Keycloak CIBA Flow Error

Hi everyone. I'm trying to use the CIBA grant with Keycloak 24.0.4 for my thesis, but I can't get past an error:

```json
{
  "error": "server_error",
  "error_description": "Failed to send authentication request"
}
```

Keycloak Container log:

```
2024-05-13 13:28:43,303 WARN [org.keycloak.protocol.oidc.grants.ciba.endpoints.BackchannelAuthenticationEndpoint] (executor-thread-12) Unexpected failure when processing CIBA authentication request: java.lang.RuntimeException: Authentication Channel Access failed.
	at org.keycloak.protocol.oidc.grants.ciba.channel.HttpAuthenticationChannelProvider.requestAuthentication(HttpAuthenticationChannelProvider.java:92)
	at org.keycloak.protocol.oidc.grants.ciba.endpoints.BackchannelAuthenticationEndpoint.processGrantRequest(BackchannelAuthenticationEndpoint.java:103)
	at org.keycloak.protocol.oidc.grants.ciba.endpoints.BackchannelAuthenticationEndpoint$quarkusrestinvoker$processGrantRequest_6408e15340992839b66447750c221d9aaa837bd7.invoke(Unknown Source)
	at org.jboss.resteasy.reactive.server.handlers.InvocationHandler.handle(InvocationHandler.java:29)
	at io.quarkus.resteasy.reactive.server.runtime.QuarkusResteasyReactiveRequestContext.invokeHandler(QuarkusResteasyReactiveRequestContext.java:141)
	at org.jboss.resteasy.reactive.common.core.AbstractResteasyReactiveContext.run(AbstractResteasyReactiveContext.java:147)
	at io.quarkus.vertx.core.runtime.VertxCoreRecorder$14.runWith(VertxCoreRecorder.java:582)
	at org.jboss.threads.EnhancedQueueExecutor$Task.run(EnhancedQueueExecutor.java:2513)
	at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1538)
	at org.jboss.threads.DelegatingRunnable.run(DelegatingRunnable.java:29)
	at org.jboss.threads.ThreadLocalResettingRunnable.run(ThreadLocalResettingRunnable.java:29)
	at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)
	at java.base/java.lang.Thread.run(Thread.java:833)
Caused by: org.apache.http.conn.HttpHostConnectException: Connect to 127.0.0.1:8081 [/127.0.0.1] failed: Connection refused
	at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:156)
	at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:376)
	at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:393)
	at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:236)
	at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:186)
	at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:89)
	at org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:110)
	at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:185)
	at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:83)
	at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:108)
	at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:56)
	at org.keycloak.broker.provider.util.SimpleHttp.makeRequest(SimpleHttp.java:299)
	at org.keycloak.broker.provider.util.SimpleHttp.asResponse(SimpleHttp.java:229)
	at org.keycloak.broker.provider.util.SimpleHttp.asStatus(SimpleHttp.java:225)
	at org.keycloak.protocol.oidc.grants.ciba.channel.HttpAuthenticationChannelProvider.requestAuthentication(HttpAuthenticationChannelProvider.java:86)
	... 12 more
Caused by: java.net.ConnectException: Connection refused
	at java.base/sun.nio.ch.Net.connect0(Native Method)
	at java.base/sun.nio.ch.Net.connect(Net.java:579)
	at java.base/sun.nio.ch.Net.connect(Net.java:568)
	at java.base/sun.nio.ch.NioSocketImpl.connect(NioSocketImpl.java:588)
	at java.base/java.net.SocksSocketImpl.connect(SocksSocketImpl.java:327)
	at java.base/java.net.Socket.connect(Socket.java:633)
	at org.apache.http.conn.socket.PlainConnectionSocketFactory.connectSocket(PlainConnectionSocketFactory.java:75)
	at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:142)
	... 26 more
```

I'm following some tutorials (https://www.janua.fr/client-initiated-backchannel-authentication-and-keycloak/) and I'm using a Keycloak Docker container:

```
docker run -p 8080:8080 -e KEYCLOAK_ADMIN=admin -e KEYCLOAK_ADMIN_PASSWORD=admin --net=host quay.io/keycloak/keycloak:24.0.4 start-dev --spi-ciba-auth-channel-ciba-http-auth-channel-http-authentication-channel-uri=http://127.0.0.1:8082
```

This is on a Linux (Ubuntu) host, but I also tried on Windows 11 and got the same problem.
I added the --net=host option to allow communication with my auth server on port 8082. I sniffed the traffic with Wireshark, and it seems that when I call "POST /realms/SpringBoot/protocol/openid-connect/ext/ciba/auth HTTP/1.1", the response is "HTTP/1.1 503 Service Unavailable".

My Spring Boot client is configured with the CIBA OIDC grant. Is the Docker container my problem? I think I'm missing something here. Thank you all for reading. :grinning:

[A brief summary of what I'm trying to do in my thesis: I want to authenticate passwordless without using a browser, so I'm relying on Yubico's Python library (GitHub: Yubico/python-fido2, which provides library functionality for FIDO 2.0, including communication with a device over USB) to do the authentication directly with FIDO devices. At the same time I want to keep Keycloak as my authorization service. After trying other things, I found CIBA, which I think suits my scenario.]
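The piece that the stack trace shows Keycloak failing to reach is the external "authentication entity" behind the configured authentication-channel URI: Keycloak's HTTP channel provider POSTs an Authentication Delegation Request to it, expects a 201 back, and later expects the entity to POST an Authentication Result Notification to the realm's `.../ext/ciba/auth/callback` endpoint, replaying the bearer JWT it received. Below is an added example of such an entity, written for this page and not taken from the post, the linked tutorial, or Keycloak's own code. It reuses the realm name, ports and Keycloak address from the post; the JSON field names (`login_hint`, `scope`, `binding_message`, `is_consent_required`, the `auth_result_id` claim, the `SUCCEED`/`UNAUTHORIZED`/`CANCELLED` status values) follow the Keycloak server admin guide as I read it and should be treated as assumptions to check against the version you run. The demo token builder and the sample request body are constructed for the test; the JWT signature is deliberately not verified here so the block runs offline, which a real deployment must not skip.

```python
"""Minimal CIBA authentication-channel endpoint for Keycloak's HTTP channel
provider. Example only: not code from the post, the tutorial, or Keycloak."""
import base64
import json
import time
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.request import Request, urlopen

# Values taken from the post; adjust to your deployment (assumptions).
KEYCLOAK_BASE = "http://127.0.0.1:8080"
REALM = "SpringBoot"
LISTEN_PORT = 8082  # must match --spi-ciba-...-http-authentication-channel-uri

ALLOWED_STATUS = ("SUCCEED", "UNAUTHORIZED", "CANCELLED")
PENDING = {}  # auth_result_id -> parsed request awaiting the FIDO2 step


def decode_jwt_claims(token):
    """Return the payload of a compact JWS. The signature is NOT checked here:
    in production verify it against the realm's JWKS first (e.g. with PyJWT).
    This example stays offline so it runs without a Keycloak instance."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def parse_delegation_request(headers, body, now=None):
    """Validate the Authentication Delegation Request Keycloak POSTs to the
    channel and return what the authenticator needs. Field names follow the
    Keycloak admin guide as I read it (assumption)."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        raise PermissionError("missing bearer token")
    token = auth[len("Bearer "):]
    claims = decode_jwt_claims(token)
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        raise PermissionError("delegation token expired")
    if claims.get("iss") != f"{KEYCLOAK_BASE}/realms/{REALM}":
        raise PermissionError("unexpected issuer")
    if "auth_result_id" not in claims:
        raise ValueError("token carries no auth_result_id")
    req = json.loads(body)
    return {
        "token": token,                   # replayed in the callback
        "auth_result_id": claims["auth_result_id"],
        "login_hint": req["login_hint"],  # which user to challenge
        "scope": req.get("scope", ""),
        "binding_message": req.get("binding_message"),
        "is_consent_required": bool(req.get("is_consent_required", False)),
    }


def build_result_notification(token, status):
    """Build the Authentication Result Notification sent back to Keycloak.
    The same bearer JWT is replayed so Keycloak can match the pending
    auth_result_id; only the status is new."""
    if status not in ALLOWED_STATUS:
        raise ValueError(f"status must be one of {ALLOWED_STATUS}")
    url = f"{KEYCLOAK_BASE}/realms/{REALM}/protocol/openid-connect/ext/ciba/auth/callback"
    return Request(url, data=json.dumps({"status": status}).encode(),
                   headers={"Authorization": f"Bearer {token}",
                            "Content-Type": "application/json"},
                   method="POST")


def complete(auth_result_id, approved):
    """Call after the FIDO2 assertion was verified (or rejected)."""
    pending = PENDING.pop(auth_result_id)
    status = "SUCCEED" if approved else "UNAUTHORIZED"
    with urlopen(build_result_notification(pending["token"], status)) as resp:
        return resp.status  # Keycloak should answer 204 No Content


class ChannelHandler(BaseHTTPRequestHandler):
    def do_POST(self):
        body = self.rfile.read(int(self.headers.get("Content-Length", 0)))
        try:
            req = parse_delegation_request(self.headers, body)
        except PermissionError as e:
            self.send_error(401, str(e))
            return
        except (ValueError, KeyError) as e:
            self.send_error(400, str(e))
            return
        PENDING[req["auth_result_id"]] = req  # hand off to the python-fido2 step
        self.send_response(201)               # 201 Created: request accepted
        self.end_headers()


def make_demo_token(claims):
    """Constructed, unsigned demo token for local testing only."""
    def enc(d):
        return base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}.sig"


if __name__ == "__main__":
    HTTPServer(("127.0.0.1", LISTEN_PORT), ChannelHandler).serve_forever()
```

Two things to check against the post when wiring this up. First, the trace says Keycloak tried 127.0.0.1:8081 while the command line passes port 8082, so confirm which channel URI Keycloak actually picked up (for example with `kc.sh show-config`) before debugging the entity itself. Second, 127.0.0.1 is only the host's loopback from inside the container when `--net=host` is honoured; on Docker Desktop for Windows it is not, and the entity must be addressed as `host.docker.internal` (or a routable address) instead. The 503 seen in Wireshark is consistent with Keycloak failing that outbound connection and mapping it to `server_error`.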