How to set up SSL for the Administration Console AND protect it with Keycloak?
gunterze Apr 19, 2019 10:35 AM

I followed Protecting Wildfly Administration Console With Keycloak, with Wildfly 16.0.0.Final and Keycloak (Wildfly Adapter) 5.0.0, and configured a <server-ssl-context name="httpsSSC">:
<subsystem xmlns="urn:wildfly:elytron:6.0" final-providers="combined-providers" disallowed-providers="OracleUcrypto">
    <tls>
        <key-stores>
            <key-store name="httpsKS">
                <credential-reference clear-text="secret"/>
                <implementation type="JKS"/>
                <file path="/home/gunter/wildfly-16.0.0.Final/standalone/configuration/dcm4chee-arc/key.jks"/>
            </key-store>
        </key-stores>
        <key-managers>
            <key-manager name="httpsKM" algorithm="SunX509" key-store="httpsKS">
                <credential-reference clear-text="secret"/>
            </key-manager>
        </key-managers>
        <server-ssl-contexts>
            <server-ssl-context name="httpsSSC" protocols="TLSv1.2" key-manager="httpsKM"/>
        </server-ssl-contexts>
    </tls>
</subsystem>
and referenced it from the <http-interface> element of <management-interfaces>, and also changed <socket-binding> to https="management-https":
<management>
    <management-interfaces>
        <http-interface http-authentication-factory="keycloak-mgmt-http-authentication" ssl-context="httpsSSC">
            <http-upgrade enabled="true" sasl-authentication-factory="management-sasl-authentication"/>
            <socket-binding https="management-https"/>
        </http-interface>
    </management-interfaces>
    <access-control provider="rbac" use-identity-roles="true">
        <role-mapping>
            <role name="SuperUser">
                <include>
                    <user name="$local"/>
                </include>
            </role>
        </role-mapping>
    </access-control>
</management>
The request to https://localhost:9993 got redirected to the Keycloak login page, but the redirect back to https://localhost:9993/console/index.html did not load the Admin Console.
The server.log of the Keycloak adapter looks like this:
2019-04-19 14:53:58,191 DEBUG [org.keycloak.adapters.elytron.KeycloakHttpServerAuthenticationMechanism] (management task-4) Evaluating request for path [https://localhost:9993/management]
2019-04-19 14:53:58,203 DEBUG [org.keycloak.adapters.PreAuthActionsHandler] (management task-4) adminRequest https://localhost:9993/management
2019-04-19 14:53:58,203 TRACE [org.keycloak.adapters.RequestAuthenticator] (management task-4) --> authenticate()
2019-04-19 14:53:58,204 TRACE [org.keycloak.adapters.RequestAuthenticator] (management task-4) try bearer
2019-04-19 14:53:58,205 TRACE [org.keycloak.adapters.RequestAuthenticator] (management task-4) try query paramter auth
2019-04-19 14:53:58,205 DEBUG [org.keycloak.adapters.RequestAuthenticator] (management task-4) NOT_ATTEMPTED: bearer only
2019-04-19 14:53:59,451 DEBUG [org.keycloak.adapters.elytron.KeycloakHttpServerAuthenticationMechanism] (management task-2) Evaluating request for path [https://localhost:9993/management]
2019-04-19 14:53:59,452 DEBUG [org.keycloak.adapters.PreAuthActionsHandler] (management task-2) adminRequest https://localhost:9993/management
2019-04-19 14:53:59,452 TRACE [org.keycloak.adapters.RequestAuthenticator] (management task-2) --> authenticate()
2019-04-19 14:53:59,452 TRACE [org.keycloak.adapters.RequestAuthenticator] (management task-2) try bearer
2019-04-19 14:53:59,452 TRACE [org.keycloak.adapters.RequestAuthenticator] (management task-2) try query paramter auth
2019-04-19 14:53:59,452 DEBUG [org.keycloak.adapters.RequestAuthenticator] (management task-2) NOT_ATTEMPTED: bearer only
2019-04-19 14:54:30,863 DEBUG [org.keycloak.adapters.elytron.KeycloakHttpServerAuthenticationMechanism] (management task-1) Evaluating request for path [https://localhost:9993/management]
2019-04-19 14:54:30,864 DEBUG [org.keycloak.adapters.PreAuthActionsHandler] (management task-1) adminRequest https://localhost:9993/management
2019-04-19 14:54:30,864 TRACE [org.keycloak.adapters.RequestAuthenticator] (management task-1) --> authenticate()
2019-04-19 14:54:30,864 TRACE [org.keycloak.adapters.RequestAuthenticator] (management task-1) try bearer
2019-04-19 14:54:45,636 TRACE [org.keycloak.adapters.RequestAuthenticator] (management task-1) try query paramter auth
2019-04-19 14:54:45,636 DEBUG [org.keycloak.adapters.RequestAuthenticator] (management task-1) NOT_ATTEMPTED: bearer only
compared with the working plain (no SSL) http://localhost:9990:
2019-04-19 14:42:33,652 DEBUG [org.keycloak.adapters.elytron.KeycloakHttpServerAuthenticationMechanism] (management task-1) Evaluating request for path [http://localhost:9990/management]
2019-04-19 14:42:33,666 DEBUG [org.keycloak.adapters.PreAuthActionsHandler] (management task-1) adminRequest http://localhost:9990/management
2019-04-19 14:42:33,667 TRACE [org.keycloak.adapters.RequestAuthenticator] (management task-1) --> authenticate()
2019-04-19 14:42:33,668 TRACE [org.keycloak.adapters.RequestAuthenticator] (management task-1) try bearer
2019-04-19 14:42:33,669 TRACE [org.keycloak.adapters.RequestAuthenticator] (management task-1) try query paramter auth
2019-04-19 14:42:33,670 DEBUG [org.keycloak.adapters.RequestAuthenticator] (management task-1) NOT_ATTEMPTED: bearer only
2019-04-19 14:42:34,520 DEBUG [org.keycloak.adapters.elytron.KeycloakHttpServerAuthenticationMechanism] (management task-3) Evaluating request for path [http://localhost:9990/management]
2019-04-19 14:42:34,521 DEBUG [org.keycloak.adapters.PreAuthActionsHandler] (management task-3) adminRequest http://localhost:9990/management
2019-04-19 14:42:34,522 TRACE [org.keycloak.adapters.RequestAuthenticator] (management task-3) --> authenticate()
2019-04-19 14:42:34,522 TRACE [org.keycloak.adapters.RequestAuthenticator] (management task-3) try bearer
2019-04-19 14:42:34,522 TRACE [org.keycloak.adapters.RequestAuthenticator] (management task-3) try query paramter auth
2019-04-19 14:42:34,523 DEBUG [org.keycloak.adapters.RequestAuthenticator] (management task-3) NOT_ATTEMPTED: bearer only
2019-04-19 14:42:34,665 DEBUG [org.keycloak.adapters.elytron.KeycloakHttpServerAuthenticationMechanism] (management task-3) Evaluating request for path [http://localhost:9990/management]
2019-04-19 14:42:34,665 DEBUG [org.keycloak.adapters.PreAuthActionsHandler] (management task-3) adminRequest http://localhost:9990/management
2019-04-19 14:42:34,665 TRACE [org.keycloak.adapters.RequestAuthenticator] (management task-3) --> authenticate()
2019-04-19 14:42:34,665 TRACE [org.keycloak.adapters.RequestAuthenticator] (management task-3) try bearer
2019-04-19 14:42:34,665 DEBUG [org.keycloak.adapters.BearerTokenRequestAuthenticator] (management task-3) Found [1] values in authorization header, selecting the first value for Bearer.
2019-04-19 14:42:34,666 DEBUG [org.keycloak.adapters.BearerTokenRequestAuthenticator] (management task-3) Verifying access_token
2019-04-19 14:42:34,683 TRACE [org.keycloak.adapters.BearerTokenRequestAuthenticator] (management task-3) access_token: eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJJN2RkWEJTUm9iQ1R0NnJnQTBzc3FqVHo0WERfVUFFQTdndV9tOF9EdjlzIn0.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.signature
2019-04-19 14:42:34,739 TRACE [org.keycloak.adapters.rotation.JWKPublicKeyLocator] (management task-3) Going to send request to retrieve new set of realm public keys for client wildfly-management
2019-04-19 14:42:34,927 DEBUG [org.keycloak.adapters.rotation.JWKPublicKeyLocator] (management task-3) Realm public keys successfully retrieved for client wildfly-management. New kids: [I7ddXBSRobCTt6rgA0ssqjTz4XD_UAEA7gu_m8_Dv9s]
2019-04-19 14:42:34,929 DEBUG [org.keycloak.adapters.BearerTokenRequestAuthenticator] (management task-3) successful authorized
2019-04-19 14:42:34,936 TRACE [org.keycloak.adapters.RefreshableKeycloakSecurityContext] (management task-3) checking whether to refresh.
2019-04-19 14:42:34,936 TRACE [org.keycloak.adapters.AdapterUtils] (management task-3) use realm role mappings
2019-04-19 14:42:34,936 TRACE [org.keycloak.adapters.AdapterUtils] (management task-3) Setting roles:
2019-04-19 14:42:34,936 TRACE [org.keycloak.adapters.AdapterUtils] (management task-3) role: ADMINISTRATOR
2019-04-19 14:42:34,937 TRACE [org.keycloak.adapters.AdapterUtils] (management task-3) role: auditlog
2019-04-19 14:42:34,937 TRACE [org.keycloak.adapters.AdapterUtils] (management task-3) role: admin
2019-04-19 14:42:34,937 TRACE [org.keycloak.adapters.AdapterUtils] (management task-3) role: user
Debugging BearerTokenRequestAuthenticator.authenticate(HttpFacade exchange) showed that
exchange.getRequest().getHeaders("Authorization");
always returned null with SSL configured.
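As an added illustration (not part of gunterze's post and not Keycloak or WildFly code), the script below groups adapter log lines like the ones quoted above into per-request evaluations and summarizes, per URL scheme, how many requests ever reached the "Found [1] values in authorization header" step and how many ended in "successful authorized". Run over the two traces it makes the difference visible in one table: every HTTPS evaluation stops at "NOT_ATTEMPTED: bearer only" without an Authorization header having been seen, while the plain-HTTP trace contains one evaluation that carries the bearer token and is authorized with the listed roles. The line layout regex is an assumption derived from the quoted lines; the embedded sample is an excerpt of the post's own log output with the access_token line left out.

```python
import re

# Assumed layout of the Keycloak adapter DEBUG/TRACE lines quoted in the post:
# "<date> <time> <LEVEL> [<logger>] (<thread>) <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) +"
    r"(?P<level>[A-Z]+) +\[(?P<logger>[^\]]+)\] +\((?P<thread>[^)]+)\) (?P<msg>.*)$"
)
EVAL_RE = re.compile(r"Evaluating request for path \[(?P<path>[^\]]+)\]")

# Excerpt of the two traces from the post (HTTPS first, then plain HTTP); token line omitted.
SAMPLE_LOG = """\
2019-04-19 14:53:58,191 DEBUG [org.keycloak.adapters.elytron.KeycloakHttpServerAuthenticationMechanism] (management task-4) Evaluating request for path [https://localhost:9993/management]
2019-04-19 14:53:58,204 TRACE [org.keycloak.adapters.RequestAuthenticator] (management task-4) try bearer
2019-04-19 14:53:58,205 DEBUG [org.keycloak.adapters.RequestAuthenticator] (management task-4) NOT_ATTEMPTED: bearer only
2019-04-19 14:53:59,451 DEBUG [org.keycloak.adapters.elytron.KeycloakHttpServerAuthenticationMechanism] (management task-2) Evaluating request for path [https://localhost:9993/management]
2019-04-19 14:53:59,452 TRACE [org.keycloak.adapters.RequestAuthenticator] (management task-2) try bearer
2019-04-19 14:53:59,452 DEBUG [org.keycloak.adapters.RequestAuthenticator] (management task-2) NOT_ATTEMPTED: bearer only
2019-04-19 14:42:33,652 DEBUG [org.keycloak.adapters.elytron.KeycloakHttpServerAuthenticationMechanism] (management task-1) Evaluating request for path [http://localhost:9990/management]
2019-04-19 14:42:33,668 TRACE [org.keycloak.adapters.RequestAuthenticator] (management task-1) try bearer
2019-04-19 14:42:33,670 DEBUG [org.keycloak.adapters.RequestAuthenticator] (management task-1) NOT_ATTEMPTED: bearer only
2019-04-19 14:42:34,665 DEBUG [org.keycloak.adapters.elytron.KeycloakHttpServerAuthenticationMechanism] (management task-3) Evaluating request for path [http://localhost:9990/management]
2019-04-19 14:42:34,665 TRACE [org.keycloak.adapters.RequestAuthenticator] (management task-3) try bearer
2019-04-19 14:42:34,665 DEBUG [org.keycloak.adapters.BearerTokenRequestAuthenticator] (management task-3) Found [1] values in authorization header, selecting the first value for Bearer.
2019-04-19 14:42:34,666 DEBUG [org.keycloak.adapters.BearerTokenRequestAuthenticator] (management task-3) Verifying access_token
2019-04-19 14:42:34,929 DEBUG [org.keycloak.adapters.BearerTokenRequestAuthenticator] (management task-3) successful authorized
2019-04-19 14:42:34,936 TRACE [org.keycloak.adapters.AdapterUtils] (management task-3) role: ADMINISTRATOR
2019-04-19 14:42:34,937 TRACE [org.keycloak.adapters.AdapterUtils] (management task-3) role: auditlog
2019-04-19 14:42:34,937 TRACE [org.keycloak.adapters.AdapterUtils] (management task-3) role: admin
2019-04-19 14:42:34,937 TRACE [org.keycloak.adapters.AdapterUtils] (management task-3) role: user
"""


def parse_line(line):
    """Return the fields of one adapter log line, or None if the line has another layout."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def group_evaluations(lines):
    """Split the trace into per-request evaluations.

    An evaluation starts at "Evaluating request for path [...]" and collects the
    following lines of the same worker thread until that thread starts a new one.
    """
    evaluations, open_by_thread = [], {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        start = EVAL_RE.match(rec["msg"])
        if start:
            path = start.group("path")
            ev = {"thread": rec["thread"], "path": path,
                  "scheme": path.split("://", 1)[0],
                  "authorization_header_seen": False, "outcome": None, "roles": []}
            evaluations.append(ev)
            open_by_thread[rec["thread"]] = ev
            continue
        ev = open_by_thread.get(rec["thread"])
        if ev is None:
            continue  # line belongs to a thread whose evaluation we did not see start
        msg = rec["msg"]
        if "values in authorization header" in msg:
            ev["authorization_header_seen"] = True
        elif msg == "successful authorized":
            ev["outcome"] = "authorized"
        elif msg.startswith("NOT_ATTEMPTED"):
            ev["outcome"] = "not_attempted"
        elif msg.startswith("role: "):
            ev["roles"].append(msg[len("role: "):])
    return evaluations


def summarize_by_scheme(evaluations):
    """Per URL scheme: request count, how many carried a bearer header, how many were authorized."""
    summary = {}
    for ev in evaluations:
        s = summary.setdefault(ev["scheme"], {"requests": 0, "with_authorization_header": 0, "authorized": 0})
        s["requests"] += 1
        s["with_authorization_header"] += int(ev["authorization_header_seen"])
        s["authorized"] += int(ev["outcome"] == "authorized")
    return summary


def schemes_never_carrying_bearer(summary):
    """Schemes on which no evaluation ever saw an Authorization header (the symptom in the post)."""
    return sorted(k for k, v in summary.items() if v["requests"] and v["with_authorization_header"] == 0)


if __name__ == "__main__":
    evs = group_evaluations(SAMPLE_LOG.splitlines())
    summary = summarize_by_scheme(evs)
    for scheme, counts in summary.items():
        print(scheme, counts)
    print("no bearer header ever seen on:", schemes_never_carrying_bearer(summary))
```

Feeding the full server.log to `group_evaluations` works the same way, since lines with a different layout (or from threads whose evaluation start is not in the file) are skipped rather than misattributed.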