
keycloak: Fix some deployment issues

When testing webapp authentication feature, I noticed a couple of issues in current Keycloak deployment.

Current OpenID Connect endpoints return an error 500 when reaching them (see https://auth.softwareheritage.org/auth/realms/SoftwareHeritage/protocol/openid-connect/auth for instance). I managed to track the issue using docker:

2020-04-09 09:57:58,873 WARN  [org.keycloak.events] (default task-6) type=LOGIN_ERROR, realmId=SoftwareHeritage, clientId=null, userId=null, ipAddress=172.23.0.1, error=invalid_request
2020-04-09 09:57:58,882 ERROR [io.undertow.request] (default task-6) UT005023: Exception handling request to /auth/realms/SoftwareHeritage/protocol/openid-connect/auth: java.lang.NullPointerException
        at java.base/sun.util.locale.LocaleUtils.toLowerString(LocaleUtils.java:89)
        at java.base/sun.util.locale.LanguageTag.parse(LanguageTag.java:192)
        at java.base/java.util.Locale.forLanguageTag(Locale.java:1682)
        at org.keycloak.keycloak-services@8.0.1//org.keycloak.locale.DefaultLocaleSelectorProvider.getLocale(DefaultLocaleSelectorProvider.java:58)
        at org.keycloak.keycloak-services@8.0.1//org.keycloak.locale.DefaultLocaleSelectorProvider.resolveLocale(DefaultLocaleSelectorProvider.java:45)
        at org.keycloak.keycloak-services@8.0.1//org.keycloak.services.DefaultKeycloakContext.resolveLocale(DefaultKeycloakContext.java:132)
        at org.keycloak.keycloak-services@8.0.1//org.keycloak.forms.login.freemarker.FreeMarkerLoginFormsProvider.createResponse(FreeMarkerLoginFormsProvider.java:182)
        at org.keycloak.keycloak-services@8.0.1//org.keycloak.forms.login.freemarker.FreeMarkerLoginFormsProvider.createErrorPage(FreeMarkerLoginFormsProvider.java:542)
        at org.keycloak.keycloak-services@8.0.1//org.keycloak.services.ErrorPage.error(ErrorPage.java:31)

This is related to the default locale not being set in the realms, so I added its configuration in the puppet manifest. The endpoints work correctly after that change.

When testing those changes locally, I encountered the following error when running puppet multiple times:

Info: Using configured environment 'production'
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Retrieving locales
Info: Loading facts
Info: Caching catalog for 386ed9f43621.test
Info: Applying configuration version '1586426518'
Error: kcadm create protocol-mapper failed
Error message: Execution of '/opt/keycloak/bin/kcadm-wrapper.sh create clients/2ae76714-3f08-5a70-af28-472ddd0ad36b/protocol-mappers/models -o -r SoftwareHeritage -f /tmp/keycloak_protocol_mapper20200409-7549-1a31p97' returned 1: 
Error: /Stage[main]/Profile::Keycloak::Resources/Keycloak_client_protocol_mapper[audience for 2ae76714-3f08-5a70-af28-472ddd0ad36b on SoftwareHeritage]/ensure: change from 'absent' to 'present' failed: kcadm create protocol-mapper failed
Error message: Execution of '/opt/keycloak/bin/kcadm-wrapper.sh create clients/2ae76714-3f08-5a70-af28-472ddd0ad36b/protocol-mappers/models -o -r SoftwareHeritage -f /tmp/keycloak_protocol_mapper20200409-7549-1a31p97' returned 1:  (corrective)
Error: kcadm create protocol-mapper failed
Error message: Execution of '/opt/keycloak/bin/kcadm-wrapper.sh create clients/2ae76714-3f08-5a70-af28-472ddd0ad36b/protocol-mappers/models -o -r SoftwareHeritage -f /tmp/keycloak_protocol_mapper20200409-7549-qr330r' returned 1: 
Error: /Stage[main]/Profile::Keycloak::Resources/Keycloak_client_protocol_mapper[groups for 2ae76714-3f08-5a70-af28-472ddd0ad36b on SoftwareHeritage]/ensure: change from 'absent' to 'present' failed: kcadm create protocol-mapper failed
Error message: Execution of '/opt/keycloak/bin/kcadm-wrapper.sh create clients/2ae76714-3f08-5a70-af28-472ddd0ad36b/protocol-mappers/models -o -r SoftwareHeritage -f /tmp/keycloak_protocol_mapper20200409-7549-qr330r' returned 1:  (corrective)
Notice: Applied catalog in 25.81 seconds

Puppet tries to recreate the protocol mappers at each run, but it should not. After reading the puppet module code for keycloak, I noticed the check for protocol mapper existence is based on the value of the resource_name field and not the name one (see here). Renaming name to resource_name in the protocol mappers configuration effectively fixes the above errors.
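An added Python check (not part of this MR or of the puppet module) that a deployer can run over the JSON returned by `kcadm.sh get realms/<realm>` and `kcadm.sh get clients/<id>/protocol-mappers/models -r <realm>` to confirm both fixes took effect: the realm has a default locale when internationalization is enabled, and each mapper Puppet declares exists exactly once under its Keycloak `name`. The JSON samples and the declared mapper list are constructed for illustration, not captured from the deployment.

```python
import json
from collections import Counter

# Constructed sample of the locale-related fields in the JSON that
# `kcadm.sh get realms/<realm>` returns; not captured from the deployment.
REALM_JSON = '''{"realm": "SoftwareHeritage",
  "internationalizationEnabled": true,
  "supportedLocales": ["en"],
  "defaultLocale": null}'''

# Constructed sample of `kcadm.sh get clients/<id>/protocol-mappers/models -r <realm>`
# (only the fields used here): the "groups" mapper has not been created yet.
MAPPERS_JSON = '''[
  {"id": "m1", "name": "audience", "protocol": "openid-connect",
   "protocolMapper": "oidc-audience-mapper"}
]'''

# Names Puppet declares (the resource_name of each keycloak_client_protocol_mapper).
DECLARED = ["audience", "groups"]


def check_realm_locale(realm):
    """Findings about the locale settings Keycloak needs to render login/error pages."""
    findings = []
    if not realm.get("internationalizationEnabled"):
        return findings  # i18n off: nothing to check here
    supported = realm.get("supportedLocales") or []
    default = realm.get("defaultLocale")
    if not default:
        findings.append("internationalization enabled but defaultLocale is unset")
    elif default not in supported:
        findings.append(f"defaultLocale {default!r} not in supportedLocales {supported}")
    return findings


def check_mappers(declared, mappers):
    """Map each declared mapper name to 'ok', 'missing' or 'duplicated'."""
    counts = Counter(m["name"] for m in mappers)
    status = {}
    for name in declared:
        n = counts.get(name, 0)
        status[name] = "ok" if n == 1 else ("missing" if n == 0 else "duplicated")
    return status


def audit(realm_json, mappers_json, declared):
    """Combine both checks; an empty locale list and all-'ok' mappers means converged."""
    realm = json.loads(realm_json)
    mappers = json.loads(mappers_json)
    return {"locale": check_realm_locale(realm),
            "mappers": check_mappers(declared, mappers)}


if __name__ == "__main__":
    print(json.dumps(audit(REALM_JSON, MAPPERS_JSON, DECLARED), indent=2))
```

Running it after a Puppet run should report an empty locale list and every declared mapper as `ok`; a mapper that stays `missing` across runs is the symptom of the existence check keying on the wrong field.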

Below is the octocatalog-diff output:

12:20 $ bin/octocatalog-diff --octocatalog-diff-args --no-truncate-details kelvingrove.internal.softwareheritage.org
Found host kelvingrove.internal.softwareheritage.org
Clonage dans '/tmp/swh-ocd.lP4gdrrF/environments/production/data/private'...
fait.
Clonage dans '/tmp/swh-ocd.lP4gdrrF/environments/staging/data/private'...
fait.
*** Running octocatalog-diff on host kelvingrove.internal.softwareheritage.org
I, [2020-04-09T12:21:02.824016 #19643]  INFO -- : Catalogs compiled for kelvingrove.internal.softwareheritage.org
I, [2020-04-09T12:21:03.990616 #19643]  INFO -- : Diffs computed for kelvingrove.internal.softwareheritage.org
diff origin/production/kelvingrove.internal.softwareheritage.org current/kelvingrove.internal.softwareheritage.org
*******************************************
  Keycloak_client_protocol_mapper[audience for 2ae76714-3f08-5a70-af28-472ddd0ad36b on SoftwareHeritage] =>
   parameters =>
     name =>
      - audience
*******************************************
  Keycloak_client_protocol_mapper[audience for c0d0fca0-7d28-5d3f-9d71-3f998de90ca2 on SoftwareHeritageStaging] =>
   parameters =>
     name =>
      - audience
*******************************************
  Keycloak_client_protocol_mapper[groups for 2ae76714-3f08-5a70-af28-472ddd0ad36b on SoftwareHeritage] =>
   parameters =>
     name =>
      - groups
*******************************************
  Keycloak_client_protocol_mapper[groups for c0d0fca0-7d28-5d3f-9d71-3f998de90ca2 on SoftwareHeritageStaging] =>
   parameters =>
     name =>
      - groups
*******************************************
  Keycloak_realm[SoftwareHeritageStaging] =>
   parameters =>
     supported_locales =>
      + ["en"]
*******************************************
  Keycloak_realm[SoftwareHeritage] =>
   parameters =>
     supported_locales =>
      + ["en"]
*******************************************
*** End octocatalog-diff on kelvingrove.internal.softwareheritage.org

Migrated from D2986 (view on Phabricator)
