Well, when I put "https://accounts.google.com" into the "Issuer" field I get the following exception:

16:53:37,502 ERROR [org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider] (default task-37) Failed to make identity provider oauth callback: org.keycloak.broker.provider.IdentityBrokerException: Wrong issuer from token. Got: accounts.google.com expected: https://accounts.google.com
        at org.keycloak.broker.oidc.OIDCIdentityProvider.validateToken(OIDCIdentityProvider.java:312)

The autoconfig stuff for the sign key issue is easy to reproduce:

- create realm
- add "OpenID Connect v1.0" provider
- on the bottom populate the "Import From Url" with "https://accounts.google.com/.well-known/openid-configuration" and click "Import"
- add your "Client ID" and "Client secret" as provided in your Google Developer Console
- add scopes "openid profile email"
- click "Save"

(due to the aforementioned "Issuer" issue you may need to change "https://accounts.google.com" to "accounts.google.com" as well)

Try to log in with your Google account into the realm and it should give you the sig validation failure I posted.

2015-05-13 17:25 GMT+02:00 Bill Burke <bburke@redhat.com>:
Why do you think the issuer should be changed to accounts.google.com?

I'm not sure about the keys as our code eats the error.  How can I
reproduce this?  Meaning how can I set up my google account and such?
Same as regular social provider stuff?



On 5/12/2015 5:37 PM, Thorsten wrote:
> I tried to import the basic IDP config for a custom "OpenID Connect
> v1.0" provider from the published Google autoconf URL:
> https://accounts.google.com/.well-known/openid-configuration
>
> The URLs are picked up fine but there seem to be two issues:
>
> 1.) the "Issuer" is imported as "https://accounts.google.com" when it
> should be "accounts.google.com"
> 2.) the public validation keys are not imported correctly. They always
> produce
>
> 12:09:40,416 ERROR
> [org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider] (default
> task-17) Failed to make identity provider oauth callback:
> org.keycloak.broker.provider.IdentityBrokerException: token signature
> validation failed
>          at
> org.keycloak.broker.oidc.OIDCIdentityProvider.validateToken(OIDCIdentityProvider.java:286)
>
> when authentication is being performed.
>
> Are these bugs or is the published discovery document from Google not
> standard compliant?
>
> Thanks
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user@lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
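The issuer mismatch reported above ("Got: accounts.google.com expected: https://accounts.google.com") comes from a byte-for-byte comparison of the token's `iss` claim against the configured issuer, while Google's OpenID Connect documentation states that its ID tokens may carry either "https://accounts.google.com" or "accounts.google.com" in `iss`. The following is an added illustration in Python, not Keycloak's own code (Keycloak is Java); the function names and the sample token are constructed for the example, and the check deliberately stays strict for every issuer other than Google's, because loosening issuer validation in general would let a token from one IdP pass as another's.

```python
import base64
import json

# Google's discovery document advertises "https://accounts.google.com", but
# Google documents that the iss claim of its ID tokens may use either form.
GOOGLE_ISSUER_FORMS = {"https://accounts.google.com", "accounts.google.com"}


def decode_payload(id_token: str) -> dict:
    """Return the claims of a compact JWS. This does NOT verify the signature;
    key-based signature validation (the thread's second issue) is a separate
    step that must succeed before any claim in the payload is trusted."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def strict_issuer_ok(claims: dict, expected: str) -> bool:
    """Exact comparison, the behaviour the exception in the thread shows."""
    return claims.get("iss") == expected


def issuer_ok(claims: dict, expected: str) -> bool:
    """Accept the configured issuer, plus Google's documented alternate
    spelling, but only when the configured issuer is Google's. Any other
    issuer is still compared exactly, so no unrelated IdP is accepted."""
    iss = claims.get("iss")
    if iss == expected:
        return True
    if expected in GOOGLE_ISSUER_FORMS:
        return iss in GOOGLE_ISSUER_FORMS
    return False


def make_sample_token(claims: dict) -> str:
    """Constructed, unsigned sample token for demonstration only (hypothetical
    helper, not how a real IdP mints tokens)."""
    def seg(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    # A placeholder signature segment; decode_payload never checks it.
    return seg({"alg": "RS256", "kid": "constructed"}) + "." + seg(claims) + ".sig"


if __name__ == "__main__":
    token = make_sample_token({"iss": "accounts.google.com", "aud": "client-id", "sub": "1"})
    claims = decode_payload(token)
    print("strict:", strict_issuer_ok(claims, "https://accounts.google.com"))  # False
    print("google-aware:", issuer_ok(claims, "https://accounts.google.com"))  # True
```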