Keycloak quarkus version 19.0.2 PrivacyIdea provider support

Hi,

I’m trying to migrate Keycloak Wildfly to Quarkus (the new application version of keycloak). OTP with PrivacyIdea provider worked fine when I was on Keycloak Wildfly but after I switched to Quarkus, privacyidea provider is causing some issues. I downloaded the latest Privacyidea provider (PrivacyIDEA-Provider-v1.1.0.jar) from here: GitHub - privacyidea/keycloak-provider: OTP Two Factor Authentication Provider for Keycloak to run with privacyIDEA

I don’t see anywhere it says these providers support the Quarkus version of Keycloak. Is it not supported??

It is supported. For keycloak v19, you have to use 19.0.2, the previous versions had bugs that caused problems with external authenticators.
What problems are you encountering?

Hi,

I’m also having an authentication error. When I try to enter the OTP, the authentication fails with the error below. The strange thing is I ‘disabled’ the Verify SSL option from the PrivacyIdea config and somehow it still checks for the SSL cert. Another issue is Privacyidea authentication is created by ansible, but when I try to create the step manually, I get a ‘Cannot convert undefined or null to object’ error. In Wildfly, this doesn’t happen. I did try adding the cert to the path, and using https-key-store-file and password in conf file, but still no luck.

2022-09-27 14:52:58,306 WARN [org.keycloak.services] (Brute Force Protector) KC-SERVICES0053: login failure for user 7ca46981-bd33-4dff-874c-fec73001229e from ip 71.126.165.248
2022-09-27 14:53:43,305 INFO [org.privacyidea.authenticator.PrivacyIDEAAuthenticator] (pool-8-thread-2) PrivacyIDEA Client: POST /validate/check
2022-09-27 14:53:43,306 INFO [org.privacyidea.authenticator.PrivacyIDEAAuthenticator] (pool-8-thread-2) PrivacyIDEA Client: user=i541869
2022-09-27 14:53:43,307 INFO [org.privacyidea.authenticator.PrivacyIDEAAuthenticator] (pool-8-thread-2) PrivacyIDEA Client: pass=**********
2022-09-27 14:53:43,332 ERROR [org.privacyidea.authenticator.PrivacyIDEAAuthenticator] (OkHttp https://pimfa/…) PrivacyIDEA Client: : javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:131)
at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:353)
at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:296)
at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:291)
at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:654)
at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.onCertificate(CertificateMessage.java:473)
at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.consume(CertificateMessage.java:369)
at java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:392)
at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:443)
at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:421)
at java.base/sun.security.ssl.TransportContext.dispatch(TransportContext.java:183)
at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:172)
at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1506)
at java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1416)
at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:456)
at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:427)
at okhttp3.internal.connection.RealConnection.connectTls(RealConnection.java:336)
at okhttp3.internal.connection.RealConnection.establishProtocol(RealConnection.java:300)
at okhttp3.internal.connection.RealConnection.connect(RealConnection.java:185)
at okhttp3.internal.connection.ExchangeFinder.findConnection(ExchangeFinder.java:224)
at okhttp3.internal.connection.ExchangeFinder.findHealthyConnection(ExchangeFinder.java:108)
at okhttp3.internal.connection.ExchangeFinder.find(ExchangeFinder.java:88)
at okhttp3.internal.connection.Transmitter.newExchange(Transmitter.java:169)
at okhttp3.internal.connection.ConnectInterceptor.intercept(ConnectInterceptor.java:41)
at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:142)
at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:117)
at okhttp3.internal.cache.CacheInterceptor.intercept(CacheInterceptor.java:94)
at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:142)
at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:117)
at okhttp3.internal.http.BridgeInterceptor.intercept(BridgeInterceptor.java:93)
at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:142)
at okhttp3.internal.http.RetryAndFollowUpInterceptor.intercept(RetryAndFollowUpInterceptor.java:88)
at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:142)
at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:117)
at okhttp3.RealCall.getResponseWithInterceptorChain(RealCall.java:229)
at okhttp3.RealCall$AsyncCall.execute(RealCall.java:172)
at okhttp3.internal.NamedRunnable.run(NamedRunnable.java:32)
at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
at java.base/java.lang.Thread.run(Thread.java:829)
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:439)
at java.base/sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:306)
at java.base/sun.security.validator.Validator.validate(Validator.java:264)
at java.base/sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:313)
at java.base/sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:222)
at java.base/sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:129)
at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:638)
… 35 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at java.base/sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
at java.base/sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
at java.base/java.security.cert.CertPathBuilder.build(CertPathBuilder.java:297)
at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:434)
… 41 more

I am unable to replicate your issues with ssl, it works as intended.
The ‘Cannot convert undefined or null to object’ is a keycloak problem: Bug when configuring an authenticator · Issue #3375 · keycloak/keycloak-ui · GitHub
You might want to use v18 until everything is resolved on the keycloak side.

Hi,

After disabling the fips, the issue has been resolved.

I added ‘-Dcom.redhat.fips=false’ in the kc.sh file.

Thank you!

Interesting, never heard of that before. Thanks for sharing your solution!
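As an added example (not from the thread, Keycloak or the privacyIDEA provider), here is a small triage script that reads Keycloak log lines of the kind posted above, flags the outbound TLS trust failure in the privacyIDEA client together with the brute-force-protector login failures it produces, and prints remediation hints that fix trust rather than disable it. It assumes Keycloak's default console log format and the `spi-truststore-file-file` outbound truststore option of Keycloak 19; the sample lines, hostname, user id and IP are constructed placeholders modelled on the excerpt.

```python
import re
from collections import Counter
from dataclasses import dataclass, field

# Keycloak's default console log format: "timestamp LEVEL [logger] (thread) message".
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3}) (?P<level>\w+) "
    r"\[(?P<logger>[^\]]+)\] \((?P<thread>[^)]+)\) (?P<msg>.*)$"
)
PKIX_MARK = "PKIX path building failed"  # JDK wording when no trust anchor chains the server cert
BRUTE_RE = re.compile(r"KC-SERVICES0053: login failure for user (?P<user>\S+) from ip (?P<ip>\S+)")
OKHTTP_RE = re.compile(r"OkHttp (?P<origin>https?://[^/\s]+)")  # OkHttp names the thread after its target

@dataclass
class Triage:
    pkix_origins: list = field(default_factory=list)          # privacyIDEA servers whose chain failed
    login_failures: Counter = field(default_factory=Counter)  # brute-force-protector hits per source IP
    skipped: int = 0                                          # stack-trace frames are not log records

def triage(lines):
    t = Triage()
    for line in lines:
        m = LOG_RE.match(line.rstrip())
        if not m:
            t.skipped += 1
            continue
        if m["logger"].startswith("org.privacyidea") and PKIX_MARK in m["msg"]:
            o = OKHTTP_RE.search(m["thread"])
            t.pkix_origins.append(o["origin"] if o else "<unknown>")
        bf = BRUTE_RE.search(m["msg"])
        if bf:
            t.login_failures[bf["ip"]] += 1
    return t

def advice(t):
    """Remediation hints for a defender: repair trust, never switch verification off."""
    hints = [f"{o}: add its CA to the truststore Keycloak uses for outgoing requests "
             "(spi-truststore-file-file); https-key-store-file only serves inbound TLS, and a "
             "JVM in FIPS mode may not consult the file truststore at all (assumption, see thread)"
             for o in sorted(set(t.pkix_origins))]
    hints += [f"{ip}: {n} login failure(s) seen by the brute force protector"
              for ip, n in t.login_failures.most_common()]
    return hints

# Constructed sample modelled on the thread's excerpt (hostname, user id and IP are placeholders).
SAMPLE = [
    "2022-09-27 14:52:58,306 WARN [org.keycloak.services] (Brute Force Protector) KC-SERVICES0053: login failure for user 11111111-2222-3333-4444-555555555555 from ip 192.0.2.10",
    "2022-09-27 14:53:43,332 ERROR [org.privacyidea.authenticator.PrivacyIDEAAuthenticator] (OkHttp https://pi.example.internal/...) PrivacyIDEA Client: : javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target",
    "at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:131)",
    "2022-09-27 14:54:01,004 WARN [org.keycloak.services] (Brute Force Protector) KC-SERVICES0053: login failure for user 11111111-2222-3333-4444-555555555555 from ip 192.0.2.10",
]
```

Run `advice(triage(SAMPLE))` to get one hint per failing privacyIDEA origin followed by the failure count per source IP.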