Keycloak Adapter: Unable to invoke request: javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated


Patrick29 Djomo

Jul 6, 2021, 6:18:11 AM7/6/21
to Keycloak User
Hey everyone,

I will describe my setup.
I have a Keycloak Server that is running on a server called connect-test.
I have a Keycloak Adapter (keycloak.json) that has been deployed with my backend running on the same server, connect-test. Every time a request is sent to the backend, the Keycloak Adapter first receives the request, makes an https request to the Keycloak Server to check the user's authorization, and if the user is authorized, the Keycloak Adapter then submits the request to the backend. The backend handles the request and returns the response to the client.

I had a problem: each time I sent a request with a valid access token to the server, the Keycloak Adapter always returned a forbidden response and threw this exception:

[RESTEASY004655: Unable to invoke request: javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated]: javax.ws.rs.ProcessingException: RESTEASY004655: Unable to invoke request: javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
    at org.jboss.restea...@3.12.1.Final//org.jboss.resteasy.client.jaxrs.engines.ApacheHttpClient4Engine.invoke(ApacheHttpClient4Engine.java:327)
    at org.jboss.restea...@3.12.1.Final//org.jboss.resteasy.client.jaxrs.internal.ClientInvocation.invoke(ClientInvocation.java:443)
    at org.jboss.restea...@3.12.1.Final//org.jboss.resteasy.client.jaxrs.internal.proxy.ClientInvoker.invokeSync(ClientInvoker.java:149)
    at org.jboss.restea...@3.12.1.Final//org.jboss.resteasy.client.jaxrs.internal.proxy.ClientInvoker.invoke(ClientInvoker.java:112)
    at org.jboss.restea...@3.12.1.Final//org.jboss.resteasy.client.jaxrs.internal.proxy.ClientProxy.invoke(ClientProxy.java:76)
    at deployment.HamiltonConnectService.war//com.sun.proxy.$Proxy100.grantToken(Unknown Source)
    at deployment.HamiltonConnectService.war//org.keycloak.admin.client.token.TokenManager.grantToken(TokenManager.java:89)
    at deployment.HamiltonConnectService.war//org.keycloak.admin.client.token.TokenManager.getAccessToken(TokenManager.java:69)
    at deployment.HamiltonConnectService.war//org.keycloak.admin.client.token.TokenManager.getAccessTokenString(TokenManager.java:64)
    at deployment.HamiltonConnectService.war//org.keycloak.admin.client.resource.BearerAuthFilter.filter(BearerAuthFilter.java:52)

As it was a certificate issue, I configured the Keycloak adapter with a truststore that includes the certificate of the connect-test server to solve the problem above. I therefore created a truststore (cacerts) file containing the certificate of the connect-test server and added it to the src/main/resources folder.
Here is my keycloak.json file after adding the truststore.

{
  "realm": "Marin",
  "auth-server-url": "https://connect-test.marin.com/auth/",
  "autodetect-bearer-only": true,
  "ssl-required": "all",
  "resource": "connectMerin_71981bedc82a4ef0",
  "verify-token-audience": true,
  "credentials": {
    "secret": "6671f1234-365c-433b-860f-987670f8b414"
  },
  "use-resource-role-mappings": true,
  "truststore": "classpath:/cacerts",
  "truststore-password": "changeit",
  "confidential-port": 0,
  "policy-enforcer": {}
}
After deploying my solution, the Keycloak Adapter no longer throws the previous exception. But when I get a new access token and use it to send requests to the backend, during the first 10 minutes all the requests are handled by the backend and I receive a 200 response for each request. After 10 minutes, however, any request sent to the backend is returned with a forbidden response, even though the access token is still valid for the next two weeks.

Please, is there someone who can help me? I have already tried everything but still have the same problem.

Thanks.
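An added diagnostic, not part of the original post and not Keycloak's own code: the adapter settings above (auth-server-url, realm, resource, verify-token-audience) each correspond to a claim the adapter checks in a bearer token, and a token that works for 10 minutes and then returns 403 is usually worth decoding to see what its exp, iss and aud actually say. The script below decodes a compact JWT without verifying the signature (that needs the realm's RSA public key, which the adapter fetches itself), then reports every reason the posted configuration would reject it. The adapter config dict, the sample token and its timestamps are constructed for this example; the zero-second clock leeway is an assumption (adjust it if your adapter is configured with a time skew).

```python
import base64
import json
import time
from typing import Dict, List, Optional, Tuple

# Constructed stand-in for the posted keycloak.json. The client secret is not
# needed for claim inspection and is deliberately left out.
ADAPTER_CONFIG = {
    "realm": "Marin",
    "auth-server-url": "https://connect-test.marin.com/auth/",
    "resource": "connectMerin_71981bedc82a4ef0",
    "verify-token-audience": True,
}


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding JWTs strip."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def _b64url_encode(obj: dict) -> str:
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def decode_jwt(token: str) -> Tuple[Dict, Dict]:
    """Split a compact JWS and return (header, claims).
    The signature is NOT verified here; only the claims are exposed."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[0])), json.loads(_b64url_decode(parts[1]))


def expected_issuer(config: Dict) -> str:
    """Keycloak issues tokens with iss = <auth-server-url>/realms/<realm>."""
    return config["auth-server-url"].rstrip("/") + "/realms/" + config["realm"]


def check_token(token: str, config: Dict, now: Optional[float] = None) -> List[str]:
    """Return the reasons the posted adapter config would refuse this token.
    An empty list means the claims look acceptable. No clock leeway is applied
    (assumption: adapter configured without a time skew)."""
    now = time.time() if now is None else now
    _header, claims = decode_jwt(token)
    problems: List[str] = []

    iss = claims.get("iss")
    if iss != expected_issuer(config):
        problems.append(f"issuer mismatch: {iss!r} != {expected_issuer(config)!r}")

    exp = claims.get("exp")
    if exp is None or now >= exp:
        problems.append(f"token expired: exp={exp}, now={int(now)}")

    nbf = claims.get("nbf")
    if nbf is not None and now < nbf:
        problems.append(f"token not yet valid: nbf={nbf}, now={int(now)}")

    if config.get("verify-token-audience"):
        # 'aud' may be a single string or a list; the resource must be in it.
        aud = claims.get("aud", [])
        aud_list = [aud] if isinstance(aud, str) else list(aud)
        if config["resource"] not in aud_list:
            problems.append(f"audience {aud_list} does not contain resource {config['resource']!r}")

    return problems


def make_sample_token(claims: Dict) -> str:
    """Build a constructed, UNSIGNED RS256-shaped token for offline testing.
    The third segment is filler, not a real signature."""
    header = {"alg": "RS256", "typ": "JWT", "kid": "constructed-kid"}
    return f"{_b64url_encode(header)}.{_b64url_encode(claims)}.c2lnbmF0dXJl"


# Constructed sample: issued 2021-07-06 00:00:00 UTC, valid for two weeks.
ISSUED_AT = 1625529600
GOOD_CLAIMS = {
    "iss": "https://connect-test.marin.com/auth/realms/Marin",
    "aud": ["connectMerin_71981bedc82a4ef0", "account"],
    "typ": "Bearer",
    "azp": "connectMerin_71981bedc82a4ef0",
    "iat": ISSUED_AT,
    "exp": ISSUED_AT + 14 * 24 * 3600,
}

if __name__ == "__main__":
    token = make_sample_token(GOOD_CLAIMS)
    print("10 min after issue:", check_token(token, ADAPTER_CONFIG, now=ISSUED_AT + 600) or "OK")
    print("after expiry:     ", check_token(token, ADAPTER_CONFIG, now=GOOD_CLAIMS["exp"] + 1))
```

Run it against a real token by replacing the constructed one with the Authorization header value that starts failing after 10 minutes; if check_token reports nothing, the 403 is not coming from the token's own claims. Note also that the stack trace above goes through org.keycloak.admin.client.token.TokenManager.grantToken, which is the Keycloak admin client obtaining its own token from the server, not the adapter validating the caller's bearer token, so the caller's two-week token and the token the admin client holds are two different tokens with two different lifetimes.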