<div dir="ltr">Ah, nice tip. My tests were made with a corporate account which has no permissions to enable such API, but I too slipped that part in docs.<div><br></div><div>Thanks</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Aug 10, 2016 at 11:03 AM, Sigbjørn Dybdahl <span dir="ltr">&lt;<a href="mailto:sigbjorn@fifty-five.com" target="_blank">sigbjorn@fifty-five.com</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Thanks for your quick reply, Marek! <div><br></div><div>When re-reading the documentation now I see the part on enabling the Google+ API in the Google Developer console, which I apparently didn&#39;t pay attention to. It all works smoothly now, and I can remove the user-defined OpenId Connect provider.</div><div><br></div><div><br></div><div>Regards,</div><div>Sigbjørn</div><div><div class="h5"><div class="gmail_extra"><br><div class="gmail_quote">On 10 August 2016 at 11:49, Marek Posolda <span dir="ltr">&lt;<a href="mailto:mposolda@redhat.com" target="_blank">mposolda@redhat.com</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
  
    
  
  <div bgcolor="#FFFFFF" text="#000000">
    <div>Did you enable Google+ API in Google
      admin console? Configuration of this is on Google side, not scopes
      on Keycloak side on identityProvider page.<br>
      <br>
      Marek<div><div><br>
      <br>
      On 10/08/16 10:47, Sigbjørn Dybdahl wrote:<br>
    </div></div></div>
    <blockquote type="cite"><div><div>
      <div dir="ltr">Hello,
        <div><br>
        </div>
        <div>I&#39;m trying to configure an instance of Keycloak using
          version 2.1.0.CR1 and I&#39;ve run into a problem when using the
          Google Identity Provider with the default configuration. That
          is, during the callback I observe
          an org.keycloak.broker.provider<wbr>.IdentityBrokerException: Could
          not fetch attributes (see complete stacktrace below for
          details) from userinfo endpoint which seems to be linked to
          the 403 Forbidden return code when calling <a href="https://www.googleapis.com/plus/v1/people/me/openIdConnect" target="_blank">https://www.googleapis<wbr>.com/plus/v1/people/me/<wbr>openIdConnect</a>. </div>
        <div><br>
        </div>
        <div>This seems to be similar to <a href="https://issues.jboss.org/browse/KEYCLOAK-2942" target="_blank">https://issues.jboss.org/br<wbr>owse/KEYCLOAK-2942</a>,
          but even when adding the additional Google+ scopes (making
          scope=openid profile email <a href="https://www.googleapis.com/auth/plus.me" target="_blank">https://www.googleapis.com/aut<wbr>h/plus.me</a>
          <a href="https://www.googleapis.com/auth/plus.login" target="_blank">https://www.googleapis.com/aut<wbr>h/plus.login</a>)
          the call fails. As for JIRA-2942, I&#39;ve tried setting up a
          user-defined OpenId Connect provider with the default scope,
          which works just fine.</div>
        <div><br>
        </div>
        <div>Have I forgotten any important parameter while configuring
          the standard Google support? Or is this a regression for this
          release?</div>
        <div><br>
        </div>
        <div><br>
        </div>
        <div>Regards,</div>
        <div>Sigbjørn Dybdahl</div>
        <div><br>
        </div>
        <div>---</div>
        <div><br>
        </div>
        <div>Here&#39;s the complete stacktrace for the exception:</div>
        <div>
          <div><br>
          </div>
          <div>
            <div>20:07:12,247 ERROR
              [org.keycloak.broker.oidc.Abst<wbr>ractOAuth2IdentityProvider]
              (default task-20) Failed to make identity provider oauth
              callback:
              org.keycloak.broker.provider.I<wbr>dentityBrokerException:
              Could not fetch attributes from userinfo endpoint.</div>
            <div>    at
org.keycloak.broker.oidc.OIDCI<wbr>dentityProvider.getFederatedId<wbr>entity(OIDCIdentityProvider.<wbr>java:304)</div>
            <div>    at
org.keycloak.broker.oidc.Abstr<wbr>actOAuth2IdentityProvider$<wbr>Endpoint.authResponse(Abstract<wbr>OAuth2IdentityProvider.java:<wbr>230)</div>
            <div>    at
              sun.reflect.NativeMethodAccess<wbr>orImpl.invoke0(Native
              Method)</div>
            <div>    at
sun.reflect.NativeMethodAccess<wbr>orImpl.invoke(NativeMethodAcce<wbr>ssorImpl.java:62)</div>
            <div>    at
sun.reflect.DelegatingMethodAc<wbr>cessorImpl.invoke(DelegatingMe<wbr>thodAccessorImpl.java:43)</div>
            <div>    at java.lang.reflect.Method.invok<wbr>e(Method.java:498)</div>
            <div>    at
org.jboss.resteasy.core.Method<wbr>InjectorImpl.invoke(MethodInje<wbr>ctorImpl.java:139)</div>
            <div>    at
org.jboss.resteasy.core.Resour<wbr>ceMethodInvoker.invokeOnTarget<wbr>(ResourceMethodInvoker.java:29<wbr>5)</div>
            <div>    at
org.jboss.resteasy.core.Resour<wbr>ceMethodInvoker.invoke(Resourc<wbr>eMethodInvoker.java:249)</div>
            <div>    at
org.jboss.resteasy.core.Resour<wbr>ceLocatorInvoker.invokeOnTarge<wbr>tObject(ResourceLocatorInvoker<wbr>.java:138)</div>
            <div>    at
org.jboss.resteasy.core.Resour<wbr>ceLocatorInvoker.invoke(Resour<wbr>ceLocatorInvoker.java:107)</div>
            <div>    at
org.jboss.resteasy.core.Resour<wbr>ceLocatorInvoker.invokeOnTarge<wbr>tObject(ResourceLocatorInvoker<wbr>.java:133)</div>
            <div>    at
org.jboss.resteasy.core.Resour<wbr>ceLocatorInvoker.invoke(Resour<wbr>ceLocatorInvoker.java:101)</div>
            <div>    at
org.jboss.resteasy.core.Synchr<wbr>onousDispatcher.invoke(Synchro<wbr>nousDispatcher.java:395)</div>
            <div>    at
org.jboss.resteasy.core.Synchr<wbr>onousDispatcher.invoke(Synchro<wbr>nousDispatcher.java:202)</div>
            <div>    at
org.jboss.resteasy.plugins.ser<wbr>ver.servlet.ServletContainerDi<wbr>spatcher.service(ServletContai<wbr>nerDispatcher.java:221)</div>
            <div>    at
org.jboss.resteasy.plugins.ser<wbr>ver.servlet.HttpServletDispatc<wbr>her.service(HttpServletDispatc<wbr>her.java:56)</div>
            <div>    at
org.jboss.resteasy.plugins.ser<wbr>ver.servlet.HttpServletDispatc<wbr>her.service(HttpServletDispatc<wbr>her.java:51)</div>
            <div>    at
              javax.servlet.http.HttpServlet<wbr>.service(HttpServlet.java:790)</div>
            <div>    at
io.undertow.servlet.handlers.S<wbr>ervletHandler.handleRequest(Se<wbr>rvletHandler.java:85)</div>
            <div>    at
io.undertow.servlet.handlers.F<wbr>ilterHandler$FilterChainImpl.d<wbr>oFilter(FilterHandler.java:129<wbr>)</div>
            <div>    at
org.keycloak.services.filters.<wbr>KeycloakSessionServletFilter.d<wbr>oFilter(KeycloakSessionServlet<wbr>Filter.java:90)</div>
            <div>    at
              io.undertow.servlet.core.Manag<wbr>edFilter.doFilter(ManagedFilte<wbr>r.java:60)</div>
            <div>    at
io.undertow.servlet.handlers.F<wbr>ilterHandler$FilterChainImpl.d<wbr>oFilter(FilterHandler.java:131<wbr>)</div>
            <div>    at
io.undertow.servlet.handlers.F<wbr>ilterHandler.handleRequest(Fil<wbr>terHandler.java:84)</div>
            <div>    at
io.undertow.servlet.handlers.s<wbr>ecurity.ServletSecurityRoleHan<wbr>dler.handleRequest(ServletSecu<wbr>rityRoleHandler.java:62)</div>
            <div>    at
io.undertow.servlet.handlers.S<wbr>ervletDispatchingHandler.handl<wbr>eRequest(ServletDispatchingHan<wbr>dler.java:36)</div>
            <div>    at
org.wildfly.extension.undertow<wbr>.security.SecurityContextAssoc<wbr>iationHandler.handleRequest(Se<wbr>curityContextAssociationHandle<wbr>r.java:78)</div>
            <div>    at
<a href="http://io.undertow.server.handlers.Pr">io.undertow.server.handlers.Pr</a><wbr>edicateHandler.handleRequest(P<wbr>redicateHandler.java:43)</div>
            <div>    at
io.undertow.servlet.handlers.s<wbr>ecurity.SSLInformationAssociat<wbr>ionHandler.handleRequest(SSLIn<wbr>formationAssociationHandler.<wbr>java:131)</div>
            <div>    at
io.undertow.servlet.handlers.s<wbr>ecurity.ServletAuthenticationC<wbr>allHandler.handleRequest(Servl<wbr>etAuthenticationCallHandler.<wbr>java:57)</div>
            <div>    at
<a href="http://io.undertow.server.handlers.Pr">io.undertow.server.handlers.Pr</a><wbr>edicateHandler.handleRequest(P<wbr>redicateHandler.java:43)</div>
            <div>    at
io.undertow.security.handlers.<wbr>AbstractConfidentialityHandler<wbr>.handleRequest(AbstractConfide<wbr>ntialityHandler.java:46)</div>
            <div>    at
io.undertow.servlet.handlers.s<wbr>ecurity.ServletConfidentiality<wbr>ConstraintHandler.<wbr>handleRequest(ServletConfident<wbr>ialityConstraintHandler.java:<wbr>64)</div>
            <div>    at
io.undertow.security.handlers.<wbr>AuthenticationMechanismsHandle<wbr>r.handleRequest(Authentication<wbr>MechanismsHandler.java:60)</div>
            <div>    at
io.undertow.servlet.handlers.s<wbr>ecurity.CachedAuthenticatedSes<wbr>sionHandler.handleRequest(Cach<wbr>edAuthenticatedSessionHandler.<wbr>java:77)</div>
            <div>    at
io.undertow.security.handlers.<wbr>NotificationReceiverHandler.ha<wbr>ndleRequest(NotificationReceiv<wbr>erHandler.java:50)</div>
            <div>    at
io.undertow.security.handlers.<wbr>AbstractSecurityContextAssocia<wbr>tionHandler.handleRequest(Abst<wbr>ractSecurityContextAssociation<wbr>Handler.java:43)</div>
            <div>    at
<a href="http://io.undertow.server.handlers.Pr">io.undertow.server.handlers.Pr</a><wbr>edicateHandler.handleRequest(P<wbr>redicateHandler.java:43)</div>
            <div>    at
org.wildfly.extension.undertow<wbr>.security.jacc.JACCContextIdHa<wbr>ndler.handleRequest(JACCContex<wbr>tIdHandler.java:61)</div>
            <div>    at
<a href="http://io.undertow.server.handlers.Pr">io.undertow.server.handlers.Pr</a><wbr>edicateHandler.handleRequest(P<wbr>redicateHandler.java:43)</div>
            <div>    at
<a href="http://io.undertow.server.handlers.Pr">io.undertow.server.handlers.Pr</a><wbr>edicateHandler.handleRequest(P<wbr>redicateHandler.java:43)</div>
            <div>    at
io.undertow.servlet.handlers.S<wbr>ervletInitialHandler.handleFir<wbr>stRequest(ServletInitialHandle<wbr>r.java:284)</div>
            <div>    at
io.undertow.servlet.handlers.S<wbr>ervletInitialHandler.dispatchR<wbr>equest(ServletInitialHandler.<wbr>java:263)</div>
            <div>    at
io.undertow.servlet.handlers.S<wbr>ervletInitialHandler.access$00<wbr>0(ServletInitialHandler.java:<wbr>81)</div>
            <div>    at
io.undertow.servlet.handlers.S<wbr>ervletInitialHandler$1.handleR<wbr>equest(ServletInitialHandler.<wbr>java:174)</div>
            <div>    at
              io.undertow.server.Connectors.<wbr>executeRootHandler(Connectors.<wbr>java:202)</div>
            <div>    at
              io.undertow.server.HttpServerE<wbr>xchange$1.run(HttpServerExchan<wbr>ge.java:793)</div>
            <div>    at
java.util.concurrent.ThreadPoo<wbr>lExecutor.runWorker(ThreadPool<wbr>Executor.java:1142)</div>
            <div>    at
java.util.concurrent.ThreadPoo<wbr>lExecutor$Worker.run(ThreadPoo<wbr>lExecutor.java:617)</div>
            <div>    at java.lang.Thread.run(Thread.ja<wbr>va:745)</div>
            <div>Caused by: java.io.IOException: Server returned HTTP
              response code: 403 for URL: <a href="https://www.googleapis.com/plus/v1/people/me/openIdConnect" target="_blank">https://www.googleapis.com/plu<wbr>s/v1/people/me/openIdConnect</a></div>
            <div>    at
              sun.reflect.NativeConstructorA<wbr>ccessorImpl.newInstance0(<wbr>Native
              Method)</div>
            <div>    at
sun.reflect.NativeConstructorA<wbr>ccessorImpl.newInstance(Native<wbr>ConstructorAccessorImpl.java:<wbr>62)</div>
            <div>    at
sun.reflect.DelegatingConstruc<wbr>torAccessorImpl.newInstance(De<wbr>legatingConstructorAccessorImp<wbr>l.java:45)</div>
            <div>    at
              java.lang.reflect.Constructor.<wbr>newInstance(Constructor.java:4<wbr>23)</div>
            <div>    at
sun.net.www.protocol.http.Http<wbr>URLConnection$10.run(HttpURLCo<wbr>nnection.java:1890)</div>
            <div>    at
sun.net.www.protocol.http.Http<wbr>URLConnection$10.run(HttpURLCo<wbr>nnection.java:1885)</div>
            <div>    at
              java.security.AccessController<wbr>.doPrivileged(Native Method)</div>
            <div>    at
sun.net.www.protocol.http.Http<wbr>URLConnection.getChainedExcept<wbr>ion(HttpURLConnection.java:<wbr>1884)</div>
            <div>    at
sun.net.www.protocol.http.Http<wbr>URLConnection.getInputStream0(<wbr>HttpURLConnection.java:1457)</div>
            <div>    at
sun.net.www.protocol.http.Http<wbr>URLConnection.getInputStream(H<wbr>ttpURLConnection.java:1441)</div>
            <div>    at
sun.net.www.protocol.https.Htt<wbr>psURLConnectionImpl.getInputSt<wbr>ream(HttpsURLConnectionImpl.<wbr>java:254)</div>
            <div>    at
org.keycloak.broker.provider.u<wbr>til.SimpleHttp.asString(Simple<wbr>Http.java:148)</div>
            <div>    at
org.keycloak.broker.oidc.util.<wbr>JsonSimpleHttp.asJson(JsonSimp<wbr>leHttp.java:46)</div>
            <div>    at
org.keycloak.broker.oidc.OIDCI<wbr>dentityProvider.getFederatedId<wbr>entity(OIDCIdentityProvider.<wbr>java:267)</div>
            <div>    ... 50 more</div>
            <div>Caused by: java.io.IOException: Server returned HTTP
              response code: 403 for URL: <a href="https://www.googleapis.com/plus/v1/people/me/openIdConnect" target="_blank">https://www.googleapis.com/plu<wbr>s/v1/people/me/openIdConnect</a></div>
            <div>    at
sun.net.www.protocol.http.Http<wbr>URLConnection.getInputStream0(<wbr>HttpURLConnection.java:1840)</div>
            <div>    at
sun.net.www.protocol.http.Http<wbr>URLConnection.getInputStream(H<wbr>ttpURLConnection.java:1441)</div>
            <div>    at
sun.net.www.protocol.http.Http<wbr>URLConnection.getHeaderField(H<wbr>ttpURLConnection.java:2943)</div>
            <div>    at
sun.net.www.protocol.https.Htt<wbr>psURLConnectionImpl.getHeaderF<wbr>ield(HttpsURLConnectionImpl.<wbr>java:291)</div>
            <div>    at
org.keycloak.broker.provider.u<wbr>til.SimpleHttp.asString(Simple<wbr>Http.java:147)</div>
            <div>    ... 52 more</div>
            <div><br>
            </div>
          </div>
        </div>
      </div>
      <br>
      <fieldset></fieldset>
      <br>
      </div></div><pre>______________________________<wbr>_________________
keycloak-user mailing list
<a href="mailto:keycloak-user@lists.jboss.org" target="_blank">keycloak-user@lists.jboss.org</a>
<a href="https://lists.jboss.org/mailman/listinfo/keycloak-user" target="_blank">https://lists.jboss.org/mailma<wbr>n/listinfo/keycloak-user</a></pre>
    </blockquote>
    <br>
  </div>

</blockquote></div><div><br></div>
</div></div></div></div>
</blockquote></div><br><br clear="all"><div><br></div>-- <br><div class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><div class="gmail_signature" data-smartmail="gmail_signature"><p style="font-size:13px;color:rgb(80,0,80);font-family:&#39;Times New Roman&#39;,serif;margin:0in 0in 0.0001pt"><b style="line-height:11.25pt;background-color:transparent"><span style="font-family:Helvetica,sans-serif;color:rgb(61,55,50)">Paulo Pires</span></b></p><p style="font-size:13px;font-family:&#39;Times New Roman&#39;,serif;color:rgb(80,0,80);margin:0in 0in 0.0001pt;line-height:12pt"><span style="font-family:Helvetica,sans-serif;color:rgb(61,55,50)">senior infrastructure engineer | </span><a href="http://www.google.com/url?q=http%3A%2F%2Flittlebits.cc%2F&amp;sa=D&amp;sntz=1&amp;usg=AFrqEzdmD1TfneYzn_vRGBO0a4wHpG-Ivg" style="color:rgb(120,43,144);font-family:Helvetica" target="_blank">littleBits</a></p><p style="font-size:12.8px;margin:0in 0in 0.0001pt;line-height:12pt"><font face="arial, helvetica, sans-serif" size="1"><b><font color="#212121">T</font></b> (917) 464-4577</font><font face="arial, helvetica, sans-serif" size="1"><br></font><a href="https://youtu.be/fMg5QPQQOOI" style="font-family:Helvetica,sans-serif;font-size:x-small" target="_blank">unleash your inner inventor.</a></p></div></div></div>
</div>
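<p>Added example, not part of the original thread and not Keycloak code: a small log triage script for the failure discussed above. It finds each "Could not fetch attributes from userinfo endpoint" entry and pulls the HTTP status and URL from its innermost "Caused by" line, so a provider-side 403 stands out from a scope problem in Keycloak. The function names and the sample log (constructed, abridged from the trace quoted in the thread) are assumptions.</p>

```python
import re
from urllib.parse import urlsplit

# Constructed sample, abridged from the log format quoted in the thread.
SAMPLE_LOG = """\
20:07:12,247 ERROR [org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider] (default task-20) Failed to make identity provider oauth callback: org.keycloak.broker.provider.IdentityBrokerException: Could not fetch attributes from userinfo endpoint.
    at org.keycloak.broker.oidc.OIDCIdentityProvider.getFederatedIdentity(OIDCIdentityProvider.java:304)
Caused by: java.io.IOException: Server returned HTTP response code: 403 for URL: https://www.googleapis.com/plus/v1/people/me/openIdConnect
    at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1840)
    ... 52 more
20:09:01,002 INFO  [org.keycloak.events] (default task-3) unrelated line
"""

# A new log entry starts with a timestamp and a level; trace lines do not.
ENTRY_START = re.compile(r"^\d{2}:\d{2}:\d{2},\d{3}\s+(\w+)\s")
BROKER_ERROR = "Could not fetch attributes from userinfo endpoint"
HTTP_CAUSE = re.compile(
    r"^Caused by: java\.io\.IOException: "
    r"Server returned HTTP response code: (\d{3}) for URL: (\S+)"
)


def hint(finding):
    """Turn the extracted status into a short triage hint."""
    if finding["status"] is None:
        return "no HTTP cause found in the trace"
    host = urlsplit(finding["url"]).hostname
    if finding["status"] == 403:
        # Resolution reported in the thread: the API was not enabled at Google.
        return f"{host} refused the userinfo call: check API enablement on the provider side"
    return f"HTTP {finding['status']} from {host}"


def userinfo_failures(log_text):
    """Return one dict per broker callback failure with its HTTP cause."""
    findings, current = [], None
    for line in log_text.splitlines():
        if ENTRY_START.match(line):
            current = None  # the previous entry's trace has ended
            if BROKER_ERROR in line:
                current = {"time": line.split()[0], "status": None, "url": None}
                findings.append(current)
        elif current is not None:
            cause = HTTP_CAUSE.match(line)
            if cause:  # later "Caused by" lines are deeper causes; keep the last
                current["status"] = int(cause.group(1))
                current["url"] = cause.group(2)
    for finding in findings:
        finding["hint"] = hint(finding)
    return findings
```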