Unexpected type of JSON object member with key mtls_endpoint_aliases #174

Open
jsm174 opened this issue Oct 20, 2021 · 13 comments
Labels
area: enhancement 🔧 $$ bug-bounty $$ https://www.jhipster.tech/bug-bounties/ $500 https://www.jhipster.tech/bug-bounties/

Comments

jsm174 commented Oct 20, 2021

When trying to launch the control center via docker-compose, the following error is displayed:

Caused by: org.springframework.beans.BeanInstantiationException: Failed to instantiate [org.springframework.security.oauth2.client.registration.InMemoryReactiveClientRegistrationRepository]: Factory method 'clientRegistrationRepository' threw exception; nested exception is java.lang.IllegalArgumentException: Unable to resolve Configuration with the provided Issuer of "http://keycloak:9080/auth/realms/jhipster"
docker-jhipster-control-center-1  | 	at org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiate(SimpleInstantiationStrategy.java:185)
docker-jhipster-control-center-1  | 	at org.springframework.beans.factory.support.ConstructorResolver.instantiate(ConstructorResolver.java:653)
docker-jhipster-control-center-1  | 	... 40 common frames omitted
docker-jhipster-control-center-1  | Caused by: java.lang.IllegalArgumentException: Unable to resolve Configuration with the provided Issuer of "http://keycloak:9080/auth/realms/jhipster"
docker-jhipster-control-center-1  | 	at org.springframework.security.oauth2.client.registration.ClientRegistrations.getBuilder(ClientRegistrations.java:221)
docker-jhipster-control-center-1  | 	at org.springframework.security.oauth2.client.registration.ClientRegistrations.fromIssuerLocation(ClientRegistrations.java:145)
docker-jhipster-control-center-1  | 	at org.springframework.boot.autoconfigure.security.oauth2.client.OAuth2ClientPropertiesRegistrationAdapter.getBuilderFromIssuerIfPossible(OAuth2ClientPropertiesRegistrationAdapter.java:83)
docker-jhipster-control-center-1  | 	at org.springframework.boot.autoconfigure.security.oauth2.client.OAuth2ClientPropertiesRegistrationAdapter.getClientRegistration(OAuth2ClientPropertiesRegistrationAdapter.java:59)
docker-jhipster-control-center-1  | 	at org.springframework.boot.autoconfigure.security.oauth2.client.OAuth2ClientPropertiesRegistrationAdapter.lambda$getClientRegistrations$0(OAuth2ClientPropertiesRegistrationAdapter.java:53)
docker-jhipster-control-center-1  | 	at java.base/java.util.HashMap.forEach(Unknown Source)
docker-jhipster-control-center-1  | 	at org.springframework.boot.autoconfigure.security.oauth2.client.OAuth2ClientPropertiesRegistrationAdapter.getClientRegistrations(OAuth2ClientPropertiesRegistrationAdapter.java:52)
docker-jhipster-control-center-1  | 	at org.springframework.boot.autoconfigure.security.oauth2.client.reactive.ReactiveOAuth2ClientConfigurations$ReactiveClientRegistrationRepositoryConfiguration.clientRegistrationRepository(ReactiveOAuth2ClientConfigurations.java:56)
docker-jhipster-control-center-1  | 	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
docker-jhipster-control-center-1  | 	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
docker-jhipster-control-center-1  | 	at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
docker-jhipster-control-center-1  | 	at java.base/java.lang.reflect.Method.invoke(Unknown Source)
docker-jhipster-control-center-1  | 	at org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiate(SimpleInstantiationStrategy.java:154)
docker-jhipster-control-center-1  | 	... 41 common frames omitted
docker-jhipster-control-center-1  | Caused by: java.lang.RuntimeException: com.nimbusds.oauth2.sdk.ParseException: Unexpected type of JSON object member with key mtls_endpoint_aliases
docker-jhipster-control-center-1  | 	at org.springframework.security.oauth2.client.registration.ClientRegistrations.parse(ClientRegistrations.java:232)
docker-jhipster-control-center-1  | 	at org.springframework.security.oauth2.client.registration.ClientRegistrations.lambda$oidc$0(ClientRegistrations.java:157)
docker-jhipster-control-center-1  | 	at org.springframework.security.oauth2.client.registration.ClientRegistrations.getBuilder(ClientRegistrations.java:209)
docker-jhipster-control-center-1  | 	... 53 common frames omitted
docker-jhipster-control-center-1  | Caused by: com.nimbusds.oauth2.sdk.ParseException: Unexpected type of JSON object member with key mtls_endpoint_aliases
docker-jhipster-control-center-1  | 	at com.nimbusds.oauth2.sdk.util.JSONObjectUtils.getGeneric(JSONObjectUtils.java:161)
docker-jhipster-control-center-1  | 	at com.nimbusds.oauth2.sdk.util.JSONObjectUtils.getJSONObject(JSONObjectUtils.java:827)
docker-jhipster-control-center-1  | 	at com.nimbusds.oauth2.sdk.as.AuthorizationServerMetadata.parse(AuthorizationServerMetadata.java:2042)
docker-jhipster-control-center-1  | 	at com.nimbusds.openid.connect.sdk.op.OIDCProviderMetadata.parse(OIDCProviderMetadata.java:1362)
docker-jhipster-control-center-1  | 	at org.springframework.security.oauth2.client.registration.ClientRegistrations.parse(ClientRegistrations.java:229)
docker-jhipster-control-center-1  | 	... 55 common frames omitted

The top of the stack trace is misleading, because I was thinking the container couldn't reach the keycloak container. After adding a delay, connecting, and running curl, it definitely can connect:

docker ps
CONTAINER ID   IMAGE                                     COMMAND                   CREATED         STATUS         PORTS                                                                                                NAMES
7970d9c8fa91   jhipster/jhipster-control-center:v0.5.0   "/bin/sh -c 'echo \"`…"   5 seconds ago   Up 4 seconds   127.0.0.1:7419->7419/tcp                                                                             docker-jhipster-control-center-1
79d813a80176   jboss/keycloak:15.0.2                     "/opt/jboss/tools/do…"    6 seconds ago   Up 5 seconds   8080/tcp, 127.0.0.1:9080->9080/tcp, 127.0.0.1:9443->9443/tcp, 8443/tcp, 127.0.0.1:10990->10990/tcp   docker-keycloak-1
➜  ~ docker exec -it 7970d9c8fa91  /bin/bash
root@7970d9c8fa91:/# curl http://keycloak:9080/auth/realms/jhipster
{"realm":"jhipster","public_key":"....","token-service":"http://keycloak:9080/auth/realms/jhipster/protocol/openid-connect","account-service":"http://keycloak:9080/auth/realms/jhipster/account","tokens-not-before":0}
root@7970d9c8fa91:/#

Further down the stack trace:

docker-jhipster-control-center-1  | Caused by: java.lang.RuntimeException: com.nimbusds.oauth2.sdk.ParseException: Unexpected type of JSON object member with key mtls_endpoint_aliases

I think this could be similar to: jhipster/generator-jhipster#15836 (comment)
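Added example (not part of the original issue or the project's code): a small triage helper that walks the `Caused by:` chain in docker-compose output and reports the innermost cause, which is where the real failure in the trace above sits. The log lines are abridged from the trace in this issue; the function names are hypothetical.

```python
import re

# Abridged from the stack trace in this issue (most frames dropped).
SAMPLE_LOG = '''\
docker-jhipster-control-center-1  | Caused by: java.lang.IllegalArgumentException: Unable to resolve Configuration with the provided Issuer of "http://keycloak:9080/auth/realms/jhipster"
docker-jhipster-control-center-1  | \tat org.springframework.security.oauth2.client.registration.ClientRegistrations.getBuilder(ClientRegistrations.java:221)
docker-jhipster-control-center-1  | \t... 41 common frames omitted
docker-jhipster-control-center-1  | Caused by: java.lang.RuntimeException: com.nimbusds.oauth2.sdk.ParseException: Unexpected type of JSON object member with key mtls_endpoint_aliases
docker-jhipster-control-center-1  | \tat org.springframework.security.oauth2.client.registration.ClientRegistrations.parse(ClientRegistrations.java:232)
docker-jhipster-control-center-1  | Caused by: com.nimbusds.oauth2.sdk.ParseException: Unexpected type of JSON object member with key mtls_endpoint_aliases
docker-jhipster-control-center-1  | \tat com.nimbusds.oauth2.sdk.util.JSONObjectUtils.getGeneric(JSONObjectUtils.java:161)
docker-jhipster-control-center-1  | \tat com.nimbusds.oauth2.sdk.as.AuthorizationServerMetadata.parse(AuthorizationServerMetadata.java:2042)
'''

PREFIX = re.compile(r"^\S+\s+\|\s?")                 # docker-compose "service-1  | " prefix
CAUSE = re.compile(r"^Caused by: ([\w.$]+): (.*)$")  # exception class, then message
FRAME = re.compile(r"^\s*at ([\w.$]+)\.[\w$<>]+\(")  # class that owns a stack frame


def cause_chain(log):
    """Return [(exception_class, message, first_frame_class), ...], outermost first."""
    chain = []
    for raw in log.splitlines():
        line = PREFIX.sub("", raw, count=1)
        cause = CAUSE.match(line)
        if cause:
            chain.append([cause.group(1), cause.group(2), None])
        elif chain and chain[-1][2] is None:
            frame = FRAME.match(line)
            if frame:
                chain[-1][2] = frame.group(1)   # frame where this cause was thrown
    return [tuple(entry) for entry in chain]


def triage(log):
    """Summarise the innermost cause; None when the log has no 'Caused by:' lines."""
    chain = cause_chain(log)
    if not chain:
        return None
    cls, msg, frame = chain[-1]
    key = re.search(r'member with key "?([\w.-]+)', msg)
    return {
        "reported": chain[0][1],            # what the top of the trace claims
        "root_exception": cls,
        "root_frame": frame,
        "metadata_key": key.group(1) if key else None,
        # A ParseException means the metadata was fetched and then rejected by the parser.
        "parse_failure": cls.endswith("ParseException"),
    }
```
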

@pascalgrimaud
Member

Oh, I think it's because we didn't upgrade this project, to match with Keycloak 15
Adding a bounty to motivate someone

cc @nassimerrahoui @PierreBesson @avdev4j ?

@pascalgrimaud pascalgrimaud added $$ bug-bounty $$ https://www.jhipster.tech/bug-bounties/ $200 https://www.jhipster.tech/bug-bounties/ area: enhancement 🔧 labels Oct 21, 2021
@nassimerrahoui nassimerrahoui self-assigned this Oct 21, 2021
@nassimerrahoui
Contributor

@pascalgrimaud : I can take this one

@pascalgrimaud pascalgrimaud added $500 https://www.jhipster.tech/bug-bounties/ and removed $200 https://www.jhipster.tech/bug-bounties/ labels Nov 26, 2021
@pascalgrimaud
Member

Increasing the bounty

DDOUP commented Jan 31, 2022

Is somebody working on it?

@nassimerrahoui
Contributor

@DDOUP I was working on it but I didn't have time to continue for the moment. You can take the issue if you want ?

Walnussbaer commented Feb 1, 2022

The solution is simple. In my case the dependency org.springframework.security.oauth::spring-security-oauth2 imported the dependency com.nimbusds::oauth2-oidc-sdk , but a very old version of it, 6. something.

I'm not aware of your project structure here, because I just stumbled across this thread, but if you are using Maven, just do the following:

Update the version of com.nimbusds::oauth2-oidc-sdk in your dependencyManagement tag to version 9.22.2.

Or just import the new version in your dependencies tag.

Then you should be good to go!

@nassimerrahoui
Contributor

@Walnussbaer Thank you for your help ! I will try your solution. The other thing is that we have to update the whole application to get all JHipster dependencies.

Walnussbaer commented Feb 1, 2022

You are welcome, I'm curious whether it works out for you too!

fchiri commented Mar 16, 2022

The problem is in the incompatibility between nimbus-jose-jwt 7.1 and the 9.15. Specifically, the call to the json parser in 7.1 is a JsonObject:
public JSONObject toJSONObject()

in 9.15 is a map:
public Map<String, Object> toJSONObject()

So, nimbus-jose-jwt 9.15 and spring-security-oauth2-jose 5.2.2.RELEASE are incompatible.

The solution is using the 5.4.5 of spring-security-oauth2-jose.

Here the dependencies to add to the pom:

<dependency>
	<groupId>org.springframework.security</groupId>
	<artifactId>spring-security-oauth2-jose</artifactId>
	<version>5.4.5</version>
</dependency>
<dependency>
	<groupId>com.nimbusds</groupId>
	<artifactId>oauth2-oidc-sdk</artifactId>
	<version>9.15</version>
	<scope>runtime</scope>
</dependency>

@floreez237

@fchiri Tried your answer and it was on spot
Thank you very much
Please JHipster should think about updating image so that it can run as this error prevents the image from running with oauth2

@ManjunathRNuvepro

@Walnussbaer Thanks for the help.

com.nimbusds.oauth2.sdk.ParseException: Unexpected type of JSON object member with key "mtls_endpoint_aliases" this issue is resolved as I updated the nimbusds to the 9.34

kanuwana commented Jul 8, 2022

Great thanks! @Walnussbaer (https://github.com/Walnussbaer) It worked.
Simplest solution.
Update the version of com.nimbusds::oauth2-oidc-sdk in your dependencyManagement tag to version 9.22.2 or higher.

@nassimerrahoui nassimerrahoui removed their assignment Sep 14, 2022
MingtaoSun commented Jan 17, 2023

The problem is in the incompatibility between nimbus-jose-jwt 7.1 and the 9.15. Specifically, the call to the json parser in 7.1 is a JsonObject: public JSONObject toJSONObject()

in 9.15 is a map: public Map<String, Object> toJSONObject()

So, nimbus-jose-jwt 9.15 and spring-security-oauth2-jose 5.2.2.RELEASE are incompatible.

The solution is using the 5.4.5 of spring-security-oauth2-jose.

Here the dependencies to add to the pom:

<dependency>
	<groupId>org.springframework.security</groupId>
	<artifactId>spring-security-oauth2-jose</artifactId>
	<version>5.4.5</version>
</dependency>
<dependency>
	<groupId>com.nimbusds</groupId>
	<artifactId>oauth2-oidc-sdk</artifactId>
	<version>9.15</version>
	<scope>runtime</scope>
</dependency>

spring-security-oauth2-jose 5.4.5 (https://mvnrepository.com/artifact/org.springframework.security/spring-security-oauth2-jose/5.4.5) depends on nimbus-jose-jwt 8.20.2, in which the toJSONObject() method still returns a JSONObject.

spring-security-oauth2-jose 5.5 depends on nimbus-jose-jwt 9.8.1, in which the toJSONObject() method returns a Map.

And I recommend using com.nimbusds oauth2-oidc-sdk 9.4, which happens to depend on nimbus-jose-jwt 9.8.1 as well.

<dependency>
	<groupId>com.nimbusds</groupId>
	<artifactId>oauth2-oidc-sdk</artifactId>
	<version>9.4</version>
</dependency>
<dependency>
	<groupId>org.springframework.security</groupId>
	<artifactId>spring-security-oauth2-jose</artifactId>
	<version>5.5.0</version>
</dependency>
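Added example (not from the thread or the project): a check over `mvn dependency:tree` output that flags the combination discussed above, where spring-security-oauth2-jose was built against one `toJSONObject()` return type and the resolved nimbus-jose-jwt provides the other. The sample tree is constructed, the function names are hypothetical, and the major-version rule is an assumption generalised from the four versions named in the comments.

```python
import re

# From the comments above: the nimbus-jose-jwt version each
# spring-security-oauth2-jose release depends on ("5.5" in the thread, 5.5.0 in the pom).
BUILT_AGAINST = {"5.4.5": "8.20.2", "5.5.0": "9.8.1"}

# Constructed `mvn dependency:tree` excerpt for illustration.
SAMPLE_TREE = """\
[INFO] +- org.springframework.security:spring-security-oauth2-jose:jar:5.4.5:compile
[INFO] |  \\- com.nimbusds:nimbus-jose-jwt:jar:9.8.1:compile
[INFO] \\- com.nimbusds:oauth2-oidc-sdk:jar:9.4:runtime
"""

# group:artifact:jar:version:scope as printed by dependency:tree
COORD = re.compile(r"([\w.-]+):([\w.-]+):jar:([\w.-]+):(\w+)")


def resolved(tree):
    """Map 'group:artifact' to the version Maven resolved."""
    return {f"{g}:{a}": v for g, a, v, _scope in COORD.findall(tree)}


def return_type(jwt_version):
    # Assumption: the thread reports JSONObject for 7.1 and 8.20.2 and Map for
    # 9.8.1 and 9.15, so the major version is used as the dividing line.
    return "Map" if int(jwt_version.split(".")[0]) >= 9 else "JSONObject"


def check(tree):
    """Return 'ok', 'mismatch', 'unknown' (release not in the table) or 'incomplete'."""
    deps = resolved(tree)
    jose = deps.get("org.springframework.security:spring-security-oauth2-jose")
    jwt = deps.get("com.nimbusds:nimbus-jose-jwt")
    if jose is None or jwt is None:
        return "incomplete"
    built = BUILT_AGAINST.get(jose)
    if built is None:
        return "unknown"
    return "ok" if return_type(built) == return_type(jwt) else "mismatch"
```
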
