Acosix / alfresco-keycloak

Alfresco addon to provide Keycloak-related extensions / customisations for Repository and Share


Hi Alex,

AFaust opened this issue · comments

Hi Alex,

I have a docker based installation of alfresco community (https://github.com/Alfresco/acs-community-deployment/blob/master/docker-compose/docker-compose.yml) and I am also interested in trying your add-on, since I have a standalone installation of keycloak (version 9.0.3 also with docker).

I have successfully cloned and built both alfresco-keycloak and alfresco-utility and copied both amp files (de.acosix.alfresco.utility.share-1.2.3.amp and de.acosix.alfresco.keycloak.share-1.1.0-rc4.amp) inside my alfresco-share:6.2.1 container (and specifically under /usr/local/tomcat/amps_share/).

However, when I restart the container and I access some_path:8080/share/page/console/admin-console/module-package I only see "Alfresco / Google Docs Share Module".

Am I doing something wrong with the installation?

Also, regarding configuration of alfresco-global.properties and share-config-custom.xml the hyperlinks you have point to other files and I am confused as to which files to change. Also where is the location of these 2 files?

thank you in advance
-Alkis

Originally posted by @ayian2004 in #1 (comment)

Hi @ayian2004

I have split this into a separate issue in order to avoid spamming the original poster of that other issue with updates. It is generally good practice to create new issues unless you have found a non-generic / non-personalised issue that matches your topic. The other issue was generic and personalised ("questions"), so should not be re-opened except by the original poster themselves.

You do not need to clone and build alfresco-utility - it is published to Maven Central. The newest version may not have been available at the time you tried it because I actually had just built a new release this week, and it takes some time to be published.

In order to include the AMPs in a Docker based deployment, you should build a custom Docker image with the modules included AND installed by running the alfresco-mmt tool. It is not correct to install the modules by copying them into an already existing container. You can check documentation in the ACS packaging project about creating customised images.

I have to admit that the documentation of the project has not yet been adapted. The current state is way further along than what the readme states. In order to use the Keycloak module fully/properly, you should install both the Repository- and Share-tier modules, not just the Share ones like you described. You can find some sample configuration files in my integration test setup, and I do hope to find some time in the near- to mid-term future to update the documentation, most definitely before marking version 1.1.0 as GA release instead of a release candidate that it currently is.

Hi @AFaust
Thank you for taking the time to reply to me. I will download the alfresco-utility from Maven Central.

In order to install both AMPs (alfresco-utility and alfresco-keycloak) in my Docker based deployment, I have used this post, where I have:

  1. copied the ../alfresco-keycloak/repository/target/de.acosix.alfresco.keycloak.repo-1.1.0-rc4.amp and ../alfresco-utility/full/repository/target/de.acosix.alfresco.utility.repo-1.2.3.amp AMPs inside the alfresco-content-repository-community:6.2.1-A8 docker container and specifically under /usr/local/tomcat/amps
  2. copied the ../alfresco-keycloak/share/target/de.acosix.alfresco.keycloak.share-1.1.0-rc4.amp and ../alfresco-utility/full/share/target/de.acosix.alfresco.utility.share-1.2.3.amp AMPs inside the alfresco-share:6.2.1 docker container and specifically under /usr/local/tomcat/amps_share
  3. Applied alfresco-content-repository-community AMPs by using the Module Management Tool (/usr/local/tomcat/alfresco-mmt/alfresco-mmt-6.0.jar install /usr/local/tomcat/amps /usr/local/tomcat/webapps/alfresco -directory -nobackup -force) and then restarted the container.
  4. Applied alfresco-share AMPs by using the Module Management Tool (/usr/local/tomcat/alfresco-mmt/alfresco-mmt-6.0.jar install /usr/local/tomcat/amps_share /usr/local/tomcat/webapps/share -directory -nobackup -force) and then restarted the container.

In any case I have managed to install, I think successfully, the alfresco-keycloak module as you can see in the following screenshot, taken from my Alfresco-Share instance.
Alfresco-Keycloak

Hence my next question is, how do I configure it to connect to my own Keycloak installation, using my specific realm, client, secret, etc? Is there a UI to do that? Is there a config file? Any help appreciated.

Finally, in order to create a custom docker image (as you suggested), for which component should I create it? The alfresco-content-repository or the alfresco-share? Or do I have to create two custom images (both alfresco-content-repository and alfresco-share)?

Kind regards
-Alkis

Hi @AFaust,

I have followed the documentation in the ACS packaging project about creating customised images and I have created two custom images: custom-alfresco-repository:0.0.1 and custom-share-repository:0.0.1 using the attached dockerfiles.

custom-alfresco-repository-Dockerfile.txt
custom-share-repository-Dockerfile.txt

I have used these two docker images to launch my Alfresco instance and this is what I got:

Alfresco-custom

Can you tell me what else I need to setup/configure to get a "login with keycloak" button in my Share page (somepath:8080/share)?

Kind regards
-Alkis

Hi Alkis,

I followed the same setup you have and it looks like share is looking for keycloak on local host by default. I would check the docker logs for share to see if it's asking for keycloak on localhost:8180.

Hi @gsharma-jiggzy
I know that I have to configure some files (alfresco-global.properties and share-config-custom.xml) and this is why I have updated the dockerfiles as you can see below:
custom-alfresco-repository-Dockerfile.txt
custom-share-repository-Dockerfile.txt

However, when I start the docker I receive these errors:
custom-alfresco-repository-json.log

Moreover, I wonder whether I can change the Keycloak configuration without having to relaunch the custom-alfresco-repository:0.0.1 and custom-share-repository:0.0.1 images. Can I edit the two files on the go and simply restart the containers?

@AFaust if I change them directly on the docker images, do I need to restart them, or will they pick up the changes automatically?

thank you
-Alkis

You absolutely can change those configuration files in the container (for testing purposes) and restart to have them take effect. I have no idea why that error during startup would come up - it complains about not finding a context file in the keycloak subsystem, but such a file should be there (in webapps/alfresco/WEB-INF/classes/alfresco/subsystems/Authentication/keycloak/) after installing the AMP, specifically the two files from this source tree

Hi @AFaust
I've just looked into my custom-alfresco-repository image and there is no such path webapps/alfresco/WEB-INF/classes/alfresco/subsystems/Authentication. I only have webapps/alfresco/WEB-INF/classes/alfresco/subsystems/googledocs.

Could it be that the AMP wasn't installed successfully?

Just for the sake of the discussion I am also attaching the docker-compose.yml.txt file

I am also including the custom docker projects
custom-share-repository.zip
custom-alfresco-repository.zip

I think that you now have all files to replicate my problem.

Thank you
-Alkis

@ayian2004
I don't think the AMP was installed correctly in the repository docker. I copied your docker build file and I didn't see any jar in /usr/local/tomcat/webapps/alfresco/WEB-INF/lib.

@gsharma-jiggzy
Yes that is what I also observed. However, if you see the amps folder (in the repository docker) and the amps_share folder (in the share docker) they do contain the amps and the dockerfiles also include the command to install AMPs on alfresco (according to the documentation in the ACS packaging project about creating customised images) and that is what puzzles me.
Any help appreciated.
-Alkis
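The thread above checks an AMP installation by hand: looking for jars in WEB-INF/lib and for the subsystems/Authentication/keycloak directory in the exploded webapp. The script below is an added example (not part of alfresco-keycloak or the ACS packaging project) that automates that check against a webapp directory, so it can be run inside a custom image after the alfresco-mmt step from the Dockerfile. It assumes that the Acosix AMPs place a jar named after the AMP artifact id into WEB-INF/lib and that MMT records each module under WEB-INF/classes/alfresco/module/<id>/module.properties (the standard Alfresco module layout); the module id "example-keycloak-module" and the sample directory trees are placeholders constructed for the demo.

```python
"""Verify that the repository AMPs from the thread actually landed in the
exploded alfresco webapp. Added example; assumptions are marked below."""
import os
import tempfile

# Artifact ids of the two repository AMPs named in the thread.
EXPECTED_JAR_PREFIXES = (
    "de.acosix.alfresco.keycloak.repo",
    "de.acosix.alfresco.utility.repo",
)
# Directory the maintainer says must exist after installing the AMP.
KEYCLOAK_SUBSYSTEM = os.path.join(
    "WEB-INF", "classes", "alfresco", "subsystems", "Authentication", "keycloak")


def read_module_properties(path):
    """Parse a module.properties file into a dict (key=value lines only)."""
    props = {}
    with open(path, encoding="utf-8") as fh:
        for line in fh:
            line = line.strip()
            if line and not line.startswith("#") and "=" in line:
                key, value = line.split("=", 1)
                props[key.strip()] = value.strip()
    return props


def check_repo_webapp(webapp_dir):
    """Report which expected jars are missing, whether the keycloak subsystem
    directory exists, and which modules MMT has registered."""
    lib_dir = os.path.join(webapp_dir, "WEB-INF", "lib")
    jars = sorted(os.listdir(lib_dir)) if os.path.isdir(lib_dir) else []
    # Assumption: the installed jar name starts with the AMP artifact id.
    found = {p: [j for j in jars if j.startswith(p) and j.endswith(".jar")]
             for p in EXPECTED_JAR_PREFIXES}
    modules = {}
    module_root = os.path.join(webapp_dir, "WEB-INF", "classes", "alfresco", "module")
    if os.path.isdir(module_root):
        for entry in os.listdir(module_root):
            props_file = os.path.join(module_root, entry, "module.properties")
            if os.path.isfile(props_file):
                props = read_module_properties(props_file)
                modules[props.get("module.id", entry)] = props.get("module.version", "?")
    return {
        "missing_jars": [p for p, hits in found.items() if not hits],
        "keycloak_subsystem_present": os.path.isdir(os.path.join(webapp_dir, KEYCLOAK_SUBSYSTEM)),
        "modules": modules,
    }


def amps_installed(report):
    """True only if every expected jar is present and the subsystem dir exists."""
    return not report["missing_jars"] and report["keycloak_subsystem_present"]


def make_sample_webapp(root, installed):
    """Construct a fake webapp tree. installed=False mimics the stock image
    (only the googledocs subsystem, no jars), installed=True a successful
    MMT run. Placeholder module id, not the project's real one."""
    webapp = os.path.join(root, "webapps", "alfresco")
    os.makedirs(os.path.join(webapp, "WEB-INF", "lib"))
    os.makedirs(os.path.join(webapp, "WEB-INF", "classes", "alfresco", "subsystems", "googledocs"))
    if installed:
        for prefix, version in (("de.acosix.alfresco.keycloak.repo", "1.1.0-rc4"),
                                ("de.acosix.alfresco.utility.repo", "1.2.3")):
            open(os.path.join(webapp, "WEB-INF", "lib", f"{prefix}-{version}.jar"), "w").close()
        os.makedirs(os.path.join(webapp, KEYCLOAK_SUBSYSTEM))
        module_dir = os.path.join(webapp, "WEB-INF", "classes", "alfresco", "module",
                                  "example-keycloak-module")
        os.makedirs(module_dir)
        with open(os.path.join(module_dir, "module.properties"), "w", encoding="utf-8") as fh:
            fh.write("module.id=example-keycloak-module\nmodule.version=1.1.0-rc4\n")
    return webapp


def demo(installed):
    """Build a throwaway sample tree and return its report."""
    with tempfile.TemporaryDirectory() as tmp:
        return check_repo_webapp(make_sample_webapp(tmp, installed))


if __name__ == "__main__":
    for flag in (False, True):
        report = demo(flag)
        print("installed" if amps_installed(report) else "NOT installed", report)
```

On a real container, call check_repo_webapp("/usr/local/tomcat/webapps/alfresco") instead of demo(); a report with a non-empty missing_jars list matches the symptom gsharma-jiggzy describes above (no jars in WEB-INF/lib), and an empty modules dict means MMT never registered anything.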

@ayian2004
I had the same issue with the enterprise edition for latest, I backed down to 6.2.2.1 for the content repository and that was able to load the jars/amps just fine. Try changing docker base image to 6.2.0-ga.

@gsharma-jiggzy
I've tried your suggestion.
However, I have just seen why the amps weren't installed. The reason is that I have the -directory option in the custom-alfresco-repository-Dockerfile.txt resulting in the amps not being installed.

I will check now if I can successfully login with my keycloak credentials

@ayian2004
Ok that makes sense. You might need to fix some keycloak settings to get it to work.

Dear all,
thank you for your support.
After experimenting I have successfully managed to login to Alfresco using the realm/users from Keycloak.
@AFaust Thank you for the component. It works as I wanted.

One last question to @AFaust
Although the app seems to work fine I do get these errors:
alfresco_1 | 2020-09-17T06:37:33.989099517Z 2020-09-17 06:37:33,985 ERROR [security.sync.ChainingUserRegistrySynchronizer] [localhost-startStop-1] Synchronization aborted due to error
alfresco_1 | 2020-09-17T06:37:33.989144078Z org.alfresco.error.AlfrescoRuntimeException: 08170038 Failed to retrieve access token due to HTTP error 401: Unauthorized
alfresco_1 | 2020-09-17T06:37:33.989150840Z at de.acosix.alfresco.keycloak.repo.client.IDMClientImpl.getAccessTokenImpl(IDMClientImpl.java:737)
alfresco_1 | 2020-09-17T06:37:33.989154423Z at de.acosix.alfresco.keycloak.repo.client.IDMClientImpl.getAccessToken(IDMClientImpl.java:672)
alfresco_1 | 2020-09-17T06:37:33.989157437Z at de.acosix.alfresco.keycloak.repo.client.IDMClientImpl.obtainOrRefreshAccessToken(IDMClientImpl.java:612)
alfresco_1 | 2020-09-17T06:37:33.989160420Z at de.acosix.alfresco.keycloak.repo.client.IDMClientImpl.getValidAccessTokenForRequest(IDMClientImpl.java:582)
alfresco_1 | 2020-09-17T06:37:33.989163395Z at de.acosix.alfresco.keycloak.repo.client.IDMClientImpl.processGenericGet(IDMClientImpl.java:442)
alfresco_1 | 2020-09-17T06:37:33.989166329Z at de.acosix.alfresco.keycloak.repo.client.IDMClientImpl.countGroups(IDMClientImpl.java:157)
alfresco_1 | 2020-09-17T06:37:33.989169242Z at de.acosix.alfresco.keycloak.repo.sync.KeycloakUserRegistry.getGroups(KeycloakUserRegistry.java:181)
alfresco_1 | 2020-09-17T06:37:33.989172199Z at org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer.syncWithPlugin(ChainingUserRegistrySynchronizer.java:993)
alfresco_1 | 2020-09-17T06:37:33.989175293Z at org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer.synchronizeInternal(ChainingUserRegistrySynchronizer.java:739)
alfresco_1 | 2020-09-17T06:37:33.989178358Z at org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer.access$15(ChainingUserRegistrySynchronizer.java:474)
alfresco_1 | 2020-09-17T06:37:33.989181400Z at org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer$7.doWork(ChainingUserRegistrySynchronizer.java:2138)
alfresco_1 | 2020-09-17T06:37:33.989184450Z at org.alfresco.repo.security.authentication.AuthenticationUtil.runAs(AuthenticationUtil.java:602)
alfresco_1 | 2020-09-17T06:37:33.989187388Z at org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer.onBootstrap(ChainingUserRegistrySynchronizer.java:2132)
alfresco_1 | 2020-09-17T06:37:33.989190354Z at org.springframework.extensions.surf.util.AbstractLifecycleBean.onApplicationEvent(AbstractLifecycleBean.java:56)
alfresco_1 | 2020-09-17T06:37:33.989193363Z at org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer.onApplicationEvent(ChainingUserRegistrySynchronizer.java:2495)
alfresco_1 | 2020-09-17T06:37:33.989197202Z at org.springframework.context.event.SimpleApplicationEventMulticaster.doInvokeListener(SimpleApplicationEventMulticaster.java:172)
alfresco_1 | 2020-09-17T06:37:33.989200292Z at org.springframework.context.event.SimpleApplicationEventMulticaster.invokeListener(SimpleApplicationEventMulticaster.java:165)
alfresco_1 | 2020-09-17T06:37:33.989203299Z at org.springframework.context.event.SimpleApplicationEventMulticaster.multicastEvent(SimpleApplicationEventMulticaster.java:139)
alfresco_1 | 2020-09-17T06:37:33.989206324Z at org.springframework.context.event.SimpleApplicationEventMulticaster.multicastEvent(SimpleApplicationEventMulticaster.java:127)
alfresco_1 | 2020-09-17T06:37:33.989209323Z at org.alfresco.repo.management.subsystems.ChildApplicationContextFactory$ChildApplicationContext.publishEvent(ChildApplicationContextFactory.java:569)
alfresco_1 | 2020-09-17T06:37:33.989214722Z at org.springframework.context.support.AbstractApplicationContext.finishRefresh(AbstractApplicationContext.java:896)
alfresco_1 | 2020-09-17T06:37:33.989217835Z at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:552)
alfresco_1 | 2020-09-17T06:37:33.989220846Z at org.alfresco.repo.management.subsystems.ChildApplicationContextFactory$ApplicationContextState.start(ChildApplicationContextFactory.java:824)
alfresco_1 | 2020-09-17T06:37:33.989223940Z at org.alfresco.repo.management.subsystems.AbstractPropertyBackedBean.start(AbstractPropertyBackedBean.java:1098)
alfresco_1 | 2020-09-17T06:37:33.989226886Z at org.alfresco.repo.management.subsystems.AbstractPropertyBackedBean.onApplicationEvent(AbstractPropertyBackedBean.java:637)
alfresco_1 | 2020-09-17T06:37:33.989229882Z at org.alfresco.repo.management.SafeApplicationEventMulticaster.multicastEventInternal(SafeApplicationEventMulticaster.java:221)
alfresco_1 | 2020-09-17T06:37:33.989232884Z at org.alfresco.repo.management.SafeApplicationEventMulticaster.multicastEvent(SafeApplicationEventMulticaster.java:186)
alfresco_1 | 2020-09-17T06:37:33.989235851Z at org.alfresco.repo.management.SafeApplicationEventMulticaster.multicastEvent(SafeApplicationEventMulticaster.java:206)
alfresco_1 | 2020-09-17T06:37:33.989238789Z at org.springframework.context.support.AbstractApplicationContext.publishEvent(AbstractApplicationContext.java:402)
alfresco_1 | 2020-09-17T06:37:33.989241724Z at org.springframework.context.support.AbstractApplicationContext.publishEvent(AbstractApplicationContext.java:359)
alfresco_1 | 2020-09-17T06:37:33.989244649Z at org.springframework.context.support.AbstractApplicationContext.finishRefresh(AbstractApplicationContext.java:896)
alfresco_1 | 2020-09-17T06:37:33.989247649Z at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:552)
alfresco_1 | 2020-09-17T06:37:33.989250984Z at org.springframework.web.context.ContextLoader.configureAndRefreshWebApplicationContext(ContextLoader.java:401)
alfresco_1 | 2020-09-17T06:37:33.989253921Z at org.springframework.web.context.ContextLoader.initWebApplicationContext(ContextLoader.java:292)
alfresco_1 | 2020-09-17T06:37:33.989256807Z at org.springframework.web.context.ContextLoaderListener.contextInitialized(ContextLoaderListener.java:103)
alfresco_1 | 2020-09-17T06:37:33.989259729Z at org.alfresco.web.app.ContextLoaderListener.contextInitialized(ContextLoaderListener.java:70)
alfresco_1 | 2020-09-17T06:37:33.989262629Z at org.apache.catalina.core.StandardContext.listenerStart(StandardContext.java:4699)
alfresco_1 | 2020-09-17T06:37:33.989265491Z at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5165)
alfresco_1 | 2020-09-17T06:37:33.989268319Z at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
alfresco_1 | 2020-09-17T06:37:33.989271153Z at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:743)
alfresco_1 | 2020-09-17T06:37:33.989274001Z at org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:129)
alfresco_1 | 2020-09-17T06:37:33.989276821Z at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:150)
alfresco_1 | 2020-09-17T06:37:33.989284266Z at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:140)
alfresco_1 | 2020-09-17T06:37:33.989287259Z at java.base/java.security.AccessController.doPrivileged(Native Method)
alfresco_1 | 2020-09-17T06:37:33.989290078Z at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:717)
alfresco_1 | 2020-09-17T06:37:33.989292894Z at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:714)
alfresco_1 | 2020-09-17T06:37:33.989295703Z at org.apache.catalina.startup.HostConfig.deployDirectory(HostConfig.java:1125)
alfresco_1 | 2020-09-17T06:37:33.989298560Z at org.apache.catalina.startup.HostConfig$DeployDirectory.run(HostConfig.java:1859)
alfresco_1 | 2020-09-17T06:37:33.989301581Z at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:515)
alfresco_1 | 2020-09-17T06:37:33.989304482Z at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
alfresco_1 | 2020-09-17T06:37:33.989307339Z at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
alfresco_1 | 2020-09-17T06:37:33.989310225Z at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
alfresco_1 | 2020-09-17T06:37:33.989313126Z at java.base/java.lang.Thread.run(Thread.java:834)
alfresco_1 | 2020-09-17T06:37:33.996079758Z 2020-09-17 06:37:33,992 WARN [security.sync.ChainingUserRegistrySynchronizer] [localhost-startStop-1] Failed initial synchronize with user registries
alfresco_1 | 2020-09-17T06:37:33.996106990Z org.alfresco.error.AlfrescoRuntimeException: 08170038 Failed to retrieve access token due to HTTP error 401: Unauthorized
alfresco_1 | 2020-09-17T06:37:33.996119425Z at de.acosix.alfresco.keycloak.repo.client.IDMClientImpl.getAccessTokenImpl(IDMClientImpl.java:737)
alfresco_1 | 2020-09-17T06:37:33.996124411Z at de.acosix.alfresco.keycloak.repo.client.IDMClientImpl.getAccessToken(IDMClientImpl.java:672)
alfresco_1 | 2020-09-17T06:37:33.996128805Z at de.acosix.alfresco.keycloak.repo.client.IDMClientImpl.obtainOrRefreshAccessToken(IDMClientImpl.java:612)
alfresco_1 | 2020-09-17T06:37:33.996133149Z at de.acosix.alfresco.keycloak.repo.client.IDMClientImpl.getValidAccessTokenForRequest(IDMClientImpl.java:582)
alfresco_1 | 2020-09-17T06:37:33.996137169Z at de.acosix.alfresco.keycloak.repo.client.IDMClientImpl.processGenericGet(IDMClientImpl.java:442)
alfresco_1 | 2020-09-17T06:37:33.996141331Z at de.acosix.alfresco.keycloak.repo.client.IDMClientImpl.countGroups(IDMClientImpl.java:157)
alfresco_1 | 2020-09-17T06:37:33.996145294Z at de.acosix.alfresco.keycloak.repo.sync.KeycloakUserRegistry.getGroups(KeycloakUserRegistry.java:181)
alfresco_1 | 2020-09-17T06:37:33.996150081Z at org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer.syncWithPlugin(ChainingUserRegistrySynchronizer.java:993)
alfresco_1 | 2020-09-17T06:37:33.996155501Z at org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer.synchronizeInternal(ChainingUserRegistrySynchronizer.java:739)
alfresco_1 | 2020-09-17T06:37:33.996160774Z at org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer.access$15(ChainingUserRegistrySynchronizer.java:474)
alfresco_1 | 2020-09-17T06:37:33.996164582Z at org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer$7.doWork(ChainingUserRegistrySynchronizer.java:2138)
alfresco_1 | 2020-09-17T06:37:33.996174660Z at org.alfresco.repo.security.authentication.AuthenticationUtil.runAs(AuthenticationUtil.java:602)
alfresco_1 | 2020-09-17T06:37:33.996179061Z at org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer.onBootstrap(ChainingUserRegistrySynchronizer.java:2132)
alfresco_1 | 2020-09-17T06:37:33.996183107Z at org.springframework.extensions.surf.util.AbstractLifecycleBean.onApplicationEvent(AbstractLifecycleBean.java:56)
alfresco_1 | 2020-09-17T06:37:33.996187419Z at org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer.onApplicationEvent(ChainingUserRegistrySynchronizer.java:2495)
alfresco_1 | 2020-09-17T06:37:33.996192131Z at org.springframework.context.event.SimpleApplicationEventMulticaster.doInvokeListener(SimpleApplicationEventMulticaster.java:172)
alfresco_1 | 2020-09-17T06:37:33.996196963Z at org.springframework.context.event.SimpleApplicationEventMulticaster.invokeListener(SimpleApplicationEventMulticaster.java:165)
alfresco_1 | 2020-09-17T06:37:33.996201449Z at org.springframework.context.event.SimpleApplicationEventMulticaster.multicastEvent(SimpleApplicationEventMulticaster.java:139)
alfresco_1 | 2020-09-17T06:37:33.996205040Z at org.springframework.context.event.SimpleApplicationEventMulticaster.multicastEvent(SimpleApplicationEventMulticaster.java:127)
alfresco_1 | 2020-09-17T06:37:33.996208850Z at org.alfresco.repo.management.subsystems.ChildApplicationContextFactory$ChildApplicationContext.publishEvent(ChildApplicationContextFactory.java:569)
alfresco_1 | 2020-09-17T06:37:33.996212825Z at org.springframework.context.support.AbstractApplicationContext.finishRefresh(AbstractApplicationContext.java:896)
alfresco_1 | 2020-09-17T06:37:33.996216825Z at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:552)

should I be worried?

thank you

@ayian2004 You should only be worried if you really intended / wanted for Alfresco to actively synch the users / groups from Keycloak. This feature is enabled by default and since I have not documented the various configuration options (yet), you may not have been aware that you need to either disable it or do some additional configuration in Keycloak to make it work properly.

You can disable synchronization by setting keycloak.synchronization.enabled=false either in the global or subsystem properties for the Keycloak subsystem instance. If you want to use synchronization, you need to configure your alfresco client in Keycloak appropriately. This means:

  • setting serviceAccountsEnabled to true
  • ensuring the service account of the client has the roles view-users and view-clients on the client realm-management
  • ensuring the service account of the client has the roles manage-account and view-profile on the client account

You can see the service account configuration in the Keycloak realm template that I use for integration tests.
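The comment above lists what the synchronization feature needs on the Keycloak side (serviceAccountsEnabled on the alfresco client, plus four client roles on the service account) and how to switch it off on the Alfresco side (keycloak.synchronization.enabled=false). The script below is an added example, not code from alfresco-keycloak, that checks both against files an administrator already has: a Keycloak realm export and alfresco-global.properties. It assumes the realm was exported with users included, so the service account appears in "users" with a "serviceAccountClientId" field and a "clientRoles" map (the standard export shape); the sample realm and properties text are constructed for the demo and deliberately leave two roles out.

```python
"""Check a Keycloak realm export and alfresco-global.properties for the
synchronization prerequisites named in the thread. Added example."""
import json

# Client roles the service account must hold, per the comment above.
REQUIRED_CLIENT_ROLES = {
    "realm-management": {"view-users", "view-clients"},
    "account": {"manage-account", "view-profile"},
}


def find_client(realm, client_id):
    for client in realm.get("clients", []):
        if client.get("clientId") == client_id:
            return client
    return None


def find_service_account_user(realm, client_id):
    # Assumption: exports with users list the service account this way.
    for user in realm.get("users", []):
        if user.get("serviceAccountClientId") == client_id:
            return user
    return None


def check_service_account(realm, client_id="alfresco"):
    """Return a list of problems; an empty list means every requirement
    from the comment above is met for the given client."""
    problems = []
    client = find_client(realm, client_id)
    if client is None:
        return [f"client '{client_id}' not found in realm"]
    if not client.get("serviceAccountsEnabled", False):
        problems.append("serviceAccountsEnabled is not true")
    user = find_service_account_user(realm, client_id)
    if user is None:
        problems.append("no service account user exported for the client")
        return problems
    granted = user.get("clientRoles", {})
    for target_client, needed in REQUIRED_CLIENT_ROLES.items():
        missing = needed - set(granted.get(target_client, []))
        for role in sorted(missing):
            problems.append(
                f"service account lacks role '{role}' on client '{target_client}'")
    return problems


def synchronization_enabled(properties_text):
    """Read keycloak.synchronization.enabled from properties-file text.
    The comment above says the feature is on by default, so an absent
    key counts as enabled."""
    for line in properties_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep and key.strip() == "keycloak.synchronization.enabled":
            return value.strip().lower() == "true"
    return True


# Constructed sample: service accounts are enabled, but the account is
# missing view-clients and manage-account, so the sync would be rejected.
SAMPLE_REALM = json.loads("""
{
  "realm": "example",
  "clients": [
    {"clientId": "alfresco", "serviceAccountsEnabled": true}
  ],
  "users": [
    {
      "username": "service-account-alfresco",
      "serviceAccountClientId": "alfresco",
      "clientRoles": {
        "realm-management": ["view-users"],
        "account": ["view-profile"]
      }
    }
  ]
}
""")

# Constructed alfresco-global.properties fragment with sync switched off.
SAMPLE_PROPERTIES = "keycloak.synchronization.enabled=false\n"

if __name__ == "__main__":
    for problem in check_service_account(SAMPLE_REALM):
        print("problem:", problem)
    print("synchronization enabled:", synchronization_enabled(SAMPLE_PROPERTIES))
```

Run it against a real export with json.load(open("realm-export.json")) and the properties file's contents; a 401 Unauthorized like the one in the log above is consistent with any of the reported problems, while a clean report plus synchronization_enabled() returning False means the feature is simply off and the startup warning should not appear.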

Hi @AFaust
I am coming back, because I think that my Keycloak/Alfresco integration didn't work as planned, meaning that I am actually still not able to login using Keycloak users. I am attaching the log file. Hopefully you can help.
My application is facing the www, through a self-signed certificate from Let's Encrypt. If that is relevant...

ERROR [repo.authentication.KeycloakAuthenticationComponent] [http-nio-8080-exec-1] Error authenticating against Keycloak - unexpected IO exception
javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
at java.base/sun.security.ssl.SSLSessionImpl.getPeerCertificates(SSLSessionImpl.java:526)
at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:113)
at org.apache.http.conn.ssl.SSLSocketFactory.verifyHostname(SSLSocketFactory.java:577)
at org.apache.http.conn.ssl.SSLSocketFactory.createLayeredSocket(SSLSocketFactory.java:571)
at de.acosix.alfresco.keycloak.repo.deps.keycloak.adapters.SniSSLSocketFactory.createLayeredSocket(SniSSLSocketFactory.java:119)
at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:554)
at de.acosix.alfresco.keycloak.repo.deps.keycloak.adapters.SniSSLSocketFactory.connectSocket(SniSSLSocketFactory.java:114)
at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:415)
at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:180)
at org.apache.http.impl.conn.AbstractPoolEntry.open(AbstractPoolEntry.java:144)
at org.apache.http.impl.conn.AbstractPooledConnAdapter.open(AbstractPooledConnAdapter.java:134)
at org.apache.http.impl.client.DefaultRequestDirector.tryConnect(DefaultRequestDirector.java:605)
at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:440)
at org.apache.http.impl.client.AbstractHttpClient.doExecute(AbstractHttpClient.java:835)
at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:83)
at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:108)
at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:56)
at de.acosix.alfresco.keycloak.repo.authentication.KeycloakAuthenticationComponent.getAccessTokenImpl(KeycloakAuthenticationComponent.java:487)
at de.acosix.alfresco.keycloak.repo.authentication.KeycloakAuthenticationComponent.authenticateImpl(KeycloakAuthenticationComponent.java:319)
at org.alfresco.repo.security.authentication.AbstractAuthenticationComponent.authenticate(AbstractAuthenticationComponent.java:169)
at org.alfresco.repo.security.authentication.AuthenticationServiceImpl.authenticate(AuthenticationServiceImpl.java:138)
at de.acosix.alfresco.keycloak.repo.authentication.KeycloakAuthenticationServiceImpl.authenticate(KeycloakAuthenticationServiceImpl.java:99)
at org.alfresco.repo.security.authentication.AbstractChainingAuthenticationService.authenticate(AbstractChainingAuthenticationService.java:208)
at jdk.internal.reflect.GeneratedMethodAccessor691.invoke(Unknown Source)
at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.base/java.lang.reflect.Method.invoke(Method.java:566)
at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:343)
at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:198)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:163)
at net.sf.acegisecurity.intercept.method.aopalliance.MethodSecurityInterceptor.invoke(MethodSecurityInterceptor.java:80)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:186)
at org.alfresco.repo.security.permissions.impl.ExceptionTranslatorMethodInterceptor.invoke(ExceptionTranslatorMethodInterceptor.java:53)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:186)
at org.alfresco.repo.audit.AuditMethodInterceptor.invoke(AuditMethodInterceptor.java:166)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:186)
at org.springframework.transaction.interceptor.TransactionAspectSupport.invokeWithinTransaction(TransactionAspectSupport.java:295)
at org.springframework.transaction.interceptor.TransactionInterceptor.invoke(TransactionInterceptor.java:98)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:186)
at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:212)
at com.sun.proxy.$Proxy84.authenticate(Unknown Source)
at org.alfresco.repo.web.scripts.bean.AbstractLoginBean.login(AbstractLoginBean.java:86)
at org.alfresco.repo.web.scripts.bean.LoginPost.executeImpl(LoginPost.java:79)
at org.springframework.extensions.webscripts.DeclarativeWebScript.executeImpl(DeclarativeWebScript.java:235)
at org.springframework.extensions.webscripts.DeclarativeWebScript.execute(DeclarativeWebScript.java:64)
at org.alfresco.repo.web.scripts.RepositoryContainer$3.execute(RepositoryContainer.java:527)
at org.alfresco.repo.transaction.RetryingTransactionHelper.doInTransaction(RetryingTransactionHelper.java:450)
at org.alfresco.repo.web.scripts.RepositoryContainer.transactionedExecute(RepositoryContainer.java:595)
at org.alfresco.repo.web.scripts.RepositoryContainer.transactionedExecuteAs(RepositoryContainer.java:664)
at org.alfresco.repo.web.scripts.RepositoryContainer.executeScriptInternal(RepositoryContainer.java:362)
at org.alfresco.repo.web.scripts.RepositoryContainer.executeScript(RepositoryContainer.java:315)
at de.acosix.alfresco.utility.repo.web.scripts.TenantExtensibilityContainer.executeScript(TenantExtensibilityContainer.java:206)
at org.springframework.extensions.webscripts.AbstractRuntime.executeScript(AbstractRuntime.java:399)
at org.springframework.extensions.webscripts.AbstractRuntime.executeScript(AbstractRuntime.java:210)
at org.springframework.extensions.webscripts.servlet.WebScriptServlet.service(WebScriptServlet.java:132)
at org.alfresco.repo.web.scripts.AlfrescoWebScriptServlet.service(AlfrescoWebScriptServlet.java:43)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:741)
at jdk.internal.reflect.GeneratedMethodAccessor442.invoke(Unknown Source)
at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.base/java.lang.reflect.Method.invoke(Method.java:566)
at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:282)
at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:279)
at java.base/java.security.AccessController.doPrivileged(Native Method)
at java.base/javax.security.auth.Subject.doAsPrivileged(Subject.java:550)
at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:314)
at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:170)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:225)
at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:47)
at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:149)
at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:145)
at java.base/java.security.AccessController.doPrivileged(Native Method)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:144)
at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
at jdk.internal.reflect.GeneratedMethodAccessor438.invoke(Unknown Source)
at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.base/java.lang.reflect.Method.invoke(Method.java:566)
at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:282)
at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:279)
at java.base/java.security.AccessController.doPrivileged(Native Method)
at java.base/javax.security.auth.Subject.doAsPrivileged(Subject.java:550)
at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:314)
at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:253)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:191)
at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:47)
at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:149)
at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:145)
at java.base/java.security.AccessController.doPrivileged(Native Method)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:144)
at org.alfresco.module.aosmodule.service.ContextRootFilter.doFilter(ContextRootFilter.java:93)
at jdk.internal.reflect.GeneratedMethodAccessor438.invoke(Unknown Source)
at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.base/java.lang.reflect.Method.invoke(Method.java:566)
at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:282)
at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:279)
at java.base/java.security.AccessController.doPrivileged(Native Method)
at java.base/javax.security.auth.Subject.doAsPrivileged(Subject.java:550)
at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:314)
at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:253)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:191)
at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:47)
at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:149)
at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:145)
at java.base/java.security.AccessController.doPrivileged(Native Method)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:144)
at org.alfresco.web.app.servlet.GlobalLocalizationFilter.doFilter(GlobalLocalizationFilter.java:68)
at jdk.internal.reflect.GeneratedMethodAccessor438.invoke(Unknown Source)
at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.base/java.lang.reflect.Method.invoke(Method.java:566)
at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:282)
at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:279)
at java.base/java.security.AccessController.doPrivileged(Native Method)
at java.base/javax.security.auth.Subject.doAsPrivileged(Subject.java:550)
at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:314)
at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:253)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:191)
at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:47)
at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:149)
at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:145)
at java.base/java.security.AccessController.doPrivileged(Native Method)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:144)
at org.alfresco.web.app.servlet.ClearSecurityContextFilter.doFilter(ClearSecurityContextFilter.java:53)
at jdk.internal.reflect.GeneratedMethodAccessor438.invoke(Unknown Source)
at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.base/java.lang.reflect.Method.invoke(Method.java:566)
at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:282)
at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:279)
at java.base/java.security.AccessController.doPrivileged(Native Method)
at java.base/javax.security.auth.Subject.doAsPrivileged(Subject.java:550)
at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:314)
at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:253)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:191)
at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:47)
at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:149)
at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:145)
at java.base/java.security.AccessController.doPrivileged(Native Method)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:144)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:199)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:493)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:137)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:81)
at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:660)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343)
at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:798)
at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)
at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:808)
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1498)
at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.base/java.lang.Thread.run(Thread.java:834)

Certificates by Let's Encrypt are not self-signed - they are properly signed. From the stack trace it clearly appears that the peer (Keycloak) does not provide a certificate that can be properly authenticated. That may be because the URL used to call Keycloak does not use the same host as is present in the certificate.
Are you using the directAuthHost setting? Do you by any chance override the Java system property for the default (cacerts) truststore? Is Keycloak itself doing SSL termination or are you routing through an SSL-terminating HTTP proxy? Can you access the Keycloak UI with a browser and without any warnings about SSL issues?
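To check the two things asked about above (does the JVM's default truststore accept the chain, and is the host used for the direct-auth call actually named in the certificate), here is an added diagnostic; it is not part of alfresco-keycloak or Alfresco, and the host name `keycloak.example.org`, port 443 and the class name are placeholders for the host configured in `keycloak.authentication.directAuthHost`.

```java
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.List;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

/**
 * Hypothetical diagnostic, not part of alfresco-keycloak: handshakes with the host the
 * Repository would use for direct authentication using the JVM's default trust material
 * (cacerts unless javax.net.ssl.trustStore is overridden) and reports whether that host
 * name is covered by the server certificate's subject alternative names.
 */
public class KeycloakTlsCheck {
    /** Returns true when host matches a dNSName SAN of the leaf certificate (naive wildcard match). */
    static boolean hostCoveredBySans(X509Certificate leaf, String host) throws Exception {
        Collection<List<?>> sans = leaf.getSubjectAlternativeNames();
        if (sans == null) return false;
        for (List<?> san : sans) {
            // GeneralName type 2 is dNSName
            if (Integer.valueOf(2).equals(san.get(0))) {
                String dns = String.valueOf(san.get(1));
                System.out.println("  SAN dNSName: " + dns);
                if (dns.equalsIgnoreCase(host) || (dns.startsWith("*.") && host.endsWith(dns.substring(1)))) {
                    return true;
                }
            }
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        // Assumed: the host part of keycloak.authentication.directAuthHost, HTTPS on port 443
        String host = args.length > 0 ? args[0] : "keycloak.example.org";
        SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
        try (SSLSocket socket = (SSLSocket) factory.createSocket(host, 443)) {
            // A raw SSLSocket validates the chain against the truststore but does no hostname check,
            // so a name mismatch shows up in the SAN comparison below rather than as a handshake failure
            socket.startHandshake();
            Certificate[] chain = socket.getSession().getPeerCertificates();
            X509Certificate leaf = (X509Certificate) chain[0];
            System.out.println("Subject: " + leaf.getSubjectX500Principal() + " / Issuer: " + leaf.getIssuerX500Principal());
            boolean covered = hostCoveredBySans(leaf, host);
            System.out.println(covered ? "Host " + host + " is covered by the certificate"
                    : "Host " + host + " is NOT in the SAN list: hostname verification will fail");
        } catch (SSLHandshakeException e) {
            System.out.println("Chain not trusted by the JVM truststore: " + e.getMessage());
        }
    }
}
```

Run it with the same JVM (and the same `-Djavax.net.ssl.trustStore` setting, if any) as the Repository container so the result reflects what the Alfresco side sees.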

Dear @AFaust
Thank you once again for your response and effort to support me. To answer your questions:

  1. Yes I am using the keycloak.authentication.directAuthHost
  2. I am not overriding any Java system properties
  3. SSL termination is done at my nginx reverse proxy
  4. I can access the keycloak UI without any issues

However, and here is the funny thing, minutes after I sent you my initial error stack trace, I realized that the keycloak.adapter.credentials.secret value was wrong!!! After fixing that I managed to authenticate Alfresco through Keycloak, although I keep getting the same error messages:
ERROR [repo.authentication.KeycloakAuthenticationComponent] [http-nio-8080-exec-10] Error authenticating against Keycloak - unexpected IO exception
alfresco_1 | javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
alfresco_1 | at java.base/sun.security.ssl.SSLSessionImpl.getPeerCertificates(SSLSessionImpl.java:526)
alfresco_1 | at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:113)
alfresco_1 | at org.apache.http.conn.ssl.SSLSocketFactory.verifyHostname(SSLSocketFactory.java:577)
alfresco_1 | at org.apache.http.conn.ssl.SSLSocketFactory.createLayeredSocket(SSLSocketFactory.java:571)
.....

However, it seems that I have another issue when I try to create my own custom data list. Can you point me to a location where I can find support to do that? I followed the approaches described:

  1. here https://hub.alfresco.com/t5/alfresco-content-services-forum/custom-datalist-in-alfresco-community-6-2-0-ga/td-p/304158
  2. and here https://docs.alfresco.com/5.2/references/dev-extension-points-data-lists.html
  3. and here https://docs.alfresco.com/6.0/references/dev-extension-points-data-lists.html
  4. and here https://hub.alfresco.com/t5/alfresco-content-services-forum/create-custom-datalist-in-alfresco-community-5-2/m-p/84812#M4783

but it seems that I can't make it right. Any help/support once again much appreciated.

Hmm... how can authentication work when you keep getting that error?

On the data list part: Data lists should be considered a deprecated / defunct feature, and not be relied upon anymore. Though technically still available, it may be removed in a future version. (A nice summary by Jeff Potts: https://ecmarchitect.com/archives/2017/12/02/4305 )

Closing as comment #12 (comment) indicates SSO with Alfresco Share has been achieved. Please reopen if this issue is still relevant somehow and provide an updated comment with any errors that may still persist.