Liferay 7.1 Openid Connect Login Issue
Liferay Master Posts: 533 Join Date: 7/4/10
I'm trying to use the new OpenId Connect authentication module that comes with LR 7.1 GA2 with Keycloak. I have had some luck with LR 7.0 GA7 using the OpenId Connect Auth Module that I found in the LR Marketplace. Here's the config I have in LR 7.1 for OpenId Connect:
Provider Name
Keycloak
Set the name for the OpenID Connect provider.
OpenID Connect Client ID
aimportal
Set the client ID for the OpenID Connect provider.
OpenID connect client secret
aea9c3e4-1b52-4303-892a-ddf429fec8a5
Set the client secret for the OpenID Connect provider.
Scopes
openid email profile
Set the scopes Liferay will request during authentication. Scopes are delimited with spaces.
Discovery Endpoint
Set the discovery endpoint for the OpenID Connect provider. If this is set, manually set endpoints will be ignored.
Discovery Endpoint Cache in Milliseconds
Discovery endpoint metadata will be cached on this interval in milliseconds. If 0 is set, the metadata is never refreshed.
Authorization Endpoint
http://localhost:15080/auth/realms/aim/protocol/openid-connect/auth
Set the authorization endpoint for the OpenID Connect provider.
Issuer URL
http://localhost:15080/auth/realms/aim
Set the issuer URL for the OpenID Connect provider.
JWKS URI
Set the JWKS URI for the OpenID Connect provider.
Subject Types
public
Set the subject types for the
OpenID Connect provider.
Token Endpoint
http://localhost:15080/auth/realms/aim/protocol/openid-connect/token
Set the token endpoint for the OpenID Connect provider.
User Information Endpoint
http://localhost:15080/auth/realms/aim/protocol/openid-connect/userinfo
Set the user information endpoint for the OpenID Connect provider.
With the OpenId Connect module enabled I do get a link for OpenId Connect that takes me to my KeyCloak login page, but when I do login I get the following error displayed to me:
Internal Server Error
An error occurred while accessing the requested resource.
http://localhost:17080/c/portal/login/openidconnect?state=YDdJ8jZQb74CBfdlYNjDDP9vDTtaXQm5dF8vJ870CWg&session_state=8bf0d4b6-7e35-4db3-8ed1-fb88c86357b2&code=a81c9191-0b8b-4333-adf5-8d81992e8589.8bf0d4b6-7e35-4db3-8ed1-fb88c86357b2.7b0b4b2a-457f-464e-8893-5f2470184965
In the liferay log I see the following:
2018-12-20 22:30:39.987 ERROR [http-nio-17080-exec-9][OpenIdConnectFilter:111] Unable to process the OpenID login
com.liferay.portal.security.sso.openid.connect.OpenIdConnectServiceException$TokenException: Unable to instantiate token validator
at com.liferay.portal.security.sso.openid.connect.internal.OpenIdConnectServiceHandlerImpl.validateToken(OpenIdConnectServiceHandlerImpl.java:608)
at com.liferay.portal.security.sso.openid.connect.internal.OpenIdConnectServiceHandlerImpl.requestTokens(OpenIdConnectServiceHandlerImpl.java:515)
at com.liferay.portal.security.sso.openid.connect.internal.OpenIdConnectServiceHandlerImpl.requestIdToken(OpenIdConnectServiceHandlerImpl.java:461)
at com.liferay.portal.security.sso.openid.connect.internal.OpenIdConnectServiceHandlerImpl.processAuthenticationResponse(OpenIdConnectServiceHandlerImpl.java:163)
at com.liferay.portal.security.sso.openid.connect.internal.service.filter.OpenIdConnectFilter.processAuthenticationResponse(OpenIdConnectFilter.java:106)
at com.liferay.portal.security.sso.openid.connect.internal.service.filter.OpenIdConnectFilter.processFilter(OpenIdConnectFilter.java:123)
at com.liferay.portal.kernel.servlet.BaseFilter.doFilter(BaseFilter.java:49)
at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.processDoFilter(InvokerFilterChain.java:207)
at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:112)
at com.liferay.portal.kernel.servlet.BaseFilter.processFilter(BaseFilter.java:144)
at com.liferay.portal.sharepoint.SharepointFilter.processFilter(SharepointFilter.java:88)
at com.liferay.portal.kernel.servlet.BaseFilter.doFilter(BaseFilter.java:49)
at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.processDoFilter(InvokerFilterChain.java:207)
at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:112)
at com.liferay.portal.kernel.servlet.BaseFilter.processFilter(BaseFilter.java:144)
at com.liferay.portal.servlet.filters.virtualhost.VirtualHostFilter.processFilter(VirtualHostFilter.java:263)
at com.liferay.portal.kernel.servlet.BaseFilter.doFilter(BaseFilter.java:49)
at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.processDoFilter(InvokerFilterChain.java:207)
at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:112)
at com.liferay.portal.kernel.servlet.BaseFilter.processFilter(BaseFilter.java:144)
at com.liferay.portal.monitoring.internal.servlet.filter.MonitoringFilter.processFilter(MonitoringFilter.java:178)
at com.liferay.portal.kernel.servlet.BaseFilter.doFilter(BaseFilter.java:49)
at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.processDoFilter(InvokerFilterChain.java:207)
at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:112)
at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.processDirectCallFilter(InvokerFilterChain.java:188)
at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:96)
at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.processDirectCallFilter(InvokerFilterChain.java:188)
at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:96)
at org.tuckey.web.filters.urlrewrite.RuleChain.handleRewrite(RuleChain.java:176)
at org.tuckey.web.filters.urlrewrite.RuleChain.doRules(RuleChain.java:145)
at org.tuckey.web.filters.urlrewrite.UrlRewriter.processRequest(UrlRewriter.java:92)
at org.tuckey.web.filters.urlrewrite.UrlRewriteFilter.doFilter(UrlRewriteFilter.java:389)
at com.liferay.portal.servlet.filters.urlrewrite.UrlRewriteFilter.processFilter(UrlRewriteFilter.java:65)
at com.liferay.portal.kernel.servlet.BaseFilter.doFilter(BaseFilter.java:49)
at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.processDoFilter(InvokerFilterChain.java:207)
at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:112)
at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.processDirectCallFilter(InvokerFilterChain.java:168)
at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:96)
at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.processDirectCallFilter(InvokerFilterChain.java:168)
at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:96)
at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.processDirectCallFilter(InvokerFilterChain.java:188)
at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:96)
at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilter.doFilter(InvokerFilter.java:101)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:199)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:491)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:139)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343)
at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:408)
at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)
at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:764)
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1388)
at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.lang.Thread.run(Thread.java:748)
Caused by: com.nimbusds.oauth2.sdk.GeneralException: Missing OpenID Provider id_token_signing_alg_values_supported parameter
at com.nimbusds.openid.connect.sdk.validators.IDTokenValidator.createJWSKeySelector(IDTokenValidator.java:473)
at com.nimbusds.openid.connect.sdk.validators.IDTokenValidator.create(IDTokenValidator.java:578)
at com.liferay.portal.security.sso.openid.connect.internal.OpenIdConnectServiceHandlerImpl.validateToken(OpenIdConnectServiceHandlerImpl.java:600)
... 60 more
RE: Liferay 7.1 Openid Connect Login Issue
Liferay Master Posts: 533 Join Date: 7/4/10
I tried adding the following to the config as well:
JWKS URI
http://localhost:15080/auth/realms/aim/protocol/openid-connect/certs
Set the JWKS URI for the OpenID Connect provider.
Still didn't work but I got a different error:
Caused by: com.nimbusds.oauth2.sdk.GeneralException: Missing OpenID Provider id_token_signing_alg_values_supported parameter
at com.nimbusds.openid.connect.sdk.validators.IDTokenValidator.createJWSKeySelector(IDTokenValidator.java:473)
at com.nimbusds.openid.connect.sdk.validators.IDTokenValidator.create(IDTokenValidator.java:578)
at com.liferay.portal.security.sso.openid.connect.internal.OpenIdConnectServiceHandlerImpl.validateToken(OpenIdConnectServiceHandlerImpl.java:600)
... 60 more
RE: Liferay 7.1 Openid Connect Login Issue
New Member Posts: 2 Join Date: 5/1/19
We are also trying to switch to Liferay 7.1 but are stuck at the Keycloak authentication.
From what I can see I am doing the same as you, though the error I get is different:
2019-04-30 09:32:29.954 ERROR [http-nio-8080-exec-5][OpenIdConnectFilter:132] Unable to process the OpenID login
com.liferay.portal.security.sso.openid.connect.OpenIdConnectServiceException$TokenException: Unable to validate tokens
at com.liferay.portal.security.sso.openid.connect.internal.OpenIdConnectServiceHandlerImpl.validateToken(OpenIdConnectServiceHandlerImpl.java:612)
at com.liferay.portal.security.sso.openid.connect.internal.OpenIdConnectServiceHandlerImpl.requestTokens(OpenIdConnectServiceHandlerImpl.java:515)
at com.liferay.portal.security.sso.openid.connect.internal.OpenIdConnectServiceHandlerImpl.requestIdToken(OpenIdConnectServiceHandlerImpl.java:461)
at com.liferay.portal.security.sso.openid.connect.internal.OpenIdConnectServiceHandlerImpl.processAuthenticationResponse(OpenIdConnectServiceHandlerImpl.java:163)
at com.liferay.portal.security.sso.openid.connect.internal.service.filter.OpenIdConnectFilter.processAuthenticationResponse(OpenIdConnectFilter.java:109)
at com.liferay.portal.security.sso.openid.connect.internal.service.filter.OpenIdConnectFilter.processFilter(OpenIdConnectFilter.java:147)
at com.liferay.portal.kernel.servlet.BaseFilter.doFilter(BaseFilter.java:49)
at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.processDoFilter(InvokerFilterChain.java:207)
at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:112)
at com.liferay.portal.kernel.servlet.BaseFilter.processFilter(BaseFilter.java:144)
at com.liferay.portal.sharepoint.SharepointFilter.processFilter(SharepointFilter.java:88)
at com.liferay.portal.kernel.servlet.BaseFilter.doFilter(BaseFilter.java:49)
at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.processDoFilter(InvokerFilterChain.java:207)
at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:112)
at com.liferay.portal.kernel.servlet.BaseFilter.processFilter(BaseFilter.java:144)
at com.liferay.portal.servlet.filters.virtualhost.VirtualHostFilter.processFilter(VirtualHostFilter.java:263)
at com.liferay.portal.kernel.servlet.BaseFilter.doFilter(BaseFilter.java:49)
at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.processDoFilter(InvokerFilterChain.java:207)
at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:112)
at com.liferay.portal.kernel.servlet.BaseFilter.processFilter(BaseFilter.java:144)
at com.liferay.portal.monitoring.internal.servlet.filter.MonitoringFilter.processFilter(MonitoringFilter.java:178)
at com.liferay.portal.kernel.servlet.BaseFilter.doFilter(BaseFilter.java:49)
at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.processDoFilter(InvokerFilterChain.java:207)
at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:112)
at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.processDirectCallFilter(InvokerFilterChain.java:188)
at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:96)
at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.processDirectCallFilter(InvokerFilterChain.java:188)
at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:96)
at org.tuckey.web.filters.urlrewrite.RuleChain.handleRewrite(RuleChain.java:176)
at org.tuckey.web.filters.urlrewrite.RuleChain.doRules(RuleChain.java:145)
at org.tuckey.web.filters.urlrewrite.UrlRewriter.processRequest(UrlRewriter.java:92)
at org.tuckey.web.filters.urlrewrite.UrlRewriteFilter.doFilter(UrlRewriteFilter.java:389)
at com.liferay.portal.servlet.filters.urlrewrite.UrlRewriteFilter.processFilter(UrlRewriteFilter.java:65)
at com.liferay.portal.kernel.servlet.BaseFilter.doFilter(BaseFilter.java:49)
at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.processDoFilter(InvokerFilterChain.java:207)
at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:112)
at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.processDirectCallFilter(InvokerFilterChain.java:168)
at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:96)
at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.processDirectCallFilter(InvokerFilterChain.java:168)
at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:96)
at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.processDirectCallFilter(InvokerFilterChain.java:188)
at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:96)
at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilter.doFilter(InvokerFilter.java:101)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:199)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:491)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:139)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343)
at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:408)
at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)
at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:764)
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1388)
at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.lang.Thread.run(Thread.java:748)
Caused by: com.nimbusds.jose.proc.BadJOSEException: Signed JWT rejected: No matching key(s) found
at com.nimbusds.jwt.proc.DefaultJWTProcessor.<clinit>(DefaultJWTProcessor.java:100)
at com.nimbusds.openid.connect.sdk.validators.IDTokenValidator.validate(IDTokenValidator.java:390)
at com.nimbusds.openid.connect.sdk.validators.IDTokenValidator.validate(IDTokenValidator.java:329)
at com.liferay.portal.security.sso.openid.connect.internal.OpenIdConnectServiceHandlerImpl.validateToken(OpenIdConnectServiceHandlerImpl.java:605)
... 60 more
2019-04-30 09:32:30.236 ERROR [http-nio-8080-exec-5][status_jsp:872] Unable to validate tokens
RE: Liferay 7.1 Openid Connect Login Issue
New Member Posts: 2 Join Date: 5/1/19
We upgraded to Liferay 7.1.3 CE GA4, which solved the issue.
RE: Liferay 7.1 Openid Connect Login Issue
Liferay Legend Posts: 2416 Join Date: 12/22/10
I'm not sure if Fabian tried setting the values via the UI and it didn't work, but I found what he is referencing in the Control Panel > Configuration > System Settings.
I searched for OpenId and then picked the OpenID Connect Provider option. In there, when you add a provider, there is an option for the ID Token Signing Algorithms.
Is that what you are looking for?
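The two validator failures quoted in this thread (a missing id_token_signing_alg_values_supported value, and "No matching key(s) found") correspond to checks that can be run offline against a provider configuration before enabling login. The sketch below is an added example, not code from Liferay, Nimbus or any poster. The key-matching rule is a simplified assumption about how a JOSE library selects keys, and the `kid` values, key material, response type and RS256 algorithm are constructed for illustration.

```python
import base64
import json

# Fields that OpenID Connect Discovery 1.0 marks REQUIRED in provider metadata.
REQUIRED_METADATA = ("issuer", "authorization_endpoint", "jwks_uri",
                     "response_types_supported", "subject_types_supported",
                     "id_token_signing_alg_values_supported")
# JWS algorithm family prefix -> JWK key type that can verify it.
ALG_KTY = {"RS": "RSA", "PS": "RSA", "ES": "EC", "HS": "oct"}


def make_token(header, claims):
    """Build a constructed, unsigned header.payload.signature string."""
    enc = [base64.urlsafe_b64encode(json.dumps(p).encode()).rstrip(b"=").decode()
           for p in (header, claims)]
    return ".".join(enc + ["constructed-signature"])


def jwt_header(token):
    """Decode the JOSE header (first segment) without verifying anything."""
    segment = token.split(".")[0]
    return json.loads(base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)))


def diagnose(metadata, jwks, id_token):
    """List the reasons a relying party would refuse this provider setup."""
    findings = [f"metadata missing {n}" for n in REQUIRED_METADATA if not metadata.get(n)]
    header = jwt_header(id_token)
    alg, kid = header.get("alg", "none"), header.get("kid")
    allowed = metadata.get("id_token_signing_alg_values_supported") or []
    if alg == "none" or alg not in allowed:
        findings.append(f"token alg {alg} is not an accepted signing algorithm")
    candidates = [key for key in jwks.get("keys", [])
                  if key.get("kty") == ALG_KTY.get(alg[:2])
                  and key.get("use", "sig") == "sig"
                  and (kid is None or key.get("kid") == kid)]
    if not candidates:
        findings.append(f"no JWKS key matches alg={alg} kid={kid}")
    return findings


REALM = "http://localhost:15080/auth/realms/aim"  # issuer URL from the first post
# Constructed metadata mirroring the manually entered fields in the first post.
MANUAL = {
    "issuer": REALM,
    "authorization_endpoint": REALM + "/protocol/openid-connect/auth",
    "token_endpoint": REALM + "/protocol/openid-connect/token",
    "subject_types_supported": ["public"],
}
# Assumed completed configuration; response type and algorithm are assumptions.
COMPLETE = dict(MANUAL, jwks_uri=REALM + "/protocol/openid-connect/certs",
                response_types_supported=["code"],
                id_token_signing_alg_values_supported=["RS256"])
# Constructed key set and tokens; key material is a placeholder, not a real key.
JWKS = {"keys": [{"kty": "RSA", "use": "sig", "kid": "constructed-kid-1",
                  "n": "placeholder", "e": "AQAB"}]}
CLAIMS = {"iss": REALM, "aud": "aimportal"}
GOOD_TOKEN = make_token({"alg": "RS256", "kid": "constructed-kid-1"}, CLAIMS)
STALE_TOKEN = make_token({"alg": "RS256", "kid": "constructed-kid-2"}, CLAIMS)
```

`diagnose(MANUAL, JWKS, GOOD_TOKEN)` reports the missing metadata fields, and `diagnose(COMPLETE, JWKS, STALE_TOKEN)` reports the key mismatch. The function only inspects headers and metadata; it does not verify signatures.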