Keycloak Bad token response, error=not_allowed when user doesn't have the offline_access role
We have a JSF Application running on a tomcat 9 and we are using keycloak (v10.0.2) for login.
Because keycloak deprecated their tomcat-adapter we would like to switch from the keycloak tomcat-adapter to pac4j.
So I've created the following configuration.
import org.pac4j.core.client.Clients;
import org.pac4j.core.config.Config;
import org.pac4j.core.config.ConfigFactory;
import org.pac4j.oidc.client.KeycloakOidcClient;
import org.pac4j.oidc.config.KeycloakOidcConfiguration;
import com.nimbusds.oauth2.sdk.auth.ClientAuthenticationMethod;
public class SecurityConfigFactory implements ConfigFactory {
@Override
public Config build(final Object... parameters) {
System.out.print("Building Security configuration...\n");
final KeycloakOidcConfiguration keycloak = new KeycloakOidcConfiguration();
keycloak.setBaseUri("http://localhost:8180/auth");
keycloak.setRealm("testRealm");
keycloak.setClientId("local-test");
keycloak.setSecret("abc-xyz");
keycloak.setClientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_BASIC);
keycloak.setLogoutUrl("http://localhost:8180/auth/realms/testRealm/protocol/openid-connect/logout");
final KeycloakOidcClient keycloakClient = new KeycloakOidcClient(keycloak);
keycloakClient.setName("keycloakClient");
final String callbackUrl = "http://localhost:8080/callback";
final Clients clients = new Clients(callbackUrl, keycloakClient/* , new AnonymousClient() */);
final Config config = new Config(clients);
return config;
}
}
and added the following to my web.xml
<filter>
<filter-name>callbackFilter</filter-name>
<filter-class>org.pac4j.j2e.filter.CallbackFilter</filter-class>
<init-param>
<param-name>defaultUrl</param-name>
<param-value>/</param-value>
</init-param>
<init-param>
<param-name>renewSession</param-name>
<param-value>false</param-value>
</init-param>
<init-param>
<param-name>multiProfile</param-name>
<param-value>false</param-value>
</init-param>
<init-param>
<param-name>saveInSession</param-name>
<param-value>true</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>callbackFilter</filter-name>
<url-pattern>/callback</url-pattern>
<dispatcher>REQUEST</dispatcher>
</filter-mapping>
<filter>
<filter-name>OidcFilter</filter-name>
<filter-class>org.pac4j.j2e.filter.SecurityFilter</filter-class>
<init-param>
<param-name>configFactory</param-name>
<param-value>abc.xyz.SecurityConfigFactory</param-value>
</init-param>
<init-param>
<param-name>clients</param-name>
<param-value>keycloakClient</param-value>
</init-param>
<init-param>
<param-name>authorizers</param-name>
<param-value>securityHeaders</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>OidcFilter</filter-name>
<url-pattern>/*</url-pattern>
<dispatcher>REQUEST</dispatcher>
<dispatcher>FORWARD</dispatcher>
</filter-mapping>
So now my problem is that when a user has the offline_access role he is able to login into keycloak. But as soon as I remove the offline_access role I get this exception if I click the login button at keycloak.
2022-12-14 10:19:11,304 DEBUG [http-nio-8080-exec-10] - authenticator.OidcAuthenticator.validate - Token response: status=400, content={"error":"not_allowed",
"error_description":"Offline tokens not allowed for the user or client"}
...
org.pac4j.core.exception.TechnicalException: Bad token response, error=not_allowed
at org.pac4j.oidc.credentials.authenticator.OidcAuthenticator.validate(OidcAuthenticator.java:147)
at org.pac4j.oidc.credentials.authenticator.OidcAuthenticator.validate(OidcAuthenticator.java:35)
at org.pac4j.core.client.BaseClient.retrieveCredentials(BaseClient.java:71)
at org.pac4j.core.client.IndirectClient.getCredentials(IndirectClient.java:140)
at org.pac4j.core.engine.DefaultCallbackLogic.perform(DefaultCallbackLogic.java:89)
at org.pac4j.j2e.filter.CallbackFilter.internalFilter(CallbackFilter.java:84)
at org.pac4j.j2e.filter.AbstractConfigFilter.doFilter(AbstractConfigFilter.java:84)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:197)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:97)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:541)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:135)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92)
at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:687)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:78)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:360)
at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:399)
at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65)
at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:890)
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1743)
at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
at org.apache.tomcat.util.threads.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1191)
at org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:659)
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.lang.Thread.run(Thread.java:745)
So I think that I have to tell the config to not use a offline token, or is their something obvious that I'm missing?
In keycloak I see the following events 
My Pom.xml includes (we are using Java 8 and I couldn't get a newer pac4j version to compile)
<dependency>
<groupId>org.pac4j</groupId>
<artifactId>j2e-pac4j</artifactId>
<version>4.1.0</version>
</dependency>
<dependency>
<groupId>org.pac4j</groupId>
<artifactId>pac4j-oidc</artifactId>
<version>3.9.0</version>
</dependency>
Solution
My problem was a keycloak misconfiguration in my keycloak test instance.
I had the "offline-access" Client Scope added to my Default Client Scopes.
- Replacement for the deprecated URL(URL context, String spec) constructor that also works with older Java versions
- How to use WebClient to execute synchronous request?
- SpringBoot 2 the elements were left unbound
- Manually converting a string to an integer in Java
- Java is asking to return a value even when the value is returned in the if-else ladder
- Bounded PriorityBlockingQueue
- HSEARCH000151: Unable to get input stream from object of type byte
- How to get a resources path after jlink-ing?
- Error - trustAnchors parameter must be non-empty
- Build WHERE clause dynamically based on filter in queryDSL
- Best practice to select data using Spring JdbcTemplate
- Doubling each letter in a String
- To find the next work day
- Create advanced search in JPA through user defined dynamic where clause conditions
- Flink task manager does not unload classes
- Implicit casts in Java (passing value type wrappers to methods expecting a regular Integer or Long)
- How do I send an e-mail in Java?
- In Java Failing to invoke method with parameters even though seems to match the getMethod() call
- SQL server hanged suddenly - all DB connections are active but no response - SQL server 2016
- In Java how to synchronize cache read and write operations
- Unable to connect to the remote Cassandra datacenter with the options provided in error
- Creating a hierarchy of Java subclasses
- how to return a list of employee's names with the highest pay rate in java
- "Unsupported class file error" on a Vaadin 14 project
- Does Spring @Transactional attribute work on a private method?
- How to create a BKS (BouncyCastle) format Java Keystore that contains a client certificate chain
- Prevent Kafka Streams Consumer from writing offsets / wait for one stream to consume all records before starting the second stream
- Why does my SQL while(set.next()) skips the first element?
- Combine multiple lists in Java
- How to map from Page<ObjectOne> to Page<ObjectTwo> in Spring Data 2?