By: Bach Ph user 23 Nov 2018 at 12:47 p.m. CST

2 Responses
Bach Ph gravatar
Hello dear developers, Please kindly help me about the following issue. I'd like to register my roundcube site to a Keycloak SSO server as a Keycloak 'client' through Oxd server using Keycloak client registration services. I've gone through the public tickets interface https://support.gluu.org/ without founding related issues. Here's the description of my installations. 1) So on server 1 : I have a roundcube webmail and I installed gluufederation/roundcube_oxd_plugin : https://plugins.roundcube.net/packages/gluufederation/roundcube_oxd_plugin 2) On server 2 : I installed an Oxd server ( and oxd-https-extension, not used) 3) roundcube_oxd_plugin on Server 1 can communicate with Oxd server server 2, no pb. 4) On server 3 : I have a Keycloak SSO server providing client registration services through HTTPS call. 5) Server 1 and server 3 have public HTTPS urls. 4) When I try the registration site step (first step) : See https://gluu.org/docs/oxd/3.0.1/plugin/roundcube/ , Configuration general I have following error message from server 2:/var/log/oxd-server/oxd-server.log : Unrecognized field &quot;scopes&quot; (class org.keycloak.representations.oidc.OIDCClientRepresentation), not marked as ignorable And the roundcube_oxd_plugin UI gives me : Can not connect to the oxd server. Please check the oxd-config.json file to make sure you have entered the correct port and the oxd server is operational. As a consequence, I've a parsing error back at oxd-server : org.codehaus.jettison.json.JSONException: A JSONObject text must begin with '{' at character 1 I did provide "URI of the OpenID Provider", default "oxd port" 8099 I've check the configuration of the Keycloak SSO server to accept dynamic client registration and I've beeen able to call a command-line curl -X POST client registration and create a client https://www.keycloak.org/docs/latest/securing_apps/index.html#_client_registration Following command-line Curl worked : $ curl -H "Content-Type: application/json" \ -d '{"client_name":"gluu_oxd_server","redirect_uris": ["https://roundcube.mywebmail.org/*"]' \ -X POST https://my.sso.org/auth/realms/myrealm/clients-registrations/openid-connect Following command-line Curl failed with same error msg : Unrecognized field &quot;scopes&quot; (class org.keycloak.representations.oidc.OIDCClientRepresentation), not marked as ignorable $ curl -H "Content-Type: application/json" \ -d '{"client_name":"gluu_oxd_server","redirect_uris": ["https://roundcube.mywebmail.org/*"], "scopes":["openid","offline_access","address","phone","email","profile"]}' \ -X POST https://my.sso.org/auth/realms/myrealm/clients-registrations/openid-connect The OIDCClientRepresentation representation of Keycloak doesn't have 'scopes' field. See : https://github.com/keycloak/keycloak/blob/master/core/src/main/java/org/keycloak/representations/oidc/OIDCClientRepresentation.java So I suspect Oxd server sending a register request to Keycloak client registration endpoint and providing a parameter named "scopes" to the POST request. That's why I try to change the /var/tmp/oxd-default-site-config.json, hoping to discard parameter named "scopes". Then I restart the Oxd server with /etc/init.d/oxd-server restart I did try to register via the UI (https://gluu.org/docs/oxd/3.0.1/plugin/roundcube/ , Configuration general), again once with "URI of the OpenID Provider:" filed provided, and once without. But I get the same error again. Would you please kindly give me a hint on how to configure oxd server for registrating my roundcube site ? Thank you very much before hand. Here's : /var/tmp/oxd-default-site-config.json { "op_host":"https://my.sso.org/auth/realms/myrealm", "op_discovery_path":"auth/realms/myrealm", "response_types":["code"], "grant_type":["authorization_code"], "acr_values":[""], "ui_locales":["en"], "claims_locales":["en"], "contacts":[], "client_id":"XXX", "client_registration_client_uri":"https://my.sso.org/auth/realms/myrealm/clients-registrations/openid-connect/XXX", "client_registration_access_token":"YYY" } "client_id", "client_registration_client_uri" and "client_registration_access_token" are from Keycloak SSO server after a successful command-line CURL call on the client registration endpoints. I have try with and without these fields. Restarting server : $ /etc/init.d/oxd-server restart Please check the oxd-server-log.txt log file. 2018-11-23 18:22:38,668 INFO [org.xdi.oxd.server.ServerLauncher] Starting... 2018-11-23 18:22:38,673 INFO [org.xdi.oxd.server.ServerLauncher] commit: d5d41bd6c68ecf87b32a5605c5c65b350f2c9b56, branch: origin/version_3.1.4, build time:26.10.2018 @ 12:40:51 EDT 2018-11-23 18:22:38,701 DEBUG [org.xdi.oxd.server.ServerLauncher] BC registered: false 2018-11-23 18:22:38,782 DEBUG [org.xdi.oxd.server.ServerLauncher] Registered BC successfully. 2018-11-23 18:22:38,884 TRACE [org.xdi.oxd.server.service.ConfigurationService] Try to load configuration from system property: oxd.server.config, value: /etc/oxd/oxd-server/oxd-conf.json 2018-11-23 18:22:39,022 TRACE [org.xdi.oxd.server.service.ConfigurationService] Configuration loaded successfully from system property: oxd.server.config. 2018-11-23 18:22:39,022 TRACE [org.xdi.oxd.server.service.ConfigurationService] Configuration: Configuration{port=8099, timeOutInSeconds=0, registerClientAppType='web', registerClientResponesType='code', localhostOnly=false, useClientAuthenticationForPat=true, trustAllCerts=true, keyStorePath='', keyStorePassword='', cryptProviderKeyStorePath='', cryptProviderKeyStorePassword='', cryptProviderDnName='', supportGoogleLogout=true, stateExpirationInMinutes=5, nonceExpirationInMinutes=5, publicOpKeyCacheExpirationInMinutes=60, protectCommandsWithAccessToken=false, uma2AuthRegisterClaimsGatheringEndpointAsRedirectUriOfClient=true, migrationSourceFolderPath='', storage='h2', storageConfiguration={"dbFileLocation":"/opt/oxd-server/data/oxd_db"}} 2018-11-23 18:22:39,022 TRACE [org.xdi.oxd.server.service.ConfigurationService] Trying to read oxd-default-site-config.json, path: /etc/oxd/oxd-server/oxd-default-site-config.json 2018-11-23 18:22:39,072 INFO [org.xdi.oxd.server.service.ConfigurationService] Default RP configuration loaded successfully: Rp{oxdId='null', opHost='https://my.sso.org/auth/realms/myrealm', opDiscoveryPath='auth/realms/myrealm', idToken='null', accessToken='null', authorizationRedirectUri='null', postLogoutRedirectUri='null', applicationType='null', redirectUris=null, frontChannelLogoutUri=null, claimsRedirectUri=null, responseTypes=[code], clientId='XXX', clientRegistrationAccessToken='YYY', clientRegistrationClientUri='https://my.sso.org/auth/realms/myrealm/clients-registrations/openid-connect/XXX', clientIdIssuedAt=null, clientSecretExpiresAt=null, clientName='null', sectorIdentifierUri='null', clientJwksUri='null', setupClient='null', setupOxdId='null', setupClientId='null', scope=null, uiLocales=[en], claimsLocales=[en], acrValues=[], grantType=null, contacts=[], userId='null', userSecret='null', pat='null', patExpiresIn=0, patCreatedAt=null, patRefreshToken='null', umaProtectedResources=[], rpt='null', rptTokenType='null', rptPct='null', rptExpiresAt=null, rptCreatedAt=null, rptUpgraded=null, tokenEndpointAuthSigningAlg=null, tokenEndpointAuthMethod=null, oxdRpProgrammingLanguage=null} 2018-11-23 18:22:39,212 DEBUG [org.xdi.oxd.server.persistence.SqlPersistenceServiceImpl] Schema created successfully. 2018-11-23 18:22:39,230 INFO [org.xdi.oxd.server.persistence.SqlPersistenceServiceImpl] Loaded 0 RPs. 2018-11-23 18:22:39,231 DEBUG [org.xdi.oxd.server.service.MigrationService] Migration source folder is not specified. 2018-11-23 18:22:39,231 DEBUG [org.xdi.oxd.server.service.MigrationService] Skip migration because migration source folder is not specified or otherwise invalid. 2018-11-23 18:22:39,235 INFO [org.xdi.oxd.server.service.SocketService] Server socket is bound to port: 8099, with timeout: 0 seconds. Start listening for notifications. -- Log /var/log/oxd-server$ tail -f oxd-server.log 2018-11-23 18:05:52,473 TRACE [org.xdi.oxd.server.Processor] Command: {"command":"register_site", "params":{"op_host":"https://my.sso.org/auth/realms/myrealm", "authorization_redirect_uri":"https://roundcube.mywebmail.org//?_action=plugin.gluu_sso-login-from-gluu", "post_logout_redirect_uri":"https://roundcube.mywebmail.org//?_task=logout&logout=fromop", "application_type":"web","acr_values":[], "scope":["openid","offline_access","address","phone","email","profile"], "client_jwks_uri":"", "client_token_endpoint_auth_method":"", "client_request_uris":null, "contacts":["support"], "grant_types":["authorization_code"] ,"response_types":["code"], "client_logout_uris":["https://roundcube.mywebmail.org//?_task=logout&logout=fromop"], "client_id":null,"":null}} 2018-11-23 18:05:52,567 TRACE [org.xdi.oxd.server.op.RegisterSiteOperation] Skip auto registration of claims interaction endpoint as redirect_uri because OP host for different uri's is different which will not pass AS redirect_uri's validation (same host must be present). 2018-11-23 18:05:52,568 INFO [org.xdi.oxd.server.op.RegisterSiteOperation] Creating RP ... 2018-11-23 18:05:52,580 TRACE [org.xdi.oxd.server.service.HttpService] Created TRUST_ALL client. 2018-11-23 18:05:53,103 TRACE [org.xdi.oxd.server.service.DiscoveryService] Discovery response: {"issuer":"http://my.sso.org/auth/realms/myrealm", "authorization_endpoint":"http://my.sso.org/auth/realms/myrealm/protocol/openid-connect/auth", "token_endpoint":"http://my.sso.org/auth/realms/myrealm/protocol/openid-connect/token", "token_introspection_endpoint":"http://my.sso.org/auth/realms/myrealm/protocol/openid-connect/token/introspect", "userinfo_endpoint":"http://my.sso.org/auth/realms/myrealm/protocol/openid-connect/userinfo", "end_session_endpoint":"http://my.sso.org/auth/realms/myrealm/protocol/openid-connect/logout", "jwks_uri":"http://my.sso.org/auth/realms/myrealm/protocol/openid-connect/certs", "check_session_iframe":"http://my.sso.org/auth/realms/myrealm/protocol/openid-connect/login-status-iframe.html", "grant_types_supported":["authorization_code","implicit","refresh_token","password","client_credentials"], "response_types_supported":["code","none","id_token","token","id_token token","code id_token","code token","code id_token token"], "subject_types_supported":["public","pairwise"], "id_token_signing_alg_values_supported":["ES384","RS384","HS256","HS512","ES256","RS256","HS384","ES512","RS512"], "userinfo_signing_alg_values_supported":["ES384","RS384","HS256","HS512","ES256","RS256","HS384","ES512","RS512","none"], "request_object_signing_alg_values_supported":["none","RS256"],"response_modes_supported":["query","fragment","form_post"], "registration_endpoint":"http://my.sso.org/auth/realms/myrealm/clients-registrations/openid-connect", "token_endpoint_auth_methods_supported":["private_key_jwt","client_secret_basic","client_secret_post","client_secret_jwt"], "token_endpoint_auth_signing_alg_values_supported":["RS256"], "claims_supported":["sub","iss","auth_time","name","given_name","family_name","preferred_username","email"], "claim_types_supported":["normal"],"claims_parameter_supported":false, "scopes_supported":["openid","offline_access","address","phone","email","profile"], "request_parameter_supported":true,"request_uri_parameter_supported":true, "code_challenge_methods_supported":["plain","S256"], "tls_client_certificate_bound_access_tokens":true, "introspection_endpoint":"http://my.sso.org/auth/realms/myrealm/protocol/openid-connect/token/introspect"} 2018-11-23 18:05:53,113 TRACE [org.xdi.oxd.server.service.HttpService] Created TRUST_ALL client. 2018-11-23 18:05:53,139 ERROR [org.xdi.oxauth.client.RegisterResponse] A JSONObject text must begin with '{' at character 1 of Unrecognized field &quot;scopes&quot; (class org.keycloak.representations.oidc.OIDCClientRepresentation), not marked as ignorable org.codehaus.jettison.json.JSONException: A JSONObject text must begin with '{' at character 1 of Unrecognized field &quot;scopes&quot; (class org.keycloak.representations.oidc.OIDCClientRepresentation), not marked as ignorable at org.codehaus.jettison.json.JSONTokener.syntaxError(JSONTokener.java:463) at org.codehaus.jettison.json.JSONObject.<init>(JSONObject.java:173) at org.codehaus.jettison.json.JSONObject.<init>(JSONObject.java:280) at org.xdi.oxauth.client.RegisterResponse.injectDataFromJson(RegisterResponse.java:81) at org.xdi.oxauth.client.RegisterResponse.<init>(RegisterResponse.java:60) at org.xdi.oxauth.client.RegisterClient._exec(RegisterClient.java:262) at org.xdi.oxauth.client.RegisterClient.exec(RegisterClient.java:78) at org.xdi.oxd.server.op.RegisterSiteOperation.registerClient(RegisterSiteOperation.java:271) at org.xdi.oxd.server.op.RegisterSiteOperation.persistRp(RegisterSiteOperation.java:240) at org.xdi.oxd.server.op.RegisterSiteOperation.execute_(RegisterSiteOperation.java:67) at org.xdi.oxd.server.op.RegisterSiteOperation.execute(RegisterSiteOperation.java:103) at org.xdi.oxd.server.op.RegisterSiteOperation.execute(RegisterSiteOperation.java:46) at org.xdi.oxd.server.Processor.process(Processor.java:74) at org.xdi.oxd.server.Processor.process(Processor.java:49) at org.xdi.oxd.server.SocketProcessor.run(SocketProcessor.java:55) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) at java.lang.Thread.run(Thread.java:748) 2018-11-23 18:05:53,143 ERROR [org.xdi.oxd.server.op.RegisterSiteOperation] ClientId: null, clientSecret: null 2018-11-23 18:05:53,143 ERROR [org.xdi.oxd.server.op.RegisterSiteOperation] Failed to register client for site. Details:Unrecognized field &quot;scopes&quot; (class org.keycloak.representations.oidc.OIDCClientRepresentation), not marked as ignorable java.lang.RuntimeException: Failed to register client for site. Details:Unrecognized field &quot;scopes&quot; (class org.keycloak.representations.oidc.OIDCClientRepresentation), not marked as ignorable at org.xdi.oxd.server.op.RegisterSiteOperation.registerClient(RegisterSiteOperation.java:286) at org.xdi.oxd.server.op.RegisterSiteOperation.persistRp(RegisterSiteOperation.java:240) at org.xdi.oxd.server.op.RegisterSiteOperation.execute_(RegisterSiteOperation.java:67) at org.xdi.oxd.server.op.RegisterSiteOperation.execute(RegisterSiteOperation.java:103) at org.xdi.oxd.server.op.RegisterSiteOperation.execute(RegisterSiteOperation.java:46) at org.xdi.oxd.server.Processor.process(Processor.java:74) at org.xdi.oxd.server.Processor.process(Processor.java:49) at org.xdi.oxd.server.SocketProcessor.run(SocketProcessor.java:55) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) at java.lang.Thread.run(Thread.java:748) 2018-11-23 18:05:53,171 TRACE [org.xdi.oxd.server.Processor] Send back response: {"status":"error","data":{"error":"internal_error","details":null,"error_description":"Unknown internal server error occurs."}}

By Mohib Zico staff 27 Nov 2018 at 2:58 a.m. CST

Mohib Zico gravatar
I have a suggestion for you... use Gluu Server instead of KeyCloak one. See how everything works here; compare your config there for KeyCloak. Hopefully you should have some insight.

By Bach Ph user 27 Nov 2018 at 3:21 a.m. CST

Bach Ph gravatar
Hello Mohib, Thank you very for your suggestion, I'll give a try. Best regards,