So the docs are ok then?

Ah, nice tip. My tests were made with a corporate account which has no permissions to enable such API, but I too slipped that part in docs.

Thanks

On Wed, Aug 10, 2016 at 11:03 AM, Sigbjørn Dybdahl <sigbjorn@fifty-five.com> wrote:

Thanks for you quick reply, Marek! 

When re-reading the documentation now I see the part on enabling the Google+ API in the Google Developer console, which I apparently didn't pay attention to. It all works smoothly now, and I can remove the user-defined OpenId Connect provider.

Regards,

Sigbjørn

On 10 August 2016 at 11:49, Marek Posolda <mposolda@redhat.com> wrote:

Did you enable Google+ API in Google admin console? Configuration of this is on Google side, not scopes on Keycloak side on identityProvider page.

Marek

On 10/08/16 10:47, Sigbjørn Dybdahl wrote:

Hello,

I'm trying to configure an instance of Keycloak using version 2.1.0.CR1 and I've run into a problem when using the Google Identity Provider with the default configuration. That is, during the callback I observe a org.keycloak.broker.provider.IdentityBrokerException: Could not fetch attributes (see complete stacktrace below for details) from userinfo endpoint which seems to be linked to the 403 Forbidden return code when calling https://www.googleapis.com/plus/v1/people/me/openIdConnect. 

This seems to be similar to https://issues.jboss.org/browse/KEYCLOAK-2942, but even when adding the additional Google+ scopes (making scope=openid profile email https://www.googleapis.com/auth/plus.me https://www.googleapis.com/auth/plus.login) the call fails. As for JIRA-2942, I've tried setting up a user-defined OpenId Connect provider with the default scope, which works just fine.

Have I forgotten any important parameter while configuring the standard Google support? Or is this a regression for this release?

Regards,

Sigbjørn Dybdahl

---

Here's the complete stacktrace for the exception:

20:07:12,247 ERROR [org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider] (default task-20) Failed to make identity provider oauth callback: org.keycloak.broker.provider.IdentityBrokerException: Could not fetch attributes from userinfo endpoint.

    at org.keycloak.broker.oidc.OIDCIdentityProvider.getFederatedIdentity(OIDCIdentityProvider.java:304)

    at org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider$Endpoint.authResponse(AbstractOAuth2IdentityProvider.java:230)

    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)

    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)

    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)

    at java.lang.reflect.Method.invoke(Method.java:498)

    at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:139)

    at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295)

    at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249)

    at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:138)

    at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107)

    at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133)

    at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:101)

    at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:395)

    at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:202)

    at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:221)

    at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)

    at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)

    at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)

    at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)

    at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)

    at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90)

    at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)

    at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)

    at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)

    at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)

    at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)

    at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)

    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)

    at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)

    at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)

    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)

    at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)

    at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)

    at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)

    at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)

    at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)

    at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)

    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)

    at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)

    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)

    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)

    at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:284)

    at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263)

    at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)

    at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174)

    at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)

    at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793)

    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)

    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)

    at java.lang.Thread.run(Thread.java:745)

Caused by: java.io.IOException: Server returned HTTP response code: 403 for URL: https://www.googleapis.com/plus/v1/people/me/openIdConnect

    at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)

    at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)

    at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)

    at java.lang.reflect.Constructor.newInstance(Constructor.java:423)

    at sun.net.www.protocol.http.HttpURLConnection$10.run(HttpURLConnection.java:1890)

    at sun.net.www.protocol.http.HttpURLConnection$10.run(HttpURLConnection.java:1885)

    at java.security.AccessController.doPrivileged(Native Method)

    at sun.net.www.protocol.http.HttpURLConnection.getChainedException(HttpURLConnection.java:1884)

    at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1457)

    at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1441)

    at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:254)

    at org.keycloak.broker.provider.util.SimpleHttp.asString(SimpleHttp.java:148)

    at org.keycloak.broker.oidc.util.JsonSimpleHttp.asJson(JsonSimpleHttp.java:46)

    at org.keycloak.broker.oidc.OIDCIdentityProvider.getFederatedIdentity(OIDCIdentityProvider.java:267)

    ... 50 more

Caused by: java.io.IOException: Server returned HTTP response code: 403 for URL: https://www.googleapis.com/plus/v1/people/me/openIdConnect

    at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1840)

    at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1441)

    at sun.net.www.protocol.http.HttpURLConnection.getHeaderField(HttpURLConnection.java:2943)

    at sun.net.www.protocol.https.HttpsURLConnectionImpl.getHeaderField(HttpsURLConnectionImpl.java:291)

    at org.keycloak.broker.provider.util.SimpleHttp.asString(SimpleHttp.java:147)

    ... 52 more

_______________________________________________
keycloak-user mailing list
keycloak-user@lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user

_______________________________________________ keycloak-user mailing list keycloak-user@lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user

--

Paulo Pires

senior infrastructure engineer | littleBits

T (917) 464-4577 unleash your inner inventor.

_______________________________________________
keycloak-user mailing list
keycloak-user@lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user