[keycloak-dev] Social login provider for Microsoft Live
Vlastimil Elias
velias at redhat.com
Tue Jan 19 10:49:32 EST 2016
Hi
The custom social provider works like a charm; I created PR #2058 for the KC 1.8
branch. I'll provide another PR for the master branch later once the module
re-org is done.
Vlastimil
On 19.1.2016 13:54, Stian Thorgersen wrote:
> According
> to https://msdn.microsoft.com/en-us/library/hh243649.aspx#get_access_rest
> it should return an access_token. Then
> there's https://msdn.microsoft.com/en-us/library/hh243649.aspx#use_access_rest
> to get the user info, but you're right it's being included as a query
> param (which is stupid btw).
:-D
>
> As they are not doing OIDC I guess you'll have to do a social provider
> for it.
>
> On 19 January 2016 at 13:36, Vlastimil Elias <velias at redhat.com
> <mailto:velias at redhat.com>> wrote:
>
> On 19.1.2016 12:54, Stian Thorgersen wrote:
>> I wouldn't think it is. OpenID Connect usually is '.../userinfo'.
>> As long as '/me' returns json you can use mappers to do whatever
>> you'd like though.
>
> But the MS Live API /me operation does not accept a Bearer Authorization
> header; the documentation says the access token must be sent as a GET param,
> so it looks like the User Info URL will not work as it sends a Bearer
> header :-(
>
>
> I tried to use the general OIDC connector but I ended up with
> 13:09:25,763 ERROR [org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider] Failed to make identity provider oauth callback
> org.keycloak.broker.provider.IdentityBrokerException: No access_token from server.
>     at org.keycloak.broker.oidc.OIDCIdentityProvider.verifyAccessToken(OIDCIdentityProvider.java:269)
>     at org.keycloak.broker.oidc.OIDCIdentityProvider.getFederatedIdentity(OIDCIdentityProvider.java:206)
>     at org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider$Endpoint.authResponse(AbstractOAuth2IdentityProvider.java:229)
>
> It is strange; it looks like the Token URL doesn't return an access_token,
> it only returns an id_token. The response is like
> {"id_token":"eyJ0eXAiOiJKV1Qi....","id_token_expires_in":86400}
>
> Any idea what may be wrong? Should this id_token be used instead
> of the access token? If yes, then I can resolve this problem in a custom
> social provider.
>
> Vlastimil
>
>
>>
>> On 19 January 2016 at 12:22, Vlastimil Elias <velias at redhat.com
>> <mailto:velias at redhat.com>> wrote:
>>
>> On 19.1.2016 12:09, Stian Thorgersen wrote:
>>>
>>>
>>> On 19 January 2016 at 12:06, Vlastimil Elias
>>> <velias at redhat.com <mailto:velias at redhat.com>> wrote:
>>>
>>> Hi
>>>
>>> On 19.1.2016 11:52, Stian Thorgersen wrote:
>>>> If you can get it in today or tomorrow (early) we can
>>>> add it to 1.8.0.CR2.
>>>
>>> I will try to do this; I will provide a PR against the branch
>>> and another against master
>>>
>>>> You should also be able to use the generic OpenID
>>>> Connect provider.
>>>
>>> I thought about it, but if I understand it correctly I
>>> will not be able to get the user's name, surname and email
>>> this way, as it is not provided in OAuth 2 and it
>>> requires another REST call in common social providers.
>>>
>>>
>>> Do they not have a userinfo endpoint?
>>
>> They have some REST endpoint at the /me path, see the doc at
>> https://msdn.microsoft.com/en-us/library/hh826534.aspx
>> But I'm not sure if it matches some standard or rules so that the
>> generic OpenID Connect provider can use it. What is the format
>> for the UserInfo endpoint to be useful for this provider?
>> The Keycloak documentation does not provide any useful info about the
>> requirements for this URL (e.g. a link to some specification).
>>
>> Vlastimil
>>
>>>>
>>>> Adding it yourself would also require adding templates
>>>> to the admin theme; it shouldn't be a big deal as you only
>>>> need that one template and the rest you'd inherit from
>>>> the Keycloak theme.
>>>
>>> I see
>>>
>>> Thanks
>>>
>>>
>>>>
>>>> On 19 January 2016 at 11:10, Vlastimil Elias
>>>> <velias at redhat.com <mailto:velias at redhat.com>> wrote:
>>>>
>>>> Hi,
>>>>
>>>> I need a social login provider for Microsoft Live
>>>> accounts. I can implement
>>>> it as I did a few other social login providers already.
>>>>
>>>> The problem is that I need it in Keycloak 1.8. Any
>>>> chance to add it to 1.8
>>>> if I am quick enough (PR today or tomorrow)?
>>>> It is an OAuth2 based
>>>> provider so the impl should be easy.
>>>>
>>>> If not in the KC 1.8 release, is it possible to add a
>>>> social provider as a
>>>> customization to my KC instance only? It is a common
>>>> provider factory so
>>>> it should be possible, I hope, but it also requires
>>>> some template in the
>>>> admin theme, so I'm not sure (probably I have to
>>>> create my own customized
>>>> admin theme in this case).
>>>>
>>>> I definitely prefer to have it in upstream if possible.
>>>>
>>>> Vlastimil
>>>>
>>>> --
>>>> Vlastimil Elias
>>>> Principal Software Engineer
>>>> Developer Portal Engineering Team
>>>>
>>>> _______________________________________________
>>>> keycloak-dev mailing list
>>>> keycloak-dev at lists.jboss.org
>>>> <mailto:keycloak-dev at lists.jboss.org>
>>>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
--
Vlastimil Elias
Principal Software Engineer
Developer Portal Engineering Team
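The custom social provider approach the thread settles on (Live's /me takes the token as a query parameter rather than a Bearer header), as an added example that is not the code of PR #2058 or Keycloak's own Microsoft provider. It assumes the Keycloak 1.8 broker SPI (AbstractOAuth2IdentityProvider, BrokeredIdentityContext, SimpleHttp, Jackson 1.x JsonNode) and takes the Live endpoint URLs and scope names from the MSDN pages linked above; verify both against the release you build against.

```java
import java.net.URLEncoder;
import org.codehaus.jackson.JsonNode;   // assumption: Keycloak 1.8 bundles Jackson 1.x
import org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider;
import org.keycloak.broker.oidc.OAuth2IdentityProviderConfig;
import org.keycloak.broker.provider.BrokeredIdentityContext;
import org.keycloak.broker.provider.IdentityBrokerException;
import org.keycloak.broker.provider.util.SimpleHttp;
import org.keycloak.broker.social.SocialIdentityProvider;

public class MicrosoftLiveIdentityProvider   // hypothetical class name
        extends AbstractOAuth2IdentityProvider<OAuth2IdentityProviderConfig>
        implements SocialIdentityProvider<OAuth2IdentityProviderConfig> {
    // Endpoints and scopes as assumed from the MSDN docs linked in the thread.
    static final String AUTH_URL = "https://login.live.com/oauth20_authorize.srf";
    static final String TOKEN_URL = "https://login.live.com/oauth20_token.srf";
    static final String PROFILE_URL = "https://apis.live.net/v5.0/me";
    static final String DEFAULT_SCOPE = "wl.basic,wl.emails";
    public MicrosoftLiveIdentityProvider(OAuth2IdentityProviderConfig config) {
        super(config);
        config.setAuthorizationUrl(AUTH_URL);
        config.setTokenUrl(TOKEN_URL);
    }
    @Override
    protected String getDefaultScopes() {
        return DEFAULT_SCOPE;
    }
    // Live's /me ignores "Authorization: Bearer", so the token travels in the query string.
    @Override
    protected BrokeredIdentityContext doGetFederatedIdentity(String accessToken) {
        JsonNode profile;
        try {
            // Never log this URL: it carries the access token and would land in the server log.
            String url = PROFILE_URL + "?access_token=" + URLEncoder.encode(accessToken, "UTF-8");
            profile = SimpleHttp.doGet(url).asJson();
        } catch (Exception e) {
            throw new IdentityBrokerException("Could not obtain user profile from Microsoft Live", e);
        }
        String id = getJsonProperty(profile, "id");
        if (id == null) throw new IdentityBrokerException("Microsoft Live /me returned no user id");
        BrokeredIdentityContext user = new BrokeredIdentityContext(id);
        user.setUsername(id);   // stable Live id; the display name is not unique
        user.setFirstName(getJsonProperty(profile, "first_name"));
        user.setLastName(getJsonProperty(profile, "last_name"));
        String email = profile.path("emails").path("preferred").getTextValue();
        if (email != null) user.setEmail(email);
        user.setIdpConfig(getConfig());
        user.setIdp(this);
        return user;
    }
}
```

The base class still extracts access_token from the token response and raises IdentityBrokerException when it is absent, so the id_token-only response seen with the generic OIDC provider surfaces as a clear error here rather than a failed /me call.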