I am using Keycloak for service authentication to generate an access token.

However, I am getting javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target when Keycloak attempts to load URLs from https://example.com/auth/realms/services/.well-known/openid-configuration.

This is from a Spring Boot application connecting to a Keycloak server installed in the OpenShift Container Platform.

Everything works well when I test from the locally installed Keycloak, and I can actually get the properties from https://example.com/auth/realms/services/.well-known/openid-configuration when I run a GET request from a Postman client and/or browser.

My application.properties file has the below configs:

keycloak.realm=services
keycloak.resource=ms-test-service
keycloak.auth-server-url=https://example.com/auth
keycloak.ssl-required=none
keycloak.use-resource-role-mappings=false

Can I override the connection to trust all certs or what's the work around?

James

1 Answer

No, don't try to configure a JDK / JRE to trust all certificates with unknown root authorities.

Two solutions:

  • use a certificate with a trusted root authority for your Keycloak instance at https://example.com/auth (generate one with tools like letsencrypt and then point to it in keycloak.conf)
  • add the self-signed certificate used by the Keycloak instance to the cacerts file of the JRE / JDK your Spring application runs in

For the second option, make sure that the self-signed certificate is not generated on the fly when starting Keycloak (generate this certificate manually and point to it from the conf file).

P.S. n°1

when Keycloak attempts to load URLs from https://example.com/auth/realms/services/.well-known/openid-configuration

It is not Keycloak which sends a request, it is your Spring application which attempts to load the OpenID configuration from Keycloak (the error occurs in the JVM of the Spring app rejecting Keycloak server SSL certificate, not the opposite).

P.S. n°2

You are using the Keycloak adapters for Spring, which were deprecated in early 2022 and aren't compatible with Spring Security 6 / Boot 3. Don't do that. See Use Keycloak Spring Adapter with Spring Boot 3 for alternatives.

ch4mp
  • Thanks. How does the Spring application attempt to load the OpenID configuration from Keycloak? Any specific class/config I can look at? – James Mar 27 '23 at 05:21
  • The error you face has nothing to do with Spring configuration: as stated in my answer, it is a JVM level error. Currently in your app, this call is triggered when initiating the JWT decoder in the WebSecurityConfigurerAdapter (which has been removed in Spring Security 6). With Spring Security 6, the JWT decoder is configured with the security filter-chain bean. – ch4mp Mar 27 '23 at 06:40
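The second option from the answer above (trust the one Keycloak certificate, not every certificate), as an added shell script that is not part of the original question or answer. It fetches the certificate the Keycloak host presents, checks its SHA-256 fingerprint against one obtained out of band (for example from the OpenShift route or the Keycloak admin), and imports it into a dedicated PKCS12 truststore that is handed to the Spring application's JVM with -Djavax.net.ssl.trustStore, which leaves the JDK's cacerts file untouched. The host example.com, port 443, the alias keycloak, the password changeit and the locally generated demo certificate are all placeholders or constructed test data, not values from the original post.

```shell
#!/bin/sh
# Added example (not from the original answer): trust one Keycloak certificate
# via a dedicated Java truststore instead of disabling certificate validation.
# Assumptions: openssl and keytool (from the JDK) are on PATH; the hostname,
# port, alias and password used below are illustrative placeholders.
set -eu

# Fetch the leaf certificate presented by the Keycloak host, as PEM.
# If Keycloak sits behind a private CA, import the CA certificate the
# OpenShift/Keycloak admin gives you instead of the leaf shown here.
fetch_server_cert() {
  host=$1; port=$2; out=$3
  openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null \
    | openssl x509 -outform PEM > "$out"
}

# SHA-256 fingerprint of a PEM certificate as AB:CD:..., with the
# "SHA256 Fingerprint=" / "sha256 Fingerprint=" prefix (varies by OpenSSL version) stripped.
cert_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2 | tr 'a-f' 'A-F'
}

# The certificate arrived over the same untrusted network that just failed
# validation, so refuse to trust it unless its fingerprint matches one you
# obtained out of band. Returns 0 on match, 1 otherwise.
verify_fingerprint() {
  actual=$(cert_fingerprint "$1")
  expected=$(printf '%s' "$2" | tr 'a-f' 'A-F')
  [ "$actual" = "$expected" ]
}

# Import the certificate into a dedicated PKCS12 truststore (created if absent);
# $JAVA_HOME/lib/security/cacerts is not modified.
import_into_truststore() {
  pem=$1; store=$2; alias=$3; pass=$4
  keytool -importcert -noprompt -trustcacerts -alias "$alias" -file "$pem" \
    -keystore "$store" -storetype PKCS12 -storepass "$pass" >/dev/null
}

# Returns 0 if the truststore contains the alias, 1 otherwise (keytool -list
# exits non-zero for an unknown alias).
truststore_contains() {
  keytool -list -keystore "$1" -storepass "$3" -alias "$2" >/dev/null 2>&1
}

# Constructed stand-in for a self-signed Keycloak certificate, for offline testing
# of the functions above without a real server.
make_demo_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=example.com" \
    -keyout "$2" -out "$1" >/dev/null 2>&1
}

# End-to-end flow, run only when pointed at a real host, e.g.:
#   KEYCLOAK_HOST=example.com KEYCLOAK_FP=AB:CD:... sh import-keycloak-cert.sh
if [ -n "${KEYCLOAK_HOST:-}" ]; then
  fetch_server_cert "$KEYCLOAK_HOST" "${KEYCLOAK_PORT:-443}" keycloak.pem
  verify_fingerprint keycloak.pem "${KEYCLOAK_FP:?set KEYCLOAK_FP to the expected SHA-256 fingerprint}" \
    || { echo "fingerprint mismatch: refusing to trust keycloak.pem" >&2; exit 1; }
  import_into_truststore keycloak.pem keycloak-truststore.p12 keycloak changeit
  echo "start the Spring application with:"
  echo "  java -Djavax.net.ssl.trustStore=$PWD/keycloak-truststore.p12 \\"
  echo "       -Djavax.net.ssl.trustStorePassword=changeit -jar app.jar"
fi
```

Two caveats when using this. Setting -Djavax.net.ssl.trustStore replaces the JVM's default truststore rather than extending it, so any public CA the application also needs (other HTTPS APIs, SMTP, etc.) must be imported into the same file; if that is inconvenient, import the certificate into cacerts as the answer suggests. And keycloak.ssl-required=none in the question's application.properties does not relax certificate validation: it only governs whether the adapter insists on HTTPS, while the PKIX error comes from the JVM's trust manager, which is exactly what the truststore above fixes.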