Re: [keycloak-user] GoogleIdentityProvider seems to be broken for Keycloak 2.1.0.CR1

Wednesday, 10 August 2016

It has been broken for a while. Here's what works for me:

* Login to Keycloak's Admin console and select the Identity
Providers tab. Click Add provider and select OpenID Connect v1.0.
* Set Alias to google
* Set Authorization URL to https://accounts.google.com/o/oauth2/auth
* Set User Info URL to https://www.googleapis.com/oauth2/v3/userinfo
* Set Token URL to https://accounts.google.com/o/oauth2/token
* Fill in the client id and client secret with the ones provided by Google
* Set Default Scopes to openid profile email
* Click Save
* Copy the Redirect URL go back to Google API Manager and add it to the
Authorized redirect URIs list.

On Wed, Aug 10, 2016 at 9:47 AM, Sigbjørn Dybdahl <sigbjorn(a)fifty-five.com&gt;
wrote:

...
 Hello,

 I'm trying to configure an instance of Keycloak using version 2.1.0.CR1
 and I've run into a problem when using the Google Identity Provider with
 the default configuration. That is, during the callback I observe
 a org.keycloak.broker.provider.IdentityBrokerException: Could not fetch
 attributes (see complete stacktrace below for details) from userinfo
 endpoint which seems to be linked to the 403 Forbidden return code when
 calling https://www.googleapis.com/plus/v1/people/me/openIdConnect.

 This seems to be similar to https://issues.jboss.org/browse/KEYCLOAK-2942,
 but even when adding the additional Google+ scopes (making scope=openid
 profile email https://www.googleapis.com/auth/plus.me
 https://www.googleapis.com/auth/plus.login) the call fails. As for
 JIRA-2942, I've tried setting up a user-defined OpenId Connect provider
 with the default scope, which works just fine.

 Have I forgotten any important parameter while configuring the standard
 Google support? Or is this a regression for this release?

 Regards,
 Sigbjørn Dybdahl

 ---

 Here's the complete stacktrace for the exception:

 20:07:12,247 ERROR [org.keycloak.broker.oidc.
 AbstractOAuth2IdentityProvider] (default task-20) Failed to make identity
 provider oauth callback: org.keycloak.broker.provider.IdentityBrokerException:
 Could not fetch attributes from userinfo endpoint.
     at org.keycloak.broker.oidc.OIDCIdentityProvider.getFederatedIdentity(
 OIDCIdentityProvider.java:304)
     at org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider
 $Endpoint.authResponse(AbstractOAuth2IdentityProvider.java:230)
     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
     at sun.reflect.NativeMethodAccessorImpl.invoke(
 NativeMethodAccessorImpl.java:62)
     at sun.reflect.DelegatingMethodAccessorImpl.invoke(
 DelegatingMethodAccessorImpl.java:43)
     at java.lang.reflect.Method.invoke(Method.java:498)
     at org.jboss.resteasy.core.MethodInjectorImpl.invoke(
 MethodInjectorImpl.java:139)
     at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(
 ResourceMethodInvoker.java:295)
     at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(
 ResourceMethodInvoker.java:249)
     at org.jboss.resteasy.core.ResourceLocatorInvoker.
 invokeOnTargetObject(ResourceLocatorInvoker.java:138)
     at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(
 ResourceLocatorInvoker.java:107)
     at org.jboss.resteasy.core.ResourceLocatorInvoker.
 invokeOnTargetObject(ResourceLocatorInvoker.java:133)
     at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(
 ResourceLocatorInvoker.java:101)
     at org.jboss.resteasy.core.SynchronousDispatcher.invoke(
 SynchronousDispatcher.java:395)
     at org.jboss.resteasy.core.SynchronousDispatcher.invoke(
 SynchronousDispatcher.java:202)
     at org.jboss.resteasy.plugins.server.servlet.
 ServletContainerDispatcher.service(ServletContainerDispatcher.java:221)
     at org.jboss.resteasy.plugins.server.servlet.
 HttpServletDispatcher.service(HttpServletDispatcher.java:56)
     at org.jboss.resteasy.plugins.server.servlet.
 HttpServletDispatcher.service(HttpServletDispatcher.java:51)
     at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
     at io.undertow.servlet.handlers.ServletHandler.handleRequest(
 ServletHandler.java:85)
     at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.
 doFilter(FilterHandler.java:129)
     at org.keycloak.services.filters.KeycloakSessionServletFilter.
 doFilter(KeycloakSessionServletFilter.java:90)
     at io.undertow.servlet.core.ManagedFilter.doFilter(
 ManagedFilter.java:60)
     at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.
 doFilter(FilterHandler.java:131)
     at io.undertow.servlet.handlers.FilterHandler.handleRequest(
 FilterHandler.java:84)
     at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.
 handleRequest(ServletSecurityRoleHandler.java:62)
     at io.undertow.servlet.handlers.ServletDispatchingHandler.
 handleRequest(ServletDispatchingHandler.java:36)
     at org.wildfly.extension.undertow.security.
 SecurityContextAssociationHandler.handleRequest(
 SecurityContextAssociationHandler.java:78)
     at io.undertow.server.handlers.PredicateHandler.handleRequest(
 PredicateHandler.java:43)
     at io.undertow.servlet.handlers.security.
 SSLInformationAssociationHandler.handleRequest(
 SSLInformationAssociationHandler.java:131)
     at io.undertow.servlet.handlers.security.
 ServletAuthenticationCallHandler.handleRequest(
 ServletAuthenticationCallHandler.java:57)
     at io.undertow.server.handlers.PredicateHandler.handleRequest(
 PredicateHandler.java:43)
     at io.undertow.security.handlers.AbstractConfidentialityHandler
 .handleRequest(AbstractConfidentialityHandler.java:46)
     at io.undertow.servlet.handlers.security.
 ServletConfidentialityConstraintHandler.handleRequest(
 ServletConfidentialityConstraintHandler.java:64)
     at io.undertow.security.handlers.AuthenticationMechanismsHandle
 r.handleRequest(AuthenticationMechanismsHandler.java:60)
     at io.undertow.servlet.handlers.security.
 CachedAuthenticatedSessionHandler.handleRequest(
 CachedAuthenticatedSessionHandler.java:77)
     at io.undertow.security.handlers.NotificationReceiverHandler.
 handleRequest(NotificationReceiverHandler.java:50)
     at io.undertow.security.handlers.AbstractSecurityContextAssocia
 tionHandler.handleRequest(AbstractSecurityContextAssocia
 tionHandler.java:43)
     at io.undertow.server.handlers.PredicateHandler.handleRequest(
 PredicateHandler.java:43)
     at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.
 handleRequest(JACCContextIdHandler.java:61)
     at io.undertow.server.handlers.PredicateHandler.handleRequest(
 PredicateHandler.java:43)
     at io.undertow.server.handlers.PredicateHandler.handleRequest(
 PredicateHandler.java:43)
     at io.undertow.servlet.handlers.ServletInitialHandler.
 handleFirstRequest(ServletInitialHandler.java:284)
     at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(
 ServletInitialHandler.java:263)
     at io.undertow.servlet.handlers.ServletInitialHandler.access$
 000(ServletInitialHandler.java:81)
     at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(
 ServletInitialHandler.java:174)
     at io.undertow.server.Connectors.executeRootHandler(Connectors.
 java:202)
     at io.undertow.server.HttpServerExchange$1.run(
 HttpServerExchange.java:793)
     at java.util.concurrent.ThreadPoolExecutor.runWorker(
 ThreadPoolExecutor.java:1142)
     at java.util.concurrent.ThreadPoolExecutor$Worker.run(
 ThreadPoolExecutor.java:617)
     at java.lang.Thread.run(Thread.java:745)
 Caused by: java.io.IOException: Server returned HTTP response code: 403
 for URL: https://www.googleapis.com/plus/v1/people/me/openIdConnect
     at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native
 Method)
     at sun.reflect.NativeConstructorAccessorImpl.newInstance(
 NativeConstructorAccessorImpl.java:62)
     at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(
 DelegatingConstructorAccessorImpl.java:45)
     at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
     at sun.net.www.protocol.http.HttpURLConnection$10.run(
 HttpURLConnection.java:1890)
     at sun.net.www.protocol.http.HttpURLConnection$10.run(
 HttpURLConnection.java:1885)
     at java.security.AccessController.doPrivileged(Native Method)
     at sun.net.www.protocol.http.HttpURLConnection.getChainedException(
 HttpURLConnection.java:1884)
     at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(
 HttpURLConnection.java:1457)
     at sun.net.www.protocol.http.HttpURLConnection.getInputStream(
 HttpURLConnection.java:1441)
     at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(
 HttpsURLConnectionImpl.java:254)
     at org.keycloak.broker.provider.util.SimpleHttp.asString(
 SimpleHttp.java:148)
     at org.keycloak.broker.oidc.util.JsonSimpleHttp.asJson(
 JsonSimpleHttp.java:46)
     at org.keycloak.broker.oidc.OIDCIdentityProvider.getFederatedIdentity(
 OIDCIdentityProvider.java:267)
     ... 50 more
 Caused by: java.io.IOException: Server returned HTTP response code: 403
 for URL: https://www.googleapis.com/plus/v1/people/me/openIdConnect
     at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(
 HttpURLConnection.java:1840)
     at sun.net.www.protocol.http.HttpURLConnection.getInputStream(
 HttpURLConnection.java:1441)
     at sun.net.www.protocol.http.HttpURLConnection.getHeaderField(
 HttpURLConnection.java:2943)
     at sun.net.www.protocol.https.HttpsURLConnectionImpl.getHeaderField(
 HttpsURLConnectionImpl.java:291)
     at org.keycloak.broker.provider.util.SimpleHttp.asString(
 SimpleHttp.java:147)
     ... 52 more

 _______________________________________________
 keycloak-user mailing list
 keycloak-user(a)lists.jboss.org
 https://lists.jboss.org/mailman/listinfo/keycloak-user

-- 

*Paulo Pires*

senior infrastructure engineer | littleBits
<http://www.google.com/url?q=http%3A%2F%2Flittlebits.cc%2F&sa=D&sn...

*T* (917) 464-4577
unleash your inner inventor. <https://youtu.be/fMg5QPQQOOI>

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

Re: [keycloak-user] GoogleIdentityProvider seems to be broken for Keycloak 2.1.0.CR1