When opening my application link I get 403 Forbidden instead of the login page

Hi,
I have a primefaces application running on a Wildfly 26.1.3 server and I’m trying to secure it with Keycloak 21.0.1. I have successfully done it in development mode, however I cannot get it working in production mode. When I open the application link I get 403 Forbidden instead of the login page.
So far, I have narrowed it down to the point that I have a trust store problem. At least it looks that way.
If I put the following into the oidc.json:

"disable-trust-manager": true

I get the login page, which is why I’m quite sure that it has to do with the trust manager.

The client definition:

The oidc.json file that is placed in the WEB-INF folder:

{
  "realm": "concludit",
  "auth-server-url": "https://localhost:8543/auth/",
  "ssl-required": "external",
  "resource": "mis-client",
  "truststore": "application.keystore",
  "truststore-password" : "password",
  "public-client": true,
  "confidential-port": 0
}

The application.keystore file I have placed in the configuration folder of the Wildfly server, and in it is the certificate extracted from the server.keystore file that is in the Keycloak conf folder.

The only thing I get in the Wildfly server.log is the following line:

18:00:25,924 WARN  [org.wildfly.security.http.oidc] (default task-1) ELY23005: Unable to load OpenID provider metadata from https://localhost:8543/auth/realms/concludit/.well-known/openid-configuration

Hope, someone can help me out.

Regards
Andrija

I have finally solved this and I hope this will help somebody. However, I didn’t succeed in fixing this on my development machine where I have self-signed certs and keys. I got it working on my production machine where I have a DigiCert certificate and key.
The most important thing to get it working is to create the application.keystore file properly, and this is done by importing the certificates in the correct order, first the ca.pem and then the crt.pem:

keytool -importcert -keystore application.keystore -file {your_domain}.ca.pem -alias root
keytool -importcert -keystore application.keystore -file {your_domain}.crt.pem -alias server

Also, if you’d like to use server.keystore instead of setting up the paths to the cert and key files in the keycloak.conf file, you should create a PKCS12 keystore from your pem files and then import it into a Java keystore:

openssl pkcs12 -export -in {your_domain}.fullchain.pem -inkey {your_domain}.key.pem -out some_name.p12 -name some_name
keytool -importkeystore -deststorepass password -destkeystore server.keystore -srckeystore some_name.p12 -srcstoretype PKCS12

and you can leave out the truststore and truststore-password from the oidc.json file.

As I said, I hope this helps someone save their nerves and a lot of time.

Andrija
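The procedure from the answer above, carried through end to end as an added example (this is not Andrija's script and not Keycloak or WildFly project code): it generates a private CA and a server certificate for the self-signed case with openssl, builds server.keystore from a PKCS12 of key plus full chain, builds application.keystore by importing the CA and then the leaf, and checks the chain with `openssl verify` before any keystore is touched. The hostname `localhost`, the password `password`, the alias `keycloak` and the file names are assumptions for illustration; `openssl` and a JDK `keytool` are required, and the JDK steps are skipped with a message if `keytool` is not on the PATH. The `-noprompt`/`-storepass` flags only make the same keytool commands scriptable.

```shell
#!/bin/sh
# Added example, not from the original post. Builds the two keystores the
# answer describes for a self-signed Keycloak at https://localhost:8543/.
# WORK, PASS and HOST are illustrative defaults (assumptions), override via env.
set -eu

WORK="${WORK:-$(mktemp -d)}"
PASS="${PASS:-password}"
HOST="${HOST:-localhost}"

# Step 1: a private CA and a server certificate whose SAN matches the hostname
# in auth-server-url. A trust manager checks the name as well as the chain, so
# a cert with the wrong SAN fails even when the CA is in the trust store.
make_certs() {
  cd "$WORK"
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -subj "/CN=Example Dev CA" -keyout ca.key.pem -out ca.pem >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=$HOST" -keyout "$HOST.key.pem" -out "$HOST.csr.pem" >/dev/null 2>&1
  printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$HOST" > san.ext
  openssl x509 -req -sha256 -days 365 -in "$HOST.csr.pem" \
    -CA ca.pem -CAkey ca.key.pem -CAcreateserial -extfile san.ext \
    -out "$HOST.crt.pem" >/dev/null 2>&1
  # Full chain = leaf first, then the issuing CA; this is what the PKCS12 gets.
  cat "$HOST.crt.pem" ca.pem > "$HOST.fullchain.pem"
}

# Step 2: verify the chain independently of Java before building keystores.
# If this fails, no trust store built from these files can work either.
verify_chain() {
  cd "$WORK"
  openssl verify -CAfile ca.pem "$HOST.crt.pem" >/dev/null 2>&1
}

# Step 3: the keystores in the order the answer gives. server.keystore comes
# from the PKCS12 (for keycloak.conf); application.keystore is the WildFly
# trust store referenced by "truststore" in oidc.json: CA first, then leaf.
make_keystores() {
  cd "$WORK"
  if ! command -v keytool >/dev/null 2>&1; then
    echo "keytool not found: JDK keystore steps skipped" >&2
    return 0
  fi
  rm -f server.keystore application.keystore keycloak.p12
  openssl pkcs12 -export -in "$HOST.fullchain.pem" -inkey "$HOST.key.pem" \
    -out keycloak.p12 -name keycloak -passout "pass:$PASS"
  keytool -importkeystore -srckeystore keycloak.p12 -srcstoretype PKCS12 \
    -srcstorepass "$PASS" -destkeystore server.keystore \
    -deststorepass "$PASS" -noprompt >/dev/null 2>&1
  keytool -importcert -keystore application.keystore -storepass "$PASS" \
    -file ca.pem -alias root -noprompt >/dev/null 2>&1
  keytool -importcert -keystore application.keystore -storepass "$PASS" \
    -file "$HOST.crt.pem" -alias server -noprompt >/dev/null 2>&1
  # The trust store must hold the issuer the server presents; check it is there.
  keytool -list -keystore application.keystore -storepass "$PASS" | grep -q '^root,'
}

main() {
  make_certs
  verify_chain && echo "chain OK: $WORK/$HOST.crt.pem signed by $WORK/ca.pem"
  make_keystores && echo "keystores in $WORK"
}

# Run the whole procedure when executed directly.
[ "${0##*/}" = "sh" ] || [ "${0##*/}" = "bash" ] || main
```

Point keycloak.conf at `server.keystore` (password `password`) and copy `application.keystore` into the WildFly configuration folder; a useful check before restarting WildFly is `openssl s_client -connect localhost:8543 -CAfile ca.pem`, which reports `Verify return code: 0 (ok)` only when the running Keycloak presents the chain this script built.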