[keycloak-user] KeyCloak and Azure Active Directory / response_type

Robin Diederen diederen at nlcom.nl
Thu May 24 17:04:03 EDT 2018


Hello Stefan,

A few weeks after I asked this question we got this working. A Microsoft support engineer solved the issue – turns out that by using different endpoints for AAD, the issue was resolved. We’re using https://login.microsoftonline.com/<id goes here>/oauth2/authorize and https://login.microsoftonline.com/<id goes here>/oauth2/token as auth and token URLs.

Furthermore, we have:

- logout url = blank
- backchannel logout = off
- disable user info = off
- user info url = blank
- issuer = blank
- default scopes = blank
- validate signatures = off

Client ID and secret should be filled with the corresponding data from the MS portal.

Hope this helps! If not, feel free to drop me a line ☺.

Best, Robin
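As an added example (not code from this thread, from Keycloak or from Microsoft), the following Python models the exchange a Keycloak OIDC identity provider performs against the two endpoints named above: it builds the authorization request with response_type=code, builds the form body for the code exchange, and checks the token endpoint's reply the way the broker callback does, raising the same "No access_token from server." message from the log line quoted further down when the access_token is absent. Because the configuration above turns signature validation off, the id_token's signature goes unchecked, so the example also shows the claim checks (audience, expiry, and issuer only when one is configured, mirroring the blank issuer field) that remain as the broker's only sanity checks in that state. The tenant id, client id, redirect URI, sample token replies and the unsigned id_token are constructed placeholders; the Azure AD issuer value in the sample claims is my assumption, not something the thread states.

```python
"""Offline model of a Keycloak-style OIDC broker exchanging a code with Azure AD.

Added example, not Keycloak or Microsoft code. Endpoint paths follow the
thread; every identifier and token value below is a constructed sample.
"""
import base64
import json
import time
from typing import Optional
from urllib.parse import urlencode

TENANT_ID = "00000000-0000-0000-0000-000000000000"  # constructed placeholder
CLIENT_ID = "11111111-2222-3333-4444-555555555555"  # constructed placeholder
REDIRECT_URI = "https://keycloak.example.org/auth/realms/demo/broker/azure/endpoint"

# Endpoint paths as given in the thread; only the tenant id is a placeholder.
AUTHORIZE_URL = f"https://login.microsoftonline.com/{TENANT_ID}/oauth2/authorize"
TOKEN_URL = f"https://login.microsoftonline.com/{TENANT_ID}/oauth2/token"


class IdentityBrokerException(Exception):
    """Named after the exception class in the Keycloak log line on the page."""


def build_authorize_url(state: str) -> str:
    """Authorization request the broker redirects the browser to.

    The broker runs the authorization code flow, so the request carries
    response_type=code; the code is exchanged server-side afterwards and the
    broker expects an access_token in that exchange.
    """
    params = {"client_id": CLIENT_ID, "response_type": "code",
              "redirect_uri": REDIRECT_URI, "scope": "openid", "state": state}
    return f"{AUTHORIZE_URL}?{urlencode(params)}"


def build_token_request(code: str, client_secret: str) -> dict:
    """Form body the broker POSTs to TOKEN_URL to trade the code for tokens."""
    return {"grant_type": "authorization_code", "code": code,
            "redirect_uri": REDIRECT_URI, "client_id": CLIENT_ID,
            "client_secret": client_secret}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_unsigned_jwt(claims: dict) -> str:
    """Constructed id_token for offline use: real header/payload, dummy signature."""
    header = _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}.dummysignature"


def _decode_jwt_payload(token: str) -> dict:
    # Payload only, no signature verification: the state that
    # "validate signatures = off" leaves the broker in.
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def parse_token_response(body: str, expected_issuer: Optional[str] = None,
                         now: Optional[float] = None) -> dict:
    """Check a token-endpoint reply the way the broker callback does.

    A missing access_token raises the same message Keycloak logs on the page.
    Audience and expiry of the id_token are always checked; issuer only when
    one is configured (the thread leaves that field blank).
    """
    data = json.loads(body)
    if "access_token" not in data:
        raise IdentityBrokerException("No access_token from server.")
    if "id_token" not in data:
        raise IdentityBrokerException("No id_token from server.")
    claims = _decode_jwt_payload(data["id_token"])
    now = time.time() if now is None else now
    if claims.get("aud") != CLIENT_ID:
        raise IdentityBrokerException("id_token audience does not match client id.")
    if claims.get("exp", 0) <= now:
        raise IdentityBrokerException("id_token has expired.")
    if expected_issuer is not None and claims.get("iss") != expected_issuer:
        raise IdentityBrokerException("id_token issuer mismatch.")
    return claims


# Constructed sample replies: one complete, one lacking the access_token.
_NOW = 1_527_200_000  # fixed clock so the example is reproducible
SAMPLE_CLAIMS = {"iss": f"https://sts.windows.net/{TENANT_ID}/",  # assumed issuer form
                 "aud": CLIENT_ID, "sub": "user-123", "exp": _NOW + 3600}
GOOD_RESPONSE = json.dumps({"token_type": "Bearer", "access_token": "opaque-sample",
                            "id_token": make_unsigned_jwt(SAMPLE_CLAIMS)})
BAD_RESPONSE = json.dumps({"id_token": make_unsigned_jwt(SAMPLE_CLAIMS)})


def demo() -> dict:
    """Run both samples and report what the broker would do with each."""
    result = {"authorize_url": build_authorize_url("abc123")}
    result["good"] = parse_token_response(GOOD_RESPONSE, now=_NOW)["sub"]
    try:
        parse_token_response(BAD_RESPONSE, now=_NOW)
        result["bad"] = "accepted"
    except IdentityBrokerException as exc:
        result["bad"] = str(exc)
    return result


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

With signature validation off, the broker is trusting whatever the token endpoint returns over TLS plus these claim checks; once the flow works, turning validation back on is the safer setting to keep.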



From: Stefan Engstrom <sengstrom at ena.com>
Date: Thursday, 24 May 2018 at 20:58
To: "diederen at nlcom.nl" <diederen at nlcom.nl>, "keycloak-user at lists.jboss.org" <keycloak-user at lists.jboss.org>
Subject: Re: KeyCloak and Azure Active Directory / response_type

I'm running into this exact issue - curious if there are any insights? The redirect from microsoftonline.com contains a "code" element but keycloak chokes on trading this for an access_token. I have a parallel IDP to google which returns an element of that name (code) and that piece works just fine.







From: keycloak-user-bounces at lists.jboss.org <keycloak-user-bounces at lists.jboss.org> on behalf of Robin Diederen <diederen at nlcom.nl>
Sent: Monday, January 8, 2018 5:03:53 AM
To: keycloak-user at lists.jboss.org
Subject: [keycloak-user] KeyCloak and Azure Active Directory / response_type



Hello all,

I’m trying to make KeyCloak (3.4.0 Final) work with Microsoft Azure AD using the OpenID Connect protocol (OIDC). My goal is for KeyCloak to be an identity broker between a number of in-house clients and Azure AD as identity backend.

After configuring the appropriate endpoints for OIDC / OAuth 2.0 and some clients, upon hitting my client with my browser, KeyCloak redirects me to the Microsoft login page. Logging in works fine and my client / app is correctly recognized by Microsoft. However, when redirected back to KeyCloak, I’m presented with an error.

Upon further investigation I’ve noticed that KeyCloak reports this error in its logs: “Failed to make identity provider oauth callback: org.keycloak.broker.provider.IdentityBrokerException: No access_token from server.”. This seems to be related to the response_type attribute, which is to be set from KeyCloak upon calling the Microsoft login page. Up till now, I did not find any way to make KeyCloak include this parameter with the preferred value, being “response_type=token_id”. KeyCloak however does include “response_type=code”, yet Microsoft doesn’t seem to like this.

So here’s my question: how can I instruct KeyCloak to include this parameter to make it work with AzureAD? I’ve tried a number of settings in the client page, such as implicit and standard flow enabled / disabled, however, to no avail.

Any help is greatly appreciated.

Best, Robin


