[keycloak-user] GoogleIdentityProvider seems to be broken for Keycloak 2.1.0.CR1

Bill Burke bburke at redhat.com
Wed Aug 10 10:50:32 EDT 2016


So the docs are ok then?


On 8/10/16 6:17 AM, Paulo Pires wrote:
> Ah, nice tip. My tests were made with a corporate account which has no 
> permissions to enable such API, but I too slipped that part in docs.
>
> Thanks
>
> On Wed, Aug 10, 2016 at 11:03 AM, Sigbjørn Dybdahl 
> <sigbjorn at fifty-five.com <mailto:sigbjorn at fifty-five.com>> wrote:
>
>     Thanks for you quick reply, Marek!
>
>     When re-reading the documentation now I see the part on enabling
>     the Google+ API in the Google Developer console, which I
>     apparently didn't pay attention to. It all works smoothly now, and
>     I can remove the user-defined OpenId Connect provider.
>
>
>     Regards,
>     Sigbjørn
>
>     On 10 August 2016 at 11:49, Marek Posolda <mposolda at redhat.com
>     <mailto:mposolda at redhat.com>> wrote:
>
>         Did you enable Google+ API in Google admin console?
>         Configuration of this is on Google side, not scopes on
>         Keycloak side on identityProvider page.
>
>         Marek
>
>
>         On 10/08/16 10:47, Sigbjørn Dybdahl wrote:
>>         Hello,
>>
>>         I'm trying to configure an instance of Keycloak using version
>>         2.1.0.CR1 and I've run into a problem when using the Google
>>         Identity Provider with the default configuration. That is,
>>         during the callback I observe
>>         a org.keycloak.broker.provider.IdentityBrokerException: Could
>>         not fetch attributes (see complete stacktrace below for
>>         details) from userinfo endpoint which seems to be linked to
>>         the 403 Forbidden return code when calling
>>         https://www.googleapis.com/plus/v1/people/me/openIdConnect
>>         <https://www.googleapis.com/plus/v1/people/me/openIdConnect>.
>>
>>         This seems to be similar to
>>         https://issues.jboss.org/browse/KEYCLOAK-2942
>>         <https://issues.jboss.org/browse/KEYCLOAK-2942>, but even
>>         when adding the additional Google+ scopes (making
>>         scope=openid profile email
>>         https://www.googleapis.com/auth/plus.me
>>         <https://www.googleapis.com/auth/plus.me>
>>         https://www.googleapis.com/auth/plus.login
>>         <https://www.googleapis.com/auth/plus.login>) the call fails.
>>         As for JIRA-2942, I've tried setting up a user-defined OpenId
>>         Connect provider with the default scope, which works just fine.
>>
>>         Have I forgotten any important parameter while configuring
>>         the standard Google support? Or is this a regression for this
>>         release?
>>
>>
>>         Regards,
>>         Sigbjørn Dybdahl
>>
>>         ---
>>
>>         Here's the complete stacktrace for the exception:
>>
>>         20:07:12,247 ERROR
>>         [org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider]
>>         (default task-20) Failed to make identity provider oauth
>>         callback:
>>         org.keycloak.broker.provider.IdentityBrokerException: Could
>>         not fetch attributes from userinfo endpoint.
>>             at
>>         org.keycloak.broker.oidc.OIDCIdentityProvider.getFederatedIdentity(OIDCIdentityProvider.java:304)
>>             at
>>         org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider$Endpoint.authResponse(AbstractOAuth2IdentityProvider.java:230)
>>             at sun.reflect.NativeMethodAccessorImpl.invoke0(Native
>>         Method)
>>             at
>>         sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>>             at
>>         sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>>             at java.lang.reflect.Method.invoke(Method.java:498)
>>             at
>>         org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:139)
>>             at
>>         org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295)
>>             at
>>         org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249)
>>             at
>>         org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:138)
>>             at
>>         org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107)
>>             at
>>         org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133)
>>             at
>>         org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:101)
>>             at
>>         org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:395)
>>             at
>>         org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:202)
>>             at
>>         org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:221)
>>             at
>>         org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
>>             at
>>         org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
>>             at
>>         javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
>>             at
>>         io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
>>             at
>>         io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
>>             at
>>         org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90)
>>             at
>>         io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
>>             at
>>         io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
>>             at
>>         io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
>>             at
>>         io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
>>             at
>>         io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
>>             at
>>         org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
>>             at io.undertow.server.handlers.Pr
>>         <http://io.undertow.server.handlers.Pr>edicateHandler.handleRequest(PredicateHandler.java:43)
>>             at
>>         io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
>>             at
>>         io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
>>             at io.undertow.server.handlers.Pr
>>         <http://io.undertow.server.handlers.Pr>edicateHandler.handleRequest(PredicateHandler.java:43)
>>             at
>>         io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
>>             at
>>         io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
>>             at
>>         io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
>>             at
>>         io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
>>             at
>>         io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
>>             at
>>         io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
>>             at io.undertow.server.handlers.Pr
>>         <http://io.undertow.server.handlers.Pr>edicateHandler.handleRequest(PredicateHandler.java:43)
>>             at
>>         org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
>>             at io.undertow.server.handlers.Pr
>>         <http://io.undertow.server.handlers.Pr>edicateHandler.handleRequest(PredicateHandler.java:43)
>>             at io.undertow.server.handlers.Pr
>>         <http://io.undertow.server.handlers.Pr>edicateHandler.handleRequest(PredicateHandler.java:43)
>>             at
>>         io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:284)
>>             at
>>         io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263)
>>             at
>>         io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
>>             at
>>         io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174)
>>             at
>>         io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)
>>             at
>>         io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793)
>>             at
>>         java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
>>             at
>>         java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
>>             at java.lang.Thread.run(Thread.java:745)
>>         Caused by: java.io.IOException: Server returned HTTP response
>>         code: 403 for URL:
>>         https://www.googleapis.com/plus/v1/people/me/openIdConnect
>>         <https://www.googleapis.com/plus/v1/people/me/openIdConnect>
>>             at
>>         sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native
>>         Method)
>>             at
>>         sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
>>             at
>>         sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
>>             at
>>         java.lang.reflect.Constructor.newInstance(Constructor.java:423)
>>             at
>>         sun.net.www.protocol.http.HttpURLConnection$10.run(HttpURLConnection.java:1890)
>>             at
>>         sun.net.www.protocol.http.HttpURLConnection$10.run(HttpURLConnection.java:1885)
>>             at java.security.AccessController.doPrivileged(Native Method)
>>             at
>>         sun.net.www.protocol.http.HttpURLConnection.getChainedException(HttpURLConnection.java:1884)
>>             at
>>         sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1457)
>>             at
>>         sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1441)
>>             at
>>         sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:254)
>>             at
>>         org.keycloak.broker.provider.util.SimpleHttp.asString(SimpleHttp.java:148)
>>             at
>>         org.keycloak.broker.oidc.util.JsonSimpleHttp.asJson(JsonSimpleHttp.java:46)
>>             at
>>         org.keycloak.broker.oidc.OIDCIdentityProvider.getFederatedIdentity(OIDCIdentityProvider.java:267)
>>             ... 50 more
>>         Caused by: java.io.IOException: Server returned HTTP response
>>         code: 403 for URL:
>>         https://www.googleapis.com/plus/v1/people/me/openIdConnect
>>         <https://www.googleapis.com/plus/v1/people/me/openIdConnect>
>>             at
>>         sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1840)
>>             at
>>         sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1441)
>>             at
>>         sun.net.www.protocol.http.HttpURLConnection.getHeaderField(HttpURLConnection.java:2943)
>>             at
>>         sun.net.www.protocol.https.HttpsURLConnectionImpl.getHeaderField(HttpsURLConnectionImpl.java:291)
>>             at
>>         org.keycloak.broker.provider.util.SimpleHttp.asString(SimpleHttp.java:147)
>>             ... 52 more
>>
>>
>>
>>         _______________________________________________
>>         keycloak-user mailing list
>>         keycloak-user at lists.jboss.org
>>         <mailto:keycloak-user at lists.jboss.org>
>>         https://lists.jboss.org/mailman/listinfo/keycloak-user
>>         <https://lists.jboss.org/mailman/listinfo/keycloak-user>
>
>     _______________________________________________ keycloak-user
>     mailing list keycloak-user at lists.jboss.org
>     <mailto:keycloak-user at lists.jboss.org>
>     https://lists.jboss.org/mailman/listinfo/keycloak-user
>     <https://lists.jboss.org/mailman/listinfo/keycloak-user> 
>
> -- 
>
> *Paulo Pires*
>
> senior infrastructure engineer | littleBits 
> <http://www.google.com/url?q=http%3A%2F%2Flittlebits.cc%2F&sa=D&sntz=1&usg=AFrqEzdmD1TfneYzn_vRGBO0a4wHpG-Ivg>
>
> *T* (917) 464-4577unleash your inner inventor. 
> <https://youtu.be/fMg5QPQQOOI>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160810/a1ffa818/attachment-0001.html 


More information about the keycloak-user mailing list