[keycloak-user] Import IDP config from URL not working?

Thorsten thorsten315 at gmx.de
Wed May 13 13:01:16 EDT 2015


Well, when I put "https://accounts.google.com" into the "Issuer" field I
get the following exception:

16:53:37,502 ERROR
[org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider] (default task-37)
Failed to make identity provider oauth callback:
org.keycloak.broker.provider.IdentityBrokerException: Wrong issuer from
token. Got: accounts.google.com expected: https://accounts.google.com
        at
org.keycloak.broker.oidc.OIDCIdentityProvider.validateToken(OIDCIdentityProvider.java:312)

The autoconfig stuff for the sign key issue is easy to reproduce:

- create realm
- add "OpenID Connect v1.0" provider
- on the bottom populate the "Import From Url" with
"https://accounts.google.com/.well-known/openid-configuration" and click
"Import"
- add your "Client ID" and "Client secret" as provided in your Google
Developer Console
- add scopes "openid profile email"
- click "Save"

(due to the aforementioned "Issuer" issue you may need to change
"https://accounts.google.com" to "accounts.google.com" as well)

Try to log in with your Google account into the realm and it should give you
the sig validation failure I posted.

2015-05-13 17:25 GMT+02:00 Bill Burke <bburke at redhat.com>:

> Why do you think the issuer should be changed to accounts.google.com?
>
> I'm not sure about the keys as our code eats the error.  How can I
> reproduce this?  Meaning how can I set up my google account and such?
> Same as regular social provider stuff?
>
>
>
> On 5/12/2015 5:37 PM, Thorsten wrote:
> > I tried to import the basic IDP config for a custom "OpenID Connect
> > v1.0" provider from the published Google autoconf URL:
> > https://accounts.google.com/.well-known/openid-configuration
> >
> > The URLs are picked up fine but there seem to be two issues:
> >
> > 1.) the "Issuer" is imported as "https://accounts.google.com" when it
> > should be "accounts.google.com"
> > 2.) the public validation keys are not imported correctly. They always
> > produce
> >
> > 12:09:40,416 ERROR
> > [org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider] (default
> > task-17) Failed to make identity provider oauth callback:
> > org.keycloak.broker.provider.IdentityBrokerException: token signature
> > validation failed
> >          at
> >
> org.keycloak.broker.oidc.OIDCIdentityProvider.validateToken(OIDCIdentityProvider.java:286)
> >
> > when authentication is being performed.
> >
> > Are these bugs or is the published discovery document from Google not
> > standard compliant?
> >
> > Thanks
> >
> >
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
> >
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
>
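As an added example, not code from this thread or from Keycloak itself: a small Python validator that reproduces the two checks behind the errors above, the exact-string issuer comparison that OIDC Core 3.1.3.7 requires against the discovery document's "issuer" value, and the JWKS lookup by "kid" whose failure surfaces as a signature validation error. The discovery fragment, JWKS entry and tokens are constructed inline (no network, no real RSA verification), and the key ids are placeholders.

```python
import base64
import json
import time

# Constructed discovery-document fragment and JWKS (not fetched from Google);
# the issuer value is the one the thread says the import picks up.
DISCOVERY = {"issuer": "https://accounts.google.com",
             "jwks_uri": "https://www.googleapis.com/oauth2/v3/certs"}
JWKS = {"keys": [{"kty": "RSA", "use": "sig", "alg": "RS256",
                  "kid": "constructed-kid-1", "n": "placeholder-modulus", "e": "AQAB"}]}

def b64url_decode(data):
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))

def decode_jwt_parts(id_token):
    """Split a compact JWT into (header, claims) without verifying it."""
    header_b64, payload_b64, _signature = id_token.split(".")
    return json.loads(b64url_decode(header_b64)), json.loads(b64url_decode(payload_b64))

def select_verification_key(jwks, header):
    """Pick the JWK whose kid matches the token header. No match is the
    situation that shows up as 'token signature validation failed'."""
    for key in jwks.get("keys", []):
        if key.get("kid") == header.get("kid") and key.get("use", "sig") == "sig":
            return key
    return None

def check_id_token_claims(claims, expected_issuer, client_id, now=None):
    """Claim checks from OIDC Core 3.1.3.7: 'iss' must exactly equal the
    issuer from the discovery document (no scheme normalisation), 'aud'
    must contain this client, and the token must not be expired."""
    now = time.time() if now is None else now
    errors = []
    if claims.get("iss") != expected_issuer:
        errors.append("Wrong issuer from token. Got: %s expected: %s"
                      % (claims.get("iss"), expected_issuer))
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        errors.append("audience mismatch")
    if claims.get("exp", 0) <= now:
        errors.append("token expired")
    return errors

def make_unsigned_token(header, claims):
    """Build a compact JWT with an empty signature, only for constructing test input."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return "%s.%s." % (enc(header), enc(claims))

if __name__ == "__main__":
    token = make_unsigned_token({"alg": "RS256", "kid": "unknown-kid"},
                                {"iss": "accounts.google.com", "aud": "client-1", "exp": 4102444800})
    header, claims = decode_jwt_parts(token)
    print(check_id_token_claims(claims, DISCOVERY["issuer"], "client-1"))  # issuer mismatch, as in the log
    print(select_verification_key(JWKS, header))  # None: no key for that kid
```

Loosening the issuer check to a substring or scheme-insensitive match would also accept tokens from a different issuer, so the strict comparison is the behaviour to keep; the workaround discussed in the thread only works because both issuer spellings come from the same provider.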