I’m facing issues while trying to configure Apache Zeppelin with Shiro and Keycloak. When I attempt to log in using Keycloak, I receive the following error: Bad token response, error=invalid_grant.
I’m not sure what is failing. I haven’t been able to achieve it with the KeycloakOidcConfiguration library either, so I’m trying it with OidcConfiguration.
I have tried it with this Shiro configuration:
[main]
roleAdminAuthGenerator = org.pac4j.core.authorization.generator.FromAttributesAuthorizationGenerator
sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
securityManager.sessionManager = $sessionManager
securityManager.sessionManager.globalSessionTimeout = 86400000
### OIDC Pac4j Config
oidcConfig = org.pac4j.oidc.config.OidcConfiguration
oidcConfig.withState = false
oidcConfig.discoveryURI = https://mykeycloak.it/realms/zeppelin/.well-known/openid-configuration
oidcConfig.clientAuthenticationMethodAsString = client_secret_basic
oidcConfig.clientId = zeppelin-client
oidcConfig.secret = <zeppelin-secret>
oidcConfig.scope = openid
oidcConfig.useNonce = true
oidcConfig.responseType = code
oidcConfig.logoutUrl = https://mykeycloak.it/auth/realms/zeppelin/protocol/openid-connect/logout
oidcClient = org.pac4j.oidc.client.OidcClient
#oidcConfig.useNonce = true
oidcClient.configuration = $oidcConfig
oidcClient.authorizationGenerator = $roleAdminAuthGenerator
### Pac4J Client Details
clients = org.pac4j.core.client.Clients
requireRoleAdmin = org.pac4j.core.authorization.authorizer.RequireAnyRoleAuthorizer
requireRoleAdmin.elements = admin_role
requireRoleUser = org.pac4j.core.authorization.authorizer.RequireAnyRoleAuthorizer
requireRoleUser.elements = admin_role, user_role
### Pac4j Config
config = org.pac4j.core.config.Config
config.clients = $clients
config.authorizers = admin:$requireRoleAdmin, user:$requireRoleUser
### Pac4jRealm and SecurityFilter
pac4jRealm = io.buji.pac4j.realm.Pac4jRealm
pac4jRealm.principalNameAttribute = preferred_username
pac4jSubjectFactory = io.buji.pac4j.subject.Pac4jSubjectFactory
securityManager.realms = $pac4jRealm
securityManager.subjectFactory = $pac4jSubjectFactory
oidcSecurityFilter = io.buji.pac4j.filter.SecurityFilter
oidcSecurityFilter.clients = oidcClient
oidcSecurityFilter.config = $config
### Ajax Resolvers
ajaxRequestResolver = org.pac4j.core.http.ajax.DefaultAjaxRequestResolver
ajaxRequestResolver.addRedirectionUrlAsHeader = true
oidcClient.ajaxRequestResolver = $ajaxRequestResolver
### Callback Filters
callbackFilter = io.buji.pac4j.filter.CallbackFilter
callbackFilter.defaultUrl = http://172.26.153.118:8088
callbackFilter.config = $config
### Logout Filter
logoutFilter = io.buji.pac4j.filter.LogoutFilter
logoutFilter.localLogout = true
logoutFilter.centralLogout = true
logoutFilter.config = $config
logoutFilter.defaultUrl = https://mykeycloak.it/realms/zeppelin/protocol/openid-connect/logout
clients.callbackUrl = http://172.26.153.118:8088/api/callback
clients.clients = $oidcClient
[urls]
/api/version = anon
/api/callback = callbackFilter
/api/login/logout = logoutFilter
/** = oidcSecurityFilter
Browser error message:
HTTP ERROR 500 javax.servlet.ServletException: org.pac4j.core.exception.TechnicalException: Bad token response, error=invalid_grant
URI: /api/callback
STATUS: 500
MESSAGE: javax.servlet.ServletException: org.pac4j.core.exception.TechnicalException: Bad token response, error=invalid_grant
SERVLET: rest
CAUSED BY: javax.servlet.ServletException: org.pac4j.core.exception.TechnicalException: Bad token response, error=invalid_grant
CAUSED BY: org.pac4j.core.exception.TechnicalException: Bad token response, error=invalid_grant
Log Trace:
TRACE [2024-05-14 10:15:31,768] ({qtp557023567-73} OncePerRequestFilter.java[doFilter]:150) - Filter 'invalidRequest' not yet executed. Executing now.
TRACE [2024-05-14 10:15:31,768] ({qtp557023567-73} PathMatchingFilter.java[pathsMatch]:126) - Attempting to match pattern '/api/version' with current requestURI '/api/callback'...
TRACE [2024-05-14 10:15:31,769] ({qtp557023567-73} PathMatchingFilter.java[pathsMatch]:160) - Pattern [/api/version] matches path [/api/callback] => [false]
TRACE [2024-05-14 10:15:31,769] ({qtp557023567-73} PathMatchingFilter.java[pathsMatch]:138) - Attempting to match pattern '/api/version' with current requestURI '/api/callback'...
TRACE [2024-05-14 10:15:31,769] ({qtp557023567-73} PathMatchingFilter.java[pathsMatch]:160) - Pattern [/api/version] matches path [/api/callback] => [false]
TRACE [2024-05-14 10:15:31,769] ({qtp557023567-73} PathMatchingFilter.java[pathsMatch]:126) - Attempting to match pattern '/api/callback' with current requestURI '/api/callback'...
TRACE [2024-05-14 10:15:31,769] ({qtp557023567-73} PathMatchingFilter.java[pathsMatch]:160) - Pattern [/api/callback] matches path [/api/callback] => [true]
TRACE [2024-05-14 10:15:31,770] ({qtp557023567-73} PathMatchingFilter.java[preHandle]:196) - Current requestURI matches pattern '/api/callback'. Determining filter chain execution...
TRACE [2024-05-14 10:15:31,770] ({qtp557023567-73} PathMatchingFilter.java[isFilterChainContinued]:217) - Filter 'invalidRequest' is enabled for the current request under path '/api/callback' with config [null]. Delegating to subclass implementation for 'onPreHandle' check.
TRACE [2024-05-14 10:15:31,770] ({qtp557023567-73} AdviceFilter.java[doFilterInternal]:133) - Invoked preHandle method. Continuing chain?: [true]
TRACE [2024-05-14 10:15:31,771] ({qtp557023567-73} ProxiedFilterChain.java[doFilter]:64) - Invoking wrapped filter at index [1]
TRACE [2024-05-14 10:15:31,771] ({qtp557023567-73} ThreadContext.java[get]:126) - get() - in thread [qtp557023567-73]
TRACE [2024-05-14 10:15:31,771] ({qtp557023567-73} ThreadContext.java[get]:133) - Retrieved value of type [org.apache.shiro.web.subject.support.WebDelegatingSubject] for key [org.apache.shiro.util.ThreadContext_SUBJECT_KEY] bound to thread [qtp557023567-73]
TRACE [2024-05-14 10:15:31,772] ({qtp557023567-73} DelegatingSubject.java[getSession]:321) - attempting to get session; create = false; session is null = true; session has id = false
TRACE [2024-05-14 10:15:31,922] ({qtp557023567-73} AdviceFilter.java[cleanup]:174) - Successfully invoked afterCompletion method.
DEBUG [2024-05-14 10:15:31,922] ({qtp557023567-73} AdviceFilter.java[cleanup]:194) - Filter execution resulted in an unexpected Exception (not IOException or ServletException as the Filter API recommends). Wrapping in ServletException and propagating.
WARN [2024-05-14 10:15:31,923] ({qtp557023567-73} HttpChannel.java[handleException]:776) - /api/callback
javax.servlet.ServletException: org.pac4j.core.exception.TechnicalException: Bad token response, error=invalid_grant
Does anyone have any suggestions to solve this problem? Thanks,
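Added example, not part of the original post and not code from Zeppelin, Shiro or pac4j: a small lint over the security-relevant keys of the shiro.ini above, flagging an explicitly disabled `state` parameter, a non-HTTPS callback, a callback path with no filter mapping, and Keycloak URLs that do not share the realm base of `discoveryURI`. The finding labels and function names are hypothetical, the sample is constructed from values in the post, and the lint reports configuration hygiene only; it does not by itself identify the cause of `invalid_grant`.

```python
from urllib.parse import urlsplit

# Constructed sample: the security-relevant keys copied from the shiro.ini in the post.
SAMPLE_INI = """\
[main]
oidcConfig.withState = false
oidcConfig.discoveryURI = https://mykeycloak.it/realms/zeppelin/.well-known/openid-configuration
oidcConfig.logoutUrl = https://mykeycloak.it/auth/realms/zeppelin/protocol/openid-connect/logout
logoutFilter.defaultUrl = https://mykeycloak.it/realms/zeppelin/protocol/openid-connect/logout
clients.callbackUrl = http://172.26.153.118:8088/api/callback
[urls]
/api/callback = callbackFilter
"""

def parse_ini(text):
    """Minimal Shiro-style INI reader: {section: {key: value}}; '#' starts a comment line."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1], {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return sections

def lint(text):
    """Return hypothetical finding labels for settings that weaken the OIDC code flow."""
    ini = parse_ini(text)
    main, urls = ini.get("main", {}), ini.get("urls", {})
    findings = []
    if main.get("oidcConfig.withState", "").lower() == "false":
        findings.append("state-disabled")        # callback no longer tied to the login that started it
    callback = urlsplit(main.get("clients.callbackUrl", ""))
    if callback.scheme != "https":
        findings.append("callback-not-https")    # authorization code crosses the network in cleartext
    if urls.get(callback.path) != "callbackFilter":  # filter name as used in the post
        findings.append("callback-path-unmapped")
    # Every Keycloak URL should share the realm base taken from discoveryURI.
    base = main.get("oidcConfig.discoveryURI", "").split("/.well-known/")[0]
    for key in ("oidcConfig.logoutUrl", "logoutFilter.defaultUrl"):
        if key in main and not main[key].startswith(base + "/"):
            findings.append("realm-base-mismatch:" + key)
    return findings

if __name__ == "__main__":
    print("\n".join(lint(SAMPLE_INI)))
```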