[KEYCLOAK-10957] MismatchedInputException in Jackson causes Tomcat 8 Adapter to not work in Keycloak 6.0.1 - Red Hat Issue Tracker

XML

Word

Printable

Details

Type: Bug
Status: Closed
Priority: Major
Resolution: Out of Date
Affects Version/s: 6.0.1
Fix Version/s: Backlog
Component/s: Adapter - JEE
Labels:
- tomcat

Epic Link:
JWS 5 Support
Steps to Reproduce:
Hide

Install KeyCloak 6.0.1

Create a realm

Create a test user and assign them a password

Make sure they are assigned the "offline_access" and "uma_authorization" realm roles under Users -> User -> Role Mappings. Believe these are defaults

Download Tomcat 8.5.43, unzip the tarball

In the lib/ folder, unzip the contents of keycloak-tomcat8-adapter-dist.zip as per https://www.keycloak.org/docs/latest/securing_apps/index.html#_tomcat_adapter

Follow the directions to deploy a small test webapp that contains META-INF/context.xml, WEB-INF/keycloak.json, WEB-INF/web.xml files.

Start Tomcat, visit the webapp

Webapp will redirect to the Keycloak authentication URL

Authenticate as the user you created earlier

Keycloak will redirect back to the Webapp and the error will occur
Show
Install KeyCloak 6.0.1 Create a realm Create a test user and assign them a password Make sure they are assigned the "offline_access" and "uma_authorization" realm roles under Users -> User -> Role Mappings. Believe these are defaults Download Tomcat 8.5.43, unzip the tarball In the lib/ folder, unzip the contents of keycloak-tomcat8-adapter-dist.zip as per https://www.keycloak.org/docs/latest/securing_apps/index.html#_tomcat_adapter Follow the directions to deploy a small test webapp that contains META-INF/context.xml, WEB-INF/keycloak.json, WEB-INF/web.xml files. Start Tomcat, visit the webapp Webapp will redirect to the Keycloak authentication URL Authenticate as the user you created earlier Keycloak will redirect back to the Webapp and the error will occur
Docs QE Status:
NEW
QE Status:
NEW

Description

The Tomcat 8 adapter distributed with Keycloak 6.0.1 does not appear to work properly with Keycloak. If the user is assigned any realm roles or client roles, the following Jackson exception is thrown and authentication into the webapp fails.

The Tomcat log file will log the following error:
org.keycloak.adapters.OAuthRequestAuthenticator.resolveCode failed verification of token: Failed to read access token from JWT

The actual cause of this error will be the following exception:

com.fasterxml.jackson.databind.exc.MismatchedInputException: Cannot construct instance of `org.keycloak.representations.AccessToken$Access` (although at least one Creator exists): no String-argument constructor/factory method to deserialize from String value ('[offline_access, uma_authorization]')

 at [Source: (byte[])"{"jti":"aab616ac-bad6-450d-b912-a6753df668c8","exp":1564415320,"nbf":0,"iat":1564412320,"iss":"http://app.example.org:8080/auth/realms/myrealm","aud":"account","sub":"19c4c859-e062-4528-b176-3a17caf443af","typ":"Bearer","azp":"myapp","auth_time":1564412288,"session_state":"5e393888-c788-406a-8ee2-6ef8020fbfea","acr":"0","realm_access":{"roles":["offline_access","uma_authorization"]},"resource_access":{"account":{"roles":["manage-account","manage-account-links","view-profile"]}},"sco"[truncated 297 bytes]; line: 1, column: 565] (through reference chain: org.keycloak.representations.AccessToken["realm_access"])

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending
- Thumbnails
- List
- Download All

image-2019-07-29-11-28-07-260.png
2019/07/29 11:28 AM
41 kB
Philip Lowman

Activity

People

Assignee:: Unassigned

Reporter:: Philip Lowman (Inactive)

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Dates

Created:: 2019/07/29 11:41 AM

Updated:: 2021/02/15 9:30 AM

Resolved:: 2021/02/15 9:30 AM