Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

JSON Error when trying to authenticate with Yubikey #105

Closed
Pande-monium opened this issue May 25, 2022 · 2 comments
Closed

JSON Error when trying to authenticate with Yubikey #105

Pande-monium opened this issue May 25, 2022 · 2 comments

Comments

@Pande-monium
Copy link

Hello,

I'm having some troubles setting up Keycloak + Privacyidea + Yubikeys.
Both Keycloak and PI Servers are running and individually doing what they are supposed to do.
I have enrolled the Yubikeys in PI in AES mode with PI handling the private key of the yubikey.
When I try to login on the Keycloak server however I get an error:

2022-05-25 11:52:30,572 WARN  [org.keycloak.services] (executor-thread-0) KC-SERVICES0013: Failed authentication: java.lang.ClassCastException: class com.google.gson.JsonNull cannot be cast to class com.google.gson.JsonPrimitive (com.google.gson.JsonNull and com.google.gson.JsonPrimitive are in unnamed module of loader io.quarkus.bootstrap.runner.RunnerClassLoader @368239c8)
	at com.google.gson.JsonObject.getAsJsonPrimitive(JsonObject.java:172)
	at org.privacyidea.JSONParser.getString(JSONParser.java:508)
	at org.privacyidea.JSONParser.parsePIResponse(JSONParser.java:149)
	at org.privacyidea.PrivacyIDEA.validateCheck(PrivacyIDEA.java:129)
	at org.privacyidea.authenticator.PrivacyIDEAAuthenticator.action(PrivacyIDEAAuthenticator.java:402)
	at org.keycloak.authentication.DefaultAuthenticationFlow.processAction(DefaultAuthenticationFlow.java:169)
	at org.keycloak.authentication.AuthenticationProcessor.authenticationAction(AuthenticationProcessor.java:990)
	at org.keycloak.services.resources.LoginActionsService.processFlow(LoginActionsService.java:321)
	at org.keycloak.services.resources.LoginActionsService.processAuthentication(LoginActionsService.java:292)
	at org.keycloak.services.resources.LoginActionsService.authenticate(LoginActionsService.java:276)
	at org.keycloak.services.resources.LoginActionsService.authenticateForm(LoginActionsService.java:349)
	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
	at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.base/java.lang.reflect.Method.invoke(Method.java:566)
	at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:170)
	at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:130)
	at org.jboss.resteasy.core.ResourceMethodInvoker.internalInvokeOnTarget(ResourceMethodInvoker.java:660)
	at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTargetAfterFilter(ResourceMethodInvoker.java:524)
	at org.jboss.resteasy.core.ResourceMethodInvoker.lambda$invokeOnTarget$2(ResourceMethodInvoker.java:474)
	at org.jboss.resteasy.core.interception.jaxrs.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:364)
	at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:476)
	at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:434)
	at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:192)
	at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:141)
	at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:32)
	at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:492)
	at org.jboss.resteasy.core.SynchronousDispatcher.lambda$invoke$4(SynchronousDispatcher.java:261)
	at org.jboss.resteasy.core.SynchronousDispatcher.lambda$preprocess$0(SynchronousDispatcher.java:161)
	at org.jboss.resteasy.core.interception.jaxrs.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:364)
	at org.jboss.resteasy.core.SynchronousDispatcher.preprocess(SynchronousDispatcher.java:164)
	at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:247)
	at io.quarkus.resteasy.runtime.standalone.RequestDispatcher.service(RequestDispatcher.java:73)
	at io.quarkus.resteasy.runtime.standalone.VertxRequestHandler.dispatch(VertxRequestHandler.java:151)
	at io.quarkus.resteasy.runtime.standalone.VertxRequestHandler.handle(VertxRequestHandler.java:82)
	at io.quarkus.resteasy.runtime.standalone.VertxRequestHandler.handle(VertxRequestHandler.java:42)
	at io.vertx.ext.web.impl.RouteState.handleContext(RouteState.java:1212)
	at io.vertx.ext.web.impl.RoutingContextImplBase.iterateNext(RoutingContextImplBase.java:163)
	at io.vertx.ext.web.impl.RoutingContextImpl.next(RoutingContextImpl.java:141)
	at io.quarkus.vertx.http.runtime.StaticResourcesRecorder$2.handle(StaticResourcesRecorder.java:67)
	at io.quarkus.vertx.http.runtime.StaticResourcesRecorder$2.handle(StaticResourcesRecorder.java:55)
	at io.vertx.ext.web.impl.RouteState.handleContext(RouteState.java:1212)
	at io.vertx.ext.web.impl.RoutingContextImplBase.iterateNext(RoutingContextImplBase.java:163)
	at io.vertx.ext.web.impl.RoutingContextImpl.next(RoutingContextImpl.java:141)
	at io.quarkus.vertx.http.runtime.VertxHttpRecorder$5.handle(VertxHttpRecorder.java:380)
	at io.quarkus.vertx.http.runtime.VertxHttpRecorder$5.handle(VertxHttpRecorder.java:358)
	at io.vertx.ext.web.impl.RouteState.handleContext(RouteState.java:1212)
	at io.vertx.ext.web.impl.RoutingContextImplBase.iterateNext(RoutingContextImplBase.java:163)
	at io.vertx.ext.web.impl.RoutingContextImpl.next(RoutingContextImpl.java:141)
	at org.keycloak.quarkus.runtime.integration.web.QuarkusRequestFilter.lambda$createBlockingHandler$1(QuarkusRequestFilter.java:71)
	at io.vertx.core.impl.ContextImpl.lambda$null$0(ContextImpl.java:159)
	at io.vertx.core.impl.AbstractContext.dispatch(AbstractContext.java:100)
	at io.vertx.core.impl.ContextImpl.lambda$executeBlocking$1(ContextImpl.java:157)
	at io.quarkus.vertx.core.runtime.VertxCoreRecorder$13.runWith(VertxCoreRecorder.java:543)
	at org.jboss.threads.EnhancedQueueExecutor$Task.run(EnhancedQueueExecutor.java:2449)
	at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1478)
	at org.jboss.threads.DelegatingRunnable.run(DelegatingRunnable.java:29)
	at org.jboss.threads.ThreadLocalResettingRunnable.run(ThreadLocalResettingRunnable.java:29)
	at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)
	at java.base/java.lang.Thread.run(Thread.java:829)

2022-05-25 11:52:30,597 WARN  [org.keycloak.events] (executor-thread-0) type=LOGIN_ERROR, realmId=MY_REALM, clientId=account-console, userId=null, ipAddress=213.240.178.59, error=invalid_user_credentials, auth_method=openid-connect, auth_type=code, redirect_uri=https://OUR.DOMAIN.com/realms/MY_REALM/account/#/, code_id=8fbf381f-3136-4f0d-93d9-5cc60ce281c7, authSessionParentId=8fbf381f-3136-4f0d-93d9-5cc60ce281c7, authSessionTabId=fuRGK8eT7NQ

It Looks like something in the JSON is Null that's not supposed to be Null.
The PI server logs show, that the authentication went through successfully.

Also the response just before this log entry looks quite promising (Log also from Keycloak):

2022-05-25 11:52:25,017 INFO  [org.privacyidea.authenticator.PrivacyIDEAAuthenticator] (pool-8-thread-1) PrivacyIDEA SDK: Sending to /auth
2022-05-25 11:52:25,018 INFO  [org.privacyidea.authenticator.PrivacyIDEAAuthenticator] (pool-8-thread-1) PrivacyIDEA SDK: username=SERVICE_ACCOUNT_USER
2022-05-25 11:52:25,018 INFO  [org.privacyidea.authenticator.PrivacyIDEAAuthenticator] (pool-8-thread-1) PrivacyIDEA SDK: password=****************
2022-05-25 11:52:25,018 INFO  [org.privacyidea.authenticator.PrivacyIDEAAuthenticator] (pool-8-thread-1) PrivacyIDEA SDK: realm=SERVICE_ACCOUNT_REALM
2022-05-25 11:52:25,664 INFO  [org.privacyidea.authenticator.PrivacyIDEAAuthenticator] (pool-8-thread-1) PrivacyIDEA SDK: Sending to /token/
2022-05-25 11:52:25,664 INFO  [org.privacyidea.authenticator.PrivacyIDEAAuthenticator] (pool-8-thread-1) PrivacyIDEA SDK: user=MY_USERNAME
2022-05-25 11:52:26,023 INFO  [org.privacyidea.authenticator.PrivacyIDEAAuthenticator] (OkHttp https://pi.enobyte.com/...) PrivacyIDEA SDK: /token/:
{
  "id": 1,
  "jsonrpc": "2.0",
  "result": {
    "status": true,
    "value": {
      "count": 1,
      "current": 1,
      "tokens": [
        {
          "active": true,
          "count": 1294,
          "count_window": 10,
          "description": "15419071",
          "failcount": 0,
          "id": 6,
          "info": {
            "count_auth": "15",
            "count_auth_success": "9",
            "last_auth": "2022-05-25 11:51:14.799594+02:00",
            "tokenkind": "hardware",
            "yubikey.prefix": "vvccccunfhnv",
            "yubikey.tokenid": "3216472fa3cd"
          },
          "locked": false,
          "maxfail": 10,
          "otplen": 44,
          "realms": [
            "MY_REALM_ldap_realm"
          ],
          "resolver": "MY_REALM",
          "revoked": false,
          "rollout_state": "",
          "serial": "UBAM00024C24",
          "sync_window": 1000,
          "tokentype": "yubikey",
          "user_editable": true,
          "user_id": "a80cc5a0-507d-103a-9088-012f05376100",
          "user_realm": "MY_REALM_ldap_realm",
          "username": "MY_USERNAME"
        }
      ]
    }
  },
  "time": 1653472346.0000277,
  "version": "privacyIDEA None",
  "signature": "rsa_sha256_pss:OMITTED_A_512_CHAR_SIGNATURE"
}
2022-05-25 11:52:30,038 INFO  [org.privacyidea.authenticator.PrivacyIDEAAuthenticator] (pool-8-thread-2) PrivacyIDEA SDK: Sending to /validate/check
2022-05-25 11:52:30,039 INFO  [org.privacyidea.authenticator.PrivacyIDEAAuthenticator] (pool-8-thread-2) PrivacyIDEA SDK: user=MY_USERNAME
2022-05-25 11:52:30,039 INFO  [org.privacyidea.authenticator.PrivacyIDEAAuthenticator] (pool-8-thread-2) PrivacyIDEA SDK: pass=********************************************
2022-05-25 11:52:30,039 INFO  [org.privacyidea.authenticator.PrivacyIDEAAuthenticator] (pool-8-thread-2) PrivacyIDEA SDK: realm=MY_REALM_ldap_realm
2022-05-25 11:52:30,571 INFO  [org.privacyidea.authenticator.PrivacyIDEAAuthenticator] (OkHttp https://pi.enobyte.com/...) PrivacyIDEA SDK: /validate/check:
{
  "detail": {
    "message": "matching 1 tokens",
    "otplen": 44,
    "serial": "UBAM00024C24",
    "threadid": 140277831210880,
    "type": "yubikey"
  },
  "id": 2,
  "jsonrpc": "2.0",
  "result": {
    "authentication": "ACCEPT",
    "status": true,
    "value": true
  },
  "time": 1653472350.551489,
  "version": "privacyIDEA None",
  "signature": "rsa_sha256_pss:OMITTED_ANOTHER_512_CHAR_SIGNATURE"
}

In case it matters:
The two omitted signatures are not identical.

Any idea if I did something wrong to cause this?

@nilsbehlen
Copy link
Member

Hi, i don't think you did something wrong - the provider should not crash because of something this trivial.
The problem is the version number. If you look at the response it says "version": "privacyIDEA None". There should also be a field "versionNumber" which seems to be missing if the version number can not be found in the server. I remember we had the same problem some time ago, but i referred to the server because i do not know much of it. I think it had to do with the python virtual env. However, for this provider, the problem will be fixed in the next version which should be released soon.
If you need it fixed quick, you can just comment the line https://github.com/privacyidea/java-client/blob/8153196d38cb8b810627e6ff6c08f0d38f304ad2/src/main/java/org/privacyidea/JSONParser.java#L155 (its 155 in the version in the main branch) and compile it according to the readme of this repo.

@Pande-monium
Copy link
Author

Hello nilsbehlen,

thank you for your quick response.
I'll see if I can get a maven build environment setup to compile it myself, but in any case I'm looking forward to the next version release :)

Best regards,
Pande

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants