Hi Community,
I need some help securing my application: after upgrading my Keycloak instance from version 16.1 to 21.0.1 (the latest one), I'm facing the error below when trying to authenticate a client on this endpoint:
realms/"myrealm"/protocol/openid-connect/auth
It should ask for username/password with a login mask UI; instead I receive an exception:
Unexpected error when handling authentication request to identity provider.
Looking at the logs this is the first part of the Exception stack:
2023-03-21 10:23:17,275 WARN [org.keycloak.services] (executor-thread-50) KC-SERVICES0013: Failed authentication: java.lang.NullPointerException
at org.jboss.resteasy.plugins.server.BaseHttpRequest.getFormParameters(BaseHttpRequest.java:53)
at org.jboss.resteasy.plugins.server.BaseHttpRequest.getDecodedFormParameters(BaseHttpRequest.java:74)
at org.keycloak.services.HttpRequestImpl.getDecodedFormParameters(HttpRequestImpl.java:62)
at org.keycloak.authentication.authenticators.directgrant.ValidateUsername.retrieveUsername(ValidateUsername.java:161)
at org.keycloak.authentication.authenticators.directgrant.ValidateUsername.authenticate(ValidateUsername.java:52)
at org.keycloak.authentication.DefaultAuthenticationFlow.processSingleFlowExecutionModel(DefaultAuthenticationFlow.java:445)
at org.keycloak.authentication.DefaultAuthenticationFlow.processFlow(DefaultAuthenticationFlow.java:249)
at org.keycloak.authentication.AuthenticationProcessor.authenticateOnly(AuthenticationProcessor.java:1025)
at org.keycloak.authentication.AuthenticationProcessor.authenticate(AuthenticationProcessor.java:887)
at org.keycloak.protocol.AuthorizationEndpointBase.handleBrowserAuthenticationRequest(AuthorizationEndpointBase.java:153)
at org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint.buildAuthorizationCodeAuthorizationResponse(AuthorizationEndpoint.java:363)
With the following error:
2023-03-21 10:23:17,361 WARN [org.keycloak.events] (executor-thread-50) type=LOGIN_ERROR, realmId=*******, clientId=*****, userId=null, ipAddress=*******, error=invalid_user_credentials, auth_method=openid-connect, auth_type=code, response_type=code, redirect_uri=************, code_id=64b4911b-e9bf-4574-a6c6-bdd62951f23a, response_mode=query, authSessionParentId=64b4911b-e9bf-4574-a6c6-bdd62951f23a, authSessionTabId=XguMC_VfO70
For sure, it is some lack of knowledge on my part, but I cannot understand why it is expecting username/password, since I'm going to that endpoint in order to enter them. Therefore it raises an exception, since it found the username/password fields to be “null”.
Furthermore, before it was not necessary to add the parameters response_type, scope, redirect_uri and client_id to the URI query; now they are compulsory. I understand that the new Keycloak version is stricter regarding the OAuth RFC (i.e. the scope parameter), but I don't understand the other query parameters requested.
The openid-client client had been imported from the previous version, as well as the realm configuration, where it used to work. Nevertheless, I tried different configurations and query parameters without success.
How do I solve this problem?