Integrating Keycloak with Spring Boot hit Exception

444 views
Skip to first unread message

james jodan

unread,
Sep 7, 2023, 7:42:16 PM9/7/23
to Keycloak User
I am trying quay.io/keycloak/keycloak:17.0.0. with a resource server running on Spring Boot. With the unsecured keycloak port 8080, token verification is fine. With secured 8443 link, when trying to get access to a resource, I got the following exception,

org.springframework.security.authentication.AuthenticationServiceException: An error occurred while attempting to decode the Jwt: Couldn't retrieve remote JWK set: org.springframework.web.client.ResourceAccessException: I/O error on GET request for "https://192.168.100.10:8443/realms/external/protocol/openid-connect/certs": No subject alternative names present
        at org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationProvider.getJwt(JwtAuthenticationProvider.java:106) ~[spring-security-oauth2-resource-server-6.1.2.jar!/:6.1.2]
        at org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationProvider.authenticate(JwtAuthenticationProvider.java:88) ~[spring-security-oauth2-resource-server-6.1.2.jar!/:6.1.2]
        at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:182) ~[spring-security-core-6.1.2.jar!/:6.1.2]
        at org.springframework.security.oauth2.server.resource.web.authentication.BearerTokenAuthenticationFilter.doFilterInternal(BearerTokenAuthenticationFilter.java:137) ~[spring-security-oauth2-resource-server-6.1.2.jar!/:6.1.2]
 ........

Caused by: java.security.cert.CertificateException: No subject alternative names present
        at java.base/sun.security.util.HostnameChecker.matchIP(HostnameChecker.java:142) ~[na:na]
        at java.base/sun.security.util.HostnameChecker.match(HostnameChecker.java:101) ~[na:na]
        at java.base/sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:458) ~[na:na]
        at java.base/sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:432) ~[na:na]
        at java.base/sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:238) ~[na:na]
        at java.base/sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:132) ~[na:na]
        at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.checkServerCerts(CertificateMessage.java:1341) ~[na:na]

Could anybody help whether this is a configuration issue? I have changed nothing but http to https and 8080 to 8443. 

Thanks,

James

Ajmal Khalil

unread,
Jan 29, 2024, 1:21:45 PMJan 29
to Keycloak User
Hello James, I am getting the same issue. Could you please tell me if you already solved this issue. 

Thanks

Tony Harris

unread,
Jan 29, 2024, 4:46:05 PMJan 29
to Ajmal Khalil, Keycloak User
You are using an IP address to reference an HTTPS endpoint, it can't find a certificate in your keystore to match too. Try using a host name that matches the alias in the keystore

--
You received this message because you are subscribed to the Google Groups "Keycloak User" group.
To unsubscribe from this group and stop receiving emails from it, send an email to keycloak-use...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/keycloak-user/c72eb853-9475-48ca-b213-91d7eb0115d1n%40googlegroups.com.
Reply all
Reply to author
Forward
0 new messages