According to https://msdn.microsoft.com/en-us/library/hh243649.aspx#get_access_rest it should return an access_token. Then there's https://msdn.microsoft.com/en-us/library/hh243649.aspx#use_access_rest to get the user info, but you're right it's being included as a query param (which is stupid btw).

As they are not doing OIDC I guess you'll have to do a social provider for it.

On 19 January 2016 at 13:36, Vlastimil Elias <velias@redhat.com> wrote:


On 19.1.2016 12:54, Stian Thorgersen wrote:
I wouldn't think it is. OpenID Connect usually is '.../userinfo'. As long as '/me' returns json you can use mappers to do whatever you'd like though.

But the MS Live API /me operation does not accept the Bearer Authorization header; the documentation says the access token must be sent as a GET param, so it looks like the User Info URL will not work as it sends a Bearer header :-(


I tried to use the general OIDC connector but I ended up with
13:09:25,763 ERROR [org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider] Failed to make identity provider oauth callback
org.keycloak.broker.provider.IdentityBrokerException: No access_token from server.
    at org.keycloak.broker.oidc.OIDCIdentityProvider.verifyAccessToken(OIDCIdentityProvider.java:269)
    at org.keycloak.broker.oidc.OIDCIdentityProvider.getFederatedIdentity(OIDCIdentityProvider.java:206)
    at org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider$Endpoint.authResponse(AbstractOAuth2IdentityProvider.java:229)

It is strange, looks like Token URL doesn't return access_token, it only returns id_token. Response is like
{"id_token":"eyJ0eXAiOiJKV1Qi....","id_token_expires_in":86400}

Any idea what may be wrong? Should this id_token be used instead of access token? If yes then I can resolve this problem in custom social provider.

Vlastimil



On 19 January 2016 at 12:22, Vlastimil Elias <velias@redhat.com> wrote:


On 19.1.2016 12:09, Stian Thorgersen wrote:


On 19 January 2016 at 12:06, Vlastimil Elias <velias@redhat.com> wrote:
Hi

On 19.1.2016 11:52, Stian Thorgersen wrote:
If you can get it in today or tomorrow (early) we can add it to 1.8.0.CR2.

Will try to do this. I will provide a PR against the branch and another against master.

You should also be able to use the generic OpenID Connect provider.

I thought about it, but if I understand it correctly I will not be able to get the user's name, surname and email this way, as it is not provided in OAuth 2 and it requires another REST call in common social providers.

Do they not have a userinfo endpoint?

They have some REST endpoint at /me path, see doc at https://msdn.microsoft.com/en-us/library/hh826534.aspx
But I'm not sure if it matches some standard or rules so that the generic OpenID Connect provider can use it. What is the format for the UserInfo endpoint to be useful for this provider? Keycloak documentation does not provide any useful info about requirements for this URL (e.g. a link to some specification).

Vlastimil

 



Adding it yourself would require also adding templates in admin theme, shouldn't be a big deal as you only need that one template and the rest you'd inherit from Keycloak theme.

I see

Thanks



On 19 January 2016 at 11:10, Vlastimil Elias <velias@redhat.com> wrote:
Hi,

I need a Social login provider for Microsoft Live account. I can implement
it as I did a few other social login providers already.

The problem is that I need it in Keycloak 1.8. Any chance to add it to 1.8
if I am quick enough (PR today or tomorrow)? It is an OAuth2 based
provider so impl should be easy.

If not in KC 1.8 release, is it possible to add social provider as
customization to my KC instance only? It is common provider factory so
it should be possible I hope, but it also requires some template in
admin theme, so I'm not sure (probably I have to create my customized
admin theme in this case).

I definitely prefer to have it in upstream if possible.

Vlastimil

--
Vlastimil Elias
Principal Software Engineer
Developer Portal Engineering Team



_______________________________________________
keycloak-dev mailing list
keycloak-dev@lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
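
Added example, not part of the original thread and not Keycloak code: a Python sketch of the two points discussed above, a token reply that carries only an id_token, and a profile call that takes the access token as a query parameter instead of a Bearer header, with the token masked before the URL is logged. PROFILE_URL, the function names and the sample token are assumptions made for illustration.

```python
import json
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit
from urllib.request import Request

PROFILE_URL = "https://provider.example/me"  # assumption: placeholder endpoint


class TokenResponseError(ValueError):
    """The token endpoint reply has no usable access_token."""


def extract_access_token(body: str) -> str:
    """Return access_token from a token-endpoint JSON body or raise."""
    data = json.loads(body)
    token = data.get("access_token")
    if isinstance(token, str) and token:
        return token
    # Name the token fields that did arrive (never their values) so the
    # failure is diagnosable; an id_token is not substituted here.
    present = sorted(k for k in data if k.endswith("_token"))
    raise TokenResponseError(f"no access_token; token fields present: {present}")


def build_profile_request(token: str, style: str) -> Request:
    """Build the profile call, sending the token by header or by query."""
    if style == "header":  # what a Bearer-token client sends
        return Request(PROFILE_URL, headers={"Authorization": f"Bearer {token}"})
    if style == "query":  # what the thread says the /me API requires
        return Request(f"{PROFILE_URL}?{urlencode({'access_token': token})}")
    raise ValueError(f"unknown style: {style!r}")


def loggable_url(url: str) -> str:
    """Mask access_token so the URL can be logged without leaking it."""
    parts = urlsplit(url)
    query = [(k, "REDACTED" if k == "access_token" else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(query)))


if __name__ == "__main__":
    # The reply quoted in the thread (id_token truncated there as well).
    reply = '{"id_token":"eyJ0eXAiOiJKV1Qi....","id_token_expires_in":86400}'
    try:
        extract_access_token(reply)
    except TokenResponseError as exc:
        print("token endpoint:", exc)
    req = build_profile_request("constructed-token", "query")  # constructed value
    print("GET", loggable_url(req.full_url))
```

With the query style the token ends up in the request URL, so any component that records URLs (access logs, proxies, error reports) needs the same masking.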

