<div dir="ltr">According to <a href="https://msdn.microsoft.com/en-us/library/hh243649.aspx#get_access_rest">https://msdn.microsoft.com/en-us/library/hh243649.aspx#get_access_rest</a> it should return an access_token. Then there's <a href="https://msdn.microsoft.com/en-us/library/hh243649.aspx#use_access_rest">https://msdn.microsoft.com/en-us/library/hh243649.aspx#use_access_rest</a> to get the user info, but you're right it's being included as a query param (which is stupid btw).<div><br></div><div>As they are not doing OIDC I guess you'll have to do a social provider for it.</div></div><div class="gmail_extra"><br><div class="gmail_quote">On 19 January 2016 at 13:36, Vlastimil Elias <span dir="ltr">&lt;<a href="mailto:velias@redhat.com" target="_blank">velias@redhat.com</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF"><span class="">
<br>
<br>
<div>On 19.1.2016 12:54, Stian Thorgersen
wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">I wouldn't think it is. OpenID Connect usually is
'.../userinfo'. As long as '/me' returns json you can use
mappers to do whatever you'd like though.</div>
</blockquote>
<br></span>
But the MS Live API /me operation does not accept the Bearer Authorization
header, the documentation says the access token must be sent as a GET param,
so it looks like the User Info URL will not work as it sends the Bearer
header :-(<br>
<br>
<br>
I tried to use the general OIDC connector but I ended up with<br>
13:09:25,763 ERROR
[org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider] Failed to
make identity provider oauth callback<br>
org.keycloak.broker.provider.IdentityBrokerException: No
access_token from server.<br>
at
org.keycloak.broker.oidc.OIDCIdentityProvider.verifyAccessToken(OIDCIdentityProvider.java:269)<br>
at
org.keycloak.broker.oidc.OIDCIdentityProvider.getFederatedIdentity(OIDCIdentityProvider.java:206)<br>
at
org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider$Endpoint.authResponse(AbstractOAuth2IdentityProvider.java:229)<br>
<br>
It is strange, it looks like the Token URL doesn't return access_token, it
only returns id_token. The response is like<br>
{"id_token":"eyJ0eXAiOiJKV1Qi....","id_token_expires_in":86400}<br>
<br>
Any idea what may be wrong? Should this id_token be used instead of
the access token? If yes then I can resolve this problem in a custom
social provider.<span class="HOEnZb"><font color="#888888"><br>
<br>
Vlastimil</font></span><div><div class="h5"><br>
<br>
<blockquote type="cite">
<div class="gmail_extra"><br>
<div class="gmail_quote">On 19 January 2016 at 12:22, Vlastimil
Elias <span dir="ltr">&lt;<a href="mailto:velias@redhat.com" target="_blank">velias@redhat.com</a>&gt;</span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF"><span> <br>
<br>
<div>On 19.1.2016 12:09, Stian Thorgersen wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr"><br>
<div class="gmail_extra"><br>
<div class="gmail_quote">On 19 January 2016 at
12:06, Vlastimil Elias <span dir="ltr">&lt;<a href="mailto:velias@redhat.com" target="_blank">velias@redhat.com</a>&gt;</span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF"> Hi<span><br>
<br>
<div>On 19.1.2016 11:52, Stian Thorgersen
wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">If you can get it in
today or tomorrow (early) we can add
it to 1.8.0.CR2.</div>
</blockquote>
<br>
</span> will try to do this, I will provide
a PR against the branch and another against
master<span><br>
<br>
<blockquote type="cite">
<div dir="ltr">
<div>You should also be able to use
the generic OpenID Connect provider.</div>
</div>
</blockquote>
<br>
</span> I thought about it, but if I
understand it correctly I will not be able
to get the user's name, surname and email this
way, as it is not provided in OAuth 2 and it
requires another REST call in common social
providers.</div>
</blockquote>
<div><br>
</div>
<div>Do they not have a userinfo endpoint?</div>
</div>
</div>
</div>
</blockquote>
<br>
</span> They have some REST endpoint at /me path, see doc
at <a href="https://msdn.microsoft.com/en-us/library/hh826534.aspx" target="_blank">https://msdn.microsoft.com/en-us/library/hh826534.aspx</a><br>
But I'm not sure if it matches some standard or rules so the <span>generic
OpenID Connect provider can use it. What is the format for the
UserInfo endpoint to be useful for this provider?
Keycloak documentation does not provide any useful info
about requirements for this URL (e.g. a link to some
specification).<span><font color="#888888"><br>
<br>
Vlastimil<br>
</font></span></span>
<div>
<div><br>
<blockquote type="cite">
<div dir="ltr">
<div class="gmail_extra">
<div class="gmail_quote">
<div> </div>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF"><span><br>
<br>
<blockquote type="cite">
<div dir="ltr">
<div><br>
</div>
<div>Adding it yourself would
require also adding templates in
admin theme, shouldn't be a big
deal as you only need that one
template and the rest you'd
inherit from Keycloak theme.</div>
</div>
</blockquote>
<br>
</span> I see<br>
<br>
Thanks
<div>
<div><br>
<br>
<blockquote type="cite">
<div class="gmail_extra"><br>
<div class="gmail_quote">On 19
January 2016 at 11:10, Vlastimil
Elias <span dir="ltr">&lt;<a href="mailto:velias@redhat.com" target="_blank">velias@redhat.com</a>&gt;</span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hi,<br>
<br>
I need a Social login provider
for Microsoft Live account. I
can implement<br>
it as I did a few other social
login providers already.<br>
<br>
Problem is that I need it in
Keycloak 1.8. Any chance to
add it to 1.8<br>
if I will be quick enough (PR
today or tomorrow)? It is
OAuth2 based<br>
provider so impl should be
easy.<br>
<br>
If not in KC 1.8 release, is
it possible to add social
provider as<br>
customization to my KC
instance only? It is common
provider factory so<br>
it should be possible I hope,
but it also requires some
template in<br>
admin theme, so I'm not sure
(probably I have to create my
customized<br>
admin theme in this case).<br>
<br>
I definitely prefer to have it
in upstream if possible.<br>
<span><font color="#888888"><br>
Vlastimil<br>
<br>
--<br>
Vlastimil Elias<br>
Principal Software
Engineer<br>
Developer Portal
Engineering Team<br>
<br>
<br>
<br>
_______________________________________________<br>
keycloak-dev mailing list<br>
<a href="mailto:keycloak-dev@lists.jboss.org" target="_blank">keycloak-dev@lists.jboss.org</a><br>
<a href="https://lists.jboss.org/mailman/listinfo/keycloak-dev" rel="noreferrer" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-dev</a><br>
</font></span></blockquote>
</div>
<br>
</div>
</blockquote>
<br>
<pre cols="72">--
Vlastimil Elias
Principal Software Engineer
Developer Portal Engineering Team</pre>
</div>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</div>
</blockquote>
<br>
<pre cols="72">--
Vlastimil Elias
Principal Software Engineer
Developer Portal Engineering Team</pre>
</div>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</blockquote>
<br>
<pre cols="72">--
Vlastimil Elias
Principal Software Engineer
Developer Portal Engineering Team</pre>
</div></div></div>
</blockquote></div><br></div>
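
The two points this thread turns on, as an added example that is not part of any message and is not Keycloak code: a token response that carries only `id_token` fails the `access_token` check, and a user-info endpoint that wants the token as a GET parameter puts the credential into the URL, so the URL should be masked before it is logged. The endpoint `https://userinfo.example/me`, the sample responses and the function names are assumptions made for the illustration; the `access_token` query parameter name is the one defined in RFC 6750.

```python
import json
from urllib.parse import urlencode, urlsplit, urlunsplit, parse_qsl

# Constructed sample token responses (not captured traffic).
ID_TOKEN_ONLY = '{"id_token": "aaa.bbb.ccc", "id_token_expires_in": 86400}'
WITH_ACCESS = '{"access_token": "tok-123", "token_type": "bearer", "expires_in": 3600}'


def check_token_response(body):
    """Return the access token, or raise naming the fields that did arrive."""
    data = json.loads(body)
    token = data.get("access_token")
    if not token:
        raise ValueError("No access_token from server; got fields: %s" % sorted(data))
    return token


def build_userinfo_request(url, access_token, style):
    """Return (url, headers) for the two ways of presenting the token."""
    if style == "bearer":
        # Token travels in a header and stays out of the request line.
        return url, {"Authorization": "Bearer " + access_token}
    if style == "query":
        # Token travels in the URL, where proxies and access logs record it.
        parts = urlsplit(url)
        query = parse_qsl(parts.query) + [("access_token", access_token)]
        return urlunsplit(parts._replace(query=urlencode(query))), {}
    raise ValueError("unknown style: " + style)


def redact_url(url):
    """Mask the access_token value before the URL is written to a log."""
    parts = urlsplit(url)
    query = [(k, "REDACTED" if k == "access_token" else v)
             for k, v in parse_qsl(parts.query)]
    return urlunsplit(parts._replace(query=urlencode(query)))
```
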