CAC Authentiction on newer versions of Keycloak (24+) not working, create-user.jar also broken. #1441

localhostDJT · 2024-11-26T02:06:14Z

localhostDJT
Nov 26, 2024

Hello,

I have recently set up an instance of STIG Manager with the following versions:

STIG-Manager: latest
Keycloak: 24.0.5, 25.0.4, 26.0.5
NGINX: 1.27.2

nginx.conf

events {
  worker_connections  4096;  ## Default: 1024
}
pid                                                         /var/cache/nginx/nginx.pid;
http {
            access_log                                /var/log/nginx/keycloak.access.log;
            error_log                                  /var/log/nginx/keycloak.error.log;

	server {
    		listen 			               8443			    ssl;
		#http2			               on;
    		server_name 		        example.lab www.example.lab redacted_host_IP;

                ssl_certificate                         /etc/nginx/example.lab.crt;
                ssl_certificate_key                 /etc/nginx/example.lab.key;

                root                                         /usr/share/nginx/html;
                client_max_body_size             100M;
                ssl_prefer_server_ciphers       on;
                ssl_client_certificate                /etc/nginx/dod-certs.pem;
                
                ssl_verify_client                        on;
                ssl_verify_depth                       4;

                error_log                                  /var/log/nginx/error.log debug;

                if ($return_unauthorized)       { return 496; }

                proxy_set_header                Host                               $host;
                proxy_set_header                X-Real-IP                       $remote_addr;
                proxy_set_header                X-Forwarded-For          $proxy_add_x_forwarded_for;
                proxy_set_header                X-Forwarded-Host        $host;
                proxy_set_header                X-Forwarded-Server      $host;
                proxy_set_header                X-Forwarded-Port          server_port;
                proxy_set_header                X-Forwarded-Proto       $scheme;

                proxy_read_timeout              300s;
                proxy_connect_timeout         75s;

                proxy_buffer_size                    128k;
                proxy_buffers                          4                                   256k;
                proxy_busy_buffers_size        256k;


            location / {
                autoindex              		on;
               ssi 				                on;
    	    }	

            location /stigman/ {
                proxy_pass                      http://stigman:54000/;
            }

	    location /kc/ {
	    	proxy_set_header 		Host 			      $host;
	    	proxy_set_header 		X-Real-IP 		      $remote_addr;
	    	proxy_set_header 		X-Forwarded-For 	       $proxy_add_x_forwarded_for;
    		proxy_set_header 		X-Forwarded-Host   	$host;
    		proxy_set_header 		X-Forwarded-Server 	$host;
    		proxy_set_header 		X-Forwarded-Port   	$server_port;
    		proxy_set_header 		X-Forwarded-Proto 	$scheme;
                proxy_set_header 		ssl-client-cert 	       $ssl_client_escaped_cert;


    		proxy_read_timeout 		300s;
    		proxy_connect_timeout        75s;

    		proxy_buffer_size   		128k;
    		proxy_buffers   		        4 			             256k;
    		proxy_busy_buffers_size   	256k;
		proxy_pass			        http://auth:8080/;
	    }
	
	   location /resources/ {
          	proxy_pass 			       http://auth:8080/resources/;
           	proxy_set_header 		Host 			        $host;
           	proxy_set_header 		X-Real-IP 		        $remote_addr;
           	proxy_set_header 		X-Forwarded-For 	        $proxy_add_x_forwarded_for;
           	proxy_set_header		        X-Forwarded-Host 	$host;
           	proxy_set_header 		X-Forwarded-Server 	$host;
           	proxy_set_header 		X-Forwarded-Port 	$server_port;
           	proxy_set_header 		X-Forwarded-Proto 	$scheme;
                proxy_set_header                  ssl-client-cert                 $ssl_client_escaped_cert;

        }

            location /js/ {
            	proxy_pass			       http://auth:8080/js/;
            	proxy_set_header 		Host 			       $host;
            	proxy_set_header 		X-Real-IP 		       $remote_addr;
            	proxy_set_header 		X-Forwarded-For 	       $proxy_add_x_forwarded_for;
            	proxy_set_header 		X-Forwarded-Host 	$host;
            	proxy_set_header 		X-Forwarded-Server	$host;
            	proxy_set_header 		X-Forwarded-Port 	$server_port;
           	proxy_set_header 		X-Forwarded-Proto 	$scheme;
                proxy_set_header                  ssl-client-cert                 $ssl_client_escaped_cert;

        }

    	    location /realms/ {
                 proxy_set_header                Host                                 $host;
       	 proxy_set_header                X-Real-IP                         $remote_addr;
       	 proxy_set_header                X-Forwarded-For            $proxy_add_x_forwarded_for;
       	 proxy_set_header                X-Forwarded-Host          $host;
       	 proxy_set_header                X-Forwarded-Server      $host;
       	 proxy_set_header                X-Forwarded-Port          $server_port;
       	 proxy_set_header                X-Forwarded-Proto       $scheme;
                 proxy_set_header                ssl-client-cert                 $ssl_client_escaped_cert;

       	 proxy_read_timeout              300s;
       	 proxy_connect_timeout        75s;
		
      		  proxy_buffer_size               128k;
      		  proxy_buffers                      4                                        256k;
       	  proxy_busy_buffers_size      256k;
       	  proxy_pass                      http://auth:8080/realms/;
            }
}
   # define which endpoints require mTLS
    map_hash_bucket_size 128;
    map $uri $secured_url {
        default false;
        "/kc/realms/stigman/protocol/openid-connect/auth" true;
    }

    map "$secured_url:$ssl_client_verify" $return_unauthorized {
            default 0;
            "true:FAILED" 1;
            "true:NONE" 1;
            "true:" 1;
    }
}

docker-compose.yml:

version: "3.7"

services:
  auth:
    container_name: auth
    image: docker.io/keycloak/keycloak:24.0.5
    command: start --import-realm --file=/opt/keycloak/data/import/realm-export-stigman.json
    environment:
      - KEYCLOAK_ADMIN=
      - KEYCLOAK_ADMIN_PASSWORD=
      - KC_PROXY=edge
      - KC_HOSTNAME_URL=https://example.lab:8443/
      - KC_HOSTNAME_ADMIN_URL=https://example.lab:8443/kc
      - KC_HOSTNAME_DEBUG=true
      - KC_PROXY_HEADERS=xforwarded
      - KC_HTTPS_CLIENT_AUTH=required
      - PROXY_ADDRESS_FORWARDING=true
        #- KC_HOSTNAME_STRICT=true
        #
      - KC_HTTPS_CERTIFICATE_FILE=/opt/keycloak/conf/truststores/example.lab.crt
      - KC_HTTPS_CERTIFICATE_KEY_FILE=/opt/keycloak/conf/truststores/example.lab.key
      # x.509 Certificate
      - KC_SPI_X509CERT_LOOKUP_PROVIDER=nginx
      - KC_SPI_X509CERT_LOOKUP_NGINX_SSL_CLIENT_CERT=SSL-CLIENT-CERT
    volumes:
      - ./keycloak/realm-export.json:/opt/keycloak/data/import/realm-export.json:z
      - ./certs/example.lab.crt:/opt/keycloak/conf/truststores/example.lab.crt:z
      - ./certs/example.lab.key:/opt/keycloak/conf/truststores/example.lab.key:z
      - ./certs/dod_CAs.pem:/opt/keycloak/conf/truststores/dod-certs.pem:z

      # Breaks keycloak with java errors
      #- /opt/containers/files/keycloak/create-x509-user.jar:/opt/keycloak/providers/create-x509-user.jar:z

  nginx:
    container_name: nginx
    image: docker.io/library/nginx:latest
    ports:
      - "8443:8443"
    volumes: 
      - ./certs/example.lab.crt:/etc/nginx/example.lab.crt:z
      - ./certs/example.lab.key:/etc/nginx/example.lab.key:z
      - ./nginx/keycloak.conf:/etc/nginx/nginx.conf:z
      - ./certs/dod_CAs.pem:/etc/nginx/dod-certs.pem:z

    depends_on: 
      - auth

  mysql:
    container_name: mysql
    image: docker.io/mysql/mysql-server
    command: --innodb-buffer-pool-size=512M --sort_buffer_size=64M 
    environment:
      - MYSQL_ROOT_PASSWORD=
      - MYSQL_USER=stigman
      - MYSQL_DATABASE=stigman
      - MYSQL_PASSWORD=
    ports: 
      - "3306:3306"
    volumes:
      - ./certs/example.lab.crt:/etc/ssl/certs/example.lab.crt:z
      - ./certs/example.lab.key:/etc/ssl/certs/example.lab.key:z
      - /opt/containers/certs/myCA.pem:/etc/ssl/certs/myCA.pem:z
      - ./mysql/tls.cnf:/etc/my.cnf:z
      - /opt/containers/files/mysql/mysql-data:/var/lib/mysql:z
      - ./mysql/init-user-perms.sql:/docker-entrypoint-initdb.d/init-user-perms.sql:z

  stigman:
    container_name: stigman
    image: docker.io/nuwcdivnpt/stig-manager:latest
    environment:
      - STIGMAN_DB_USER=stigman
      - STIGMAN_DB_PORT=3306
      - STIGMAN_DB_HOST=mysql
      - STIGMAN_DB_PASSWORD=
      - STIGMAN_CLIENT_OIDC_PROVIDER=https://example.lab:8443/realms/stigman
      - STIGMAN_OIDC_PROVIDER=http://auth:8080/realms/stigman
      - STIGMAN_LOG_LEVEL=4
      - STIGMAN_DB_TLS_CA_FILE=myCA.pem
      - STIGMAN_DB_TLS_CERT_FILE=example.lab.crt
      - STIGMAN_DB_TLS_KEY_FILE=example.lab.key
      - NODE_EXTRA_CA_CERTS=/tmp/myCA.pem
    volumes:
      - ./certs/myCA.pem:/home/node/tls/myCA.pem:z
      - ./certs/myCA.pem:/tmp/myCA.pem:z
      - ./certs/example.lab.crt:/home/node/tls/example.lab.crt:z
      - ./certs/example.lab.key:/home/node/tls/example.lab.key:z

    ports:
      - "54000:54000"
    init: true

I downloaded the latest DoD certificates from the cyber.mil website and followed their instructions to convert them in .PEM format to be used as a CA.pem (/certs/dod_CAs.pem) with openssl, and mounted the .pem file for NGINX to be used as the CA:
ssl_client_certificate /etc/nginx/dod-certs.pem;

I also created my own root Certificate Authority and signed my hosts certificates and referenced them in NGINX as well:

                ssl_certificate                         /etc/nginx/example.lab.crt;
                ssl_certificate_key                 /etc/nginx/example.lab.key;

The Keycloak import file I am using is from the stigman-auth orchestration uploaded for version 23.0.1 of Keycloak, but I do not believe it has any x.509 settings imported.

Current status:

I am able to use a username and password to log into Keycloak and configure a username and password for STIG Manager.
It does prompt me for my CAC and I am able to input my CAC PIN, but it goes straight to the username/password login page after putting in my CAC PIN. I hadn't noticed any errors until tonight, after much troubleshooting:

KC-SERVICES0091: Request is missing scope 'openid' so it's not treated as OIDC, but just pure OAuth2 request.

The create-user.jar file breaks, heres a snippit:

ERROR: Failed to run 'build' command.
ERROR: io.quarkus.builder.BuildException: Build failure: Build failed due to errors
	[error]: Build step org.keycloak.quarkus.deployment.KeycloakProcessor#configureKeycloakSessionFactory threw an exception: java.util.ServiceConfigurationError: org.keycloak.authentication.AuthenticatorFactory: Provider org.keycloak.authentication.authenticators.x509.CnsX509ClientCertificateAuthenticatorFactory could not be instantiated
	at java.base/java.util.ServiceLoader.fail(ServiceLoader.java:586)
	at java.base/java.util.ServiceLoader$ProviderImpl.newInstance(ServiceLoader.java:813)
	at java.base/java.util.ServiceLoader$ProviderImpl.get(ServiceLoader.java:729)
	at java.base/java.util.ServiceLoader$3.next(ServiceLoader.java:1403)
	at org.keycloak.provider.DefaultProviderLoader.load(DefaultProviderLoader.java:60)
	at org.keycloak.provider.ProviderManager.load(ProviderManager.java:93)
	at org.keycloak.quarkus.deployment.KeycloakProcessor.loadFactories(KeycloakProcessor.java:690)
	at org.keycloak.quarkus.deployment.KeycloakProcessor.configureKeycloakSessionFactory(KeycloakProcessor.java:398)
	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77)
	at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.base/java.lang.reflect.Method.invoke(Method.java:568)
	at io.quarkus.deployment.ExtensionLoader$3.execute(ExtensionLoader.java:849)
	at io.quarkus.builder.BuildContext.run(BuildContext.java:256)
	at org.jboss.threads.ContextHandler$1.runWith(ContextHandler.java:18)
	at org.jboss.threads.EnhancedQueueExecutor$Task.run(EnhancedQueueExecutor.java:2513)
	at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1538)
	at java.base/java.lang.Thread.run(Thread.java:840)
	at org.jboss.threads.JBossThread.run(JBossThread.java:501)
Caused by: java.lang.NoClassDefFoundError: javax/ws/rs/core/MultivaluedMap
	at org.keycloak.authentication.authenticators.x509.CnsX509ClientCertificateAuthenticatorFactory.<clinit>(CnsX509ClientCertificateAuthenticatorFactory.java:28)
	at java.base/jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
	at java.base/jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:77)
	at java.base/jdk.internal.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
	at java.base/java.lang.reflect.Constructor.newInstanceWithCaller(Constructor.java:499)
	at java.base/java.lang.reflect.Constructor.newInstance(Constructor.java:480)
	at java.base/java.util.ServiceLoader$ProviderImpl.newInstance(ServiceLoader.java:789)
	... 17 more
Caused by: java.lang.ClassNotFoundException: javax.ws.rs.core.MultivaluedMap
	at io.quarkus.bootstrap.classloading.QuarkusClassLoader.loadClass(QuarkusClassLoader.java:520)
	at io.quarkus.bootstrap.classloading.QuarkusClassLoader.loadClass(QuarkusClassLoader.java:468)
	at io.quarkus.bootstrap.classloading.QuarkusClassLoader.loadClass(QuarkusClassLoader.java:518)
	at io.quarkus.bootstrap.classloading.QuarkusClassLoader.loadClass(QuarkusClassLoader.java:468)
	... 24 more

ERROR: Build failure: Build failed due to errors
	[error]: Build step org.keycloak.quarkus.deployment.KeycloakProcessor#configureKeycloakSessionFactory threw an exception: java.util.ServiceConfigurationError: org.keycloak.authentication.AuthenticatorFactory: Provider org.keycloak.authentication.authenticators.x509.CnsX509ClientCertificateAuthenticatorFactory could not be instantiated
	at java.base/java.util.ServiceLoader.fail(ServiceLoader.java:586)
	at java.base/java.util.ServiceLoader$ProviderImpl.newInstance(ServiceLoader.java:813)
	at java.base/java.util.ServiceLoader$ProviderImpl.get(ServiceLoader.java:729)
	at java.base/java.util.ServiceLoader$3.next(ServiceLoader.java:1403)
	at org.keycloak.provider.DefaultProviderLoader.load(DefaultProviderLoader.java:60)
	at org.keycloak.provider.ProviderManager.load(ProviderManager.java:93)
	at org.keycloak.quarkus.deployment.KeycloakProcessor.loadFactories(KeycloakProcessor.java:690)
	at org.keycloak.quarkus.deployment.KeycloakProcessor.configureKeycloakSessionFactory(KeycloakProcessor.java:398)
	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77)
	at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.base/java.lang.reflect.Method.invoke(Method.java:568)
	at io.quarkus.deployment.ExtensionLoader$3.execute(ExtensionLoader.java:849)
	at io.quarkus.builder.BuildContext.run(BuildContext.java:256)
	at org.jboss.threads.ContextHandler$1.runWith(ContextHandler.java:18)
	at org.jboss.threads.EnhancedQueueExecutor$Task.run(EnhancedQueueExecutor.java:2513)
	at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1538)
	at java.base/java.lang.Thread.run(Thread.java:840)
	at org.jboss.threads.JBossThread.run(JBossThread.java:501)
Caused by: java.lang.NoClassDefFoundError: javax/ws/rs/core/MultivaluedMap
	at org.keycloak.authentication.authenticators.x509.CnsX509ClientCertificateAuthenticatorFactory.<clinit>(CnsX509ClientCertificateAuthenticatorFactory.java:28)
	at java.base/jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
	at java.base/jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:77)
	at java.base/jdk.internal.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
	at java.base/java.lang.reflect.Constructor.newInstanceWithCaller(Constructor.java:499)
	at java.base/java.lang.reflect.Constructor.newInstance(Constructor.java:480)
	at java.base/java.util.ServiceLoader$ProviderImpl.newInstance(ServiceLoader.java:789)
	... 17 more
Caused by: java.lang.ClassNotFoundException: javax.ws.rs.core.MultivaluedMap
	at io.quarkus.bootstrap.classloading.QuarkusClassLoader.loadClass(QuarkusClassLoader.java:520)
	at io.quarkus.bootstrap.classloading.QuarkusClassLoader.loadClass(QuarkusClassLoader.java:468)
	at io.quarkus.bootstrap.classloading.QuarkusClassLoader.loadClass(QuarkusClassLoader.java:518)
	at io.quarkus.bootstrap.classloading.QuarkusClassLoader.loadClass(QuarkusClassLoader.java:468)
	... 24 more

ERROR: org.keycloak.authentication.AuthenticatorFactory: Provider org.keycloak.authentication.authenticators.x509.CnsX509ClientCertificateAuthenticatorFactory could not be instantiated
ERROR: javax/ws/rs/core/MultivaluedMap
ERROR: javax.ws.rs.core.MultivaluedMap

My docker-compose.yml for Keycloak 26.0.5:

services:
  auth:
    container_name: auth
    image: docker.io/keycloak/keycloak:latest
    command: start --import-realm file=/opt/keycloak/data/import/realm-export.json
    environment:
      # Setup metrics
      - KC_HEALTH_ENABLED=true
      - KC_METRICS_ENABLED=true
      - KC_HOSTNAME_DEBUG=true
      # Setup EDGE proxy
      - KC_HTTP_ENABLED=true
      - KC_PROXY_HEADERS=xforwarded
      - KC_HTTPS_CLIENT_AUTH=request
      # Setup hostname and username
      - KC_HOSTNAME=https://example.lab:8443
      - KC_HOSTNAME_ADMIN=https://example.lab:8443/kc
      - KC_BOOTSTRAP_ADMIN_USERNAME=
      - KC_BOOTSTRAP_ADMIN_PASSWORD=
      # Setup HTTPS certificate/key
      - KC_HTTPS_CERTIFICATE_FILE=/opt/keycloak/conf/truststores/example.lab.crt
      - KC_HTTPS_CERTIFICATE_KEY_FILE=/opt/keycloak/conf/truststores/example.lab.key
      # Setup x.509 certificates
      - KC_SPI_X509CERT_LOOKUP_PROVIDER=nginx
      - KC_SPI_X509CERT_LOOKUP_NGINX_SSL_CLIENT_CERT=SSL-CLIENT-CERT

Not really seeing any errors after logging in.

[stigman] | {"date":"2024-11-26T01:58:54.318Z","level":3,"component":"static","type":"transaction","data":{"request":{"date":"2024-11-26T01:58:54.314Z","source":"::ffff:10.89.4.44","method":"GET","url":"/","headers":{"host":"example.lab","x-real-ip":"10.89.4.44","x-forwarded-for":"10.89.4.44","x-forwarded-host":"example.lab","x-forwarded-server":"example.lab","x-forwarded-port":"8443","x-forwarded-proto":"https","connection":"close","upgrade-insecure-requests":"1","user-agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36","accept":"text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7","sec-ch-ua":"\"Google Chrome\";v=\"131\", \"Chromium\";v=\"131\", \"Not_A Brand\";v=\"24\"","sec-ch-ua-mobile":"?0","sec-ch-ua-platform":"\"Windows\"","sec-fetch-site":"none","sec-fetch-mode":"navigate","sec-fetch-user":"?1","sec-fetch-dest":"document","accept-encoding":"gzip, deflate, br, zstd","accept-language":"en-US,en;q=0.9","authorization":false},"body":{}},"response":{"date":"2024-11-26T01:58:54.317Z","status":200,"headers":{"x-powered-by":"Express","access-control-allow-origin":"*","accept-ranges":"bytes","cache-control":"public, max-age=0","last-modified":"Tue, 19 Nov 2024 18:26:54 GMT","etag":"W/\"392-19345ad6db0\"","content-type":"text/html; charset=UTF-8","content-length":914,"vary":"Accept-Encoding"},"responseBody":""},"operationStats":{"durationMs":3}}}
[stigman] | {"date":"2024-11-26T01:58:54.334Z","level":3,"component":"static","type":"transaction","data":{"request":{"date":"2024-11-26T01:58:54.333Z","source":"::ffff:10.89.4.44","method":"GET","url":"/css/init.css","headers":{"host":"example.lab","x-real-ip":"10.89.4.44","x-forwarded-for":"10.89.4.44","x-forwarded-host":"example.lab","x-forwarded-server":"example.lab","x-forwarded-port":"8443","x-forwarded-proto":"https","connection":"close","sec-ch-ua-platform":"\"Windows\"","user-agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36","sec-ch-ua":"\"Google Chrome\";v=\"131\", \"Chromium\";v=\"131\", \"Not_A Brand\";v=\"24\"","sec-ch-ua-mobile":"?0","accept":"text/css,*/*;q=0.1","sec-fetch-site":"same-origin","sec-fetch-mode":"no-cors","sec-fetch-dest":"style","referer":"https://example.lab:8443/stigman/","accept-encoding":"gzip, deflate, br, zstd","accept-language":"en-US,en;q=0.9","if-none-match":"W/\"325-19345ad6db0\"","if-modified-since":"Tue, 19 Nov 2024 18:26:54 GMT","authorization":false},"body":{}},"response":{"date":"2024-11-26T01:58:54.333Z","status":304,"headers":{"x-powered-by":"Express","access-control-allow-origin":"*","accept-ranges":"bytes","cache-control":"public, max-age=0","last-modified":"Tue, 19 Nov 2024 18:26:54 GMT","etag":"W/\"325-19345ad6db0\""},"responseBody":""},"operationStats":{"durationMs":0}}}
[stigman] | {"date":"2024-11-26T01:58:54.338Z","level":3,"component":"static","type":"transaction","data":{"request":{"date":"2024-11-26T01:58:54.337Z","source":"::ffff:10.89.4.44","method":"GET","url":"/js/Env.js","headers":{"host":"example.lab","x-real-ip":"10.89.4.44","x-forwarded-for":"10.89.4.44","x-forwarded-host":"example.lab","x-forwarded-server":"example.lab","x-forwarded-port":"8443","x-forwarded-proto":"https","connection":"close","sec-ch-ua-platform":"\"Windows\"","user-agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36","sec-ch-ua":"\"Google Chrome\";v=\"131\", \"Chromium\";v=\"131\", \"Not_A Brand\";v=\"24\"","sec-ch-ua-mobile":"?0","accept":"*/*","sec-fetch-site":"same-origin","sec-fetch-mode":"no-cors","sec-fetch-dest":"script","referer":"https://example.lab:8443/stigman/","accept-encoding":"gzip, deflate, br, zstd","accept-language":"en-US,en;q=0.9","authorization":false},"body":{}},"response":{"date":"2024-11-26T01:58:54.338Z","status":200,"headers":{"x-powered-by":"Express","access-control-allow-origin":"*","content-type":"application/javascript","vary":"Accept-Encoding","content-encoding":"gzip"},"responseBody":""},"operationStats":{"durationMs":1}}}
[stigman] | {"date":"2024-11-26T01:58:54.344Z","level":3,"component":"static","type":"transaction","data":{"request":{"date":"2024-11-26T01:58:54.343Z","source":"::ffff:10.89.4.44","method":"GET","url":"/js/init.js","headers":{"host":"example.lab","x-real-ip":"10.89.4.44","x-forwarded-for":"10.89.4.44","x-forwarded-host":"example.lab","x-forwarded-server":"example.lab","x-forwarded-port":"8443","x-forwarded-proto":"https","connection":"close","origin":"https://example.lab:8443","sec-ch-ua-platform":"\"Windows\"","user-agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36","sec-ch-ua":"\"Google Chrome\";v=\"131\", \"Chromium\";v=\"131\", \"Not_A Brand\";v=\"24\"","sec-ch-ua-mobile":"?0","accept":"*/*","sec-fetch-site":"same-origin","sec-fetch-mode":"cors","sec-fetch-dest":"script","referer":"https://example.lab:8443/stigman/","accept-encoding":"gzip, deflate, br, zstd","accept-language":"en-US,en;q=0.9","if-none-match":"W/\"9fb-19345ad6db0\"","if-modified-since":"Tue, 19 Nov 2024 18:26:54 GMT","authorization":false},"body":{}},"response":{"date":"2024-11-26T01:58:54.344Z","status":304,"headers":{"x-powered-by":"Express","access-control-allow-origin":"*","accept-ranges":"bytes","cache-control":"public, max-age=0","last-modified":"Tue, 19 Nov 2024 18:26:54 GMT","etag":"W/\"9fb-19345ad6db0\""},"responseBody":""},"operationStats":{"durationMs":1}}}
[stigman] | {"date":"2024-11-26T01:58:54.346Z","level":3,"component":"static","type":"transaction","data":{"request":{"date":"2024-11-26T01:58:54.345Z","source":"::ffff:10.89.4.44","method":"GET","url":"/img/shield-green-check.svg","headers":{"host":"example.lab","x-real-ip":"10.89.4.44","x-forwarded-for":"10.89.4.44","x-forwarded-host":"example.lab","x-forwarded-server":"example.lab","x-forwarded-port":"8443","x-forwarded-proto":"https","connection":"close","sec-ch-ua-platform":"\"Windows\"","user-agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36","sec-ch-ua":"\"Google Chrome\";v=\"131\", \"Chromium\";v=\"131\", \"Not_A Brand\";v=\"24\"","sec-ch-ua-mobile":"?0","accept":"image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8","sec-fetch-site":"same-origin","sec-fetch-mode":"no-cors","sec-fetch-dest":"image","referer":"https://example.lab:8443/stigman/","accept-encoding":"gzip, deflate, br, zstd","accept-language":"en-US,en;q=0.9","if-none-match":"W/\"810-19345ad6db0\"","if-modified-since":"Tue, 19 Nov 2024 18:26:54 GMT","authorization":false},"body":{}},"response":{"date":"2024-11-26T01:58:54.345Z","status":304,"headers":{"x-powered-by":"Express","access-control-allow-origin":"*","accept-ranges":"bytes","cache-control":"public, max-age=0","last-modified":"Tue, 19 Nov 2024 18:26:54 GMT","etag":"W/\"810-19345ad6db0\""},"responseBody":""},"operationStats":{"durationMs":0}}}
[stigman] | {"date":"2024-11-26T01:58:54.349Z","level":3,"component":"static","type":"transaction","data":{"request":{"date":"2024-11-26T01:58:54.348Z","source":"::ffff:10.89.4.44","method":"GET","url":"/img/loading.svg","headers":{"host":"example.lab","x-real-ip":"10.89.4.44","x-forwarded-for":"10.89.4.44","x-forwarded-host":"example.lab","x-forwarded-server":"example.lab","x-forwarded-port":"8443","x-forwarded-proto":"https","connection":"close","sec-ch-ua-platform":"\"Windows\"","user-agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36","sec-ch-ua":"\"Google Chrome\";v=\"131\", \"Chromium\";v=\"131\", \"Not_A Brand\";v=\"24\"","sec-ch-ua-mobile":"?0","accept":"image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8","sec-fetch-site":"same-origin","sec-fetch-mode":"no-cors","sec-fetch-dest":"image","referer":"https://example.lab:8443/stigman/css/init.css","accept-encoding":"gzip, deflate, br, zstd","accept-language":"en-US,en;q=0.9","if-none-match":"W/\"230-19345ad6db0\"","if-modified-since":"Tue, 19 Nov 2024 18:26:54 GMT","authorization":false},"body":{}},"response":{"date":"2024-11-26T01:58:54.348Z","status":304,"headers":{"x-powered-by":"Express","access-control-allow-origin":"*","accept-ranges":"bytes","cache-control":"public, max-age=0","last-modified":"Tue, 19 Nov 2024 18:26:54 GMT","etag":"W/\"230-19345ad6db0\""},"responseBody":""},"operationStats":{"durationMs":0}}}[stigman] | {"date":"2024-11-26T01:58:54.352Z","level":3,"component":"static","type":"transaction","data":{"request":{"date":"2024-11-26T01:58:54.351Z","source":"::ffff:10.89.4.44","method":"GET","url":"/js/resources.js","headers":{"host":"example.lab","x-real-ip":"10.89.4.44","x-forwarded-for":"10.89.4.44","x-forwarded-host":"example.lab","x-forwarded-server":"example.lab","x-forwarded-port":"8443","x-forwarded-proto":"https","connection":"close","origin":"https://example.lab:8443","sec-ch-ua-platform":"\"Windows\"","user-agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36","sec-ch-ua":"\"Google Chrome\";v=\"131\", \"Chromium\";v=\"131\", \"Not_A Brand\";v=\"24\"","sec-ch-ua-mobile":"?0","accept":"*/*","sec-fetch-site":"same-origin","sec-fetch-mode":"cors","sec-fetch-dest":"script","referer":"https://example.lab:8443/stigman/js/init.js","accept-encoding":"gzip, deflate, br, zstd","accept-language":"en-US,en;q=0.9","if-none-match":"W/\"256-19345ad6db0\"","if-modified-since":"Tue, 19 Nov 2024 18:26:54 GMT","authorization":false},"body":{}},"response":{"date":"2024-11-26T01:58:54.352Z","status":304,"headers":{"x-powered-by":"Express","access-control-allow-origin":"*","accept-ranges":"bytes","cache-control":"public, max-age=0","last-modified":"Tue, 19 Nov 2024 18:26:54 GMT","etag":"W/\"256-19345ad6db0\""},"responseBody":""},"operationStats":{"durationMs":1}}}
[stigman] | {"date":"2024-11-26T01:58:54.353Z","level":3,"component":"static","type":"transaction","data":{"request":{"date":"2024-11-26T01:58:54.353Z","source":"::ffff:10.89.4.44","method":"GET","url":"/js/modules/oidcProvider.js","headers":{"host":"example.lab","x-real-ip":"10.89.4.44","x-forwarded-for":"10.89.4.44","x-forwarded-host":"example.lab","x-forwarded-server":"example.lab","x-forwarded-port":"8443","x-forwarded-proto":"https","connection":"close","origin":"https://example.lab:8443","sec-ch-ua-platform":"\"Windows\"","user-agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36","sec-ch-ua":"\"Google Chrome\";v=\"131\", \"Chromium\";v=\"131\", \"Not_A Brand\";v=\"24\"","sec-ch-ua-mobile":"?0","accept":"*/*","sec-fetch-site":"same-origin","sec-fetch-mode":"cors","sec-fetch-dest":"script","referer":"https://example.lab:8443/stigman/js/init.js","accept-encoding":"gzip, deflate, br, zstd","accept-language":"en-US,en;q=0.9","if-none-match":"W/\"22d6-19345ad6db0\"","if-modified-since":"Tue, 19 Nov 2024 18:26:54 GMT","authorization":false},"body":{}},"response":{"date":"2024-11-26T01:58:54.353Z","status":304,"headers":{"x-powered-by":"Express","access-control-allow-origin":"*","accept-ranges":"bytes","cache-control":"public, max-age=0","last-modified":"Tue, 19 Nov 2024 18:26:54 GMT","etag":"W/\"22d6-19345ad6db0\""},"responseBody":""},"operationStats":{"durationMs":0}}}
[stigman] | {"date":"2024-11-26T01:58:55.937Z","level":3,"component":"static","type":"transaction","data":{"request":{"date":"2024-11-26T01:58:55.935Z","source":"::ffff:10.89.4.44","method":"GET","url":"/serviceWorker.js","headers":{"host":"example.lab","x-real-ip":"10.89.4.44","x-forwarded-for":"10.89.4.44","x-forwarded-host":"example.lab","x-forwarded-server":"example.lab","x-forwarded-port":"8443","x-forwarded-proto":"https","connection":"close","cache-control":"max-age=0","accept":"*/*","service-worker":"script","sec-fetch-site":"same-origin","sec-fetch-mode":"same-origin","sec-fetch-dest":"serviceworker","referer":"https://example.lab:8443/stigman/serviceWorker.js","user-agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36","accept-encoding":"gzip, deflate, br, zstd","accept-language":"en-US,en;q=0.9","authorization":false},"body":{}},"response":{"date":"2024-11-26T01:58:55.936Z","status":200,"headers":{"x-powered-by":"Express","access-control-allow-origin":"*","accept-ranges":"bytes","cache-control":"public, max-age=0","last-modified":"Tue, 19 Nov 2024 18:26:55 GMT","etag":"W/\"4e4-19345ad7198\"","content-type":"application/javascript; charset=UTF-8","vary":"Accept-Encoding","content-encoding":"gzip"},"responseBody":""},"operationStats":{"durationMs":1}}}

Any help is greatly appreciated!

Very respectfully

localhostDJT · 2024-11-26T02:09:05Z

localhostDJT
Nov 26, 2024
Author

After reviewing the stigman-auth github page, I saw the @csmig updated the realm-import file for Keycloak version 26.0.6 yesterday, I am no longer receiving this error when logging in:
KC-SERVICES0091: Request is missing scope 'openid' so it's not treated as OIDC, but just pure OAuth2 request.

No changes other than that.

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

CAC Authentiction on newer versions of Keycloak (24+) not working, create-user.jar also broken. #1441

{{title}}

{{editor}}'s edit

{{editor}}'s edit

Replies: 1 comment

{{title}}

{{editor}}'s edit

{{editor}}'s edit

Select a reply

CAC Authentiction on newer versions of Keycloak (24+) not working, create-user.jar also broken. #1441

localhostDJT Nov 26, 2024

Replies: 1 comment

localhostDJT Nov 26, 2024 Author

localhostDJT
Nov 26, 2024

localhostDJT
Nov 26, 2024
Author