Liferay 7.0.1 Authorization with OpenId Connect and Keycloak
Hey there, we are using Liferay 7.1.0 CE GA1 and want to connect our users via OpenId Connect as it is built into LR, using Keycloak as a provider.
I can create a System Scope OpenId Connect Provider and choose it as a way to log in through the frontend. After being directed to Keycloak I can log in and I am redirected to the expected Liferay page. Now that page shows that I am not logged in and the following:
Internal Server Error
An error occurred while accessing the requested resource.
http://X.X.X.X:8080/c/portal/login/openidconnect?state=_2DOogTxdSfoW5TZfyYW5szsIw3yzkNxjjPVxGC9qKU&session_state=221fa86e-029e-4ee6-9a2d-24b46204b453&code=eyJhbGciOiJkaXIiLCJlbmMiOiJBMTI4Q0JDLUhTMjU2In0..4pl5Q8z8DEMawk1mYEgVTg.9kak7Ez2pCy5TlckUvJ_2rQM1ymqVVTj9td3nwrQ9juqsM9lHD6CypQ15HvFIO9GIFh-HOmO19ZdgZkxxkjBlypB6IeeH6T7rRMPIwoWiL1O9ShJZ4m1CZ1mrfifbUJV0xwCY2h9cIDDZDUurLMRNsGMkjl_3H7cD7Yas0EOP3ZW3BEbXQ0Av3IWzqpDNU2YKYnwYy9bu3w9g0ZaLvpPkPjyPqooH9vYCfYvPa31eJQ8fznUES5rzaS94JSQ_c8j.WkG4xFrhUlzNxyqziMRJDw
The log that is written upon clicking Login is the following:
2019-01-21 07:07:25.816 ERROR [http-nio-8080-exec-8][OpenIdConnectFilter:107] Unable to process the OpenID login
com.liferay.portal.security.sso.openid.connect.OpenIdConnectServiceException$TokenException: invalid_client
    at com.liferay.portal.security.sso.openid.connect.internal.OpenIdConnectServiceHandlerImpl.requestTokens(OpenIdConnectServiceHandlerImpl.java:470)
    at com.liferay.portal.security.sso.openid.connect.internal.OpenIdConnectServiceHandlerImpl.requestIdToken(OpenIdConnectServiceHandlerImpl.java:422)
    at com.liferay.portal.security.sso.openid.connect.internal.OpenIdConnectServiceHandlerImpl.processAuthenticationResponse(OpenIdConnectServiceHandlerImpl.java:163)
    at com.liferay.portal.security.sso.openid.connect.internal.service.filter.OpenIdConnectFilter.processAuthenticationResponse(OpenIdConnectFilter.java:103)
    at com.liferay.portal.security.sso.openid.connect.internal.service.filter.OpenIdConnectFilter.processFilter(OpenIdConnectFilter.java:119)
    at com.liferay.portal.kernel.servlet.BaseFilter.doFilter(BaseFilter.java:49)
    at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.processDoFilter(InvokerFilterChain.java:207)
    at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:112)
    at com.liferay.portal.kernel.servlet.BaseFilter.processFilter(BaseFilter.java:144)
    at com.liferay.portal.sharepoint.SharepointFilter.processFilter(SharepointFilter.java:88)
    at com.liferay.portal.kernel.servlet.BaseFilter.doFilter(BaseFilter.java:49)
    at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.processDoFilter(InvokerFilterChain.java:207)
    at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:112)
    at com.liferay.portal.kernel.servlet.BaseFilter.processFilter(BaseFilter.java:144)
    at com.liferay.portal.servlet.filters.virtualhost.VirtualHostFilter.processFilter(VirtualHostFilter.java:263)
    at com.liferay.portal.kernel.servlet.BaseFilter.doFilter(BaseFilter.java:49)
    at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.processDoFilter(InvokerFilterChain.java:207)
    at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:112)
    at com.liferay.portal.kernel.servlet.BaseFilter.processFilter(BaseFilter.java:144)
    at com.liferay.portal.monitoring.internal.servlet.filter.MonitoringFilter.processFilter(MonitoringFilter.java:181)
    at com.liferay.portal.kernel.servlet.BaseFilter.doFilter(BaseFilter.java:49)
    at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.processDoFilter(InvokerFilterChain.java:207)
    at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:112)
    at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.processDirectCallFilter(InvokerFilterChain.java:188)
    at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:96)
    at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.processDirectCallFilter(InvokerFilterChain.java:188)
    at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:96)
    at org.tuckey.web.filters.urlrewrite.RuleChain.handleRewrite(RuleChain.java:176)
    at org.tuckey.web.filters.urlrewrite.RuleChain.doRules(RuleChain.java:145)
    at org.tuckey.web.filters.urlrewrite.UrlRewriter.processRequest(UrlRewriter.java:92)
    at org.tuckey.web.filters.urlrewrite.UrlRewriteFilter.doFilter(UrlRewriteFilter.java:389)
    at com.liferay.portal.servlet.filters.urlrewrite.UrlRewriteFilter.processFilter(UrlRewriteFilter.java:65)
    at com.liferay.portal.kernel.servlet.BaseFilter.doFilter(BaseFilter.java:49)
    at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.processDoFilter(InvokerFilterChain.java:207)
    at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:112)
    at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.processDirectCallFilter(InvokerFilterChain.java:168)
    at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:96)
    at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.processDirectCallFilter(InvokerFilterChain.java:168)
    at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:96)
    at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.processDirectCallFilter(InvokerFilterChain.java:188)
    at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:96)
    at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilter.doFilter(InvokerFilter.java:100)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:199)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:494)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:137)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92)
    at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:651)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343)
    at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:407)
    at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)
    at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:754)
    at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1376)
    at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
    at java.lang.Thread.run(Thread.java:748)
2019-01-21 07:07:25.854 ERROR [http-nio-8080-exec-8][status_jsp:927]invalid_client
2019-01-21 07:07:25.868 ERROR [http-nio-8080-exec-8][OpenIdConnectSessionValidationFilter:62] java.lang.IllegalStateException: Cannot call sendRedirect() after the response has been committed
java.lang.IllegalStateException: Cannot call sendRedirect() after the response has been committed
    at org.apache.catalina.connector.ResponseFacade.sendRedirect(ResponseFacade.java:488)
    at javax.servlet.http.HttpServletResponseWrapper.sendRedirect(HttpServletResponseWrapper.java:138)
    at javax.servlet.http.HttpServletResponseWrapper.sendRedirect(HttpServletResponseWrapper.java:138)
    at javax.servlet.http.HttpServletResponseWrapper.sendRedirect(HttpServletResponseWrapper.java:138)
    at com.liferay.portal.servlet.filters.absoluteredirects.AbsoluteRedirectsResponse.sendRedirect(AbsoluteRedirectsResponse.java:46)
    at com.liferay.portal.struts.PortalRequestProcessor.process(PortalRequestProcessor.java:167)
    at org.apache.struts.action.ActionServlet.process(ActionServlet.java:1913)
    at org.apache.struts.action.ActionServlet.doGet(ActionServlet.java:449)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:634)
    at com.liferay.portal.servlet.MainServlet.callParentService(MainServlet.java:605)
    at com.liferay.portal.servlet.MainServlet.service(MainServlet.java:582)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:741)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:231)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
    at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:53)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
    at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:119)
    at com.liferay.portal.kernel.servlet.BaseFilter.processFilter(BaseFilter.java:144)
    at com.liferay.portal.security.sso.openid.connect.internal.service.filter.OpenIdConnectSessionValidationFilter.processFilter(OpenIdConnectSessionValidationFilter.java:123)
    at com.liferay.portal.kernel.servlet.BaseFilter.doFilter(BaseFilter.java:49)
    at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.processDoFilter(InvokerFilterChain.java:207)
    at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:112)
    at com.liferay.portal.kernel.servlet.BaseFilter.processFilter(BaseFilter.java:144)
    at com.liferay.portal.servlet.filters.secure.BaseAuthFilter.processFilter(BaseAuthFilter.java:340)
    at com.liferay.portal.kernel.servlet.BaseFilter.doFilter(BaseFilter.java:49)
    at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.processDoFilter(InvokerFilterChain.java:207)
    at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:112)
    at com.liferay.portal.kernel.servlet.BaseFilter.processFilter(BaseFilter.java:144)
    at com.liferay.portal.security.sso.openid.connect.internal.service.filter.OpenIdConnectFilter.processFilter(OpenIdConnectFilter.java:121)
    at com.liferay.portal.kernel.servlet.BaseFilter.doFilter(BaseFilter.java:49)
    at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.processDoFilter(InvokerFilterChain.java:207)
    at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:112)
    at com.liferay.portal.kernel.servlet.BaseFilter.processFilter(BaseFilter.java:144)
    at com.liferay.portal.sharepoint.SharepointFilter.processFilter(SharepointFilter.java:88)
    at com.liferay.portal.kernel.servlet.BaseFilter.doFilter(BaseFilter.java:49)
    at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.processDoFilter(InvokerFilterChain.java:207)
    at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:112)
    at com.liferay.portal.kernel.servlet.BaseFilter.processFilter(BaseFilter.java:144)
    at com.liferay.portal.servlet.filters.virtualhost.VirtualHostFilter.processFilter(VirtualHostFilter.java:263)
    at com.liferay.portal.kernel.servlet.BaseFilter.doFilter(BaseFilter.java:49)
    at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.processDoFilter(InvokerFilterChain.java:207)
    at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:112)
    at com.liferay.portal.kernel.servlet.BaseFilter.processFilter(BaseFilter.java:144)
    at com.liferay.portal.monitoring.internal.servlet.filter.MonitoringFilter.processFilter(MonitoringFilter.java:181)
    at com.liferay.portal.kernel.servlet.BaseFilter.doFilter(BaseFilter.java:49)
    at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.processDoFilter(InvokerFilterChain.java:207)
    at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:112)
    at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.processDirectCallFilter(InvokerFilterChain.java:188)
    at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:96)
    at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.processDirectCallFilter(InvokerFilterChain.java:188)
    at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:96)
    at org.tuckey.web.filters.urlrewrite.RuleChain.handleRewrite(RuleChain.java:176)
    at org.tuckey.web.filters.urlrewrite.RuleChain.doRules(RuleChain.java:145)
    at org.tuckey.web.filters.urlrewrite.UrlRewriter.processRequest(UrlRewriter.java:92)
    at org.tuckey.web.filters.urlrewrite.UrlRewriteFilter.doFilter(UrlRewriteFilter.java:389)
    at com.liferay.portal.servlet.filters.urlrewrite.UrlRewriteFilter.processFilter(UrlRewriteFilter.java:65)
    at com.liferay.portal.kernel.servlet.BaseFilter.doFilter(BaseFilter.java:49)
    at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.processDoFilter(InvokerFilterChain.java:207)
    at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:112)
    at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.processDirectCallFilter(InvokerFilterChain.java:168)
    at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:96)
    at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.processDirectCallFilter(InvokerFilterChain.java:168)
    at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:96)
    at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.processDirectCallFilter(InvokerFilterChain.java:188)
    at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:96)
    at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilter.doFilter(InvokerFilter.java:100)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:199)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:494)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:137)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92)
    at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:651)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343)
    at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:407)
    at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)
    at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:754)
    at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1376)
    at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
    at java.lang.Thread.run(Thread.java:748)
Now, I am absolutely not confident that our configuration is totally correct but "java.lang.IllegalStateException: Cannot call sendRedirect() after the response has been committed" sounds somewhat like an implementation-problem rather than a configuration-problem.
Anyways, I would be more than grateful for any input regarding this matter!
The send redirect is an error I have seen many times before -- normally when someone tries to do a response.sendRedirect from the Render Phase of a portlet (which is a no-no). Looking at the stack trace though, I think it's a red herring. I think the first exception you posted is the real culprit:
2019-01-21 07:07:25.816 ERROR [http-nio-8080-exec-8][OpenIdConnectFilter:107] Unable to process the OpenID login
com.liferay.portal.security.sso.openid.connect.OpenIdConnectServiceException$TokenException: invalid_client
I would wager a guess that the second exception is caused by the fact that it ends up on an error page, in the render cycle, but maybe there is a redirect= parameter in the URL which is causing Liferay to try to redirect when it shouldn't be or something.
You have a different version in the title than you do in your post -- if you let me know which one it is, I'm happy to keep troubleshooting with you. Just want to make sure I am looking at the right version of the source.

2019-07-31 13:47:33.846 ERROR [http-nio-8080-exec-6][OpenIdConnectFilter:107] Unable to process the OpenID login
com.liferay.portal.security.sso.openid.connect.OpenIdConnectServiceException$TokenException: Unable to validate tokens
... later in the trace
Caused by: com.nimbusds.jose.proc.BadJOSEException: Signed JWT rejected: No matching key(s) found
At this point I'm not really sure what the issue is or how to go about debugging it. It looks like in the Keycloak logs that everything is functioning correctly, but when the redirect happens back to Liferay after the user logs in to the Keycloak page the error occurs.
This is what the debugger is saying for Keycloak right before erroring on the Liferay server.
13:47:43,688 DEBUG [org.keycloak.events] (default task-129) type=LOGIN, realmId=Liferay, clientId=portal, userId=39d797a3-8dc9-4d83-af8d-2223fb5cef7a, ipAddress=10.244.2.1, auth_method=openid-connect, auth_type=code, redirect_uri=https://portal.greatdanetrailers.com/c/portal/login/openidconnect, consent=no_consent_required, code_id=85e4063a-209d-4803-9ac5-6d7f7e4046b7, username=alittle2
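Added example (not part of the original posts, and not Liferay or Nimbus code): `No matching key(s) found` in the trace above means no key in the JWK set loaded by the relying party fit the header of the signed ID token. The sketch below reads a token's header and reports why each key in a JWK set would be skipped, using a simplified approximation of the usual selection rules (`kid`, `kty`, `use`, `alg`); the token, key ids and JWK sets are constructed placeholders.

```python
import base64
import json

# Key type each JWS algorithm family needs (RFC 7518).
KTY_FOR_ALG = {"RS": "RSA", "PS": "RSA", "ES": "EC", "HS": "oct"}


def _b64url(obj):
    raw = json.dumps(obj).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def jwt_header(token):
    """Decode the (unverified) JOSE header of a compact JWS."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected 3 segments")
    seg = parts[0]
    return json.loads(base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4)))


def match_keys(header, jwks):
    """Return (usable_keys, reasons_each_other_key_was_skipped)."""
    alg, kid = header.get("alg", ""), header.get("kid")
    want_kty = KTY_FOR_ALG.get(alg[:2])
    usable, skipped = [], []
    for key in jwks.get("keys", []):
        label = key.get("kid", "<no kid>")
        if kid is not None and key.get("kid") != kid:
            skipped.append(f"{label}: kid differs from token kid {kid}")
        elif key.get("kty") != want_kty:
            skipped.append(f"{label}: kty {key.get('kty')} cannot verify {alg}")
        elif key.get("use", "sig") != "sig":
            skipped.append(f"{label}: use={key['use']} is not a signing key")
        elif key.get("alg", alg) != alg:
            skipped.append(f"{label}: alg {key['alg']} differs from {alg}")
        else:
            usable.append(key)
    return usable, skipped


# Constructed sample data: placeholder key ids, no real key material.
TOKEN = ".".join([_b64url({"alg": "RS256", "kid": "kid-B"}),
                  _b64url({"sub": "constructed"}), "c2lnbmF0dXJl"])
CACHED_JWKS = {"keys": [
    {"kid": "kid-A", "kty": "RSA", "use": "sig", "alg": "RS256"},
    {"kid": "kid-enc", "kty": "RSA", "use": "enc", "alg": "RSA-OAEP"},
]}
PROVIDER_JWKS = {"keys": CACHED_JWKS["keys"] + [
    {"kid": "kid-B", "kty": "RSA", "use": "sig", "alg": "RS256"}]}

if __name__ == "__main__":
    for name, jwks in (("cached", CACHED_JWKS), ("provider", PROVIDER_JWKS)):
        usable, skipped = match_keys(jwt_header(TOKEN), jwks)
        print(name, "usable:", [k["kid"] for k in usable], "skipped:", skipped)
```

An empty `usable` list corresponds to the rejected case; comparing the result for the key set the portal holds with the one the provider currently publishes shows which rule excludes each key.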