<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">Hmm... is github working for you if you
omit the "truststore" configuration in keycloak-server.json and
use the default java cacerts file without any changes?<br>
<br>
Marek<br>
<br>
On 07/06/16 09:38, LI Ming wrote:<br>
</div>
<blockquote
cite="mid:81FBAB8F05BC6F418853660D9326281E1F142885@cnshjmbx03"
type="cite">
<div class="WordSection1">
<p class="MsoNormal"><span style="color:#1F497D" lang="EN-US">Marek,<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D" lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal" style="text-indent:9.6pt"><span
style="color:#1F497D" lang="EN-US">I already set truststore
file to the default java certificates file path in keycloak
configuration file
$KEYCLOAK_HOME/standalone/configuration/keycloak-server.json
as below:<o:p></o:p></span></p>
<pre><span style="color:#1F497D" lang="EN-US">"truststore": {
    "file": {
        "file": "/usr/java/jre/lib/security/cacerts",
        "password": "changeit",
        "hostname-verification-policy": "ANY",
        "disabled": false
    }
}</span></pre>
<p class="MsoNormal"><span style="color:#1F497D" lang="EN-US">
And I put my customer certificate file in it also.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D" lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D" lang="EN-US">Ming
Li<o:p></o:p></span></p>
<div>
<div style="border:none;border-top:solid #B5C4DF
1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal" style="text-align:left" align="left"><b>From:</b> Marek Posolda [<a class="moz-txt-link-freetext" href="mailto:mposolda@redhat.com">mailto:mposolda@redhat.com</a>]
<br>
<b>Sent:</b> Tuesday, June 07, 2016 3:17 PM<br>
<b>To:</b> LI Ming; <a class="moz-txt-link-abbreviated" href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a><br>
<b>Subject:</b> Re: [keycloak-user] When using Social
Identity Provider, it failed with failure "Connection
timed out"</p>
</div>
</div>
<p class="MsoNormal" style="text-align:left" align="left"><span
lang="EN-US"><o:p> </o:p></span></p>
<div>
<p class="MsoNormal"><span lang="EN-US">It seems that's
because Keycloak is not able to send backchannel request
to github due to github certificate not trusted.
<br>
<br>
Are you using custom truststore set with truststore SPI or
with "javax.net.ssl.truststore" system property? I think
that by default github SSL certificate is verified by
well-known CA, so it shouldn't be the issue to connect to
that if you use default Java file with certificates
(cacerts). However, if you have custom truststore set, then
default java cacerts file is possibly not used, so
well-known certificates like the one from github are not
trusted. We should likely have a solution, which will
allow to set custom truststore in addition to default java
cacerts file. But until we have it, you probably need to
manually create truststore file, where you import both the
"well-known" certificates together with your custom
certificates.<br>
<br>
Marek<br>
<br>
On 07/06/16 08:02, LI Ming wrote:<o:p></o:p></span></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal"><span lang="EN-US">Hi,<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> <o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> When I setup social
identity provider (GitHub) to authenticate the user, it
always failed with the below error:<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> <o:p></o:p></span></p>
<pre><span lang="EN-US">2016-06-07 00:49:05,349 ERROR [org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider] (default task-9) Failed to make identity provider oauth callback: java.net.ConnectException: Connection timed out
    at java.net.PlainSocketImpl.socketConnect(Native Method)
    at java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:350)
    at java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:206)
    at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:188)
    at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392)
    at java.net.Socket.connect(Socket.java:589)
    at sun.security.ssl.SSLSocketImpl.connect(SSLSocketImpl.java:668)
    at sun.security.ssl.BaseSSLSocketImpl.connect(BaseSSLSocketImpl.java:173)
    at sun.net.NetworkClient.doConnect(NetworkClient.java:180)
    at sun.net.www.http.HttpClient.openServer(HttpClient.java:432)
    at sun.net.www.http.HttpClient.openServer(HttpClient.java:527)
    at sun.net.www.protocol.https.HttpsClient.&lt;init&gt;(HttpsClient.java:264)
    at sun.net.www.protocol.https.HttpsClient.New(HttpsClient.java:367)
    at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.getNewHttpClient(AbstractDelegateHttpsURLConnection.java:191)
    at sun.net.www.protocol.http.HttpURLConnection.plainConnect0(HttpURLConnection.java:1105)
    at sun.net.www.protocol.http.HttpURLConnection.plainConnect(HttpURLConnection.java:999)
    at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:177)
    at sun.net.www.protocol.http.HttpURLConnection.getOutputStream0(HttpURLConnection.java:1283)
    at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:1258)
    at sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(HttpsURLConnectionImpl.java:250)
    at org.keycloak.broker.provider.util.SimpleHttp.asString(SimpleHttp.java:141)
    at org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider$Endpoint.authResponse(AbstractOAuth2IdentityProvider.java:228)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    …
2016-06-07 00:49:05,355 WARN [org.keycloak.events] (default task-9) type=LOGIN_ERROR, realmId=demo, clientId=null, userId=null, ipAddress=135.252.159.35, error=identity_provider_login_failure</span></pre>
<p class="MsoNormal"><span lang="EN-US"> <o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> Can you help to
identify the failure reason?<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> <o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> Thanks,<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> <o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">Ming Li<o:p></o:p></span></p>
</blockquote>
</div>
</blockquote>
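<p>The merged truststore described in the quoted reply (the well-known CA certificates together with the custom certificate in one file) can be built with the JDK's keytool. This is an added example, not part of the original thread or of Keycloak; the function name, alias, file paths and the SRC_PASS/DEST_PASS environment variable names are assumptions.</p>

```shell
#!/usr/bin/env bash
# Added example (not from the thread): build one truststore that holds the
# JDK's well-known CAs plus a custom certificate.
# Hypothetical names: build_merged_truststore, SRC_PASS, DEST_PASS, all paths.
# Passwords are read from environment variables through keytool's ":env"
# modifier so they do not appear in the process list.

# build_merged_truststore SRC_CACERTS CUSTOM_CERT ALIAS DEST
#   SRC_PASS  (env): password of SRC_CACERTS ("changeit" on a stock JDK)
#   DEST_PASS (env): password for the new truststore (6+ characters)
build_merged_truststore() {
    mt_src=$1; mt_cert=$2; mt_alias=$3; mt_dest=$4

    [ -r "$mt_src" ]  || { echo "cannot read $mt_src" >&2; return 1; }
    [ -r "$mt_cert" ] || { echo "cannot read $mt_cert" >&2; return 1; }
    # Refuse to overwrite, so the JDK's own cacerts is never edited in place.
    [ ! -e "$mt_dest" ] || { echo "$mt_dest already exists" >&2; return 1; }

    # 1. Copy every well-known CA entry into the new store.
    keytool -importkeystore -noprompt \
        -srckeystore "$mt_src"   -srcstorepass:env SRC_PASS \
        -destkeystore "$mt_dest" -deststorepass:env DEST_PASS \
        >/dev/null 2>&1 || { echo "copy of $mt_src failed" >&2; return 1; }

    # 2. Add the custom certificate as a trusted entry under its own alias.
    keytool -importcert -noprompt -alias "$mt_alias" -file "$mt_cert" \
        -keystore "$mt_dest" -storepass:env DEST_PASS \
        >/dev/null 2>&1 || { echo "import of $mt_cert failed" >&2; return 1; }

    # 3. Confirm the custom entry is present; the exit status is the result.
    keytool -list -alias "$mt_alias" -keystore "$mt_dest" \
        -storepass:env DEST_PASS >/dev/null 2>&1
}

# Constructed usage (paths and alias are placeholders):
#   export SRC_PASS=changeit DEST_PASS='<new-truststore-password>'
#   build_merged_truststore /usr/java/jre/lib/security/cacerts \
#       /path/to/custom-ca.pem custom-ca /path/to/merged-truststore.jks
```

<p>The "file" entry of the truststore block in keycloak-server.json then points at the new store. The quoted configuration also sets "hostname-verification-policy" to "ANY", which turns hostname verification off; the truststore SPI accepts WILDCARD and STRICT as well.</p>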
<br>
</body>
</html>