-
Bug
-
Resolution: Unresolved
-
Major
-
None
-
29.0.1.Final, 30.0.0.Final
-
None
-
-
---
-
---
I've made a small web based OIDC application which consists of a single servlet (the attached TokenServlet). All it does, is to display the access and ID token. This application is deployed to a local WildFly instance. This application is hooked up to Keycloak, also running locally.
Before deploying the application, the following command has been run through the jboss-cli, followed by a reload:
/subsystem=undertow/application-security-domain=other:write-attribute(name=integrated-jaspi, value=false)
Upon hitting the application the first time, everything is fine. I'm presented with a Keycloak logon page, and after logging on, I'm redirected back to my application which displays the tokens - exactly as it's supposed to. However, if I wait until the access token has expired and then access the servlet again, thus triggering a refresh of the tokens, the following error occurs:
2023-11-30 09:29:53,628 FINER [org.wildfly.security.soteria.original.OpenIdIdentityStore] (default task-1) Returning caller name: qwe 2023-11-30 09:29:53,628 FINE [org.wildfly.security.soteria.original.OpenIdIdentityStore] (default task-1) Returning caller: [whatever] 2023-11-30 09:29:53,628 TRACE [org.wildfly.security] (default task-1) Handling CallerPrincipalCallback 2023-11-30 09:29:53,628 TRACE [org.wildfly.security] (default task-1) Original Principal = 'jakarta.security.enterprise.CallerPrincipal@5b0d6a85', Caller Name = 'null', Resulting Principal = 'jakarta.security.enterprise.CallerPrincipal@5b0d6a85' 2023-11-30 09:29:53,628 TRACE [org.wildfly.security] (default task-1) Principal assigning: [jakarta.security.enterprise.CallerPrincipal@5b0d6a85], pre-realm rewritten: [jakarta.security.enterprise.CallerPrincipal@5b0d6a85], realm name: [ApplicationRealm], post-realm rewritten: [jakarta.security.enterprise.CallerPrincipal@5b0d6a85], realm rewritten: [jakarta.security.enterprise.CallerPrincipal@5b0d6a85] 2023-11-30 09:29:53,633 TRACE [org.wildfly.security] (default task-1) PropertiesRealm: identity [qwe] does not exist 2023-11-30 09:29:53,633 TRACE [org.wildfly.security] (default task-1) Authorization failed - identity does not exist 2023-11-30 09:29:53,634 ERROR [io.undertow.request] (default task-1) UT005023: Exception handling request to /wildfly-oidc-sandbox-0.0.1-SNAPSHOT/tokens: java.lang.IllegalStateException: java.io.IOException: org.wildfly.security.authz.AuthorizationFailureException: ELY01088: Attempting to run as "jakarta.security.enterprise.CallerPrincipal@5b0d6a85" authorization operation failed at org.glassfish.soteria@3.0.3//org.glassfish.soteria.mechanisms.jaspic.Jaspic.handleCallbacks(Jaspic.java:180) at org.glassfish.soteria@3.0.3//org.glassfish.soteria.mechanisms.jaspic.Jaspic.notifyContainerAboutLogin(Jaspic.java:153) at org.glassfish.soteria@3.0.3//org.glassfish.soteria.mechanisms.HttpMessageContextImpl.notifyContainerAboutLogin(HttpMessageContextImpl.java:220) at org.glassfish.soteria@3.0.3//org.glassfish.soteria.mechanisms.HttpMessageContextImpl.notifyContainerAboutLogin(HttpMessageContextImpl.java:198) at org.wildfly.security.jakarta.security@3.0.3.Final//org.wildfly.security.soteria.original.OpenIdAuthenticationMechanism.refreshTokens(OpenIdAuthenticationMechanism.java:421) at org.wildfly.security.jakarta.security@3.0.3.Final//org.wildfly.security.soteria.original.OpenIdAuthenticationMechanism.lambda$reAuthenticate$0(OpenIdAuthenticationMechanism.java:395) at java.base/java.util.Optional.map(Optional.java:260) at org.wildfly.security.jakarta.security@3.0.3.Final//org.wildfly.security.soteria.original.OpenIdAuthenticationMechanism.reAuthenticate(OpenIdAuthenticationMechanism.java:395) at org.wildfly.security.jakarta.security@3.0.3.Final//org.wildfly.security.soteria.original.OpenIdAuthenticationMechanism.validateRequest(OpenIdAuthenticationMechanism.java:200) at org.wildfly.security.jakarta.security@3.0.3.Final//org.wildfly.security.soteria.original.OpenIdAuthenticationMechanism$Proxy$_$$_WeldClientProxy.validateRequest(Unknown Source) at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77) at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.base/java.lang.reflect.Method.invoke(Method.java:568) at org.jboss.weld.core@5.1.2.Final//org.jboss.weld.bean.proxy.AbstractBeanInstance.invoke(AbstractBeanInstance.java:38) at org.jboss.weld.core@5.1.2.Final//org.jboss.weld.bean.proxy.ProxyMethodHandler.invoke(ProxyMethodHandler.java:109) at org.wildfly.security.jakarta.security@3.0.3.Final//org.jboss.weld.generated.proxies.security.enterprise.authentication.mechanism.http.HttpAuthenticationMechanism$397943940$Proxy$_$$_WeldClientProxy.validateRequest(Unknown Source) at org.glassfish.soteria@3.0.3//org.glassfish.soteria.mechanisms.jaspic.HttpBridgeServerAuthModule.validateRequest(HttpBridgeServerAuthModule.java:89) at org.wildfly.security.jakarta.authentication@3.0.3.Final//org.wildfly.security.auth.jaspi.impl.ElytronServerAuthContext.validateRequest(ElytronServerAuthContext.java:85) at org.wildfly.security.jakarta.authentication@3.0.3.Final//org.wildfly.security.auth.jaspi.impl.WrappingServerAuthContext.lambda$validateRequest$0(WrappingServerAuthContext.java:50) at org.wildfly.security.jakarta.authentication@3.0.3.Final//org.wildfly.security.auth.jaspi.impl.ThreadLocalCallbackHandler.get(ThreadLocalCallbackHandler.java:56) at org.wildfly.security.jakarta.authentication@3.0.3.Final//org.wildfly.security.auth.jaspi.impl.WrappingServerAuthContext.validateRequest(WrappingServerAuthContext.java:50) at org.wildfly.security.elytron-web.undertow-server-servlet@4.0.0.Final//org.wildfly.elytron.web.undertow.server.servlet.ServletSecurityContextImpl.authenticate(ServletSecurityContextImpl.java:176) at org.wildfly.security.elytron-web.undertow-server-servlet@4.0.0.Final//org.wildfly.elytron.web.undertow.server.servlet.ServletSecurityContextImpl.authenticate(ServletSecurityContextImpl.java:101) at io.undertow.servlet@2.3.10.Final//io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:55) at io.undertow.core@2.3.10.Final//io.undertow.server.handlers.DisableCacheHandler.handleRequest(DisableCacheHandler.java:33) at io.undertow.core@2.3.10.Final//io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.core@2.3.10.Final//io.undertow.security.handlers.AuthenticationConstraintHandler.handleRequest(AuthenticationConstraintHandler.java:53) at io.undertow.core@2.3.10.Final//io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46) at io.undertow.servlet@2.3.10.Final//io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64) at io.undertow.servlet@2.3.10.Final//io.undertow.servlet.handlers.security.ServletSecurityConstraintHandler.handleRequest(ServletSecurityConstraintHandler.java:60) at io.undertow.core@2.3.10.Final//io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43) at org.wildfly.security.elytron-web.undertow-server-servlet@4.0.0.Final//org.wildfly.elytron.web.undertow.server.servlet.CleanUpHandler.handleRequest(CleanUpHandler.java:38) at io.undertow.core@2.3.10.Final//io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at org.wildfly.extension.undertow@30.0.0.Final//org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:44) at io.undertow.core@2.3.10.Final//io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at org.wildfly.extension.undertow@30.0.0.Final//org.wildfly.extension.undertow.deployment.GlobalRequestControllerHandler.handleRequest(GlobalRequestControllerHandler.java:51) at io.undertow.servlet@2.3.10.Final//io.undertow.servlet.handlers.SendErrorPageHandler.handleRequest(SendErrorPageHandler.java:52) at io.undertow.core@2.3.10.Final//io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.servlet@2.3.10.Final//io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:276) at io.undertow.servlet@2.3.10.Final//io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135) at io.undertow.servlet@2.3.10.Final//io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:132) at io.undertow.servlet@2.3.10.Final//io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48) at io.undertow.servlet@2.3.10.Final//io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43) at org.wildfly.extension.undertow@30.0.0.Final//org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1413) at org.wildfly.extension.undertow@30.0.0.Final//org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1413) at org.wildfly.extension.undertow@30.0.0.Final//org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1413) at org.wildfly.extension.undertow@30.0.0.Final//org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1413) at io.undertow.servlet@2.3.10.Final//io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:256) at io.undertow.servlet@2.3.10.Final//io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:101) at io.undertow.core@2.3.10.Final//io.undertow.server.Connectors.executeRootHandler(Connectors.java:393) at io.undertow.core@2.3.10.Final//io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:859) at org.jboss.threads@2.4.0.Final//org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35) at org.jboss.threads@2.4.0.Final//org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1990) at org.jboss.threads@2.4.0.Final//org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1486) at org.jboss.threads@2.4.0.Final//org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1377) at org.jboss.xnio@3.8.11.Final//org.xnio.XnioWorker$WorkerThreadFactory$1$1.run(XnioWorker.java:1282) at java.base/java.lang.Thread.run(Thread.java:833) Caused by: java.io.IOException: org.wildfly.security.authz.AuthorizationFailureException: ELY01088: Attempting to run as "jakarta.security.enterprise.CallerPrincipal@5b0d6a85" authorization operation failed at org.wildfly.security.jakarta.authentication@3.0.3.Final//org.wildfly.security.auth.jaspi.impl.JaspiAuthenticationContext$1.handle(JaspiAuthenticationContext.java:149) at org.wildfly.security.jakarta.authentication@3.0.3.Final//org.wildfly.security.auth.jaspi.impl.ThreadLocalCallbackHandler.handle(ThreadLocalCallbackHandler.java:49) at org.glassfish.soteria@3.0.3//org.glassfish.soteria.mechanisms.jaspic.Jaspic.handleCallbacks(Jaspic.java:174) ... 57 more Caused by: org.wildfly.security.authz.AuthorizationFailureException: ELY01088: Attempting to run as "jakarta.security.enterprise.CallerPrincipal@5b0d6a85" authorization operation failed at org.wildfly.security.elytron-base@2.2.2.Final//org.wildfly.security.auth.server.SecurityIdentity.createRunAsIdentity(SecurityIdentity.java:750) at org.wildfly.security.jakarta.authentication@3.0.3.Final//org.wildfly.security.auth.jaspi.impl.JaspiAuthenticationContext$1.handleOne(JaspiAuthenticationContext.java:223) at org.wildfly.security.jakarta.authentication@3.0.3.Final//org.wildfly.security.auth.jaspi.impl.JaspiAuthenticationContext$1.lambda$handle$0(JaspiAuthenticationContext.java:138) at org.wildfly.security.jakarta.authentication@3.0.3.Final//org.wildfly.security.auth.jaspi.impl.SecurityActions.doPrivileged(SecurityActions.java:39) at org.wildfly.security.jakarta.authentication@3.0.3.Final//org.wildfly.security.auth.jaspi.impl.JaspiAuthenticationContext$1.handle(JaspiAuthenticationContext.java:137) ... 59 more
Looking a few lines above in the log, it does indeed seem that the tokens are successfully refreshed:
2023-11-30 09:29:53,625 FINE [org.wildfly.security.soteria.original.OpenIdAuthenticationMechanism] (default task-1) tokensBody = \{"access_token":"eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJrMmpreG1sbUk5SWhQcjlVLTY2WmhEOVR5SHlrNFkyOG9wZ1VOOFR4Nm9zIn0.eyJleHAiOjE3MDEzMzMwNTMsImlhdCI6MTcwMTMzMjk5MywiYXV0aF90aW1lIjoxNzAxMzMyODQ3LCJqdGkiOiJlNjhkZTJmYi1hZmZkLTRjODUtYmM0Yi1kYzZiOTA1ZTNhZTMiLCJpc3MiOiJodHRwOi8vbG9jYWxob3N0OjgwODAvcmVhbG1zL21hc3RlciIsImF1ZCI6ImFjY291bnQiLCJzdWIiOiIyZWE2NDcxMS0wZGM2LTQzMjgtYmQ5Ni05ZTRjN2U4NzY0MjYiLCJ0eXAiOiJCZWFyZXIiLCJhenAiOiJzb21lY2xpZW50Iiwibm9uY2UiOiJVZ3JBSVJROFJHQjJxcjlqT1pkNUVRMVMxaWpjVUdUODZEa1BnMkltZlNNIiwic2Vzc2lvbl9zdGF0ZSI6IjE4OGU0YmU5LTgyZjAtNGIzOS05ZTM2LWFhZTEzZTYxNTljMiIsImFjciI6IjEiLCJhbGxvd2VkLW9yaWdpbnMiOlsiaHR0cDovbG9jYWxob3N0OjgwODIiXSwicmVhbG1fYWNjZXNzIjp7InJvbGVzIjpbImRlZmF1bHQtcm9sZXMtbWFzdGVyIiwib2ZmbGluZV9hY2Nlc3MiLCJ1bWFfYXV0aG9yaXphdGlvbiJdfSwicmVzb3VyY2VfYWNjZXNzIjp7ImFjY291bnQiOnsicm9sZXMiOlsibWFuYWdlLWFjY291bnQiLCJtYW5hZ2UtYWNjb3VudC1saW5rcyIsInZpZXctcHJvZmlsZSJdfX0sInNjb3BlIjoib3BlbmlkIHByb2ZpbGUgZW1haWwiLCJzaWQiOiIxODhlNGJlOS04MmYwLTRiMzktOWUzNi1hYWUxM2U2MTU5YzIiLCJlbWFpbF92ZXJpZmllZCI6ZmFsc2UsImdyb3VwcyI6WyJ3aGF0ZXZlciJdLCJwcmVmZXJyZWRfdXNlcm5hbWUiOiJxd2UifQ.VGQNAY-bXQ8sjUpBwh2yRTlIw-xvKQVOeZ8lQu4KLHHYj2OXz7p5Kxzz8_NY1ltY0TK0C9Eoda3XDUgsNQzO5FsiIjffS8bI8gdoQvHMc-m5IXQvmEdN3sJ71VQWZ_3CVxh0UksM_jBHIC2gy_WzLgPJfwvG2yb7ufzh9jeT1mSTOTJCSFMnTPYDkfGx7cn-HPNlHRLd4X9bAdey8S48hg6LbAS2byfY9rgvPsiv2z7jZw57g9z8oauD1jzlBLf0oSUYnEpIzBnmOjbLT9Jexfx5vwp-7rpMd2dNdd4o4OB1Q-Sf1EZFcpjhLaXlndmPiP5pyRm4HPYGAS8Ude8AIg","expires_in":60,"refresh_expires_in":1800,"refresh_token":"eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJlNTBiOTkyNS1lZDM2LTRhMWItYjgwNC0wMDA3MmUwZDliOTQifQ.eyJleHAiOjE3MDEzMzQ3OTMsImlhdCI6MTcwMTMzMjk5MywianRpIjoiNzAxYjk5YTAtZWZhZi00MGFhLWFiZDktYmIzOTUwM2NiNGJjIiwiaXNzIjoiaHR0cDovL2xvY2FsaG9zdDo4MDgwL3JlYWxtcy9tYXN0ZXIiLCJhdWQiOiJodHRwOi8vbG9jYWxob3N0OjgwODAvcmVhbG1zL21hc3RlciIsInN1YiI6IjJlYTY0NzExLTBkYzYtNDMyOC1iZDk2LTllNGM3ZTg3NjQyNiIsInR5cCI6IlJlZnJlc2giLCJhenAiOiJzb21lY2xpZW50Iiwibm9uY2UiOiJVZ3JBSVJROFJHQjJxcjlqT1pkNUVRMVMxaWpjVUdUODZEa1BnMkltZlNNIiwic2Vzc2lvbl9zdGF0ZSI6IjE4OGU0YmU5LTgyZjAtNGIzOS05ZTM2LWFhZTEzZTYxNTljMiIsInNjb3BlIjoib3BlbmlkIHByb2ZpbGUgZW1haWwiLCJzaWQiOiIxODhlNGJlOS04MmYwLTRiMzktOWUzNi1hYWUxM2U2MTU5YzIifQ.WsPRJIlwtCMz8T7FOzosHtb6G0puM3UVHNqUOiSV6uM","token_type":"Bearer","id_token":"eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJrMmpreG1sbUk5SWhQcjlVLTY2WmhEOVR5SHlrNFkyOG9wZ1VOOFR4Nm9zIn0.eyJleHAiOjE3MDEzMzMwNTMsImlhdCI6MTcwMTMzMjk5MywiYXV0aF90aW1lIjoxNzAxMzMyODQ3LCJqdGkiOiJiOTUyMTVlZi1lYmRlLTQxYzUtOGM3Mi0wYzdmMGM2NTU4ZjIiLCJpc3MiOiJodHRwOi8vbG9jYWxob3N0OjgwODAvcmVhbG1zL21hc3RlciIsImF1ZCI6InNvbWVjbGllbnQiLCJzdWIiOiIyZWE2NDcxMS0wZGM2LTQzMjgtYmQ5Ni05ZTRjN2U4NzY0MjYiLCJ0eXAiOiJJRCIsImF6cCI6InNvbWVjbGllbnQiLCJub25jZSI6IlVnckFJUlE4UkdCMnFyOWpPWmQ1RVExUzFpamNVR1Q4NkRrUGcySW1mU00iLCJzZXNzaW9uX3N0YXRlIjoiMTg4ZTRiZTktODJmMC00YjM5LTllMzYtYWFlMTNlNjE1OWMyIiwiYXRfaGFzaCI6InVjV0pTb2kzMVMwXzZIdndyRjBiVGciLCJhY3IiOiIxIiwic2lkIjoiMTg4ZTRiZTktODJmMC00YjM5LTllMzYtYWFlMTNlNjE1OWMyIiwiZW1haWxfdmVyaWZpZWQiOmZhbHNlLCJncm91cHMiOlsid2hhdGV2ZXIiXSwicHJlZmVycmVkX3VzZXJuYW1lIjoicXdlIn0.QZ1vVxYGZG2E1EhmJqYghOajmMYtsG9n4wtN8SvNa56_MjVZHpjBLn463VSkFD6CkbnHmUuUeNBXIJaQWt_g2_QPMhOkOg_yzMg3kB4hcEufMs0kKadGY1-uBv5TVzZPAFUyWr_eOgUDM9wJeYJtDrgjxzz7lnedNtBI_bcZazu6E5BIpitjNXY-5p4xWZODRjtN-FLDSSfB5OTKf_PXvOYJUvCbvIEagV2eY5b68s2-zpKiOzWWgPrVmm1X9DlGv5uAiLXTdXrURaGkv4J_nIrfr5BQUENpuCHR7IVc4f4TZZggJOT-IZUteplv-ZG9MsYN4Y2IQGckWgw6hAhhTA","not-before-policy":0,"session_state":"188e4be9-82f0-4b39-9e36-aae13e6159c2","scope":"openid profile email"}
- is incorporated by
-
-
- Open
-
