-
Bug
-
Resolution: Done
-
Major
-
None
-
EAP72 1.0.0.GA
-
EAP Image + RH-SSO
-
Documentation (Ref Guide, User Guide, etc.), User Experience
-
-
-
-
-
-
Cloud Sprint 36
Today, when an user is configuring the RH-SSO integration with EAP base images, if the SSO_SECRET parameter is not set, the keycloak subsystem will be created with an empty credential:
<subsystem xmlns="urn:jboss:domain:keycloak:1.1"> <realm name="bsig"> <!-- ##KEYCLOAK_PUBLIC_KEY## --> <auth-server-url>https://sso-cicd.192.168.99.100.nip.io/auth</auth-server-url> <register-node-at-startup>true</register-node-at-startup> <register-node-period>600</register-node-period> <ssl-required>external</ssl-required> <disable-trust-manager>true</disable-trust-manager> <!-- ##KEYCLOAK_TRUSTSTORE## --> <allow-any-hostname>false</allow-any-hostname> </realm> <secure-deployment name="ROOT.war"> <realm>bsig</realm> <resource>root</resource> <auth-server-url>https://sso-cicd.192.168.99.100.nip.io/auth</auth-server-url> <enable-basic-auth>true</enable-basic-auth> <credential name="secret" /> <enable-cors>false</enable-cors> <bearer-only>false</bearer-only> <principal-attribute>preferred_username</principal-attribute> </secure-deployment> </subsystem> <!-- ##KEYCLOAK_SAML_SUBSYSTEM## -->
This will cause WARN messages like this:
16:15:58,005 WARN [org.keycloak.adapters.authentication.ClientIdAndSecretCredentialsProvider] (pool-25-thread-1) Client 'root' doesn't have secret available 16:15:58,013 ERROR [org.keycloak.adapters.NodesRegistrationManagement] (pool-25-thread-1) failed to register node to keycloak 16:15:58,013 ERROR [org.keycloak.adapters.NodesRegistrationManagement] (pool-25-thread-1) status from server: 400 16:15:58,013 ERROR [org.keycloak.adapters.NodesRegistrationManagement] (pool-25-thread-1) {"error":"unauthorized_client","error_description":"INVALID_CREDENTIALS: Invalid client credentials"}
The integration will fail and the application will not authenticate against the RH-SSO.
We recommend logging an error message during the subsystem configuration alerting the user to set the SSO_SECRET parameter before creating a client with an empty credential.
- clones
-
CLOUD-3199 SSO_SECRET parameter should be required if configuring RH-SSO integration
- New
- is cloned by
-
CLOUD-3209 [7.2.x-openjdk11] SSO_SECRET parameter should be required if configuring RH-SSO integration
- New
- is incorporated by
-
CLOUD-3215 EAP 7.2.2 OpenShift Image release
- Closed