  1. Keycloak
  2. KEYCLOAK-10957

MismatchedInputException in Jackson causes Tomcat 8 Adapter to not work in Keycloak 6.0.1

Details

    • Bug
    • Status: Closed
    • Major
    • Resolution: Out of Date
    • 6.0.1
    • Backlog
    • Adapter - JEE
    • Steps to Reproduce:
      1. Install Keycloak 6.0.1
      2. Create a realm
      3. Create a test user and assign them a password
      4. Make sure they are assigned the "offline_access" and "uma_authorization" realm roles under Users -> User -> Role Mappings. Believe these are defaults.
      5. Download Tomcat 8.5.43, unzip the tarball
      6. In the lib/ folder, unzip the contents of keycloak-tomcat8-adapter-dist.zip as per https://www.keycloak.org/docs/latest/securing_apps/index.html#_tomcat_adapter
      7. Follow the directions to deploy a small test webapp that contains META-INF/context.xml, WEB-INF/keycloak.json, WEB-INF/web.xml files.
      8. Start Tomcat, visit the webapp
      9. Webapp will redirect to the Keycloak authentication URL
      10. Authenticate as the user you created earlier
      11. Keycloak will redirect back to the Webapp and the error will occur
    • NEW
    • NEW

    Description

      The Tomcat 8 adapter distributed with Keycloak 6.0.1 does not appear to work properly with Keycloak. If the user is assigned any realm roles or client roles, the following Jackson exception is thrown and authentication into the webapp fails.

      The Tomcat log file will log the following error:
      org.keycloak.adapters.OAuthRequestAuthenticator.resolveCode failed verification of token: Failed to read access token from JWT

      The actual cause of this error will be the following exception:

      com.fasterxml.jackson.databind.exc.MismatchedInputException: Cannot construct instance of `org.keycloak.representations.AccessToken$Access` (although at least one Creator exists): no String-argument constructor/factory method to deserialize from String value ('[offline_access, uma_authorization]')
      
       at [Source: (byte[])"{"jti":"aab616ac-bad6-450d-b912-a6753df668c8","exp":1564415320,"nbf":0,"iat":1564412320,"iss":"http://app.example.org:8080/auth/realms/myrealm","aud":"account","sub":"19c4c859-e062-4528-b176-3a17caf443af","typ":"Bearer","azp":"myapp","auth_time":1564412288,"session_state":"5e393888-c788-406a-8ee2-6ef8020fbfea","acr":"0","realm_access":{"roles":["offline_access","uma_authorization"]},"resource_access":{"account":{"roles":["manage-account","manage-account-links","view-profile"]}},"sco"[truncated 297 bytes]; line: 1, column: 565] (through reference chain: org.keycloak.representations.AccessToken["realm_access"])
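
      A triage check for the failure described above, added here as an example (not part of the original report and not Keycloak code): it decodes an access token's payload and checks that realm_access and resource_access have the object shape visible in the logged JSON, which helps tell a malformed token apart from a deserialization problem on the adapter side. The function names and the sample token are assumptions constructed for illustration, and the signature is deliberately not verified.

```python
import base64
import json

def decode_jwt_payload(token: str) -> dict:
    """Return the claims of a compact JWT WITHOUT verifying its signature (triage only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    payload = parts[1]
    payload += "=" * (-len(payload) % 4)  # restore the stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def _check_access(path: str, value) -> list:
    """An access entry must be an object holding a 'roles' list of strings."""
    if not isinstance(value, dict):
        return [f"{path}: expected object, got {type(value).__name__}"]
    roles = value.get("roles", [])
    if not isinstance(roles, list) or not all(isinstance(r, str) for r in roles):
        return [f"{path}.roles: expected list of strings"]
    return []

def check_access_claims(claims: dict) -> list:
    """Return shape problems in realm_access / resource_access (empty list = well-formed)."""
    problems = []
    if "realm_access" in claims:
        problems += _check_access("realm_access", claims["realm_access"])
    resource_access = claims.get("resource_access", {})
    if not isinstance(resource_access, dict):
        return problems + ["resource_access: expected object keyed by client id"]
    for client, access in resource_access.items():
        problems += _check_access(f"resource_access.{client}", access)
    return problems

def _encode(obj) -> str:
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

# Constructed sample: claims copied from the log excerpt in this report
# (the part the log truncated is left out); the signature is a dummy value.
SAMPLE_CLAIMS = {
    "iss": "http://app.example.org:8080/auth/realms/myrealm",
    "azp": "myapp",
    "realm_access": {"roles": ["offline_access", "uma_authorization"]},
    "resource_access": {"account": {"roles": ["manage-account", "manage-account-links", "view-profile"]}},
}
SAMPLE_TOKEN = ".".join([_encode({"alg": "RS256", "typ": "JWT"}), _encode(SAMPLE_CLAIMS), "c2ln"])

if __name__ == "__main__":
    print(check_access_claims(decode_jwt_payload(SAMPLE_TOKEN)) or "claim shapes OK")
```

      An empty result for a token captured from the failing login means the payload itself is well-formed, so the next place to look is the Jackson and adapter JARs on Tomcat's classpath.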
      

          People

            Unassigned Unassigned
            lowman1098 Philip Lowman (Inactive)