Gwojda/keycloakopenid

Error with specific client secret

dhilgarth opened this issue · 0 comments

My client secret is P(0%:5clH8{eu4Xx9g@cPc@X**@h)G]@.

The verifyToken function returns false, nil and the debug log shows ok = false.

In the log of keycloak, I can see this:

024-06-03 16:49:06,156 ERROR [org.keycloak.services] (executor-thread-1) KC-SERVICES0015: Unexpected error when authenticating client: java.lang.IllegalArgumentException: URLDecoder: Illegal hex characters in escape (%) pattern - Error at index 0 in: ":5"
	at java.base/java.net.URLDecoder.decode(URLDecoder.java:237)
	at java.base/java.net.URLDecoder.decode(URLDecoder.java:147)
	at org.keycloak.util.BasicAuthHelper$RFC6749.parseHeader(BasicAuthHelper.java:87)
	at org.keycloak.authentication.authenticators.client.ClientIdAndSecretAuthenticator.authenticateClient(ClientIdAndSecretAuthenticator.java:67)
	at org.keycloak.authentication.ClientAuthenticationFlow.processFlow(ClientAuthenticationFlow.java:72)
	at org.keycloak.authentication.AuthenticationProcessor.authenticateClient(AuthenticationProcessor.java:901)
	at org.keycloak.protocol.oidc.utils.AuthorizeClientUtil.authorizeClient(AuthorizeClientUtil.java:50)
	at org.keycloak.protocol.oidc.endpoints.TokenIntrospectionEndpoint.authorizeClient(TokenIntrospectionEndpoint.java:124)
	at org.keycloak.protocol.oidc.endpoints.TokenIntrospectionEndpoint.introspect(TokenIntrospectionEndpoint.java:77)
	at org.keycloak.protocol.oidc.endpoints.TokenIntrospectionEndpoint$quarkusrestinvoker$introspect_0bb1325243a357cd7bd1081cdfd9564b03f4eef1.invoke(Unknown Source)
	at org.jboss.resteasy.reactive.server.handlers.InvocationHandler.handle(InvocationHandler.java:29)
	at io.quarkus.resteasy.reactive.server.runtime.QuarkusResteasyReactiveRequestContext.invokeHandler(QuarkusResteasyReactiveRequestContext.java:141)
	at org.jboss.resteasy.reactive.common.core.AbstractResteasyReactiveContext.run(AbstractResteasyReactiveContext.java:147)
	at io.quarkus.vertx.core.runtime.VertxCoreRecorder$14.runWith(VertxCoreRecorder.java:582)
	at org.jboss.threads.EnhancedQueueExecutor$Task.run(EnhancedQueueExecutor.java:2513)
	at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1538)
	at org.jboss.threads.DelegatingRunnable.run(DelegatingRunnable.java:29)
	at org.jboss.threads.ThreadLocalResettingRunnable.run(ThreadLocalResettingRunnable.java:29)
	at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)
	at java.base/java.lang.Thread.run(Thread.java:840)
2024-06-03 16:49:06,158 WARN  [org.keycloak.events] (executor-thread-1) type="INTROSPECT_TOKEN_ERROR", realmId="app-infrastructure", clientId="null", userId="null", ipAddress="XXX", error="invalid_client_credentials"
2024-06-03 16:49:06,159 WARN  [org.keycloak.events] (executor-thread-1) type="INTROSPECT_TOKEN_ERROR", realmId="app-infrastructure", clientId="null", userId="null", ipAddress="XXX", error="invalid_request", detail="Authentication failed."

The interesting part:

Unexpected error when authenticating client: java.lang.IllegalArgumentException: URLDecoder: Illegal hex characters in escape (%) pattern - Error at index 0 in: ":5"

And my client secret contains exactly this substring %:5

Is this an issue in how you send that client secret to keycloak? Does it need to be made URL safe first?
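The trace points at the answer: `BasicAuthHelper$RFC6749.parseHeader` URL-decodes the `client_id` and `client_secret` it finds in the Basic header, as RFC 6749 section 2.3.1 requires of clients, so a raw `%` in the secret is read as the start of a percent-escape. The Go program below (an added illustration, not code from the keycloakopenid plugin; the client id is assumed, the secret is the one quoted above) builds the header both ways and runs a decoder modelled on the server side to show why only the form-urlencoded header authenticates.

```go
package main

import (
	"encoding/base64"
	"fmt"
	"net/url"
	"strings"
)

// Constructed credentials: the secret is the one from the issue, the client id is an assumption.
const (
	clientID     = "example-client"
	clientSecret = "P(0%:5clH8{eu4Xx9g@cPc@X**@h)G]@"
)

// naiveBasicAuth is the common shortcut base64("id:secret"): a '%' in the secret reaches the server as a broken escape.
func naiveBasicAuth(id, secret string) string {
	return "Basic " + base64.StdEncoding.EncodeToString([]byte(id+":"+secret))
}

// rfc6749BasicAuth form-urlencodes each part first (RFC 6749 2.3.1), so '%' travels as "%25" and ':' as "%3A".
func rfc6749BasicAuth(id, secret string) string {
	creds := url.QueryEscape(id) + ":" + url.QueryEscape(secret)
	return "Basic " + base64.StdEncoding.EncodeToString([]byte(creds))
}

// parseRFC6749 mirrors the server side seen in the trace: base64-decode, split on the first ':', URL-decode both parts.
func parseRFC6749(header string) (id, secret string, err error) {
	raw, err := base64.StdEncoding.DecodeString(strings.TrimPrefix(header, "Basic "))
	if err != nil {
		return "", "", err
	}
	parts := strings.SplitN(string(raw), ":", 2)
	if len(parts) != 2 {
		return "", "", fmt.Errorf("malformed credentials")
	}
	if id, err = url.QueryUnescape(parts[0]); err != nil {
		return "", "", err
	}
	secret, err = url.QueryUnescape(parts[1])
	return id, secret, err
}

func main() {
	_, _, err := parseRFC6749(naiveBasicAuth(clientID, clientSecret))
	fmt.Println("naive header rejected:", err) // invalid URL escape "%:5", the same bad escape Keycloak reports
	_, s, err := parseRFC6749(rfc6749BasicAuth(clientID, clientSecret))
	fmt.Println("encoded header round-trips:", s == clientSecret, err) // true <nil>
}
```

The same encoding step belongs wherever a client builds the Basic header for Keycloak's token or introspection endpoints; without it any secret containing `%`, `:` or `+` will fail with `invalid_client_credentials`.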