Invalid realm configuration (ACR-LOA map) after update to 19.0.1

Hi, there!

[org.keycloak.protocol.oidc.utils.AcrUtils] (executor-thread-146) Invalid realm configuration (ACR-LOA map)

We started out on Keycloak version 17.0.1 and recently updated to 19.0.1. Now we are seeing a lot of this error in the Keycloak container logs. Is that just noise, or is something mandatory missing in the configuration?

Thanks in advance for any help!

4 Likes

I am having the same problem

Same here! I’m curious if this has any implications or can be ignored

I still have the same messages in the log after updating to 19.0.2

WARN [org.keycloak.protocol.oidc.utils.AcrUtils] (executor-thread-0) Invalid realm configuration (ACR-LOA map)

I know it’s just a warning but I’d like to understand what’s the cause and possibly get rid of it.

Thanks!

I have the same problem…

```
2022-09-27 13:41:19,016 WARN [org.keycloak.protocol.oidc.utils.AcrUtils] (executor-thread-2) Invalid realm configuration (ACR-LOA map)
2022-09-27 13:41:19,027 WARN [org.keycloak.protocol.oidc.utils.AcrUtils] (executor-thread-2) Invalid realm configuration (ACR-LOA map)
2022-09-27 13:52:52,855 WARN [org.keycloak.protocol.oidc.utils.AcrUtils] (executor-thread-2) Invalid realm configuration (ACR-LOA map)
2022-09-27 13:52:52,856 WARN [org.keycloak.protocol.oidc.utils.AcrUtils] (executor-thread-2) Invalid realm configuration (ACR-LOA map)
2022-09-27 13:53:07,090 WARN [org.keycloak.protocol.oidc.utils.AcrUtils] (executor-thread-2) Invalid realm configuration (ACR-LOA map)
2022-09-27 13:53:07,090 WARN [org.keycloak.protocol.oidc.utils.AcrUtils] (executor-thread-2) Invalid realm configuration (ACR-LOA map)
```

Same problem. I created a brand-new realm “test” and then exported both that and my existing realm, which had come through the upgrade from an older version and was emitting the error. In the old realm, but NOT the new “test” realm, I see the following:

    "acr.loa.map": "[]"

In the attributes object at the top level. Complete diff:

Old realm:

```
"attributes": {
  "cibaBackchannelTokenDeliveryMode": "poll",
  "cibaAuthRequestedUserHint": "login_hint",
  "oauth2DevicePollingInterval": "5",
  "clientOfflineSessionMaxLifespan": "0",
  "clientSessionIdleTimeout": "0",
  "userProfileEnabled": "false",
  "clientOfflineSessionIdleTimeout": "0",
  "cibaInterval": "5",
  "cibaExpiresIn": "120",
  "oauth2DeviceCodeLifespan": "600",
  "parRequestUriLifespan": "60",
  "clientSessionMaxLifespan": "0",
  "frontendUrl": "",
  "acr.loa.map": "[]"
},
```

New “test” realm:

```
"attributes": {
  "cibaBackchannelTokenDeliveryMode": "poll",
  "cibaExpiresIn": "120",
  "cibaAuthRequestedUserHint": "login_hint",
  "oauth2DeviceCodeLifespan": "600",
  "oauth2DevicePollingInterval": "5",
  "parRequestUriLifespan": "60",
  "cibaInterval": "5"
},
```

Hi,
Working on an elytron-examples OIDC-WITH-BARRIER as a beginner, no sample works with this error.
I investigated a bit and found that in 19.0.2 there is no more /auth/ at the entry points of Keycloak services.
To make the samples work, I patched the oidc.json in /src/main/web-app/, changing
`"provider-url" : "${env.OIDC_PROVIDER_URL:http://localhost:8080}/auth/realms/myrealm"` to
`"provider-url" : "${env.OIDC_PROVIDER_URL:http://localhost:8080}/realms/myrealm"`,
and it works.

Later, I tried some other samples designed with Node.js: same problem. I can patch the frontend by removing /auth/ in this app.js:

```
// var KC_URL = process.env.KC_URL || "http://localhost:8080/auth";
var KC_URL = process.env.KC_URL || "http://localhost:8080"
```

This patch allows the app to find the following: localhost:8080/js/keycloak.js
But for the OIDC entry point, this file contains the same wrong /auth:

```
kc.endpoints = {
    authorize: function() {
        return getRealmUrl() + '/protocol/openid-connect/auth';
```

For now, I have not found how to patch that.
I think it would be better to restore */auth* in >19 if this is a mistake. Otherwise, patch and patch...

HTH

Looks like I got it fixed by changing

```
"attributes": {
  "acr.loa.map": "[]"
}
```

to

```
"attributes": {
  "acr.loa.map": "{}"
}
```

I personally fixed this warning by editing each realm's settings.
In the Admin console, open the Realm Settings (under the Configure section in the left pane) and in the first General tab, locate the “ACR to LoA Mapping” setting. Put in any valid key/value pair (ex: key=ABC, value=5), then save, remove the k/v just entered and save again. Repeat the same process for each realm, and the error is gone.

Adding a valid key/value and removing it forces Keycloak to set ‘acr.loa.map’ to an empty object instead of an empty list.

1 Like

> Adding a valid key/value and removing it forces Keycloak to set ‘acr.loa.map’ to an empty object instead of an empty list.

Not in my case on 19.0.3, it just sets it back to a list.

Hi, thanks, this helped with KC 20.0.1; the console stopped spamming this error.
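The check this thread converges on, as an added example that is not part of any post and not Keycloak's own code: it classifies the `acr.loa.map` attribute of an exported realm and rewrites the empty-list value `"[]"` to `"{}"`. The function names, the status strings, the integer-value check and the sample realm are assumptions made for this example.

```python
import json
import sys

ATTR = "acr.loa.map"  # realm attribute named in the thread

# Constructed sample, shaped like the upgraded realm's export shown above.
SAMPLE_OLD_REALM = {"realm": "old", "attributes": {"frontendUrl": "", ATTR: "[]"}}


def check_acr_loa_map(realm: dict) -> str:
    """Return "absent", "ok", "not-json", "not-object" or "bad-value"."""
    raw = (realm.get("attributes") or {}).get(ATTR)
    if raw is None:
        return "absent"  # like the fresh "test" realm in the thread
    try:
        parsed = json.loads(raw)  # the attribute is JSON stored as a string
    except (TypeError, ValueError):
        return "not-json"
    if not isinstance(parsed, dict):
        return "not-object"  # the "[]" value seen in the upgraded realm
    # Assumption: LoA values are integers (thread example: key=ABC, value=5).
    for value in parsed.values():
        if isinstance(value, bool) or not isinstance(value, int):
            return "bad-value"
    return "ok"


def repair(realm: dict) -> bool:
    """Rewrite an empty-list map to "{}" (the fix reported in the thread)."""
    if check_acr_loa_map(realm) != "not-object":
        return False
    if json.loads(realm["attributes"][ATTR]) != []:
        return False  # anything but an empty list needs manual review
    realm["attributes"][ATTR] = "{}"
    return True


if __name__ == "__main__":
    # With a path argument, check that export; otherwise use the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            realm = json.load(fh)
    else:
        realm = json.loads(json.dumps(SAMPLE_OLD_REALM))
    print(realm.get("realm"), "before:", check_acr_loa_map(realm))
    print("repaired:", repair(realm), "after:", check_acr_loa_map(realm))
```

The script only changes the in-memory copy; writing the repaired export back and re-importing it is left to the operator.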