[keycloak-dev] Social login provider for Microsoft Live

Stian Thorgersen sthorger at redhat.com
Tue Jan 19 07:54:02 EST 2016


According to
https://msdn.microsoft.com/en-us/library/hh243649.aspx#get_access_rest it
should return an access_token. Then there's
https://msdn.microsoft.com/en-us/library/hh243649.aspx#use_access_rest to
get the user info, but you're right it's being included as a query param
(which is stupid btw).

As they are not doing OIDC I guess you'll have to do a social provider for
it.

On 19 January 2016 at 13:36, Vlastimil Elias <velias at redhat.com> wrote:

>
>
> On 19.1.2016 12:54, Stian Thorgersen wrote:
>
> I wouldn't think it is. OpenID Connect usually is '.../userinfo'. As long
> as '/me' returns json you can use mappers to do whatever you'd like though.
>
>
> But MS Live API /me operation does not accept Bearer Authorization header,
> documentation says access token must be sent as GET param, so it looks like
> User Info URL will not work as it sends Bearer header :-(
>
>
> I tried to use the general OIDC connector but I ended up with
> 13:09:25,763 ERROR [org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider] Failed to make identity provider oauth callback
> org.keycloak.broker.provider.IdentityBrokerException: No access_token from server.
>     at org.keycloak.broker.oidc.OIDCIdentityProvider.verifyAccessToken(OIDCIdentityProvider.java:269)
>     at org.keycloak.broker.oidc.OIDCIdentityProvider.getFederatedIdentity(OIDCIdentityProvider.java:206)
>     at org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider$Endpoint.authResponse(AbstractOAuth2IdentityProvider.java:229)
>
> It is strange, looks like Token URL doesn't return access_token, it only
> returns id_token. Response is like
> {"id_token":"eyJ0eXAiOiJKV1Qi....","id_token_expires_in":86400}
>
> Any idea what may be wrong? Should this id_token be used instead of access
> token? If yes then I can resolve this problem in custom social provider.
>
> Vlastimil
>
>
>
> On 19 January 2016 at 12:22, Vlastimil Elias <velias at redhat.com> wrote:
>
>>
>>
>> On 19.1.2016 12:09, Stian Thorgersen wrote:
>>
>>
>>
>> On 19 January 2016 at 12:06, Vlastimil Elias <velias at redhat.com> wrote:
>>
>>> Hi
>>>
>>> On 19.1.2016 11:52, Stian Thorgersen wrote:
>>>
>>> If you can get it in today or tomorrow (early) we can add it to
>>> 1.8.0.CR2.
>>>
>>>
>>> will try to do this, I will provide a PR against the branch and another
>>> against master
>>>
>>> You should also be able to use the generic OpenID Connect provider.
>>>
>>>
>>> I thought about it, but if I understand it correctly I will not be able
>>> to get user's name, surname and email this way, as it is not provided in
>>> OAuth 2 and it requires another REST call in common social providers.
>>>
>>
>> Do they not have a userinfo endpoint?
>>
>>
>> They have some REST endpoint at /me path, see doc at
>> https://msdn.microsoft.com/en-us/library/hh826534.aspx
>> But I'm not sure if it matches some standard or rules so generic OpenID
>> Connect provider can use it. What is format for UserInfo endpoint to be
>> useful for this provider? Keycloak documentation does not provide any useful
>> info about requirements for this URL (eg link to some specification).
>>
>> Vlastimil
>>
>>
>>
>>>
>>>
>>>
>>> Adding it yourself would require also adding templates in admin theme,
>>> shouldn't be a big deal as you only need that one template and the rest
>>> you'd inherit from Keycloak theme.
>>>
>>>
>>> I see
>>>
>>> Thanks
>>>
>>>
>>>
>>> On 19 January 2016 at 11:10, Vlastimil Elias <velias at redhat.com> wrote:
>>>
>>>> Hi,
>>>>
>>>> I need a Social login provider for Microsoft Live account. I can implement
>>>> it as I did a few other social login providers already.
>>>>
>>>> Problem is that I need it in Keycloak 1.8. Any chance to add it to 1.8
>>>> if I will be quick enough (PR today or tomorrow)? It is OAuth2 based
>>>> provider so impl should be easy.
>>>>
>>>> If not in KC 1.8 release, is it possible to add social provider as
>>>> customization to my KC instance only? It is common provider factory so
>>>> it should be possible I hope, but it also requires some template in
>>>> admin theme, so I'm not sure (probably I have to create my customized
>>>> admin theme in this case).
>>>>
>>>> I definitely prefer to have it in upstream if possible.
>>>>
>>>> Vlastimil
>>>>
>>>> --
>>>> Vlastimil Elias
>>>> Principal Software Engineer
>>>> Developer Portal Engineering Team
>>>>
>>>>
>>>>
>>>> _______________________________________________
>>>> keycloak-dev mailing list
>>>> keycloak-dev at lists.jboss.org
>>>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>>>
>>>
>>>
>>> --
>>> Vlastimil Elias
>>> Principal Software Engineer
>>> Developer Portal Engineering Team
>>>
>>>
>>
>> --
>> Vlastimil Elias
>> Principal Software Engineer
>> Developer Portal Engineering Team
>>
>>
>
> --
> Vlastimil Elias
> Principal Software Engineer
> Developer Portal Engineering Team
>
>
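
Added example (not part of the thread and not Keycloak code): the two ways of presenting an access token discussed above, a strict token-response check that fails on the id_token-only body quoted in the thread, and a redaction helper, since a token carried in the query string ends up in every URL that gets logged. `USERINFO_URL` and all function names are hypothetical, and the sample body is constructed from the shape quoted above.

```python
import json
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Constructed sample: the token-response shape quoted in the thread (value shortened).
ID_TOKEN_ONLY = '{"id_token":"eyJ0eXAiOiJKV1Qi.constructed","id_token_expires_in":86400}'
# Hypothetical endpoint; the real API host is not given in the thread.
USERINFO_URL = "https://api.example.test/me"


class MissingAccessToken(Exception):
    pass


def extract_access_token(body: str) -> str:
    """Return access_token from a token-endpoint JSON body, or raise naming what came back."""
    data = json.loads(body)
    token = data.get("access_token")
    if not isinstance(token, str) or not token:
        present = sorted(k for k in data if k.endswith("token"))
        raise MissingAccessToken(f"No access_token from server (got: {present})")
    return token


def build_userinfo_request(url: str, token: str, style: str):
    """Return (url, headers) for the two ways of presenting the token."""
    if style == "bearer":   # what a generic OIDC client sends
        return url, {"Authorization": f"Bearer {token}"}
    if style == "query":    # what the thread says the /me operation expects
        parts = urlsplit(url)
        query = parse_qsl(parts.query, keep_blank_values=True) + [("access_token", token)]
        return urlunsplit(parts._replace(query=urlencode(query))), {}
    raise ValueError(f"unknown style: {style}")


def redact_token(url: str) -> str:
    """Mask access_token in a URL before it is written to a log line."""
    parts = urlsplit(url)
    query = [(k, "REDACTED" if k == "access_token" else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(query)))
```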