[keycloak-dev] Social login provider for Microsoft Live

Vlastimil Elias velias at redhat.com
Tue Jan 19 07:36:59 EST 2016



On 19.1.2016 12:54, Stian Thorgersen wrote:
> I wouldn't think it is. OpenID Connect usually is '.../userinfo'. As
> long as '/me' returns json you can use mappers to do whatever you'd
> like though.

But MS Live API /me operation does not accept Bearer Authorization header,
documentation says access token must be sent as GET param, so it looks
like User Info URL will not work as it sends Bearer header :-(


I tried to use general OIDC connector but I ended up with:

13:09:25,763 ERROR [org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider] Failed to make identity provider oauth callback
org.keycloak.broker.provider.IdentityBrokerException: No access_token from server.
    at org.keycloak.broker.oidc.OIDCIdentityProvider.verifyAccessToken(OIDCIdentityProvider.java:269)
    at org.keycloak.broker.oidc.OIDCIdentityProvider.getFederatedIdentity(OIDCIdentityProvider.java:206)
    at org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider$Endpoint.authResponse(AbstractOAuth2IdentityProvider.java:229)

It is strange, looks like Token URL doesn't return access_token, it only
returns id_token. Response is like
{"id_token":"eyJ0eXAiOiJKV1Qi....","id_token_expires_in":86400}

Any idea what may be wrong? Should this id_token be used instead of
access token? If yes then I can resolve this problem in custom social
provider.

Vlastimil

>
> On 19 January 2016 at 12:22, Vlastimil Elias <velias at redhat.com
> <mailto:velias at redhat.com>> wrote:
>
>
>
>     On 19.1.2016 12:09, Stian Thorgersen wrote:
>>
>>
>>     On 19 January 2016 at 12:06, Vlastimil Elias <velias at redhat.com
>>     <mailto:velias at redhat.com>> wrote:
>>
>>         Hi
>>
>>         On 19.1.2016 11:52, Stian Thorgersen wrote:
>>>         If you can get it in today or tomorrow (early) we can add it
>>>         to 1.8.0.CR2.
>>
>>         will try to do this, I will provide PR against branch and
>>         another against master
>>
>>>         You should also be able to use the generic OpenID Connect
>>>         provider.
>>
>>         I thought about it, but if I understand it correctly I will
>>         not be able to get users name, surname and email this way, as
>>         it is not provided in OAuth 2 and it requires another REST
>>         call in common social providers.
>>
>>
>>     Do they not have a userinfo endpoint?
>
>     They have some REST endpoint at /me path, see doc at
>     https://msdn.microsoft.com/en-us/library/hh826534.aspx
>     But I'm not sure if it matches some standard or rules so generic
>     OpenID Connect provider can use it. What is format for UserInfo
>     endpoint to be useful for this provider? Keycloak documentation does
>     not provide any useful info about requirements for this URL (eg
>     link to some specification).
>
>     Vlastimil
>
>>      
>>
>>
>>
>>>
>>>         Adding it yourself would require also adding templates in
>>>         admin theme, shouldn't be a big deal as you only need that
>>>         one template and the rest you'd inherit from Keycloak theme.
>>
>>         I see
>>
>>         Thanks
>>
>>
>>>
>>>         On 19 January 2016 at 11:10, Vlastimil Elias
>>>         <velias at redhat.com <mailto:velias at redhat.com>> wrote:
>>>
>>>             Hi,
>>>
>>>             I need Social login provider for Microsoft Live account.
>>>             I can implement
>>>             it as I did few other social login providers already.
>>>
>>>             Problem is that I need it in Keycloak 1.8. Any chance to
>>>             add it to 1.8
>>>             if I will be quick enough (PR today or tomorrow)? It is
>>>             OAuth2 based
>>>             provider so impl should be easy.
>>>
>>>             If not in KC 1.8 release, is it possible to add social
>>>             provider as
>>>             customization to my KC instance only? It is common
>>>             provider factory so
>>>             it should be possible I hope, but it also requires some
>>>             template in
>>>             admin theme, so I'm not sure (probably I have to create
>>>             my customized
>>>             admin theme in this case).
>>>
>>>             I definitely prefer to have it in upstream if possible.
>>>
>>>             Vlastimil
>>>
>>>             --
>>>             Vlastimil Elias
>>>             Principal Software Engineer
>>>             Developer Portal Engineering Team
>>>
>>>
>>>
>>>             _______________________________________________
>>>             keycloak-dev mailing list
>>>             keycloak-dev at lists.jboss.org
>>>             <mailto:keycloak-dev at lists.jboss.org>
>>>             https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>>
>>>
>>
>>         -- 
>>         Vlastimil Elias
>>         Principal Software Engineer
>>         Developer Portal Engineering Team
>>
>>
>
>     -- 
>     Vlastimil Elias
>     Principal Software Engineer
>     Developer Portal Engineering Team
>
>

-- 
Vlastimil Elias
Principal Software Engineer
Developer Portal Engineering Team
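
Added example (not part of the original message and not Keycloak code): a Python check that inspects a token endpoint response of the shape quoted above, reports a missing access_token, and decodes the id_token claims for inspection without verifying the signature. The issuer `https://idp.example`, the client id `my-client` and the sample token are constructed placeholders.

```python
import base64
import json
import time

def b64url_decode(segment):
    # JWT segments are base64url without padding; restore it first.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def inspect_token_response(body, issuer, client_id, now=None):
    """List problems in a token endpoint JSON response (diagnosis only:
    claims are decoded WITHOUT verifying the id_token signature)."""
    now = time.time() if now is None else now
    resp = json.loads(body)
    findings = []
    if "access_token" not in resp:
        # RFC 6749 section 5.1: access_token is REQUIRED on success.
        findings.append("missing access_token")
    id_token = resp.get("id_token")
    if id_token is None:
        return findings + ["missing id_token"]
    parts = id_token.split(".")
    if len(parts) != 3:
        return findings + ["id_token is not a three-part JWS"]
    try:
        claims = json.loads(b64url_decode(parts[1]))
    except ValueError:  # bad base64, bad UTF-8 or bad JSON
        claims = None
    if not isinstance(claims, dict):
        return findings + ["id_token payload is not a JSON object"]
    aud = claims.get("aud")
    if claims.get("iss") != issuer:
        findings.append("iss mismatch")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        findings.append("aud mismatch")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        findings.append("exp missing or in the past")
    if not claims.get("sub"):
        findings.append("sub missing")
    return findings

def make_sample(claims, access_token=None):
    # Constructed sample in the shape of the quoted response; token is unsigned.
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    resp = {"id_token": ".".join([enc({"typ": "JWT"}), enc(claims), "sig"]),
            "id_token_expires_in": 86400}
    if access_token is not None:
        resp["access_token"] = access_token
    return json.dumps(resp)
```

A broker that accepts identity from the id_token must additionally verify its signature against the provider's published keys; the claim checks here only show what the response contains.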
