Reputation: 148
I'm trying to implement authentication with Keycloak for my JSF web application. I have already spent many hours on it, but it is still not working. After I log in on the Keycloak login screen, the login in Keycloak works and I can see my session in the Keycloak admin portal. Afterwards I am redirected to my web application. But in my web app I still have no authentication and cannot log in to my web portal. So there seems to be some issue in my settings.
pom.xml:
<pac4jVersion>5.7.0</pac4jVersion>
<bujiVersion>8.0.0</bujiVersion>
<jeePac4jVersion>7.1.0</jeePac4jVersion>
<dependency>
<groupId>io.buji</groupId>
<artifactId>buji-pac4j</artifactId>
<version>${bujiVersion}</version>
</dependency>
<dependency>
<groupId>org.pac4j</groupId>
<artifactId>javaee-pac4j</artifactId>
<version>${jeePac4jVersion}</version>
</dependency>
<dependency>
<groupId>org.pac4j</groupId>
<artifactId>pac4j-javaee</artifactId>
<version>${pac4jVersion}</version>
</dependency>
<dependency>
<groupId>org.pac4j</groupId>
<artifactId>pac4j-core</artifactId>
<version>${pac4jVersion}</version>
</dependency>
<dependency>
<groupId>org.pac4j</groupId>
<artifactId>pac4j-cas</artifactId>
<version>${pac4jVersion}</version>
</dependency>
<dependency>
<groupId>org.pac4j</groupId>
<artifactId>pac4j-saml</artifactId>
<version>${pac4jVersion}</version>
</dependency>
<dependency>
<groupId>org.pac4j</groupId>
<artifactId>pac4j-oidc</artifactId>
<version>${pac4jVersion}</version>
</dependency>
<dependency>
<groupId>org.pac4j</groupId>
<artifactId>pac4j-http</artifactId>
<version>${pac4jVersion}</version>
</dependency>
Here is my shiro.ini:
[main]
# Keycloak
oidcConfig = org.pac4j.oidc.config.OidcConfiguration
oidcConfig.discoveryURI = http://localhost:9009/auth/realms/myapp/.well-known/openid-configuration
oidcConfig.clientId = myapp-frontend
oidcConfig.secret = UMS5aWN4bnJ5Q0ZlOpEdn1tWcHlbx7H0
oidcConfig.clientAuthenticationMethodAsString = client_secret_basic
#oidcConfig.scope = openid
#oidcConfig.useNonce = true
#oidcConfig.responseType = code
oidcConfig.withState = false
oidcConfig.logoutUrl = http://localhost:9009/auth/realms/myapp/protocol/openid-connect/logout
oidcClient = org.pac4j.oidc.client.OidcClient
oidcClient.configuration = $oidcConfig
clients = org.pac4j.core.client.Clients
clients.callbackUrl = http://localhost:8080/myapp/callback
clients.clients = $oidcClient
pac4jRealm = io.buji.pac4j.realm.Pac4jRealm
pac4jRealm.principalNameAttribute = preferred_username
pac4jSubjectFactory = io.buji.pac4j.subject.Pac4jSubjectFactory
securityManager.subjectFactory = $pac4jSubjectFactory
config = org.pac4j.core.config.Config
config.clients = $clients
oidcSecurityFilter = org.pac4j.jee.filter.SecurityFilter
oidcSecurityFilter.config = $config
oidcSecurityFilter.clients = $oidcClient
callbackFilter = org.pac4j.jee.filter.CallbackFilter
callbackFilter.defaultUrl = http://localhost:8080/myapp
callbackFilter.config = $config
ajaxRequestResolver = org.pac4j.core.http.ajax.DefaultAjaxRequestResolver
ajaxRequestResolver.addRedirectionUrlAsHeader = true
oidcClient.ajaxRequestResolver = $ajaxRequestResolver
#logoutFilter = io.buji.pac4j.filter.LogoutFilter
#logoutFilter.defaultUrl = http://localhost:8080/myapp
#logoutFilter.localLogout = true
#logoutFilter.centralLogout = true
#logoutFilter.config = $config
# AuthStrategy
securityManager.realms = $pac4jRealm
# Using default form based security filter org.apache.shiro.web.filter.authc.FormAuthenticationFilter
authc = org.apache.shiro.web.filter.authc.FormAuthenticationFilter
authc.loginUrl = /common/login.jsf
authc.successUrl = /portal/dashboard.jsf
# Redirect to an access denied page if user does not have access rights
#[roles]
#roles.unauthorizedUrl = /common/access-denied.jsf
#perms.unauthorizedUrl = /accessdenied.jsp
anyofpermission = de.dpunkt.myaktion.util.CustomPermissionsAuthorizationFilter
# Protected URLs
[urls]
/callback = callbackFilter
## NO_SECURITY (Rendering)
#/portal/reporting/execution/** = authc, anon
## OTHER
/WEB-INF/layout/portal/** = authc
/portal/** = authc
/admin/** = authc
/community/** = authc
Also, if I try to call http://localhost:8080/myapp/callback directly from my browser,
I get an NPE in org.pac4j.oidc.profile.creator.OidcProfileCreator.create() because getIdToken() is null...
My client in Keycloak has this setup:
I'm using Keycloak version 22. Thanks for any help.
Upvotes: 0
Views: 487
Reputation: 2699
According to the spec, it seems possible not to have an ID token: https://openid.net/specs/openid-connect-core-1_0.html#Authentication
I think we have a bug in pac4j here. I just committed: https://github.com/pac4j/pac4j/commit/24f263d2c1c50683243edd2413b20e365c127237
Can you test with version 5.7.2-SNAPSHOT? (Sonatype snapshots repository)
Upvotes: 0
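The two failures discussed above, an ID token that is absent from the token response and a direct hit on /callback with no code, are both things a relying party has to handle explicitly rather than let surface as a NullPointerException. The following is an added example, written in Python for readability and not code from the question, from pac4j or from Keycloak, of the checks an OpenID Connect client performs on the callback and on the token endpoint's reply: the state check (which the posted shiro.ini switches off with withState = false), presence of id_token, signature, issuer, audience, expiry and nonce, and finally extraction of preferred_username as the principal. Issuer and client ID are taken from the question's shiro.ini; the HS256 demo key, the sample code, state and nonce values, and the claims are constructed so the script runs offline. Keycloak signs ID tokens with RS256 by default, so a real client would verify against the realm's JWKS instead of a shared key.

```python
"""Added example (not from the question or from pac4j): the checks an OIDC
relying party does on the callback and on the token response. HS256 with a
constructed shared key is used only so the demo runs offline; Keycloak uses
RS256 by default, so a real client verifies against the realm's JWKS.
"""
import base64
import hashlib
import hmac
import json
import time

# Values from the question's shiro.ini; the key is constructed for the demo.
ISSUER = "http://localhost:9009/auth/realms/myapp"
CLIENT_ID = "myapp-frontend"
DEMO_KEY = b"demo-hs256-key-not-a-keycloak-secret"


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_id_token(claims: dict, key: bytes = DEMO_KEY) -> str:
    """Mint a demo ID token (HS256) so the verifier below has input to run on."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url_encode(sig)}"


def check_callback(query: dict, expected_state: str) -> str:
    """Validate the redirect to /callback and return the authorization code.

    The state check is what withState = false disables: without it an attacker
    can make the victim's browser finish a login with the attacker's code
    (login CSRF), binding the victim's session to the attacker's account.
    """
    if "error" in query:
        raise ValueError(f"provider returned error: {query['error']}")
    if not hmac.compare_digest(query.get("state", ""), expected_state):
        raise ValueError("state mismatch: callback was not started by this session")
    if "code" not in query:
        raise ValueError("no authorization code in callback (opened /callback directly?)")
    return query["code"]


def verify_id_token(token: str, key: bytes, nonce: str, now: int) -> dict:
    """Verify the signature and the claims OIDC Core 3.1.3.7 requires."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("id_token is not a three-part JWT")
    header_b64, body_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # accept exactly the algorithm we expect
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(key, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(body_b64))
    if claims.get("iss") != ISSUER:
        raise ValueError(f"wrong issuer {claims.get('iss')!r}")
    aud = claims.get("aud")
    if CLIENT_ID not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token not issued for this client")
    if claims.get("exp", 0) <= now:
        raise ValueError("id_token expired")
    if claims.get("nonce") != nonce:
        raise ValueError("nonce mismatch: replayed id_token")
    return claims


def principal_from_token_response(resp: dict, key: bytes, nonce: str, now: int) -> str:
    """Turn the token endpoint's JSON into the principal (preferred_username).

    A missing id_token becomes a clear error here instead of a null dereference
    later; it usually means 'openid' was not among the requested scopes.
    """
    if "id_token" not in resp:
        raise ValueError("token response has no id_token; was 'openid' in the scope?")
    claims = verify_id_token(resp["id_token"], key, nonce, now)
    return claims["preferred_username"]


if __name__ == "__main__":
    now = int(time.time())
    nonce, state = "n-0S6_WzA2Mj", "af0ifjsldkj"  # constructed sample values
    code = check_callback({"code": "SplxlOBeZQQYbYS6WxSbIA", "state": state}, state)
    token = make_id_token({"iss": ISSUER, "aud": CLIENT_ID, "exp": now + 300,
                           "nonce": nonce, "preferred_username": "alice"})
    resp = {"access_token": "opaque", "id_token": token, "token_type": "Bearer"}
    print(code, principal_from_token_response(resp, DEMO_KEY, nonce, now))
```

Running the script prints the sample code and `alice`; removing `id_token` from `resp`, changing the state in the callback query, or passing a different nonce each raises a ValueError naming the failed check, which is the behaviour a practitioner wants from the callback filter instead of an NPE.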