What I want to do?
Run a Spring Boot application with Keycloak security (token validation via a configured public key):
export KEYCLOAK_REALM_KEY="-----BEGIN PUBLIC KEY-----[PEM]-----END PUBLIC KEY-----"
java -jar spring-boot-with-keycloak-security.jar
What did I expect?
The application is up and running (success) and the endpoints are protected by Keycloak security.
But it fails on the first request.
What do I see instead?
An exception on the first request:
java.lang.RuntimeException: org.keycloak.common.util.PemException: java.security.spec.InvalidKeySpecException: encoded key spec not recognized: null
at org.keycloak.adapters.KeycloakDeploymentBuilder.internalBuild(KeycloakDeploymentBuilder.java:71) ~[keycloak-adapter-core-11.0.2.jar:11.0.2]
at org.keycloak.adapters.KeycloakDeploymentBuilder.build(KeycloakDeploymentBuilder.java:202) ~[keycloak-adapter-core-11.0.2.jar:11.0.2]
at org.keycloak.adapters.springboot.KeycloakSpringBootConfigResolver.resolve(KeycloakSpringBootConfigResolver.java:41) ~[keycloak-spring-boot-adapter-core-11.0.2.jar:11.0.2]
at org.keycloak.adapters.springsecurity.config.KeycloakSpringConfigResolverWrapper.resolve(KeycloakSpringConfigResolverWrapper.java:40) ~[keycloak-spring-security-adapter-11.0.2.jar:11.0.2]
at org.keycloak.adapters.AdapterDeploymentContext.resolveDeployment(AdapterDeploymentContext.java:89) ~[keycloak-adapter-core-11.0.2.jar:11.0.2]
at org.keycloak.adapters.PreAuthActionsHandler.preflightCors(PreAuthActionsHandler.java:100) ~[keycloak-adapter-core-11.0.2.jar:11.0.2]
at org.keycloak.adapters.PreAuthActionsHandler.handleRequest(PreAuthActionsHandler.java:75) ~[keycloak-adapter-core-11.0.2.jar:11.0.2]
at org.keycloak.adapters.tomcat.AbstractKeycloakAuthenticatorValve.invoke(AbstractKeycloakAuthenticatorValve.java:177) ~[spring-boot-container-bundle-11.0.2.jar:11.0.2]
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:143) ~[tomcat-embed-core-9.0.50.jar:9.0.50]
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92) ~[tomcat-embed-core-9.0.50.jar:9.0.50]
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:78) ~[tomcat-embed-core-9.0.50.jar:9.0.50]
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:357) ~[tomcat-embed-core-9.0.50.jar:9.0.50]
at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:382) ~[tomcat-embed-core-9.0.50.jar:9.0.50]
at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65) ~[tomcat-embed-core-9.0.50.jar:9.0.50]
at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:893) ~[tomcat-embed-core-9.0.50.jar:9.0.50]
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1723) ~[tomcat-embed-core-9.0.50.jar:9.0.50]
at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49) ~[tomcat-embed-core-9.0.50.jar:9.0.50]
at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128) ~[na:na]
at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628) ~[na:na]
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) ~[tomcat-embed-core-9.0.50.jar:9.0.50]
at java.base/java.lang.Thread.run(Thread.java:830) ~[na:na]
Caused by: org.keycloak.common.util.PemException: java.security.spec.InvalidKeySpecException: encoded key spec not recognized: null
at org.keycloak.common.util.PemUtils.decodePublicKey(PemUtils.java:82) ~[keycloak-common-11.0.2.jar:11.0.2]
at org.keycloak.adapters.KeycloakDeploymentBuilder.internalBuild(KeycloakDeploymentBuilder.java:67) ~[keycloak-adapter-core-11.0.2.jar:11.0.2]
... 20 common frames omitted
Caused by: java.security.spec.InvalidKeySpecException: encoded key spec not recognized: null
at org.bouncycastle.jcajce.provider.asymmetric.util.BaseKeyFactorySpi.engineGeneratePublic(Unknown Source) ~[bcprov-jdk15on-1.65.jar:1.65.0]
at org.bouncycastle.jcajce.provider.asymmetric.rsa.KeyFactorySpi.engineGeneratePublic(Unknown Source) ~[bcprov-jdk15on-1.65.jar:1.65.0]
at java.base/java.security.KeyFactory.generatePublic(KeyFactory.java:346) ~[na:na]
at org.keycloak.common.util.DerUtils.decodePublicKey(DerUtils.java:66) ~[keycloak-common-11.0.2.jar:11.0.2]
at org.keycloak.common.util.PemUtils.decodePublicKey(PemUtils.java:80) ~[keycloak-common-11.0.2.jar:11.0.2]
... 21 common frames omitted
Why is that bad?
I cannot provide the REALM_KEY as an environment variable in a containerized environment, e.g. Kubernetes.
Workaround in the Spring Boot context
@Autowired
fun configureAdapterConfig(adapterConfig: AdapterConfig) {
    // A value injected from an environment variable arrives on a single line;
    // put the PEM header and footer back on their own lines before the adapter parses it.
    if (adapterConfig.realmKey != null) {
        adapterConfig.realmKey = adapterConfig.realmKey
            .replace("-----BEGIN PUBLIC KEY-----", "-----BEGIN PUBLIC KEY-----\n")
            .replace("-----END PUBLIC KEY-----", "\n-----END PUBLIC KEY-----")
    }
}
Additional information
It does not seem to be a bug in PemUtils, because the PEM format has separate header and footer lines (rfc-link). But ...
Wouldn't it be nice to simplify container runtime configuration?
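The report shows header, key body and footer arriving on one line, which is what an environment variable tends to carry. The following is an added example (Python, not Keycloak's or the adapter's code) that contrasts a hypothetical greedy header/footer strip, which returns an empty body for that layout, with a tolerant decoder that restores the canonical layout the way the Kotlin workaround above does and sanity-checks the decoded SubjectPublicKeyInfo. The key bytes are a constructed toy structure, not a real RSA key.

```python
"""Decode a PEM public key that may have lost its line breaks. Added example; not Keycloak code."""
import base64
import re

BEGIN = "-----BEGIN PUBLIC KEY-----"
END = "-----END PUBLIC KEY-----"
RSA_OID = bytes.fromhex("06092a864886f70d010101")  # 1.2.840.113549.1.1.1 rsaEncryption

# Constructed toy SubjectPublicKeyInfo (rsaEncryption, 3-byte modulus); not a real key.
SAMPLE_DER = bytes.fromhex("301f300d06092a864886f70d0101010500030e00300b020400c0ffee0203010001")
SAMPLE_B64 = base64.b64encode(SAMPLE_DER).decode()
ONE_LINE = BEGIN + SAMPLE_B64 + END  # the single-line layout an env var tends to carry

def naive_body(pem: str) -> str:
    # Hypothetical greedy strip, for contrast: on a one-line value the '.*' in the
    # BEGIN pattern also swallows the key body and the footer, leaving nothing to decode.
    s = re.sub(r"-----BEGIN (.*)-----", "", pem)
    s = re.sub(r"-----END (.*)-----", "", s)
    return re.sub(r"\s+", "", s)

def tolerant_body(pem: str) -> str:
    # Match header and footer literally, then drop all whitespace, so one-line,
    # LF and CRLF layouts all yield the same base64 body.
    m = re.fullmatch(r"\s*" + re.escape(BEGIN) + r"(.*?)" + re.escape(END) + r"\s*", pem, re.S)
    if not m:
        raise ValueError("not a PEM PUBLIC KEY block")
    return re.sub(r"\s+", "", m.group(1))

def normalize_pem(pem: str) -> str:
    # Re-emit in canonical layout: header/footer on their own lines, 64-char body lines.
    body = tolerant_body(pem)
    return "\n".join([BEGIN, *(body[i:i + 64] for i in range(0, len(body), 64)), END]) + "\n"

def decode_spki(body: str) -> bytes:
    # Base64-decode and sanity-check as DER SubjectPublicKeyInfo: an outer SEQUENCE
    # whose length covers the rest, carrying an rsaEncryption AlgorithmIdentifier.
    der = base64.b64decode(body, validate=True)
    if len(der) < 4 or der[0] != 0x30:
        raise ValueError("encoded key spec not recognized")  # wording as in the report
    n_len, hdr = der[1], 2
    if n_len & 0x80:  # long-form length: low 7 bits give the byte count of the length
        hdr += n_len & 0x7F
        n_len = int.from_bytes(der[2:hdr], "big")
    if hdr + n_len != len(der) or RSA_OID not in der[hdr:hdr + 20]:
        raise ValueError("encoded key spec not recognized")
    return der

def is_valid_body(body: str) -> bool:
    try:
        decode_spki(body)
        return True
    except ValueError:  # binascii.Error (bad base64) is a ValueError subclass
        return False
```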