
I'm trying to create an example of a Spring Boot client app that can access a Keycloak-secured REST service.

As described in almost any tutorial, a spring.security.oauth2.client should be defined. Here's mine:

  # application.yml (the top-level "spring:" key was missing from the pasted fragment)
  spring:
    security:
      oauth2:
        client:
          registration:
            keycloak:
              client-id: my-id
              client-secret: my-secret
              authorization-grant-type: client_credentials
          provider:
            keycloak:
              issuer-uri: https://myhost/auth/realms/master

But I have a self-signed certificate on the myhost Keycloak test server, so when the app starts I get this:

Caused by: java.lang.IllegalArgumentException: Unable to resolve Configuration with the provided Issuer of "https://myhost/auth/realms/master"
    at org.springframework.security.oauth2.client.registration.ClientRegistrations.getConfiguration(ClientRegistrations.java:177)
    at org.springframework.security.oauth2.client.registration.ClientRegistrations.fromIssuerLocation(ClientRegistrations.java:140)
    at org.springframework.boot.autoconfigure.security.oauth2.client.OAuth2ClientPropertiesRegistrationAdapter.getBuilderFromIssuerIfPossible(OAuth2ClientPropertiesRegistrationAdapter.java:83)
    at org.springframework.boot.autoconfigure.security.oauth2.client.OAuth2ClientPropertiesRegistrationAdapter.getClientRegistration(OAuth2ClientPropertiesRegistrationAdapter.java:59)
    at org.springframework.boot.autoconfigure.security.oauth2.client.OAuth2ClientPropertiesRegistrationAdapter.lambda$getClientRegistrations$0(OAuth2ClientPropertiesRegistrationAdapter.java:53)
    at java.util.HashMap.forEach(HashMap.java:1289)
    at org.springframework.boot.autoconfigure.security.oauth2.client.OAuth2ClientPropertiesRegistrationAdapter.getClientRegistrations(OAuth2ClientPropertiesRegistrationAdapter.java:52)
    at org.springframework.boot.autoconfigure.security.oauth2.client.servlet.OAuth2ClientRegistrationRepositoryConfiguration.clientRegistrationRepository(OAuth2ClientRegistrationRepositoryConfiguration.java:49)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiate(SimpleInstantiationStrategy.java:154)
    ... 74 common frames omitted
Caused by: org.springframework.web.client.ResourceAccessException: I/O error on GET request for "https://myhost/auth/realms/master/.well-known/openid-configuration": sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target; nested exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at org.springframework.web.client.RestTemplate.doExecute(RestTemplate.java:751)
    at org.springframework.web.client.RestTemplate.exchange(RestTemplate.java:654)
    at org.springframework.security.oauth2.client.registration.ClientRegistrations.getConfiguration(ClientRegistrations.java:170)
    ... 86 common frames omitted
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

How do I disable certificate validation on app startup?

Pavel Klyonov

1 Answer

Please have a look: when trying to connect to Keycloak from a REST API client or any web application, if you are getting an error like the one below

Caused by: org.springframework.web.client.ResourceAccessException: I/O error on GET request for "https://myhost/auth/realms/master/.well-known/openid-configuration": sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target; nested exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

it's trying to tell you that the certificate was not added to the Java keystore, or the wrong certificate was added to the keystore.

As you have given https in the endpoint, it's mandatory to import/add the certificate into the Java keystore.

You have to import the certificate on the client machine.

Import certificates on the client machine:

 keytool -import -noprompt -trustcacerts -alias "initcert" -file keycloak.cer -keystore "C:\Program Files\Java\jdk1.8.0_152\jre\lib\security\cacerts"

By default the password for the Java keystore is changeit.

Subodh Joshi
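The question asks how to disable certificate validation; the answer's direction (trust the server's certificate instead) is the right one, but importing into the JDK's own cacerts changes trust for every program run with that JDK. The following is an added example, not code from the question, the answer, Spring or Keycloak: a Spring Boot main class that installs a dedicated truststore before the application context starts, so that the startup request to https://myhost/auth/realms/master/.well-known/openid-configuration succeeds with chain validation and hostname verification still on. It assumes keycloak.cer was imported into a separate PKCS12 file, e.g. `keytool -importcert -noprompt -trustcacerts -alias initcert -file keycloak.cer -keystore keycloak-truststore.p12 -storetype PKCS12 -storepass changeit`, that the file sits on the classpath under src/main/resources, and that the alias (initcert, from the answer), the password (changeit) and the class name ClientApplication are illustrative choices.

```java
// Added example, not from the original question or answer.
// Assumptions: src/main/resources/keycloak-truststore.p12 (PKCS12, password "changeit")
// contains the Keycloak test server's certificate under alias "initcert".
import java.io.InputStream;
import java.security.KeyStore;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;
import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;

@SpringBootApplication
public class ClientApplication {

    public static void main(String[] args) throws Exception {
        // Must run before the Spring context starts: ClientRegistrations.fromIssuerLocation()
        // (see the stack trace) fetches the discovery document with a plain RestTemplate whose
        // default SimpleClientHttpRequestFactory goes through HttpsURLConnection, i.e. through
        // the JVM-wide default SSLSocketFactory installed below.
        installTrustStore("keycloak-truststore.p12", "changeit".toCharArray(), "initcert");
        SpringApplication.run(ClientApplication.class, args);
    }

    /**
     * Loads a PKCS12 truststore from the classpath and makes it the default trust
     * material for HTTPS connections opened by this JVM. Only the trust anchors change;
     * certificate-chain validation and hostname verification remain enabled.
     */
    static void installTrustStore(String resource, char[] password, String expectedAlias)
            throws Exception {
        KeyStore trustStore = KeyStore.getInstance("PKCS12");
        try (InputStream in = ClientApplication.class.getClassLoader().getResourceAsStream(resource)) {
            if (in == null) {
                throw new IllegalStateException("truststore " + resource + " is not on the classpath");
            }
            trustStore.load(in, password);
        }
        // Fail fast at startup if the wrong file was packaged instead of failing later
        // with the PKIX "unable to find valid certification path" error from the question.
        if (!trustStore.containsAlias(expectedAlias)) {
            throw new IllegalStateException("truststore " + resource
                    + " does not contain expected alias " + expectedAlias);
        }

        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null); // null key managers: client certs not used here

        // Install for HttpsURLConnection (used by RestTemplate's default request factory)
        // and as the process-wide default for any other JSSE user.
        HttpsURLConnection.setDefaultSSLSocketFactory(ctx.getSocketFactory());
        SSLContext.setDefault(ctx);
    }
}
```

Two caveats a practitioner should check before adopting this. First, a truststore that holds only keycloak.cer means this JVM no longer trusts the public CAs; if the app also calls public HTTPS endpoints, either start from a copy of cacerts (import keycloak.cer into the copy and point the JVM at it with `-Djavax.net.ssl.trustStore=... -Djavax.net.ssl.trustStorePassword=...`) or add the public roots to the dedicated file. Second, trusting the certificate does not bypass hostname verification: the self-signed certificate must name myhost (as a subject alternative name), otherwise the handshake still fails, just with a hostname-mismatch error instead of the PKIX path error shown in the question.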