[keycloak-user] GoogleIdentityProvider seems to be broken for Keycloak 2.1.0.CR1
Sigbjørn Dybdahl
sigbjorn at fifty-five.com
Wed Aug 10 06:03:31 EDT 2016
Thanks for you quick reply, Marek!
When re-reading the documentation now I see the part on enabling the
Google+ API in the Google Developer console, which I apparently didn't pay
attention to. It all works smoothly now, and I can remove the user-defined
OpenId Connect provider.
Regards,
Sigbjørn
On 10 August 2016 at 11:49, Marek Posolda <mposolda at redhat.com> wrote:
> Did you enable Google+ API in Google admin console? Configuration of this
> is on Google side, not scopes on Keycloak side on identityProvider page.
>
> Marek
>
>
> On 10/08/16 10:47, Sigbjørn Dybdahl wrote:
>
> Hello,
>
> I'm trying to configure an instance of Keycloak using version 2.1.0.CR1
> and I've run into a problem when using the Google Identity Provider with
> the default configuration. That is, during the callback I observe
> a org.keycloak.broker.provider.IdentityBrokerException: Could not fetch
> attributes (see complete stacktrace below for details) from userinfo
> endpoint which seems to be linked to the 403 Forbidden return code when
> calling <https://www.googleapis.com/plus/v1/people/me/openIdConnect>
> https://www.googleapis.com/plus/v1/people/me/openIdConnect.
>
> This seems to be similar to https://issues.jboss.org/browse/KEYCLOAK-2942,
> but even when adding the additional Google+ scopes (making scope=openid
> profile email https://www.googleapis.com/auth/plus.me
> https://www.googleapis.com/auth/plus.login) the call fails. As for
> JIRA-2942, I've tried setting up a user-defined OpenId Connect provider
> with the default scope, which works just fine.
>
> Have I forgotten any important parameter while configuring the standard
> Google support? Or is this a regression for this release?
>
>
> Regards,
> Sigbjørn Dybdahl
>
> ---
>
> Here's the complete stacktrace for the exception:
>
> 20:07:12,247 ERROR [org.keycloak.broker.oidc.
> AbstractOAuth2IdentityProvider] (default task-20) Failed to make identity
> provider oauth callback: org.keycloak.broker.provider.IdentityBrokerException:
> Could not fetch attributes from userinfo endpoint.
> at org.keycloak.broker.oidc.OIDCIdentityProvider.getFederatedIdentity(
> OIDCIdentityProvider.java:304)
> at org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider
> $Endpoint.authResponse(AbstractOAuth2IdentityProvider.java:230)
> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> at sun.reflect.NativeMethodAccessorImpl.invoke(
> NativeMethodAccessorImpl.java:62)
> at sun.reflect.DelegatingMethodAccessorImpl.invoke(
> DelegatingMethodAccessorImpl.java:43)
> at java.lang.reflect.Method.invoke(Method.java:498)
> at org.jboss.resteasy.core.MethodInjectorImpl.invoke(
> MethodInjectorImpl.java:139)
> at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(
> ResourceMethodInvoker.java:295)
> at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(
> ResourceMethodInvoker.java:249)
> at org.jboss.resteasy.core.ResourceLocatorInvoker.
> invokeOnTargetObject(ResourceLocatorInvoker.java:138)
> at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(
> ResourceLocatorInvoker.java:107)
> at org.jboss.resteasy.core.ResourceLocatorInvoker.
> invokeOnTargetObject(ResourceLocatorInvoker.java:133)
> at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(
> ResourceLocatorInvoker.java:101)
> at org.jboss.resteasy.core.SynchronousDispatcher.invoke(
> SynchronousDispatcher.java:395)
> at org.jboss.resteasy.core.SynchronousDispatcher.invoke(
> SynchronousDispatcher.java:202)
> at org.jboss.resteasy.plugins.server.servlet.
> ServletContainerDispatcher.service(ServletContainerDispatcher.java:221)
> at org.jboss.resteasy.plugins.server.servlet.
> HttpServletDispatcher.service(HttpServletDispatcher.java:56)
> at org.jboss.resteasy.plugins.server.servlet.
> HttpServletDispatcher.service(HttpServletDispatcher.java:51)
> at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
> at io.undertow.servlet.handlers.ServletHandler.handleRequest(
> ServletHandler.java:85)
> at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.
> doFilter(FilterHandler.java:129)
> at org.keycloak.services.filters.KeycloakSessionServletFilter.
> doFilter(KeycloakSessionServletFilter.java:90)
> at io.undertow.servlet.core.ManagedFilter.doFilter(
> ManagedFilter.java:60)
> at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.
> doFilter(FilterHandler.java:131)
> at io.undertow.servlet.handlers.FilterHandler.handleRequest(
> FilterHandler.java:84)
> at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.
> handleRequest(ServletSecurityRoleHandler.java:62)
> at io.undertow.servlet.handlers.ServletDispatchingHandler.
> handleRequest(ServletDispatchingHandler.java:36)
> at org.wildfly.extension.undertow.security.
> SecurityContextAssociationHandler.handleRequest(
> SecurityContextAssociationHandler.java:78)
> at io.undertow.server.handlers.PredicateHandler.handleRequest(
> PredicateHandler.java:43)
> at io.undertow.servlet.handlers.security.
> SSLInformationAssociationHandler.handleRequest(
> SSLInformationAssociationHandler.java:131)
> at io.undertow.servlet.handlers.security.
> ServletAuthenticationCallHandler.handleRequest(
> ServletAuthenticationCallHandler.java:57)
> at io.undertow.server.handlers.PredicateHandler.handleRequest(
> PredicateHandler.java:43)
> at io.undertow.security.handlers.AbstractConfidentialityHandler
> .handleRequest(AbstractConfidentialityHandler.java:46)
> at io.undertow.servlet.handlers.security.
> ServletConfidentialityConstraintHandler.handleRequest(
> ServletConfidentialityConstraintHandler.java:64)
> at io.undertow.security.handlers.AuthenticationMechanismsHandle
> r.handleRequest(AuthenticationMechanismsHandler.java:60)
> at io.undertow.servlet.handlers.security.
> CachedAuthenticatedSessionHandler.handleRequest(
> CachedAuthenticatedSessionHandler.java:77)
> at io.undertow.security.handlers.NotificationReceiverHandler.
> handleRequest(NotificationReceiverHandler.java:50)
> at io.undertow.security.handlers.AbstractSecurityContextAssocia
> tionHandler.handleRequest(AbstractSecurityContextAssocia
> tionHandler.java:43)
> at io.undertow.server.handlers.PredicateHandler.handleRequest(
> PredicateHandler.java:43)
> at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.
> handleRequest(JACCContextIdHandler.java:61)
> at io.undertow.server.handlers.PredicateHandler.handleRequest(
> PredicateHandler.java:43)
> at io.undertow.server.handlers.PredicateHandler.handleRequest(
> PredicateHandler.java:43)
> at io.undertow.servlet.handlers.ServletInitialHandler.
> handleFirstRequest(ServletInitialHandler.java:284)
> at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(
> ServletInitialHandler.java:263)
> at io.undertow.servlet.handlers.ServletInitialHandler.access$
> 000(ServletInitialHandler.java:81)
> at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(
> ServletInitialHandler.java:174)
> at io.undertow.server.Connectors.executeRootHandler(Connectors.
> java:202)
> at io.undertow.server.HttpServerExchange$1.run(
> HttpServerExchange.java:793)
> at java.util.concurrent.ThreadPoolExecutor.runWorker(
> ThreadPoolExecutor.java:1142)
> at java.util.concurrent.ThreadPoolExecutor$Worker.run(
> ThreadPoolExecutor.java:617)
> at java.lang.Thread.run(Thread.java:745)
> Caused by: java.io.IOException: Server returned HTTP response code: 403
> for URL: https://www.googleapis.com/plus/v1/people/me/openIdConnect
> at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native
> Method)
> at sun.reflect.NativeConstructorAccessorImpl.newInstance(
> NativeConstructorAccessorImpl.java:62)
> at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(
> DelegatingConstructorAccessorImpl.java:45)
> at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
> at sun.net.www.protocol.http.HttpURLConnection$10.run(
> HttpURLConnection.java:1890)
> at sun.net.www.protocol.http.HttpURLConnection$10.run(
> HttpURLConnection.java:1885)
> at java.security.AccessController.doPrivileged(Native Method)
> at sun.net.www.protocol.http.HttpURLConnection.getChainedException(
> HttpURLConnection.java:1884)
> at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(
> HttpURLConnection.java:1457)
> at sun.net.www.protocol.http.HttpURLConnection.getInputStream(
> HttpURLConnection.java:1441)
> at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(
> HttpsURLConnectionImpl.java:254)
> at org.keycloak.broker.provider.util.SimpleHttp.asString(
> SimpleHttp.java:148)
> at org.keycloak.broker.oidc.util.JsonSimpleHttp.asJson(
> JsonSimpleHttp.java:46)
> at org.keycloak.broker.oidc.OIDCIdentityProvider.getFederatedIdentity(
> OIDCIdentityProvider.java:267)
> ... 50 more
> Caused by: java.io.IOException: Server returned HTTP response code: 403
> for URL: https://www.googleapis.com/plus/v1/people/me/openIdConnect
> at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(
> HttpURLConnection.java:1840)
> at sun.net.www.protocol.http.HttpURLConnection.getInputStream(
> HttpURLConnection.java:1441)
> at sun.net.www.protocol.http.HttpURLConnection.getHeaderField(
> HttpURLConnection.java:2943)
> at sun.net.www.protocol.https.HttpsURLConnectionImpl.getHeaderField(
> HttpsURLConnectionImpl.java:291)
> at org.keycloak.broker.provider.util.SimpleHttp.asString(
> SimpleHttp.java:147)
> ... 52 more
>
>
>
> _______________________________________________
> keycloak-user mailing listkeycloak-user at lists.jboss.orghttps://lists.jboss.org/mailman/listinfo/keycloak-user
>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160810/7db12d6b/attachment-0001.html
More information about the keycloak-user
mailing list