-
Notifications
You must be signed in to change notification settings - Fork 80
Authentication fails, any ideas? #75
Comments
@LorCub For supporting OTP, you should setup a proxy before the Nexus3, please read more for Single Sign On (SSO). |
I may be having the same issue, so going to post here. My configuration contains a Apache httpd reverse proxy attached to an AWS Classic ELB that redirects authentication to a keycloak instance attached to a AWS ALB. These are the only two Public DNS entries if you will, the CLassic ELB and ALB. When I installed nexus3 version 3.33.1-01, I modified the configuration to use https/SSL rather than http. That all worked well, but just in case, this is what I changed in the userdata.sh on a RedHat 8.2 image. # Configure SSL
NEXUS_DATA_PATH=/data/1/sonatype-work
NEXUS_ETC_PATH=$NEXUS_DATA_PATH/nexus3/etc
JKS_FILE=/data/1/certs/keystore.jks # (the cert is generated using AWS ACM and CN=nexus.node.consul) as I have consul running on the nexus instance.
cp $JKS_FILE $NEXUS_ETC_PATH/ssl/keystore.jks
chown -R nexus:nexus $NEXUS_ETC_PATH/ssl
echo "application-port-ssl=8443" >> $NEXUS_ETC_PATH/nexus.properties
if [ `grep nexus-args $NEXUS_ETC_PATH/nexus.properties | grep "#" | wc -l` -eq 1 ]; then
echo "nexus-args=\${jetty.etc}/jetty.xml,\${jetty.etc}/jetty-https.xml,\${jetty.etc}/jetty-requestlog.xml" >> $NEXUS_ETC_PATH/nexus.properties
else
sed -i "s/jetty-http/jetty-https/g" $NEXUS_ETC_PATH/nexus.properties
fi
echo "ssl.etc=\${karaf.data}/etc/ssl" >> $NEXUS_ETC_PATH/nexus.properties
echo "nexus.security.anticsrftoken.enabled=false" >> $NEXUS_ETC_PATH/nexus.properties
NEXUS_JETTY_FILE="/${NEXUS_INSTALL_PATH}/nexus-${NEXUS_VERSION}/etc/jetty/jetty-https.xml"
cp $NEXUS_JETTY_FILE $NEXUS_JETTY_FILE.orig
KEYSTORE_PASS=$(getProperty $PROP_FILE "javax.net.ssl.keyStorePassword")
sed -i "s/password/$KEYSTORE_PASS/g" $NEXUS_JETTY_FILE
echo "Restarting Nexus with SSL"
service nexus restart That all works fine and I can log into nexus using the admin account and password and the connection shows secure. I then found this site, and I did the steps in the README.md. However, I am thinking I must still have something wrong in the $install_dir/keycloak.json. I created the client nexus3 as documented, and followed the other instructions. But when I try to add a user from Keycloak, I get the following error attached as nexusUIerror.txt Here is what I did to configure this plugin. PLUGIN_VERSION=0.6.0-SNAPSHOT
wget https://github.com/flytreeleft/nexus3-keycloak-plugin/releases/download/0.6.0-prev1-SNAPSHOT/nexus3-keycloak-plugin-0.6.0-SNAPSHOT.jar -O nexus3-keycloak-plugin-0.6.0-SNAPSHOT.jar
JARDIR="org/github/flytreeleft/nexus3-keycloak-plugin/$PLUGIN_VERSION"
NEXUS_INSTALL_PATH=/opt/nexus
NEXUS_VERSION=3.33.0-01
NEXUS_SYS_PATH="${NEXUS_INSTALL_PATH}/nexus-${NEXUS_VERSION}/system"
mkdir -p $NEXUS_SYS_PATH/$JARDIR
cp nexus3-keycloak-plugin-0.6.0-SNAPSHOT.jar $NEXUS_SYS_PATH/$JARDIR/
echo "mvn\\:org.github.flytreeleft/nexus3-keycloak-plugin/$PLUGIN_VERSION = 200" >> ${NEXUS_INSTALL_PATH}/nexus-${NEXUS_VERSION}/etc/karaf/startup.properties
echo '{
"realm": "xxx",
"auth-server-url": "https://sso.xxx.com/auth/",
"ssl-required": "all",
"resource": "nexus3",
"verify-token-audience": true,
"credentials": {
"secret": "secret"
},
"confidential-port": 0,
"policy-enforcer": {}
}' > ${NEXUS_INSTALL_PATH}/nexus-${NEXUS_VERSION}/etc/keycloak.json
chown -R nexus:nexus $NEXUS_INSTALL_PATH Here is the errors with the setting auth-server-url setting above set to sso.xxx.com. Sorry, the are not the same. I tried changing the redirect to use the nexus.node.consul as I saw local host in the README, but assuming perhaps keycloak was installed on the same server as nexus for the README. IMPORTANT: I did not use the eclipse method of creating the cert as mentioned above. I am trying to keep all services I deploy behind the gateway and use consul for DNS so that users only see the services they have permission for. In case it helps, here is the output of the cert.
I did add the alias entry to the jetty-https.xml file but it did not seem to make a difference and probably because there is only one cert in that keystore. I forgot to include the proxy entry, sorry, but reading some of the other closed issues. Is this perhaps because proxy does not support https?
|
@flytreeleft thanks for your previous answer, I have now the vhost configured and running in openresty (all openidc dependencies installed). But facing an interesting behavior:
This is leading to Nexus not being usable at all Is this the plugin's expected behavior? |
@gbellns2 There should be no problem for proxy with https. The error The NPE error in the You should make sure that |
@LorCub Please provide the log messages of Nexus and Keycloak, maybe there are some errors in the server-end. |
@LorCub @gbellns2 Please try to use nexus3-keycloak-plugin.zip which can log more details. |
Please find the logs after a clean start, both Nexus and Keycloak. clean start and login logs.zip @flytreeleft thanks again for your proactivity |
@flytreeleft I I downloded the zip file, install the jar in the appropriate system/dir. I installed the kar in the I went back to Keycloak and created a new nexus client and the new {
"realm": "realm",
"auth-server-url": "https://sso.xxx.com/auth/",
"ssl-required": "all",
"resource": "nexus",
"verify-token-audience": true,
"credentials": {
"secret": "123xxx"
},
"use-resource-role-mappings": true,
"confidential-port": 0,
"policy-enforcer": {}
} NOTE: I ran across the below in another closed post. Do I need to add this for my proxy: {
...,
"proxy-url": "http://<proxy-username>:<proxy-password>@<proxy-host>:<proxy-port>",
...
} Or would it be more like I am still getting a null pointer exception when I try to add an external role (admin in keycloak) for nexus client. Error is:
Here is what I am seeing in the apache httpd logs.
Not sure what redirect the nexus client in keycloak should be configured to, here is what I have today. |
@gbellns2 Please paste the stack trace which is following the error The |
@LorCub Your configuration should be right, and the user authenticating is OK too. I found the error |
I modified the nexus client to the following. I also tried Attached are the keycloak and nexus logs with redirect url set to In the nexus log, I restarted nexus and tried to sign in with my user name that you will see in the logs. Then I logged in as admin, and tried to map an external role to keycloak. I still must have something off in the config as I see.
When I logged in the first time as admin, I did select disable anonymous. Also, for what it is worth, my Keycloak Realm is mixed case: NS2labs. |
@gbellns2 What's version of the Keycloak? Maybe there is a compatibility problem, because I found the following error message in the Keycloak logs:
|
@flytreeleft Keycloak 13.0.0 is the version I have. I noticed that but thought it was a value I was not setting on the nexus config side. |
I think this error was do to the fact that the mapper I added to the nexus client "groups", I did not set the Token Claim Name to groups. |
@flytreeleft I upgraded keycloak to 15.0.2. I am still seeing the same behavior. Guess I should ask, what Keycloak version have you tested this with? |
@gbellns2 Sorry for reply late, I'm busy on other work, maybe after few days, I will check it more details. |
Hi there,
After following the guide, every auth attempt raises the following:
org.github.flytreeleft.nexus3.keycloak.plugin.ext.auth0.KeycloakAuthenticatingRealm - doGetAuthenticationInfo for username via org.apache.shiro.authc.UsernamePasswordToken: false
We use Keycloak 12 and plugin version 0.5.0. Could it be that this plugin does not support OTPs from Keycloak?
Thanks for checking and keep up the good work!
The text was updated successfully, but these errors were encountered: