<div dir="ltr">Ah, nice tip. My tests were made with a corporate account which has no permissions to enable such API, but I too slipped that part in docs.<div><br></div><div>Thanks</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Aug 10, 2016 at 11:03 AM, Sigbjørn Dybdahl <span dir="ltr"><<a href="mailto:sigbjorn@fifty-five.com" target="_blank">sigbjorn@fifty-five.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Thanks for you quick reply, Marek! <div><br></div><div>When re-reading the documentation now I see the part on enabling the Google+ API in the Google Developer console, which I apparently didn't pay attention to. It all works smoothly now, and I can remove the user-defined OpenId Connect provider.</div><div><br></div><div><br></div><div>Regards,</div><div>Sigbjørn</div><div><div class="h5"><div class="gmail_extra"><br><div class="gmail_quote">On 10 August 2016 at 11:49, Marek Posolda <span dir="ltr"><<a href="mailto:mposolda@redhat.com" target="_blank">mposolda@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<div>Did you enable Google+ API in Google
admin console? Configuration of this is on Google side, not scopes
on Keycloak side on identityProvider page.<br>
<br>
Marek<div><div><br>
<br>
On 10/08/16 10:47, Sigbjørn Dybdahl wrote:<br>
</div></div></div>
<blockquote type="cite"><div><div>
<div dir="ltr">Hello,
<div><br>
</div>
<div>I'm trying to configure an instance of Keycloak using
version 2.1.0.CR1 and I've run into a problem when using the
Google Identity Provider with the default configuration. That
is, during the callback I observe
a org.keycloak.broker.provider<wbr>.IdentityBrokerException: Could
not fetch attributes (see complete stacktrace below for
details) from userinfo endpoint which seems to be linked to
the 403 Forbidden return code when calling <a href="https://www.googleapis.com/plus/v1/people/me/openIdConnect" target="_blank"></a><a href="https://www.googleapis.com/plus/v1/people/me/openIdConnect" target="_blank">https://www.googleapis<wbr>.com/plus/v1/people/me/<wbr>openIdConnect</a>. </div>
<div><br>
</div>
<div>This seems to be similar to <a href="https://issues.jboss.org/browse/KEYCLOAK-2942" target="_blank">https://issues.jboss.org/br<wbr>owse/KEYCLOAK-2942</a>,
but even when adding the additional Google+ scopes (making
scope=openid profile email <a href="https://www.googleapis.com/auth/plus.me" target="_blank">https://www.googleapis.com/aut<wbr>h/plus.me</a>
<a href="https://www.googleapis.com/auth/plus.login" target="_blank">https://www.googleapis.com/aut<wbr>h/plus.login</a>)
the call fails. As for JIRA-2942, I've tried setting up a
user-defined OpenId Connect provider with the default scope,
which works just fine.</div>
<div><br>
</div>
<div>Have I forgotten any important parameter while configuring
the standard Google support? Or is this a regression for this
release?</div>
<div><br>
</div>
<div><br>
</div>
<div>Regards,</div>
<div>Sigbjørn Dybdahl</div>
<div><br>
</div>
<div>---</div>
<div><br>
</div>
<div>Here's the complete stacktrace for the exception:</div>
<div>
<div><br>
</div>
<div>
<div>20:07:12,247 ERROR
[org.keycloak.broker.oidc.Abst<wbr>ractOAuth2IdentityProvider]
(default task-20) Failed to make identity provider oauth
callback:
org.keycloak.broker.provider.I<wbr>dentityBrokerException:
Could not fetch attributes from userinfo endpoint.</div>
<div> at
org.keycloak.broker.oidc.OIDCI<wbr>dentityProvider.getFederatedId<wbr>entity(OIDCIdentityProvider.<wbr>java:304)</div>
<div> at
org.keycloak.broker.oidc.Abstr<wbr>actOAuth2IdentityProvider$<wbr>Endpoint.authResponse(Abstract<wbr>OAuth2IdentityProvider.java:<wbr>230)</div>
<div> at
sun.reflect.NativeMethodAccess<wbr>orImpl.invoke0(Native
Method)</div>
<div> at
sun.reflect.NativeMethodAccess<wbr>orImpl.invoke(NativeMethodAcce<wbr>ssorImpl.java:62)</div>
<div> at
sun.reflect.DelegatingMethodAc<wbr>cessorImpl.invoke(DelegatingMe<wbr>thodAccessorImpl.java:43)</div>
<div> at java.lang.reflect.Method.invok<wbr>e(Method.java:498)</div>
<div> at
org.jboss.resteasy.core.Method<wbr>InjectorImpl.invoke(MethodInje<wbr>ctorImpl.java:139)</div>
<div> at
org.jboss.resteasy.core.Resour<wbr>ceMethodInvoker.invokeOnTarget<wbr>(ResourceMethodInvoker.java:29<wbr>5)</div>
<div> at
org.jboss.resteasy.core.Resour<wbr>ceMethodInvoker.invoke(Resourc<wbr>eMethodInvoker.java:249)</div>
<div> at
org.jboss.resteasy.core.Resour<wbr>ceLocatorInvoker.invokeOnTarge<wbr>tObject(ResourceLocatorInvoker<wbr>.java:138)</div>
<div> at
org.jboss.resteasy.core.Resour<wbr>ceLocatorInvoker.invoke(Resour<wbr>ceLocatorInvoker.java:107)</div>
<div> at
org.jboss.resteasy.core.Resour<wbr>ceLocatorInvoker.invokeOnTarge<wbr>tObject(ResourceLocatorInvoker<wbr>.java:133)</div>
<div> at
org.jboss.resteasy.core.Resour<wbr>ceLocatorInvoker.invoke(Resour<wbr>ceLocatorInvoker.java:101)</div>
<div> at
org.jboss.resteasy.core.Synchr<wbr>onousDispatcher.invoke(Synchro<wbr>nousDispatcher.java:395)</div>
<div> at
org.jboss.resteasy.core.Synchr<wbr>onousDispatcher.invoke(Synchro<wbr>nousDispatcher.java:202)</div>
<div> at
org.jboss.resteasy.plugins.ser<wbr>ver.servlet.ServletContainerDi<wbr>spatcher.service(ServletContai<wbr>nerDispatcher.java:221)</div>
<div> at
org.jboss.resteasy.plugins.ser<wbr>ver.servlet.HttpServletDispatc<wbr>her.service(HttpServletDispatc<wbr>her.java:56)</div>
<div> at
org.jboss.resteasy.plugins.ser<wbr>ver.servlet.HttpServletDispatc<wbr>her.service(HttpServletDispatc<wbr>her.java:51)</div>
<div> at
javax.servlet.http.HttpServlet<wbr>.service(HttpServlet.java:790)</div>
<div> at
io.undertow.servlet.handlers.S<wbr>ervletHandler.handleRequest(Se<wbr>rvletHandler.java:85)</div>
<div> at
io.undertow.servlet.handlers.F<wbr>ilterHandler$FilterChainImpl.d<wbr>oFilter(FilterHandler.java:129<wbr>)</div>
<div> at
org.keycloak.services.filters.<wbr>KeycloakSessionServletFilter.d<wbr>oFilter(KeycloakSessionServlet<wbr>Filter.java:90)</div>
<div> at
io.undertow.servlet.core.Manag<wbr>edFilter.doFilter(ManagedFilte<wbr>r.java:60)</div>
<div> at
io.undertow.servlet.handlers.F<wbr>ilterHandler$FilterChainImpl.d<wbr>oFilter(FilterHandler.java:131<wbr>)</div>
<div> at
io.undertow.servlet.handlers.F<wbr>ilterHandler.handleRequest(Fil<wbr>terHandler.java:84)</div>
<div> at
io.undertow.servlet.handlers.s<wbr>ecurity.ServletSecurityRoleHan<wbr>dler.handleRequest(ServletSecu<wbr>rityRoleHandler.java:62)</div>
<div> at
io.undertow.servlet.handlers.S<wbr>ervletDispatchingHandler.handl<wbr>eRequest(ServletDispatchingHan<wbr>dler.java:36)</div>
<div> at
org.wildfly.extension.undertow<wbr>.security.SecurityContextAssoc<wbr>iationHandler.handleRequest(Se<wbr>curityContextAssociationHandle<wbr>r.java:78)</div>
<div> at
<a href="http://io.undertow.server.handlers.Pr">io.undertow.server.handlers.Pr</a><wbr>edicateHandler.handleRequest(P<wbr>redicateHandler.java:43)</div>
<div> at
io.undertow.servlet.handlers.s<wbr>ecurity.SSLInformationAssociat<wbr>ionHandler.handleRequest(SSLIn<wbr>formationAssociationHandler.<wbr>java:131)</div>
<div> at
io.undertow.servlet.handlers.s<wbr>ecurity.ServletAuthenticationC<wbr>allHandler.handleRequest(Servl<wbr>etAuthenticationCallHandler.<wbr>java:57)</div>
<div> at
<a href="http://io.undertow.server.handlers.Pr">io.undertow.server.handlers.Pr</a><wbr>edicateHandler.handleRequest(P<wbr>redicateHandler.java:43)</div>
<div> at
io.undertow.security.handlers.<wbr>AbstractConfidentialityHandler<wbr>.handleRequest(AbstractConfide<wbr>ntialityHandler.java:46)</div>
<div> at
io.undertow.servlet.handlers.s<wbr>ecurity.ServletConfidentiality<wbr>ConstraintHandler.<wbr>handleRequest(ServletConfident<wbr>ialityConstraintHandler.java:<wbr>64)</div>
<div> at
io.undertow.security.handlers.<wbr>AuthenticationMechanismsHandle<wbr>r.handleRequest(Authentication<wbr>MechanismsHandler.java:60)</div>
<div> at
io.undertow.servlet.handlers.s<wbr>ecurity.CachedAuthenticatedSes<wbr>sionHandler.handleRequest(Cach<wbr>edAuthenticatedSessionHandler.<wbr>java:77)</div>
<div> at
io.undertow.security.handlers.<wbr>NotificationReceiverHandler.ha<wbr>ndleRequest(NotificationReceiv<wbr>erHandler.java:50)</div>
<div> at
io.undertow.security.handlers.<wbr>AbstractSecurityContextAssocia<wbr>tionHandler.handleRequest(Abst<wbr>ractSecurityContextAssociation<wbr>Handler.java:43)</div>
<div> at
<a href="http://io.undertow.server.handlers.Pr">io.undertow.server.handlers.Pr</a><wbr>edicateHandler.handleRequest(P<wbr>redicateHandler.java:43)</div>
<div> at
org.wildfly.extension.undertow<wbr>.security.jacc.JACCContextIdHa<wbr>ndler.handleRequest(JACCContex<wbr>tIdHandler.java:61)</div>
<div> at
<a href="http://io.undertow.server.handlers.Pr">io.undertow.server.handlers.Pr</a><wbr>edicateHandler.handleRequest(P<wbr>redicateHandler.java:43)</div>
<div> at
<a href="http://io.undertow.server.handlers.Pr">io.undertow.server.handlers.Pr</a><wbr>edicateHandler.handleRequest(P<wbr>redicateHandler.java:43)</div>
<div> at
io.undertow.servlet.handlers.S<wbr>ervletInitialHandler.handleFir<wbr>stRequest(ServletInitialHandle<wbr>r.java:284)</div>
<div> at
io.undertow.servlet.handlers.S<wbr>ervletInitialHandler.dispatchR<wbr>equest(ServletInitialHandler.<wbr>java:263)</div>
<div> at
io.undertow.servlet.handlers.S<wbr>ervletInitialHandler.access$00<wbr>0(ServletInitialHandler.java:<wbr>81)</div>
<div> at
io.undertow.servlet.handlers.S<wbr>ervletInitialHandler$1.handleR<wbr>equest(ServletInitialHandler.<wbr>java:174)</div>
<div> at
io.undertow.server.Connectors.<wbr>executeRootHandler(Connectors.<wbr>java:202)</div>
<div> at
io.undertow.server.HttpServerE<wbr>xchange$1.run(HttpServerExchan<wbr>ge.java:793)</div>
<div> at
java.util.concurrent.ThreadPoo<wbr>lExecutor.runWorker(ThreadPool<wbr>Executor.java:1142)</div>
<div> at
java.util.concurrent.ThreadPoo<wbr>lExecutor$Worker.run(ThreadPoo<wbr>lExecutor.java:617)</div>
<div> at java.lang.Thread.run(Thread.ja<wbr>va:745)</div>
<div>Caused by: java.io.IOException: Server returned HTTP
response code: 403 for URL: <a href="https://www.googleapis.com/plus/v1/people/me/openIdConnect" target="_blank">https://www.googleapis.com/plu<wbr>s/v1/people/me/openIdConnect</a></div>
<div> at
sun.reflect.NativeConstructorA<wbr>ccessorImpl.newInstance0(<wbr>Native
Method)</div>
<div> at
sun.reflect.NativeConstructorA<wbr>ccessorImpl.newInstance(Native<wbr>ConstructorAccessorImpl.java:<wbr>62)</div>
<div> at
sun.reflect.DelegatingConstruc<wbr>torAccessorImpl.newInstance(De<wbr>legatingConstructorAccessorImp<wbr>l.java:45)</div>
<div> at
java.lang.reflect.Constructor.<wbr>newInstance(Constructor.java:4<wbr>23)</div>
<div> at
sun.net.www.protocol.http.Http<wbr>URLConnection$10.run(HttpURLCo<wbr>nnection.java:1890)</div>
<div> at
sun.net.www.protocol.http.Http<wbr>URLConnection$10.run(HttpURLCo<wbr>nnection.java:1885)</div>
<div> at
java.security.AccessController<wbr>.doPrivileged(Native Method)</div>
<div> at
sun.net.www.protocol.http.Http<wbr>URLConnection.getChainedExcept<wbr>ion(HttpURLConnection.java:<wbr>1884)</div>
<div> at
sun.net.www.protocol.http.Http<wbr>URLConnection.getInputStream0(<wbr>HttpURLConnection.java:1457)</div>
<div> at
sun.net.www.protocol.http.Http<wbr>URLConnection.getInputStream(H<wbr>ttpURLConnection.java:1441)</div>
<div> at
sun.net.www.protocol.https.Htt<wbr>psURLConnectionImpl.getInputSt<wbr>ream(HttpsURLConnectionImpl.<wbr>java:254)</div>
<div> at
org.keycloak.broker.provider.u<wbr>til.SimpleHttp.asString(Simple<wbr>Http.java:148)</div>
<div> at
org.keycloak.broker.oidc.util.<wbr>JsonSimpleHttp.asJson(JsonSimp<wbr>leHttp.java:46)</div>
<div> at
org.keycloak.broker.oidc.OIDCI<wbr>dentityProvider.getFederatedId<wbr>entity(OIDCIdentityProvider.<wbr>java:267)</div>
<div> ... 50 more</div>
<div>Caused by: java.io.IOException: Server returned HTTP
response code: 403 for URL: <a href="https://www.googleapis.com/plus/v1/people/me/openIdConnect" target="_blank">https://www.googleapis.com/plu<wbr>s/v1/people/me/openIdConnect</a></div>
<div> at
sun.net.www.protocol.http.Http<wbr>URLConnection.getInputStream0(<wbr>HttpURLConnection.java:1840)</div>
<div> at
sun.net.www.protocol.http.Http<wbr>URLConnection.getInputStream(H<wbr>ttpURLConnection.java:1441)</div>
<div> at
sun.net.www.protocol.http.Http<wbr>URLConnection.getHeaderField(H<wbr>ttpURLConnection.java:2943)</div>
<div> at
sun.net.www.protocol.https.Htt<wbr>psURLConnectionImpl.getHeaderF<wbr>ield(HttpsURLConnectionImpl.<wbr>java:291)</div>
<div> at
org.keycloak.broker.provider.u<wbr>til.SimpleHttp.asString(Simple<wbr>Http.java:147)</div>
<div> ... 52 more</div>
<div><br>
</div>
</div>
</div>
</div>
<br>
<fieldset></fieldset>
<br>
</div></div><pre>______________________________<wbr>_________________
keycloak-user mailing list
<a href="mailto:keycloak-user@lists.jboss.org" target="_blank">keycloak-user@lists.jboss.org</a>
<a href="https://lists.jboss.org/mailman/listinfo/keycloak-user" target="_blank">https://lists.jboss.org/mailma<wbr>n/listinfo/keycloak-user</a></pre>
</blockquote>
<br>
</div>
</blockquote></div><div><br></div>
</div></div></div></div>
<br>______________________________<wbr>_________________<br>
keycloak-user mailing list<br>
<a href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a><br>
<a href="https://lists.jboss.org/mailman/listinfo/keycloak-user" rel="noreferrer" target="_blank">https://lists.jboss.org/<wbr>mailman/listinfo/keycloak-user</a><br></blockquote></div><br><br clear="all"><div><br></div>-- <br><div class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><div class="gmail_signature" data-smartmail="gmail_signature"><p style="font-size:13px;color:rgb(80,0,80);font-family:'Times New Roman',serif;margin:0in 0in 0.0001pt"><b style="line-height:11.25pt;background-color:transparent"><span style="font-family:Helvetica,sans-serif;color:rgb(61,55,50)">Paulo Pires</span></b></p><p style="font-size:13px;font-family:'Times New Roman',serif;color:rgb(80,0,80);margin:0in 0in 0.0001pt;line-height:12pt"><span style="font-family:Helvetica,sans-serif;color:rgb(61,55,50)">senior infrastructure engineer | </span><a href="http://www.google.com/url?q=http%3A%2F%2Flittlebits.cc%2F&sa=D&sntz=1&usg=AFrqEzdmD1TfneYzn_vRGBO0a4wHpG-Ivg" style="color:rgb(120,43,144);font-family:Helvetica" target="_blank">littleBits</a></p><p style="font-size:12.8px;margin:0in 0in 0.0001pt;line-height:12pt"><font face="arial, helvetica, sans-serif" size="1"><b><font color="#212121">T</font></b> (917) 464-4577</font><font face="arial, helvetica, sans-serif" size="1"><br></font><a href="https://youtu.be/fMg5QPQQOOI" style="font-family:Helvetica,sans-serif;font-size:x-small" target="_blank">unleash your inner inventor.</a></p></div></div></div>
</div>