Error with keycloak openid-connect when update to vertx 4


Jonad García San Martín

Feb 5, 2021, 2:43:28 PM2/5/21
to vert.x
(Sorry for my English) - Hello, I am new to vertx and in my current job there is an API developed with vertx. They want to migrate to vertx 4 and assigned me the task. At this moment I am facing an issue with authentication.

I make this call 
OAuth2Auth oauth2 = KeycloakAuth.create(vertx, OAuth2FlowType.PASSWORD, keycloakJson);
oauth2.authenticate(userJson).onSuccess(...).onFailure(...)

it captures this exception:
io.vertx.core.impl.NoStackTraceThrowable: Used is expired.

But the response of keycloak openid-connect/token seems to be OK:

HTTP/1.1 200 OK
Cache-Control: no-store
Set-Cookie: KEYCLOAK_LOCALE=; Version=1; Comment=Expiring cookie; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Max-Age=0; Path=/auth/realms/XXX/; Secure; HttpOnly
Set-Cookie: KC_RESTART=; Version=1; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Max-Age=0; Path=/auth/realms/XXX/; Secure; HttpOnly
X-XSS-Protection: 1; mode=block
Pragma: no-cache
X-Frame-Options: SAMEORIGIN
Referrer-Policy: no-referrer
Date: Wed, 03 Feb 2021 19:21:29 GMT
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
Content-Type: application/json
Content-Length: 2134

"access_token":"ZZZ","expires_in":300,"refresh_expires_in":1800,"refresh_token":"YYY","token_type":"Bearer","not-before-policy":0,"session_state":"6f9dd3a9-91fd-4be5-a139-d81584eddae6","scope":"profile email".

I can't find where and why that exception is thrown.

Thanks for the help.

Lars Mårelius

Feb 5, 2021, 4:17:59 PM2/5/21
to ve...@googlegroups.com
Hi Jonad!

It looks like the token you receive from Keycloak is expired: Expires=Thu, 01-Jan-1970 00:00:10

It might be a matter of configuration of Keycloak and/or the clock settings on the server and/or client.

Sorry for a brief answer but it is hard to say with the little information provided.

/Morre

----
Lars Mårelius <mo...@tentixo.com> direct: +46 70-867 09 01
Tentixo NG AB
Törnbacken 7, 170 67 Solna

Jonad García San Martín

Feb 8, 2021, 2:35:00 AM2/8/21
to vert.x
Thank you for the fast response Lars.

I think that isn't the problem. The "Expires=Thu, 01-Jan-1970 00:00:10" text that you refer to is the expiration of 2 cookies (KEYCLOAK_LOCALE and KC_RESTART, which put the date in the past to delete them). If you look deeper you will see that both access_token and refresh_token have valid expiration times (300 and 1800).

Also, I didn't mention that with vertx 3.9.4 the API receives the same response and works properly. And this is the last log before the error log:
2021-02-08 01:53:22.572 [vert.x-eventloop-thread-7] DEBUG i.v.e.a.oauth2.impl.OAuth2Response.?(?) - New response: statusCode: 200

Please, if you or anyone else in the group needs more information I will give it. I really need help with this because I couldn't find where this error is being thrown and my boss is pushing me to resolve this issue.

Thanks again.

Jonad García San Martín

Feb 10, 2021, 11:54:20 PM2/10/21
to vert.x
Hello Lars,

I found the problem and it was something similar to the cause that you suspected, but not because of the cookie dates that you mentioned (I explained that in my previous comment).

Nobody (except you) answered my question, so I downloaded the code of the vertx-auth-jwt project and searched for the place where that exception was thrown. I found that it was because of a small difference in the clock synchronization between my machine with Windows 10 (where the API developed with vertx was executing) and the server where keycloak is deployed. The difference was minimal, but vertx 4 added a validation that fails if the 2 machines are not synchronized.

A User is created when keycloak sends the OK response (200). But that User is considered expired if it contains an expiration time and the current clock time is past the expiration date, and then it throws that exception.

I fixed the problem by updating the time of my PC automatically over the internet, because it was 1 second greater than the expiration time.

I think this is an error because in the io.vertx.ext.auth.User class there is a method (expired()) that makes the validation and takes into account a property of the User (leeway), and the javadoc says: "Implementations of this interface might relax this rule to account for a leeway to safeguard against clock drifting." But in the case of the keycloak password flow vertx 4 implementation (maybe in others too) that property is leeway = 0.

I think that there must be a way to configure that property. For example, in development I want to set leeway = 2 because I am remote and the connection could be unstable. I live in Cuba, where the connection is slow. I am new to the group. How can I ask one of the vertx developers whether there is any way of doing that?

Thanks for your help.
On Friday, February 5, 2021 at 16:17:59 UTC-5, mo...@tentixo.com wrote:
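A stand-alone model of the validation Jonad describes, added here as an example and not Vert.x's own code: the timestamps a server stamps on a token are checked against a client clock that is off by one second, with and without leeway, and the drift is estimated from the Date header of the token response quoted above. The exact Vert.x rule, the iat/nbf handling, the attribute names and the token timestamps are assumptions made for this example.

```python
import json
from email.utils import parsedate_to_datetime

# Constructed inputs modelled on the thread: the server clock at issue time (taken from the
# response's Date header) and a token whose timestamps are stamped by that server clock.
DATE_HEADER = "Wed, 03 Feb 2021 19:21:29 GMT"
SERVER_NOW = int(parsedate_to_datetime(DATE_HEADER).timestamp())
TOKEN_RESPONSE = json.dumps({"access_token": "ZZZ", "expires_in": 300,
                             "refresh_expires_in": 1800, "token_type": "Bearer"})


def build_user(body, iat, leeway=0):
    """Model of the User built on a 200 reply: absolute timestamps plus a leeway attribute."""
    token = json.loads(body)
    return {"iat": iat, "nbf": iat, "exp": iat + token["expires_in"], "leeway": leeway}


def expired(user, now, leeway=None):
    """Validity-window check (assumed shape): exp already passed, or iat/nbf still in the
    future, each relaxed by `leeway` seconds; leeway defaults to the user's own attribute."""
    lw = user.get("leeway", 0) if leeway is None else leeway
    if "exp" in user and now - lw >= user["exp"]:
        return True
    if "iat" in user and user["iat"] > now + lw:
        return True
    if "nbf" in user and user["nbf"] > now + lw:
        return True
    return False


def clock_skew_seconds(date_header, local_now):
    """Estimate local-minus-server drift from the HTTP Date header (1 s resolution)."""
    server = int(parsedate_to_datetime(date_header).timestamp())
    return local_now - server


def demo(client_offset=-1):
    """Client clock `client_offset` seconds off the server; returns the verdict per leeway."""
    local_now = SERVER_NOW + client_offset
    user = build_user(TOKEN_RESPONSE, iat=SERVER_NOW)
    return {
        "skew": clock_skew_seconds(DATE_HEADER, local_now),
        "leeway_0": expired(user, local_now, 0),
        "leeway_2": expired(user, local_now, 2),
    }
```

With the client one second behind the server, a freshly issued 300-second token is rejected at leeway 0 and accepted at leeway 2; comparing the Date header with the local clock is a cheap way to spot such drift before blaming the token.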

Lars Mårelius

Feb 14, 2021, 3:05:55 PM2/14/21
to ve...@googlegroups.com
Hi Jonad!

Glad you could narrow down the problem. I am not that deep into those parts of the code but I have some general comments:
In any token (JWT/OAuth2) or ticket (Kerberos) security system time synchronisation is very important.
By default in Windows (at least in older versions; there might have been updates) a Kerberos/AD domain could only drift 15 minutes between servers until you got locked out.
I did a quick googling to find if OAuth2 has any standard regarding leeway and found at least a recommendation: 30 seconds.
One should always use NTP with time servers (more than one!) as close as possible to any server's location. That should take care of the drifting problem even if the internet connection is slow. 1 second drift is a lot in NTP.

As with any security system, setting it up with all levels thought through is vital; one does not want to open up for attacks because of mistakes in lower layers.

I do not know how to get a core developer to answer, but I will have a look at this in a week or two when my team starts implementing things with OAuth 2 again.
Feel free to ping me again if you find some good settings and post some code snippet.

/Morre
