-server-url>
      <enable-basic-auth>true</enable-basic-auth>
      <credential name="secret" />
      <enable-cors>false</enable-cors>
      <bearer-only>false</bearer-only>
      <principal-attribute>preferred_username</principal-attribute>
   </secure-deployment>
</subsystem>
<!-- ##KEYCLOAK_SAML_SUBSYSTEM## -->

This will cause WARN messages like this:

16:15:58,005 WARN  [org.keycloak.adapters.authentication.ClientIdAndSecretCredentialsProvider] (pool-25-thread-1) Client 'root' doesn't have secret available
16:15:58,013 ERROR [org.keycloak.adapters.NodesRegistrationManagement] (pool-25-thread-1) failed to register node to keycloak
16:15:58,013 ERROR [org.keycloak.adapters.NodesRegistrationManagement] (pool-25-thread-1) status from server: 400
16:15:58,013 ERROR [org.keycloak.adapters.NodesRegistrationManagement] (pool-25-thread-1)    {"error":"unauthorized_client","error_description":"INVALID_CREDENTIALS: Invalid client credentials"}

The integration will fail and the application will not authenticate against the RH-SSO.

We recommend logging an error message during the subsystem configuration alerting the user to set the SSO_SECRET parameter before creating a client with an empty credential.

is cloned by

CLOUD-3208 [7.2.x] SSO_SECRET parameter should be required if configuring RH-SSO integration

is incorporated by

CLOUD-3308 EAP CD 17.0 Release

Closed

relates to

RHPAM-1307 Use default hostnames for SSO clients in RHPAM OpenShift templates

Closed

Assignee:: Ricardo Zanini

Reporter:: Ricardo Zanini

Involved:: Ken Wills

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Created:: 2019/05/07 3:39 PM

Updated:: 2024/02/08 3:05 PM

Resolved:: 2019/05/09 6:29 PM

Details

Description

Attachments

Issue Links

Easy Agile Planning Poker

Activity

People

Dates