<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">Did you enable Google+ API in Google
admin console? Configuration of this is on Google side, not scopes
on Keycloak side on identityProvider page.<br>
<br>
Marek<br>
<br>
On 10/08/16 10:47, Sigbjørn Dybdahl wrote:<br>
</div>
<blockquote
cite="mid:CAJatmLFxFgDZOP_Z=Z9zv323L_yMJ4=afionayxARD=JNAePfA@mail.gmail.com"
type="cite">
<div dir="ltr">Hello,
<div><br>
</div>
<div>I'm trying to configure an instance of Keycloak using
version 2.1.0.CR1 and I've run into a problem when using the
Google Identity Provider with the default configuration. That
is, during the callback I observe
a org.keycloak.broker.provider.IdentityBrokerException: Could
not fetch attributes (see complete stacktrace below for
details) from userinfo endpoint which seems to be linked to
the 403 Forbidden return code when calling <a
moz-do-not-send="true"
href="https://www.googleapis.com/plus/v1/people/me/openIdConnect"><a class="moz-txt-link-freetext" href="https://www.googleapis.com/plus/v1/people/me/openIdConnect">https://www.googleapis.com/plus/v1/people/me/openIdConnect</a></a>. </div>
<div><br>
</div>
<div>This seems to be similar to <a moz-do-not-send="true"
href="https://issues.jboss.org/browse/KEYCLOAK-2942">https://issues.jboss.org/browse/KEYCLOAK-2942</a>,
but even when adding the additional Google+ scopes (making
scope=openid profile email <a moz-do-not-send="true"
href="https://www.googleapis.com/auth/plus.me">https://www.googleapis.com/auth/plus.me</a>
<a moz-do-not-send="true"
href="https://www.googleapis.com/auth/plus.login">https://www.googleapis.com/auth/plus.login</a>)
the call fails. As for JIRA-2942, I've tried setting up a
user-defined OpenId Connect provider with the default scope,
which works just fine.</div>
<div><br>
</div>
<div>Have I forgotten any important parameter while configuring
the standard Google support? Or is this a regression for this
release?</div>
<div><br>
</div>
<div><br>
</div>
<div>Regards,</div>
<div>Sigbjørn Dybdahl</div>
<div><br>
</div>
<div>---</div>
<div><br>
</div>
<div>Here's the complete stacktrace for the exception:</div>
<div>
<div><br>
</div>
<div>
<div>20:07:12,247 ERROR
[org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider]
(default task-20) Failed to make identity provider oauth
callback:
org.keycloak.broker.provider.IdentityBrokerException:
Could not fetch attributes from userinfo endpoint.</div>
<div> at
org.keycloak.broker.oidc.OIDCIdentityProvider.getFederatedIdentity(OIDCIdentityProvider.java:304)</div>
<div> at
org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider$Endpoint.authResponse(AbstractOAuth2IdentityProvider.java:230)</div>
<div> at
sun.reflect.NativeMethodAccessorImpl.invoke0(Native
Method)</div>
<div> at
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)</div>
<div> at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)</div>
<div> at java.lang.reflect.Method.invoke(Method.java:498)</div>
<div> at
org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:139)</div>
<div> at
org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295)</div>
<div> at
org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249)</div>
<div> at
org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:138)</div>
<div> at
org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107)</div>
<div> at
org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133)</div>
<div> at
org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:101)</div>
<div> at
org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:395)</div>
<div> at
org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:202)</div>
<div> at
org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:221)</div>
<div> at
org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)</div>
<div> at
org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)</div>
<div> at
javax.servlet.http.HttpServlet.service(HttpServlet.java:790)</div>
<div> at
io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)</div>
<div> at
io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)</div>
<div> at
org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90)</div>
<div> at
io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)</div>
<div> at
io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)</div>
<div> at
io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)</div>
<div> at
io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)</div>
<div> at
io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)</div>
<div> at
org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)</div>
<div> at
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)</div>
<div> at
io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)</div>
<div> at
io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)</div>
<div> at
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)</div>
<div> at
io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)</div>
<div> at
io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)</div>
<div> at
io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)</div>
<div> at
io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)</div>
<div> at
io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)</div>
<div> at
io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)</div>
<div> at
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)</div>
<div> at
org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)</div>
<div> at
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)</div>
<div> at
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)</div>
<div> at
io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:284)</div>
<div> at
io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263)</div>
<div> at
io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)</div>
<div> at
io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174)</div>
<div> at
io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)</div>
<div> at
io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793)</div>
<div> at
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)</div>
<div> at
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)</div>
<div> at java.lang.Thread.run(Thread.java:745)</div>
<div>Caused by: java.io.IOException: Server returned HTTP
response code: 403 for URL: <a moz-do-not-send="true"
href="https://www.googleapis.com/plus/v1/people/me/openIdConnect">https://www.googleapis.com/plus/v1/people/me/openIdConnect</a></div>
<div> at
sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native
Method)</div>
<div> at
sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)</div>
<div> at
sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)</div>
<div> at
java.lang.reflect.Constructor.newInstance(Constructor.java:423)</div>
<div> at
sun.net.www.protocol.http.HttpURLConnection$10.run(HttpURLConnection.java:1890)</div>
<div> at
sun.net.www.protocol.http.HttpURLConnection$10.run(HttpURLConnection.java:1885)</div>
<div> at
java.security.AccessController.doPrivileged(Native Method)</div>
<div> at
sun.net.www.protocol.http.HttpURLConnection.getChainedException(HttpURLConnection.java:1884)</div>
<div> at
sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1457)</div>
<div> at
sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1441)</div>
<div> at
sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:254)</div>
<div> at
org.keycloak.broker.provider.util.SimpleHttp.asString(SimpleHttp.java:148)</div>
<div> at
org.keycloak.broker.oidc.util.JsonSimpleHttp.asJson(JsonSimpleHttp.java:46)</div>
<div> at
org.keycloak.broker.oidc.OIDCIdentityProvider.getFederatedIdentity(OIDCIdentityProvider.java:267)</div>
<div> ... 50 more</div>
<div>Caused by: java.io.IOException: Server returned HTTP
response code: 403 for URL: <a moz-do-not-send="true"
href="https://www.googleapis.com/plus/v1/people/me/openIdConnect">https://www.googleapis.com/plus/v1/people/me/openIdConnect</a></div>
<div> at
sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1840)</div>
<div> at
sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1441)</div>
<div> at
sun.net.www.protocol.http.HttpURLConnection.getHeaderField(HttpURLConnection.java:2943)</div>
<div> at
sun.net.www.protocol.https.HttpsURLConnectionImpl.getHeaderField(HttpsURLConnectionImpl.java:291)</div>
<div> at
org.keycloak.broker.provider.util.SimpleHttp.asString(SimpleHttp.java:147)</div>
<div> ... 52 more</div>
<div><br>
</div>
</div>
</div>
</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
keycloak-user mailing list
<a class="moz-txt-link-abbreviated" href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a>
<a class="moz-txt-link-freetext" href="https://lists.jboss.org/mailman/listinfo/keycloak-user">https://lists.jboss.org/mailman/listinfo/keycloak-user</a></pre>
</blockquote>
<br>
</body>
</html>