<div dir="ltr">Well, when I put "<a href="https://accounts.google.com">https://accounts.google.com</a>" into the "Issuer" field I get the following exception:<div><br></div>
<div><div>16:53:37,502 ERROR [org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider] (default task-37) Failed to make identity provider oauth callback: org.keycloak.broker.provider.IdentityBrokerException: Wrong issuer from token. Got: <a href="http://accounts.google.com">accounts.google.com</a> expected: <a href="https://accounts.google.com">https://accounts.google.com</a></div><div> at org.keycloak.broker.oidc.OIDCIdentityProvider.validateToken(OIDCIdentityProvider.java:312)</div></div>
<div><br></div>
<div>The autoconfig stuff for the signing key issue is easy to reproduce:</div>
<div><br></div>
<div>- create realm</div>
<div>- add "OpenID Connect v1.0" provider</div>
<div>- at the bottom, populate the "Import From Url" with "<a href="https://accounts.google.com/.well-known/openid-configuration">https://accounts.google.com/.well-known/openid-configuration</a>" and click "Import"</div>
<div>- add your "Client ID" and "Client secret" as provided in your Google Developer Console</div>
<div>- add scopes "openid profile email"</div>
<div>- click "Save"</div>
<div><br></div>
<div>(due to the aforementioned "Issuer" issue you may need to change "<a href="https://accounts.google.com">https://accounts.google.com</a>" to "<a href="http://accounts.google.com">accounts.google.com</a>" as well)</div>
<div><br></div>
<div>Try to log in with your Google account into the realm and it should give you the sig validation failure I posted.</div></div>
<div class="gmail_extra"><br><div class="gmail_quote">2015-05-13 17:25 GMT+02:00 Bill Burke <span dir="ltr"><<a href="mailto:bburke@redhat.com" target="_blank">bburke@redhat.com</a>></span>:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Why do you think the issuer should be changed to <a href="http://accounts.google.com" target="_blank">accounts.google.com</a>?<br>
<br>
I'm not sure about the keys as our code eats the error. How can I<br>
reproduce this? Meaning how can I set up my google account and such?<br>
Same as regular social provider stuff?<br>
<span class=""><br>
<br>
<br>
On 5/12/2015 5:37 PM, Thorsten wrote:<br>
> I tried to import the basic IDP config for a custom "OpenID Connect<br>
> v1.0" provider from the published Google autoconf URL:<br>
> <a href="https://accounts.google.com/.well-known/openid-configuration" target="_blank">https://accounts.google.com/.well-known/openid-configuration</a><br>
><br>
> The URLs are picked up fine but there seem to be two issues:<br>
><br>
> 1.) the "Issuer" is imported as "<a href="https://accounts.google.com" target="_blank">https://accounts.google.com</a>" when it<br>
</span>> should be "<a href="http://accounts.google.com" target="_blank">accounts.google.com</a> <<a href="http://accounts.google.com" target="_blank">http://accounts.google.com</a>>"<br>
<span class="">> 2.) the public validation keys are not imported correctly. They always<br>
> produce<br>
><br>
> 12:09:40,416 ERROR<br>
> [org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider] (default<br>
> task-17) Failed to make identity provider oauth callback:<br>
> org.keycloak.broker.provider.IdentityBrokerException: token signature<br>
> validation failed<br>
> at<br>
> org.keycloak.broker.oidc.OIDCIdentityProvider.validateToken(OIDCIdentityProvider.java:286)<br>
><br>
> when authentication is being performed.<br>
><br>
> Are these bugs or is the published discovery document from Google not<br>
> standard compliant?<br>
><br>
> Thanks<br>
><br>
><br>
</span>> _______________________________________________<br>
> keycloak-user mailing list<br>
> <a href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a><br>
> <a href="https://lists.jboss.org/mailman/listinfo/keycloak-user" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-user</a><br>
><br>
<span class="HOEnZb"><font color="#888888"><br>
--<br>
Bill Burke<br>
JBoss, a division of Red Hat<br>
<a href="http://bill.burkecentral.com" target="_blank">http://bill.burkecentral.com</a><br>
</font></span></blockquote></div><br></div>
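<p>The two failures in this thread, the issuer mismatch and the signature validation failure, both come down to what the broker does with the ID token it gets back from Google. Google's OpenID Connect documentation says the <code>iss</code> of its ID tokens is either <code>https://accounts.google.com</code> or <code>accounts.google.com</code>, while the discovery document advertises only the https form; and Google publishes several signing keys at <code>jwks_uri</code> and rotates them, each identified by a <code>kid</code>. The Go program below is an added example, not Keycloak's or Google's code, of a broker-side check that copes with both: the issuer comparison accepts the bare host only for that one Google issuer, and the signing key is picked per token by the <code>kid</code> in the JWT header from the published key set instead of a single key copied at import time. Everything it runs against is constructed: the RSA key, the key set, the <code>kid</code> values, the client ID and the tokens (<code>SignIDToken</code> stands in for Google's side).</p>

```go
package main

// Added example (not Keycloak's or Google's code); key, key set, kid values, client ID and tokens are constructed inline.
import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
	"time"
)

var enc = base64.RawURLEncoding
// JWK is one RSA key from the jwks_uri document ("kty", "kid", "n", "e"; json.Unmarshal
// matches those names case-insensitively). A key set is a slice of them.
type JWK struct{ Kty, Kid, N, E string }
// Claims is the subset of ID-token claims checked here (Google sends aud as one string).
type Claims struct {
	Iss string `json:"iss"`
	Aud string `json:"aud"`
	Exp int64  `json:"exp"`
}
// AcceptIssuer compares the token's iss with the issuer imported from the discovery document.
// Google documents that its ID tokens carry either "https://accounts.google.com" or
// "accounts.google.com", so that one issuer also matches its bare host; no other issuer does.
func AcceptIssuer(discovered, got string) bool {
	return got == discovered || (discovered == "https://accounts.google.com" && got == "accounts.google.com")
}
// KeyFromJWKS resolves the key named by the token header's kid. Choosing the key per token,
// instead of pinning one key copied at import time, is what survives the provider rotating keys.
func KeyFromJWKS(keys []JWK, kid string) (*rsa.PublicKey, error) {
	for _, k := range keys {
		if k.Kty == "RSA" && k.Kid == kid {
			n, errN := enc.DecodeString(k.N)
			e, errE := enc.DecodeString(k.E)
			if errN != nil || errE != nil {
				return nil, fmt.Errorf("malformed JWK %q", kid)
			}
			return &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(new(big.Int).SetBytes(e).Int64())}, nil
		}
	}
	return nil, fmt.Errorf("no RSA key with kid %q in key set", kid)
}
// VerifyIDToken checks the RS256 signature, then iss, aud and exp, of a compact JWT.
func VerifyIDToken(token, issuer string, keys []JWK, clientID string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("malformed JWT")
	}
	hdrB, errH := enc.DecodeString(parts[0])
	bodyB, errB := enc.DecodeString(parts[1])
	sig, errS := enc.DecodeString(parts[2])
	if errH != nil || errB != nil || errS != nil {
		return nil, fmt.Errorf("malformed JWT encoding")
	}
	var hdr struct{ Alg, Kid string }
	if err := json.Unmarshal(hdrB, &hdr); err != nil || hdr.Alg != "RS256" {
		return nil, fmt.Errorf("unsupported JWT header alg %q", hdr.Alg)
	}
	pub, err := KeyFromJWKS(keys, hdr.Kid)
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return nil, fmt.Errorf("token signature validation failed (kid %q, key lookup: %v)", hdr.Kid, err)
	}
	var c Claims
	if err := json.Unmarshal(bodyB, &c); err != nil {
		return nil, err
	}
	if !AcceptIssuer(issuer, c.Iss) {
		return nil, fmt.Errorf("wrong issuer from token. Got: %s expected: %s", c.Iss, issuer)
	}
	if c.Aud != clientID || !now.Before(time.Unix(c.Exp, 0)) {
		return nil, fmt.Errorf("token not for this client (aud %q) or expired (exp %d)", c.Aud, c.Exp)
	}
	return &c, nil
}

// SignIDToken plays the provider's side: it mints an RS256 token under the given kid.
func SignIDToken(priv *rsa.PrivateKey, kid string, c Claims) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid})
	body, _ := json.Marshal(c)
	input := enc.EncodeToString(hdr) + "." + enc.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	return input + "." + enc.EncodeToString(sig)
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048) // Go always uses e = 65537, which is "AQAB" in the JWK
	keys := []JWK{{Kty: "RSA", Kid: "2015-05-a", N: enc.EncodeToString(priv.N.Bytes()), E: "AQAB"}}
	c := Claims{Iss: "accounts.google.com", Aud: "client-id-from-console", Exp: time.Now().Unix() + 600}
	_, err := VerifyIDToken(SignIDToken(priv, "2015-05-a", c), "https://accounts.google.com", keys, c.Aud, time.Now())
	fmt.Println("bare-host iss accepted and key resolved by kid; error:", err)
}
```

<p>Run it with <code>go run</code>: it mints a token whose <code>iss</code> is <code>accounts.google.com</code>, verifies it against the discovered issuer <code>https://accounts.google.com</code> and prints a nil error. In a real broker the key set is fetched over TLS from the <code>jwks_uri</code> in the discovery document and refetched when a token names a <code>kid</code> that is not cached; a <code>kid</code> that is still unknown after the refetch should fail exactly as <code>KeyFromJWKS</code> does here, never fall back to some other key.</p>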