This is happening in OAuthRequestAuthenticator.java. Code snippet:
===
try {
    // For COOKIE store we don't have httpSessionId and single
    // sign-out won't be available
    String httpSessionId = deployment.getTokenStore() == TokenStore.SESSION
            ? reqAuthenticator.changeHttpSessionId(true)
            : null;
    // Exchange the authorization code for tokens at the token endpoint
    tokenResponse = ServerRequest.invokeAccessCodeToToken(deployment, code,
            strippedOauthParametersRequestUri, httpSessionId);
} catch (ServerRequest.HttpFailure failure) {
    // The status logged here is the token endpoint's response status
    log.error("failed to turn code into token");
    log.error("status from server: " + failure.getStatus());
    // Only a 400 gets its error body logged; any other status is logged as status only
    if (failure.getStatus() == 400 && failure.getError() != null) {
        log.error("   " + failure.getError());
    }
    // The 403 the browser receives is produced here, whatever the server returned
    return challenge(403,
            OIDCAuthenticationError.Reason.CODE_TO_TOKEN_FAILURE, null);
}
===
Furthermore, I am seeing this in the Keycloak logs:

07:28:21,115 ERROR [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-2) failed to turn code into token
07:28:21,117 ERROR [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-2) status from server: 403

This is happening after the handshake with the IdP is done and it returns back to Keycloak OIDC.
Does anyone have any tips?
Appreciate it.
> Hi
> I'm implementing a solution as shown in saml-broker-authentication, trying
> to protect a war (spring-rest).
> All configured fine, Keycloak-saml-idp returns fine, I am getting an OIDC
> token back from Keycloak, but when it returns back to the URL I
> initially hit, I get forbidden.
> Anyone gone through this pain - any tips? Thank you.
> John
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
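The adapter branch quoted above logs the token endpoint's error field only when the status is 400; for the 403 seen in the log it records the bare status and drops the body. The following is an added example, not part of this thread and not Keycloak's own code: it rebuilds the same authorization_code grant in Python so the token endpoint's full error body can be read and compared with what the adapter logs. It assumes a confidential client authenticating with an HTTP Basic client secret (the adapter can also send credentials as form fields); the endpoint URL, client id, secret, code and redirect URI below are constructed placeholders, and the 403 body is a constructed sample.

```python
"""Replay the adapter's code-to-token exchange by hand to see the full error body.

Added diagnostic example. All endpoint, client and code values are constructed;
nothing here is taken from the poster's deployment or from the Keycloak code base.
"""
import base64
import json
import urllib.error
import urllib.parse
import urllib.request


def build_code_to_token_request(token_endpoint, client_id, client_secret, code, redirect_uri):
    """Build the authorization_code grant the adapter sends to the token endpoint.

    Assumption: a confidential client sending its secret as HTTP Basic credentials.
    redirect_uri must match, byte for byte, the one used in the authorize request.
    Returns (url, headers, body) so the request can be inspected before it is sent.
    """
    form = {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
        "client_id": client_id,
    }
    body = urllib.parse.urlencode(form).encode("utf-8")
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if client_secret is not None:
        creds = base64.b64encode(f"{client_id}:{client_secret}".encode("utf-8")).decode("ascii")
        headers["Authorization"] = "Basic " + creds
    return token_endpoint, headers, body


def explain_token_failure(status, body):
    """Decode an OAuth 2.0 error response (RFC 6749 section 5.2) from the token endpoint.

    The quoted adapter code prints failure.getError() only when status == 400, so a
    403 is logged as a bare status; 'adapter_logged_error' records whether the adapter
    would have shown the error field for this response.
    """
    result = {"status": status, "error": None, "error_description": None, "raw": body}
    try:
        payload = json.loads(body)
    except ValueError:
        payload = {}
    if isinstance(payload, dict):
        result["error"] = payload.get("error")
        result["error_description"] = payload.get("error_description")
    result["adapter_logged_error"] = status == 400 and result["error"] is not None
    return result


def exchange_code(token_endpoint, client_id, client_secret, code, redirect_uri,
                  opener=urllib.request.urlopen):
    """POST the grant and return the decoded outcome, keeping any 4xx error body."""
    url, headers, body = build_code_to_token_request(
        token_endpoint, client_id, client_secret, code, redirect_uri)
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    try:
        with opener(req) as resp:
            return {"status": resp.status, "tokens": json.loads(resp.read().decode("utf-8"))}
    except urllib.error.HTTPError as e:
        return explain_token_failure(e.code, e.read().decode("utf-8", "replace"))


# Constructed sample of a 403 error body, in the shape RFC 6749 section 5.2 defines.
SAMPLE_403_BODY = json.dumps({"error": "access_denied",
                              "error_description": "constructed sample body"})

if __name__ == "__main__":
    # Constructed placeholder values; replace with the deployment's real ones.
    url, headers, body = build_code_to_token_request(
        "https://keycloak.example.test/auth/realms/demo/protocol/openid-connect/token",
        "spring-rest", "constructed-secret", "constructed-code",
        "https://app.example.test/callback")
    print(url, headers, body.decode("utf-8"))
    print(explain_token_failure(403, SAMPLE_403_BODY))
```

Run it against the real token endpoint with the `code` copied from the browser's redirect request (codes are single use, so capture one the adapter has not yet exchanged); the decoded `error` and `error_description` are what the 403 branch of the adapter never prints.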