<div dir="ltr">It has been broken for a while. Here's what works for me:<div><br></div><div><div>* Login to Keycloak's Admin console and select the Identity</div><div>Providers tab. Click Add provider and select OpenID Connect v1.0.</div><div><div>* Set Alias to google</div><div>* Set Authorization URL to <a href="https://accounts.google.com/o/oauth2/auth">https://accounts.google.com/o/oauth2/auth</a></div><div>* Set User Info URL to <a href="https://www.googleapis.com/oauth2/v3/userinfo">https://www.googleapis.com/oauth2/v3/userinfo</a></div><div>* Set Token URL to <a href="https://accounts.google.com/o/oauth2/token">https://accounts.google.com/o/oauth2/token</a></div><div>* Fill in the client id and client secret with the ones provided by Google</div><div>* Set Default Scopes to openid profile email</div><div>* Click Save</div><div>* Copy the Redirect URL go back to Google API Manager and add it to the Authorized redirect URIs list.</div></div></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Aug 10, 2016 at 9:47 AM, Sigbjørn Dybdahl <span dir="ltr"><<a href="mailto:sigbjorn@fifty-five.com" target="_blank">sigbjorn@fifty-five.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Hello,<div><br></div><div>I'm trying to configure an instance of Keycloak using version 2.1.0.CR1 and I've run into a problem when using the Google Identity Provider with the default configuration. That is, during the callback I observe a org.keycloak.broker.<wbr>provider.<wbr>IdentityBrokerException: Could not fetch attributes (see complete stacktrace below for details) from userinfo endpoint which seems to be linked to the 403 Forbidden return code when calling <a href="https://www.googleapis.com/plus/v1/people/me/openIdConnect" target="_blank">https://www.<wbr>googleapis.com/plus/v1/people/<wbr>me/openIdConnect</a>. </div><div><br></div><div>This seems to be similar to <a href="https://issues.jboss.org/browse/KEYCLOAK-2942" target="_blank">https://issues.jboss.org/<wbr>browse/KEYCLOAK-2942</a>, but even when adding the additional Google+ scopes (making scope=openid profile email <a href="https://www.googleapis.com/auth/plus.me" target="_blank">https://www.googleapis.com/<wbr>auth/plus.me</a> <a href="https://www.googleapis.com/auth/plus.login" target="_blank">https://www.googleapis.com/<wbr>auth/plus.login</a>) the call fails. As for JIRA-2942, I've tried setting up a user-defined OpenId Connect provider with the default scope, which works just fine.</div><div><br></div><div>Have I forgotten any important parameter while configuring the standard Google support? Or is this a regression for this release?</div><div><br></div><div><br></div><div>Regards,</div><div>Sigbjørn Dybdahl</div><div><br></div><div>---</div><div><br></div><div>Here's the complete stacktrace for the exception:</div><div><div><br></div><div><div>20:07:12,247 ERROR [org.keycloak.broker.oidc.<wbr>AbstractOAuth2IdentityProvider<wbr>] (default task-20) Failed to make identity provider oauth callback: org.keycloak.broker.provider.<wbr>IdentityBrokerException: Could not fetch attributes from userinfo endpoint.</div><div> at org.keycloak.broker.oidc.<wbr>OIDCIdentityProvider.<wbr>getFederatedIdentity(<wbr>OIDCIdentityProvider.java:304)</div><div> at org.keycloak.broker.oidc.<wbr>AbstractOAuth2IdentityProvider<wbr>$Endpoint.authResponse(<wbr>AbstractOAuth2IdentityProvider<wbr>.java:230)</div><div> at sun.reflect.<wbr>NativeMethodAccessorImpl.<wbr>invoke0(Native Method)</div><div> at sun.reflect.<wbr>NativeMethodAccessorImpl.<wbr>invoke(<wbr>NativeMethodAccessorImpl.java:<wbr>62)</div><div> at sun.reflect.<wbr>DelegatingMethodAccessorImpl.<wbr>invoke(<wbr>DelegatingMethodAccessorImpl.<wbr>java:43)</div><div> at java.lang.reflect.Method.<wbr>invoke(Method.java:498)</div><div> at org.jboss.resteasy.core.<wbr>MethodInjectorImpl.invoke(<wbr>MethodInjectorImpl.java:139)</div><div> at org.jboss.resteasy.core.<wbr>ResourceMethodInvoker.<wbr>invokeOnTarget(<wbr>ResourceMethodInvoker.java:<wbr>295)</div><div> at org.jboss.resteasy.core.<wbr>ResourceMethodInvoker.invoke(<wbr>ResourceMethodInvoker.java:<wbr>249)</div><div> at org.jboss.resteasy.core.<wbr>ResourceLocatorInvoker.<wbr>invokeOnTargetObject(<wbr>ResourceLocatorInvoker.java:<wbr>138)</div><div> at org.jboss.resteasy.core.<wbr>ResourceLocatorInvoker.invoke(<wbr>ResourceLocatorInvoker.java:<wbr>107)</div><div> at org.jboss.resteasy.core.<wbr>ResourceLocatorInvoker.<wbr>invokeOnTargetObject(<wbr>ResourceLocatorInvoker.java:<wbr>133)</div><div> at org.jboss.resteasy.core.<wbr>ResourceLocatorInvoker.invoke(<wbr>ResourceLocatorInvoker.java:<wbr>101)</div><div> at org.jboss.resteasy.core.<wbr>SynchronousDispatcher.invoke(<wbr>SynchronousDispatcher.java:<wbr>395)</div><div> at org.jboss.resteasy.core.<wbr>SynchronousDispatcher.invoke(<wbr>SynchronousDispatcher.java:<wbr>202)</div><div> at org.jboss.resteasy.plugins.<wbr>server.servlet.<wbr>ServletContainerDispatcher.<wbr>service(<wbr>ServletContainerDispatcher.<wbr>java:221)</div><div> at org.jboss.resteasy.plugins.<wbr>server.servlet.<wbr>HttpServletDispatcher.service(<wbr>HttpServletDispatcher.java:56)</div><div> at org.jboss.resteasy.plugins.<wbr>server.servlet.<wbr>HttpServletDispatcher.service(<wbr>HttpServletDispatcher.java:51)</div><div> at javax.servlet.http.<wbr>HttpServlet.service(<wbr>HttpServlet.java:790)</div><div> at io.undertow.servlet.handlers.<wbr>ServletHandler.handleRequest(<wbr>ServletHandler.java:85)</div><div> at io.undertow.servlet.handlers.<wbr>FilterHandler$FilterChainImpl.<wbr>doFilter(FilterHandler.java:<wbr>129)</div><div> at org.keycloak.services.filters.<wbr>KeycloakSessionServletFilter.<wbr>doFilter(<wbr>KeycloakSessionServletFilter.<wbr>java:90)</div><div> at io.undertow.servlet.core.<wbr>ManagedFilter.doFilter(<wbr>ManagedFilter.java:60)</div><div> at io.undertow.servlet.handlers.<wbr>FilterHandler$FilterChainImpl.<wbr>doFilter(FilterHandler.java:<wbr>131)</div><div> at io.undertow.servlet.handlers.<wbr>FilterHandler.handleRequest(<wbr>FilterHandler.java:84)</div><div> at io.undertow.servlet.handlers.<wbr>security.<wbr>ServletSecurityRoleHandler.<wbr>handleRequest(<wbr>ServletSecurityRoleHandler.<wbr>java:62)</div><div> at io.undertow.servlet.handlers.<wbr>ServletDispatchingHandler.<wbr>handleRequest(<wbr>ServletDispatchingHandler.<wbr>java:36)</div><div> at org.wildfly.extension.<wbr>undertow.security.<wbr>SecurityContextAssociationHand<wbr>ler.handleRequest(<wbr>SecurityContextAssociationHand<wbr>ler.java:78)</div><div> at io.undertow.server.handlers.<wbr>PredicateHandler.<wbr>handleRequest(<wbr>PredicateHandler.java:43)</div><div> at io.undertow.servlet.handlers.<wbr>security.<wbr>SSLInformationAssociationHandl<wbr>er.handleRequest(<wbr>SSLInformationAssociationHandl<wbr>er.java:131)</div><div> at io.undertow.servlet.handlers.<wbr>security.<wbr>ServletAuthenticationCallHandl<wbr>er.handleRequest(<wbr>ServletAuthenticationCallHandl<wbr>er.java:57)</div><div> at io.undertow.server.handlers.<wbr>PredicateHandler.<wbr>handleRequest(<wbr>PredicateHandler.java:43)</div><div> at io.undertow.security.handlers.<wbr>AbstractConfidentialityHandler<wbr>.handleRequest(<wbr>AbstractConfidentialityHandler<wbr>.java:46)</div><div> at io.undertow.servlet.handlers.<wbr>security.<wbr>ServletConfidentialityConstrai<wbr>ntHandler.handleRequest(<wbr>ServletConfidentialityConstrai<wbr>ntHandler.java:64)</div><div> at io.undertow.security.handlers.<wbr>AuthenticationMechanismsHandle<wbr>r.handleRequest(<wbr>AuthenticationMechanismsHandle<wbr>r.java:60)</div><div> at io.undertow.servlet.handlers.<wbr>security.<wbr>CachedAuthenticatedSessionHand<wbr>ler.handleRequest(<wbr>CachedAuthenticatedSessionHand<wbr>ler.java:77)</div><div> at io.undertow.security.handlers.<wbr>NotificationReceiverHandler.<wbr>handleRequest(<wbr>NotificationReceiverHandler.<wbr>java:50)</div><div> at io.undertow.security.handlers.<wbr>AbstractSecurityContextAssocia<wbr>tionHandler.handleRequest(<wbr>AbstractSecurityContextAssocia<wbr>tionHandler.java:43)</div><div> at io.undertow.server.handlers.<wbr>PredicateHandler.<wbr>handleRequest(<wbr>PredicateHandler.java:43)</div><div> at org.wildfly.extension.<wbr>undertow.security.jacc.<wbr>JACCContextIdHandler.<wbr>handleRequest(<wbr>JACCContextIdHandler.java:61)</div><div> at io.undertow.server.handlers.<wbr>PredicateHandler.<wbr>handleRequest(<wbr>PredicateHandler.java:43)</div><div> at io.undertow.server.handlers.<wbr>PredicateHandler.<wbr>handleRequest(<wbr>PredicateHandler.java:43)</div><div> at io.undertow.servlet.handlers.<wbr>ServletInitialHandler.<wbr>handleFirstRequest(<wbr>ServletInitialHandler.java:<wbr>284)</div><div> at io.undertow.servlet.handlers.<wbr>ServletInitialHandler.<wbr>dispatchRequest(<wbr>ServletInitialHandler.java:<wbr>263)</div><div> at io.undertow.servlet.handlers.<wbr>ServletInitialHandler.access$<wbr>000(ServletInitialHandler.<wbr>java:81)</div><div> at io.undertow.servlet.handlers.<wbr>ServletInitialHandler$1.<wbr>handleRequest(<wbr>ServletInitialHandler.java:<wbr>174)</div><div> at io.undertow.server.Connectors.<wbr>executeRootHandler(Connectors.<wbr>java:202)</div><div> at io.undertow.server.<wbr>HttpServerExchange$1.run(<wbr>HttpServerExchange.java:793)</div><div> at java.util.concurrent.<wbr>ThreadPoolExecutor.runWorker(<wbr>ThreadPoolExecutor.java:1142)</div><div> at java.util.concurrent.<wbr>ThreadPoolExecutor$Worker.run(<wbr>ThreadPoolExecutor.java:617)</div><div> at java.lang.Thread.run(Thread.<wbr>java:745)</div><div>Caused by: java.io.IOException: Server returned HTTP response code: 403 for URL: <a href="https://www.googleapis.com/plus/v1/people/me/openIdConnect" target="_blank">https://www.googleapis.com/<wbr>plus/v1/people/me/<wbr>openIdConnect</a></div><div> at sun.reflect.<wbr>NativeConstructorAccessorImpl.<wbr>newInstance0(Native Method)</div><div> at sun.reflect.<wbr>NativeConstructorAccessorImpl.<wbr>newInstance(<wbr>NativeConstructorAccessorImpl.<wbr>java:62)</div><div> at sun.reflect.<wbr>DelegatingConstructorAccessorI<wbr>mpl.newInstance(<wbr>DelegatingConstructorAccessorI<wbr>mpl.java:45)</div><div> at java.lang.reflect.Constructor.<wbr>newInstance(Constructor.java:<wbr>423)</div><div> at sun.net.www.protocol.http.<wbr>HttpURLConnection$10.run(<wbr>HttpURLConnection.java:1890)</div><div> at sun.net.www.protocol.http.<wbr>HttpURLConnection$10.run(<wbr>HttpURLConnection.java:1885)</div><div> at java.security.<wbr>AccessController.doPrivileged(<wbr>Native Method)</div><div> at sun.net.www.protocol.http.<wbr>HttpURLConnection.<wbr>getChainedException(<wbr>HttpURLConnection.java:1884)</div><div> at sun.net.www.protocol.http.<wbr>HttpURLConnection.<wbr>getInputStream0(<wbr>HttpURLConnection.java:1457)</div><div> at sun.net.www.protocol.http.<wbr>HttpURLConnection.<wbr>getInputStream(<wbr>HttpURLConnection.java:1441)</div><div> at sun.net.www.protocol.https.<wbr>HttpsURLConnectionImpl.<wbr>getInputStream(<wbr>HttpsURLConnectionImpl.java:<wbr>254)</div><div> at org.keycloak.broker.provider.<wbr>util.SimpleHttp.asString(<wbr>SimpleHttp.java:148)</div><div> at org.keycloak.broker.oidc.util.<wbr>JsonSimpleHttp.asJson(<wbr>JsonSimpleHttp.java:46)</div><div> at org.keycloak.broker.oidc.<wbr>OIDCIdentityProvider.<wbr>getFederatedIdentity(<wbr>OIDCIdentityProvider.java:267)</div><div> ... 50 more</div><div>Caused by: java.io.IOException: Server returned HTTP response code: 403 for URL: <a href="https://www.googleapis.com/plus/v1/people/me/openIdConnect" target="_blank">https://www.googleapis.com/<wbr>plus/v1/people/me/<wbr>openIdConnect</a></div><div> at sun.net.www.protocol.http.<wbr>HttpURLConnection.<wbr>getInputStream0(<wbr>HttpURLConnection.java:1840)</div><div> at sun.net.www.protocol.http.<wbr>HttpURLConnection.<wbr>getInputStream(<wbr>HttpURLConnection.java:1441)</div><div> at sun.net.www.protocol.http.<wbr>HttpURLConnection.<wbr>getHeaderField(<wbr>HttpURLConnection.java:2943)</div><div> at sun.net.www.protocol.https.<wbr>HttpsURLConnectionImpl.<wbr>getHeaderField(<wbr>HttpsURLConnectionImpl.java:<wbr>291)</div><div> at org.keycloak.broker.provider.<wbr>util.SimpleHttp.asString(<wbr>SimpleHttp.java:147)</div><div> ... 52 more</div><div><br></div></div>
</div></div>
<br>______________________________<wbr>_________________<br>
keycloak-user mailing list<br>
<a href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a><br>
<a href="https://lists.jboss.org/mailman/listinfo/keycloak-user" rel="noreferrer" target="_blank">https://lists.jboss.org/<wbr>mailman/listinfo/keycloak-user</a><br></blockquote></div><br><br clear="all"><div><br></div>-- <br><div class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><div class="gmail_signature" data-smartmail="gmail_signature"><p style="font-size:13px;color:rgb(80,0,80);font-family:'Times New Roman',serif;margin:0in 0in 0.0001pt"><b style="line-height:11.25pt;background-color:transparent"><span style="font-family:Helvetica,sans-serif;color:rgb(61,55,50)">Paulo Pires</span></b></p><p style="font-size:13px;font-family:'Times New Roman',serif;color:rgb(80,0,80);margin:0in 0in 0.0001pt;line-height:12pt"><span style="font-family:Helvetica,sans-serif;color:rgb(61,55,50)">senior infrastructure engineer | </span><a href="http://www.google.com/url?q=http%3A%2F%2Flittlebits.cc%2F&sa=D&sntz=1&usg=AFrqEzdmD1TfneYzn_vRGBO0a4wHpG-Ivg" style="color:rgb(120,43,144);font-family:Helvetica" target="_blank">littleBits</a></p><p style="font-size:12.8px;margin:0in 0in 0.0001pt;line-height:12pt"><font face="arial, helvetica, sans-serif" size="1"><b><font color="#212121">T</font></b> (917) 464-4577</font><font face="arial, helvetica, sans-serif" size="1"><br></font><a href="https://youtu.be/fMg5QPQQOOI" style="font-family:Helvetica,sans-serif;font-size:x-small" target="_blank">unleash your inner inventor.</a></p></div></div></div>
</div>