This repository has been archived by the owner on Dec 31, 2021. It is now read-only.

Can't get SSO working with Keycloak 14 #74

Open
HS-157 opened this issue Jul 28, 2021 · 10 comments

Comments


HS-157 commented Jul 28, 2021

Hi,

I tried to set up a Nexus with SSO using nexus3-keycloak-plugin, but unfortunately, I was not successful.

For my tests, I use a Debian 10 VM with Vagrant where I install Docker and OpenResty from their official repositories.

I run Nexus via Docker, building a new image from the official Nexus image. In this image, I add the nexus3-keycloak-plugin file and change the log level from INFO to DEBUG. The container is launched by a systemd service via this command:

/usr/bin/docker run -p 8081:8081 --name nexus -v /srv/nexus:/nexus-data -e INSTALL4J_ADD_VM_PARAMS='-Xms1024m -Xmx1024m -XX:MaxDirectMemorySize=1024m' test/nexus3:3.32.0

I run a local Keycloak directly from the CLI for my tests via this command:

docker run -d -p 8080:8080 --name nexus-keycloak -e INSTALL4J_ADD_VM_PARAMS='-Xms1024m -Xmx1024m -XX:MaxDirectMemorySize=1024m' -e JAVA_OPTS_APPEND="-Dkeycloak.profile.feature.admin_fine_grained_authz=enabled" -e KEYCLOAK_USER=admin -e KEYCLOAK_PASSWORD=admin quay.io/keycloak/keycloak:14.0.0

Nexus Dockerfile:

# syntax=docker/dockerfile:1
FROM sonatype/nexus3:3.32.0
ADD --chown=200:200 https://github.com/flytreeleft/nexus3-keycloak-plugin/releases/download/v0.5.0/nexus3-keycloak-plugin-0.5.0-bundle.kar /opt/sonatype/nexus/deploy
USER root
RUN sed -i'' s/"8192"/"16384"/ /opt/sonatype/nexus/etc/jetty/jetty.xml
RUN sed -i'' s/"INFO"/"DEBUG"/ /opt/sonatype/nexus/etc/logback/logback.xml
USER nexus

The versions of the components I have installed:

  • Nexus : 3.32.0
  • Keycloak : 14.0.0
  • nexus3-keycloak-plugin : 0.5.0
  • Openresty : 1.19.3.2

First, I configured Nexus: I added Keycloak Authentication Realm to the active list on the Realms admin page, and I created a role in External role mapping > Keycloak.

(screenshot: Realm configuration)

(screenshot: Admin role)

In a second step, I created a new test realm and a new client, configured it with the information from the README, and created a new role in this client. Then I created a new user and added the role.

(screenshot: Keycloak client configuration)

(screenshot: Keycloak service account roles)

(screenshot: Keycloak role)

Then, in the OpenResty config file, I added the auth server URL and the client secret.

For nexus3-keycloak-plugin, I deployed the Keycloak OIDC JSON from Keycloak on the Docker volume mounted at /srv/nexus/etc/keycloak.json, owned by the nexus user ID.

Finally, to test, I connect to OpenResty, which asks me to log in on the Keycloak page; then I am redirected to Nexus, but my browser asks me for a login / password. If I enter the same credentials as for Keycloak, it asks for a login / password again. If I click the cancel button, Nexus says "Operation failed as server could not be contacted".

Nexus log when authentication fails, when my browser asks for a login / password:

Jul 27 13:02:40 default-paylead-nexus docker[11469]: 2021-07-27 13:02:40,912+0000 INFO  [qtp2106632495-405] *UNKNOWN org.github.flytreeleft.nexus3.keycloak.plugin.KeycloakAuthenticatingRealm - doGetAuthenticationInfo for toto via org.github.flytreeleft.nexus3.keycloak.plugin.internal.KeycloakHttpHeaderAuthToken: false
Jul 27 13:02:40 default-paylead-nexus docker[11469]: 2021-07-27 13:02:40,912+0000 INFO  [qtp2106632495-406] *UNKNOWN org.github.flytreeleft.nexus3.keycloak.plugin.KeycloakAuthenticatingRealm - doGetAuthenticationInfo for toto via org.github.flytreeleft.nexus3.keycloak.plugin.internal.KeycloakHttpHeaderAuthToken: false
Jul 27 13:02:40 default-paylead-nexus docker[11469]: 2021-07-27 13:02:40,917+0000 INFO  [qtp2106632495-403] *UNKNOWN org.github.flytreeleft.nexus3.keycloak.plugin.KeycloakAuthenticatingRealm - doGetAuthenticationInfo for toto via org.github.flytreeleft.nexus3.keycloak.plugin.internal.KeycloakHttpHeaderAuthToken: false
Jul 27 13:02:40 default-paylead-nexus docker[11469]: 2021-07-27 13:02:40,919+0000 INFO  [qtp2106632495-391] *UNKNOWN org.github.flytreeleft.nexus3.keycloak.plugin.KeycloakAuthenticatingRealm - doGetAuthenticationInfo for toto via org.github.flytreeleft.nexus3.keycloak.plugin.internal.KeycloakHttpHeaderAuthToken: false
Jul 27 13:02:40 default-paylead-nexus docker[11469]: 2021-07-27 13:02:40,921+0000 INFO  [qtp2106632495-393] *UNKNOWN org.github.flytreeleft.nexus3.keycloak.plugin.KeycloakAuthenticatingRealm - doGetAuthenticationInfo for toto via org.github.flytreeleft.nexus3.keycloak.plugin.internal.KeycloakHttpHeaderAuthToken: false

(screenshot: browser asks for a login / password)

(screenshot: Nexus failed authentication)

Attachments:

  • Nexus logs in DEBUG mode
  • Keycloak config file
  • Tcpdump (tcpdump -v -w tcpdump -i any port 443 or port 8080 or port 8081, i.e. between OpenResty (port 443), Keycloak (port 8080) and Nexus (port 8081))
  • OpenResty config file
flytreeleft (Owner) commented:

@HS-157 Can you provide the Keycloak log when authentication fails? It seems that org.github.flytreeleft.nexus3.keycloak.plugin.internal.KeycloakAdminClient#obtainUserInfo returns a null value.

flytreeleft (Owner) commented:

@HS-157 Please try to use the release 0.6.0-prev1-SNAPSHOT; it will print more details when authentication fails.

HS-157 commented Aug 10, 2021

Hi @flytreeleft, here are the attached logs in debug mode with the pre-release 0.6.0:

asyd commented Aug 16, 2021

Hi @flytreeleft, I have similar issues; here is the output of Nexus:

2021-08-16 14:28:42,086+0000 INFO  [qtp496676177-82] *UNKNOWN org.github.flytreeleft.nexus3.keycloak.plugin.KeycloakAuthenticatingRealm - doGetAuthenticationInfo for bruno.bonfils via org.github.flytreeleft.nexus3.keycloak.plugin.internal.KeycloakHttpHeaderAuthToken: false
2021-08-16 14:28:42,339+0000 INFO  [qtp496676177-350] *UNKNOWN org.github.flytreeleft.nexus3.keycloak.plugin.KeycloakAuthenticatingRealm - doGetAuthenticationInfo for bruno.bonfils via org.github.flytreeleft.nexus3.keycloak.plugin.internal.KeycloakHttpHeaderAuthToken: false
2021-08-16 14:28:42,347+0000 INFO  [qtp496676177-86] *UNKNOWN org.github.flytreeleft.nexus3.keycloak.plugin.KeycloakAuthenticatingRealm - doGetAuthenticationInfo for bruno.bonfils via org.github.flytreeleft.nexus3.keycloak.plugin.internal.KeycloakHttpHeaderAuthToken: false
2021-08-16 14:28:42,441+0000 INFO  [qtp496676177-86] *UNKNOWN org.github.flytreeleft.nexus3.keycloak.plugin.KeycloakAuthenticatingRealm - doGetAuthenticationInfo for bruno.bonfils via org.github.flytreeleft.nexus3.keycloak.plugin.internal.KeycloakHttpHeaderAuthToken: false
2021-08-16 14:28:42,441+0000 INFO  [qtp496676177-346] *UNKNOWN org.github.flytreeleft.nexus3.keycloak.plugin.KeycloakAuthenticatingRealm - doGetAuthenticationInfo for bruno.bonfils via org.github.flytreeleft.nexus3.keycloak.plugin.internal.KeycloakHttpHeaderAuthToken: false

And here are the Keycloak logs, which show the requests from OpenResty, the reverse proxy in front of Nexus:

xx.xx.xx.xx - - [16/Aug/2021:14:28:40 +0000] "GET /auth/realms/Paylead/.well-known/openid-configuration HTTP/1.1" 200 3890 "-" "lua-resty-http/0.16.1 (Lua) ngx_lua/10020"
xx.xx.xx.xx - nexus-bruno [16/Aug/2021:14:28:41 +0000] "POST /auth/realms/Paylead/protocol/openid-connect/token HTTP/1.1" 200 3607 "-" "lua-resty-http/0.16.1 (Lua) ngx_lua/10020"
xx.xx.xx.xx - - [16/Aug/2021:14:28:41 +0000] "GET /auth/realms/Paylead/protocol/openid-connect/certs HTTP/1.1" 200 1466 "-" "lua-resty-http/0.16.1 (Lua) ngx_lua/10020"

So I'm surprised to see there is no request to Keycloak from Nexus itself.

Regards

flytreeleft (Owner) commented:

@asyd @HS-157 Please try nexus3-keycloak-plugin.zip, which just adjusts the logging behavior, and paste the output logs.

asyd commented Aug 16, 2021

Hmm, I finally found the issue: keycloak.json is expected in the /opt/sonatype/nexus/etc/ directory and not /opt/sonatype-work/nexus3/etc. However, I still have another issue; I have the following logs in Nexus:

org.github.flytreeleft.nexus3.keycloak.plugin.internal.http.HttpResponseException: Unexpected response for url https://xxx/auth/admin/realms/Paylead/users?grant_type=access_token&email=bruno.bonfils%40example.com: 403 / Forbidden

flytreeleft commented Aug 17, 2021

@asyd It seems that the Keycloak client has no permission to view users; please configure the Keycloak client following "Configure Keycloak realm client".

asyd commented Aug 18, 2021

@flytreeleft it does :/ I tried with a fresh Keycloak instance and it works like a charm (FYI both have fine-grained authz enabled). I need to investigate.

Thanks for your feedback (I think you can close the ticket)

asyd commented Aug 18, 2021

Just in case: my setup didn't work because I had modified the global client role mapper; after resetting the token claim name to resource_access.${client_id}.roles it's working fine.

flytreeleft (Owner) commented:

@asyd Well done 😃
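asyd's two findings, the 403 from /auth/admin/realms/Paylead/users and the client-roles mapper whose token claim name must be resource_access.${client_id}.roles, are both visible in the access tokens Keycloak issues. The following added example (not code from the original issue or from the plugin) decodes a token payload without verifying the signature, purely to inspect the claim layout, and checks the two paths involved: the roles a user token carries at resource_access.<client_id>.roles, which is where the plugin's role mapping looks, and whether the client's service-account token carries the realm-management view-users role, the standard Keycloak permission for listing users that the admin lookup is assumed to need. The tokens are constructed inline with a dummy signature; the client id nexus3, the role name nx-admin and the moved claim name nexus_roles are assumptions of the example.

```python
"""Inspect a Keycloak access token for the claim paths this plugin depends on.

Added example, not part of the original issue or of nexus3-keycloak-plugin.
The default Keycloak "client roles" mapper puts a client's roles at
resource_access.<client_id>.roles; changing its token claim name moves them
and the plugin then sees no roles. The plugin also calls the admin API
(/admin/realms/<realm>/users) with the client's service-account token, which
is assumed to need the realm-management view-users role (otherwise 403).

The tokens below are constructed with a dummy signature, so decoding here
does NOT verify anything: use it to look at claim layout, never to make an
authorization decision.
"""
import base64
import json


def b64url_decode(segment):
    # JWT segments are base64url without padding; restore it before decoding.
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment.encode("ascii"))


def b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_jwt_payload(token):
    """Return the payload of a compact JWS (header.payload.signature).
    No signature check is performed: inspection only."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(b64url_decode(parts[1]))


def client_roles(payload, client_id):
    """Roles at resource_access.<client_id>.roles, the path the plugin reads.
    Returns [] when the mapper was changed and the roles sit elsewhere."""
    return list(payload.get("resource_access", {}).get(client_id, {}).get("roles", []))


def can_view_users(payload):
    """True if a service-account token carries realm-management view-users,
    the role assumed to be required for the admin users lookup."""
    return "view-users" in client_roles(payload, "realm-management")


def make_unsigned_token(payload):
    """Build a token with a dummy signature; for this example only."""
    header = {"alg": "RS256", "typ": "JWT", "kid": "example"}
    return ".".join([
        b64url_encode(json.dumps(header).encode()),
        b64url_encode(json.dumps(payload).encode()),
        b64url_encode(b"dummy-signature"),
    ])


# Constructed sample: a user token with the default client-roles mapper ...
USER_TOKEN_OK = make_unsigned_token({
    "preferred_username": "toto",
    "resource_access": {"nexus3": {"roles": ["nx-admin"]}},
})
# ... and the same user after the mapper's token claim name was changed,
# as in the thread: the roles now live under an assumed key nexus_roles.
USER_TOKEN_MOVED = make_unsigned_token({
    "preferred_username": "toto",
    "nexus_roles": ["nx-admin"],
})
# Constructed service-account tokens, without and with view-users.
SA_TOKEN_NO_VIEW = make_unsigned_token({
    "preferred_username": "service-account-nexus3",
    "resource_access": {"nexus3": {"roles": []}},
})
SA_TOKEN_VIEW = make_unsigned_token({
    "preferred_username": "service-account-nexus3",
    "resource_access": {"realm-management": {"roles": ["view-users"]}},
})

if __name__ == "__main__":
    for name, tok in (("default mapper", USER_TOKEN_OK), ("moved claim", USER_TOKEN_MOVED)):
        print(name, client_roles(decode_jwt_payload(tok), "nexus3"))
    for name, tok in (("no view-users", SA_TOKEN_NO_VIEW), ("view-users", SA_TOKEN_VIEW)):
        print(name, can_view_users(decode_jwt_payload(tok)))
```

To apply this to a real setup, paste the access token OpenResty obtained from the token endpoint into decode_jwt_payload and confirm the roles appear under resource_access.<your client id>.roles; verify the signature separately against the realm's certs endpoint (the /protocol/openid-connect/certs request visible in the Keycloak log above) before trusting any claim for anything beyond debugging.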
