
We have installed Keycloak as standalone on the server and have registered it as an adapter on the same server in WildFly. So, after registration by the Identity Broker with OpenID (it is self-written and is deployed on another domain) we are not redirected back to our application, but get the following error: "Failed to make identity provider oauth callback: Token is no longer valid". It works like this: DNS:8080(8443)/app.war (WildFly server) -> (redirects to Keycloak on) DNS:8180(8543)/auth -> (after choosing the OpenID provider we are successfully redirected to it and are logged into the system after entering name and password) -> (Error) instead of being redirected back to our app, we get an exception.

We have also tried Google Auth to test whether the server works properly, and yes, it does. Our Identity Broker also works properly with localhost. What could it be?

I appreciate any help and will provide you with any snippet of code you need.

Keycloak 1.9.4.Final, Wildfly 8.2.1.Final

Code:

wildfly, standalone-full.xml:

<subsystem xmlns="urn:jboss:domain:keycloak:1.1">
    <secure-deployment name="jbpm-console.war">
        <realm>nameOfRealm</realm>
        <resource>nameOfClient</resource>
        <enable-basic-auth>true</enable-basic-auth>
        <realm-public-key>myPublicKey</realm-public-key>
        <auth-server-url>myUrl</auth-server-url>
        <ssl-required>none</ssl-required>
        <principal-attribute>preferred_username</principal-attribute>
        <credential name="secret">mysecret</credential>
    </secure-deployment>
</subsystem>

<interfaces>
    <interface name="management">
        <inet-address value="${jboss.bind.address.management:0.0.0.0}"/>
    </interface>
    <interface name="public">
        <inet-address value="${jboss.bind.address:0.0.0.0}"/>
    </interface>
    <interface name="unsecure">
        <inet-address value="${jboss.bind.address.unsecure:127.0.0.1}"/>
    </interface>
</interfaces>

<subsystem xmlns="urn:jboss:domain:undertow:1.2">
    <buffer-cache name="default"/>
    <server name="default-server">
        <http-listener name="default" socket-binding="http"/>
        <host name="default-host" alias="localhost">
            <location name="/" handler="welcome-content"/>
            <filter-ref name="server-header"/>
            <filter-ref name="x-powered-by-header"/>
            <single-sign-on path="/"/>
        </host>
    </server>



23:33:18,529 ERROR [org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider] (default task-5) Failed to make identity provider oauth callback: org.keycloak.broker.provider.IdentityBrokerException: Token is no longer valid
at org.keycloak.broker.oidc.OIDCIdentityProvider.validateToken(OIDCIdentityProvider.java:346)
at org.keycloak.broker.oidc.OIDCIdentityProvider.getFederatedIdentity(OIDCIdentityProvider.java:254)
at org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider$Endpoint.authResponse(AbstractOAuth2IdentityProvider.java:230)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
user3467471

2 Answers


Ran into this same issue with Office 365 where Microsoft Azure AD is responsible for emitting tokens that would be validated and consumed by Keycloak.

The issue was with the Keycloak server having clock skew. It resulted in Keycloak rejecting the JSON Web Token because of apparent token expiry when it wasn't the case. To fix this issue, the date on the server hosting Keycloak had to be synced to reduce or eliminate clock skew so that Keycloak would validate the token before it would expire.

Vineet Reynolds

There is an existing feature request: https://issues.jboss.org/browse/KEYCLOAK-4538

We hit the same issue and patched our server and client code module to support the clock skew feature.

Patched the JsonWebToken class within the keycloak-core project. Replaced the keycloak-core module within JBoss / Wildfly with the updated module. The changes to JsonWebToken are noted below:

// Added these two fields to read the clock skew (in seconds) from a system property
public static final String KEYCLOAK_WEBTOKEN_CLOCK_SKEW_SEC = "Keycloak.WebToken.ClockSkew.Sec";
private static final Integer clockSkew = Integer.getInteger(KEYCLOAK_WEBTOKEN_CLOCK_SKEW_SEC, 0);

// Updated this method to support clock skew
@JsonIgnore
public boolean isNotBefore() {
    // allow this server's clock to lag the issuer's by up to clockSkew seconds
    int currentTime = Time.currentTime() + clockSkew;
    int tokenTime = notBefore;

    return currentTime >= tokenTime;
}
Kailash
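As an added example (not part of either answer and not Keycloak's own code), the following Python mirrors the exp/nbf time-claim check with a configurable skew allowance and reproduces the failure both answers describe: a validating server whose clock lags the issuer rejects a freshly issued token as not yet valid until a leeway window is applied. The token builder, timestamps and the `clock_skew_sec` parameter are constructed for the demo, and no signature verification is performed.

```python
import base64
import json

# Constructed sample token builder; "alg": "none" and an empty signature are used
# only so this file runs offline. A real broker verifies the signature first.
def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def make_unsigned_token(claims: dict) -> str:
    header = {"alg": "none", "typ": "JWT"}
    return ".".join([_b64url(json.dumps(header).encode()),
                     _b64url(json.dumps(claims).encode()), ""])

def jwt_claims(token: str) -> dict:
    """Payload claims of a compact-serialised JWT (header.payload.signature)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact-serialised JWT")
    return json.loads(_b64url_decode(parts[1]))

def time_claims_valid(claims: dict, now: int, clock_skew_sec: int = 0) -> tuple:
    """exp/nbf check as a broker runs it, with an optional leeway window.

    `now` is the validating server's own clock in epoch seconds; `clock_skew_sec`
    widens the acceptance window in both directions (the patched isNotBefore()
    above adds the same allowance to currentTime).
    """
    exp, nbf = claims.get("exp"), claims.get("nbf")
    if exp is not None and now - clock_skew_sec >= exp:
        return False, "expired"
    if nbf is not None and now + clock_skew_sec < nbf:
        return False, "not yet valid (nbf is in the future)"
    return True, "ok"

def demo() -> dict:
    """Constructed scenario: the validating server's clock is 120 s behind the issuer's."""
    t_issuer = 1_700_000_000
    token = make_unsigned_token({"iss": "https://idp.example", "sub": "alice",
                                 "iat": t_issuer, "nbf": t_issuer, "exp": t_issuer + 300})
    claims = jwt_claims(token)
    return {
        "skewed_no_leeway": time_claims_valid(claims, now=t_issuer - 120),
        "skewed_with_leeway": time_claims_valid(claims, now=t_issuer - 120, clock_skew_sec=180),
        "really_expired": time_claims_valid(claims, now=t_issuer + 500, clock_skew_sec=120),
    }

if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

Syncing the server clock (NTP) removes the root cause; the leeway only masks a small residual skew and should stay in the range of seconds to a few minutes.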