Accept self-signed certs with the KeycloakAdmin client (java)

I’m using the java KeycloakAdmin client to connect to Keycloak and create a realm/client.
This is my dependency:

    implementation group: 'org.keycloak', name: 'keycloak-admin-client', version: '24.0.0'

I create and use the KeycloakAdmin client like so:

    import org.keycloak.admin.client.Keycloak;
    import org.keycloak.admin.client.KeycloakBuilder;

    // Keycloak implements AutoCloseable, so try-with-resources closes the underlying HTTP client
    try (Keycloak keycloakAdmin = KeycloakBuilder.builder()
            .serverUrl(serverUrl)
            .realm(adminRealm)
            .username(username)
            .password(password)
            .clientId(adminClientId)
            .build()) {
        //... do stuff ...
    } catch (Exception e) {
        LOGGER.error("Error initializing Keycloak", e);
    }

The problem is that if Keycloak is running with self-signed certs then I get SSLHandshakeExceptions.

The KeycloakAdmin client doesn’t seem to have a way to turn off hostname verification or to generally accept self-signed certs.

How do I do this?

Ahh, I found the answer:

    import nl.altindag.ssl.SSLFactory; // from the sslcontext-kickstart library (io.github.hakky54)
    import org.jboss.resteasy.client.jaxrs.ResteasyClientBuilder;
    import org.keycloak.admin.client.Keycloak;
    import org.keycloak.admin.client.KeycloakBuilder;

    KeycloakBuilder keycloakBuilder = KeycloakBuilder.builder()
            .serverUrl(serverUrl)
            .realm(adminRealm)
            .username(username)
            .password(password)
            .clientId(adminClientId);

    if (acceptUntrustedCerts) {
        // Trusts every certificate and every hostname: intended for local/dev setups only
        SSLFactory defaultSslFactory = SSLFactory.builder()
                .withUnsafeTrustMaterial()
                .withUnsafeHostnameVerifier()
                .build();

        keycloakBuilder.resteasyClient(ResteasyClientBuilder.newBuilder()
                .sslContext(defaultSslFactory.getSslContext())
                .hostnameVerifier(defaultSslFactory.getHostnameVerifier())
                .build());
    }

    Keycloak keycloak = keycloakBuilder.build();

I couldn’t find SSLFactory in the answer from @ndtreviv. This is what worked for me:

    import java.security.KeyManagementException;
    import java.security.KeyStoreException;
    import java.security.NoSuchAlgorithmException;
    import javax.net.ssl.SSLContext;
    import org.apache.http.conn.ssl.TrustSelfSignedStrategy;
    import org.apache.http.ssl.SSLContexts;
    import org.jboss.resteasy.client.jaxrs.ResteasyClientBuilder;
    import org.keycloak.OAuth2Constants;
    import org.keycloak.admin.client.Keycloak;
    import org.keycloak.admin.client.KeycloakBuilder;

    KeycloakBuilder keycloakBuilder = KeycloakBuilder.builder()
            .serverUrl(environmentUtils.getKeycloakUrl())
            .realm("master")
            .clientId("admin-cli")
            .grantType(OAuth2Constants.PASSWORD)
            .username(environmentUtils.getKeycloakAdmin())
            .password(environmentUtils.getKeycloakAdminPassword());

    Keycloak keycloak;
    if (environmentUtils.isSslTrustSelfSignedCertificate()) {
        SSLContext sslContext;
        try {
            // Apache HttpClient's TrustSelfSignedStrategy accepts any single-certificate
            // (self-signed) chain, on top of the JVM's default trust anchors.
            sslContext = SSLContexts.custom()
                    .loadTrustMaterial(new TrustSelfSignedStrategy())
                    .build();
        } catch (KeyManagementException | NoSuchAlgorithmException | KeyStoreException e) {
            throw new RuntimeException(e.getMessage(), e);
        }
        // Hostname verification is left at the RESTEasy default here.
        keycloak = keycloakBuilder
                .resteasyClient(ResteasyClientBuilder.newBuilder().sslContext(sslContext).build())
                .build();
    } else {
        keycloak = keycloakBuilder.build();
    }
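
A narrower alternative to both answers above, added here as an example and not part of either post: rather than trusting every certificate (`withUnsafeTrustMaterial`) or every single-certificate chain (`TrustSelfSignedStrategy`), load the one self-signed certificate the Keycloak server actually presents into an in-memory trust store. Only that certificate is then accepted, and the default hostname verification stays on, so a different self-signed cert on the same host still fails the handshake. The code uses only the JDK plus the `KeycloakBuilder` and `ResteasyClientBuilder` calls already shown on this page; the PEM file path, the server URL and the environment-variable credentials are assumptions for the example.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

import org.jboss.resteasy.client.jaxrs.ResteasyClientBuilder;
import org.keycloak.OAuth2Constants;
import org.keycloak.admin.client.Keycloak;
import org.keycloak.admin.client.KeycloakBuilder;

public class PinnedKeycloakAdmin {

    /**
     * Builds an SSLContext whose trust store contains only the certificates found in
     * the given PEM file (e.g. the server's self-signed cert saved from
     * "openssl s_client -showcerts"). Every other certificate is rejected, and the
     * JDK's default hostname verification is left in place.
     */
    static SSLContext trustOnly(Path pemFile) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        trustStore.load(null, null); // start from an empty in-memory trust store

        try (InputStream in = Files.newInputStream(pemFile)) {
            int i = 0;
            for (Certificate cert : cf.generateCertificates(in)) {
                trustStore.setCertificateEntry("keycloak-" + i++, cert);
            }
        }
        if (trustStore.size() == 0) {
            // An empty trust store would reject everything with a confusing error; fail early instead.
            throw new IllegalStateException("no certificates found in " + pemFile);
        }

        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null); // no client certs, default SecureRandom
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // Assumed values for this example: adjust to your deployment.
        String serverUrl = "https://keycloak.internal:8443";
        Path serverCertPem = Path.of("keycloak-server.pem"); // the server's self-signed cert only

        KeycloakBuilder builder = KeycloakBuilder.builder()
                .serverUrl(serverUrl)
                .realm("master")
                .clientId("admin-cli")
                .grantType(OAuth2Constants.PASSWORD)
                .username(System.getenv("KEYCLOAK_ADMIN"))
                .password(System.getenv("KEYCLOAK_ADMIN_PASSWORD"))
                .resteasyClient(ResteasyClientBuilder.newBuilder()
                        .sslContext(trustOnly(serverCertPem))
                        // no hostnameVerifier(...) override: the cert's SAN must match the host in serverUrl
                        .build());

        try (Keycloak keycloak = builder.build()) {
            // Any TLS failure surfaces here, on the first request (the token call).
            keycloak.realms().findAll().forEach(r -> System.out.println(r.getRealm()));
        }
    }
}
```

For this to work the self-signed certificate must carry a subjectAltName matching the host you put in `serverUrl`; if it does not, fix the certificate rather than disabling the verifier. The same effect without code changes is to import the cert into a JKS/PKCS12 file with `keytool -importcert` and start the JVM with `-Djavax.net.ssl.trustStore=...`, which then applies to every TLS client in the process, not just the admin client.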