Re: [keycloak-user] GoogleIdentityProvider seems to be broken for Keycloak 2.1.0.CR1

Thanks for you quick reply, Marek! When re-reading the documentation now I see the part on enabling the Google+ API in the Google Developer console, which I apparently didn't pay attention to. It all works smoothly now, and I can remove the user-defined OpenId Connect provider. Regards, Sigbjørn On 10 August 2016 at 11:49, Marek Posolda <mposolda(a)redhat.com&gt; wrote: > Did you enable Google+ API in Google admin console? Configuration of this > is on Google side, not scopes on Keycloak side on identityProvider page. > > Marek > > > On 10/08/16 10:47, Sigbjørn Dybdahl wrote: > > Hello, > > I'm trying to configure an instance of Keycloak using version 2.1.0.CR1 > and I've run into a problem when using the Google Identity Provider with > the default configuration. That is, during the callback I observe > a org.keycloak.broker.provider.IdentityBrokerException: Could not fetch > attributes (see complete stacktrace below for details) from userinfo > endpoint which seems to be linked to the 403 Forbidden return code when > calling <https://www.googleapis.com/plus/v1/people/me/openIdConnect> > https://www.googleapis.com/plus/v1/people/me/openIdConnect. > > This seems to be similar to https://issues.jboss.org/browse/KEYCLOAK-2942, > but even when adding the additional Google+ scopes (making scope=openid > profile email https://www.googleapis.com/auth/plus.me > https://www.googleapis.com/auth/plus.login) the call fails. As for > JIRA-2942, I've tried setting up a user-defined OpenId Connect provider > with the default scope, which works just fine. > > Have I forgotten any important parameter while configuring the standard > Google support? Or is this a regression for this release? > > > Regards, > Sigbjørn Dybdahl > > --- > > Here's the complete stacktrace for the exception: > > 20:07:12,247 ERROR [org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider] > (default task-20) Failed to make identity provider oauth callback: > org.keycloak.broker.provider.IdentityBrokerException: Could not fetch > attributes from userinfo endpoint. > at org.keycloak.broker.oidc.OIDCIdentityProvider.getFederatedId > entity(OIDCIdentityProvider.java:304) > at org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider$ > Endpoint.authResponse(AbstractOAuth2IdentityProvider.java:230) > at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) > at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAcce > ssorImpl.java:62) > at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMe > thodAccessorImpl.java:43) > at java.lang.reflect.Method.invoke(Method.java:498) > at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInje > ctorImpl.java:139) > at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget > (ResourceMethodInvoker.java:295) > at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(Resourc > eMethodInvoker.java:249) > at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTarge > tObject(ResourceLocatorInvoker.java:138) > at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(Resour > ceLocatorInvoker.java:107) > at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTarge > tObject(ResourceLocatorInvoker.java:133) > at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(Resour > ceLocatorInvoker.java:101) > at org.jboss.resteasy.core.SynchronousDispatcher.invoke(Synchro > nousDispatcher.java:395) > at org.jboss.resteasy.core.SynchronousDispatcher.invoke(Synchro > nousDispatcher.java:202) > at org.jboss.resteasy.plugins.server.servlet.ServletContainerDi > spatcher.service(ServletContainerDispatcher.java:221) > at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatc > her.service(HttpServletDispatcher.java:56) > at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatc > her.service(HttpServletDispatcher.java:51) > at javax.servlet.http.HttpServlet.service(HttpServlet.java:790) > at io.undertow.servlet.handlers.ServletHandler.handleRequest(Se > rvletHandler.java:85) > at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.d > oFilter(FilterHandler.java:129) > at org.keycloak.services.filters.KeycloakSessionServletFilter.d > oFilter(KeycloakSessionServletFilter.java:90) > at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilte > r.java:60) > at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.d > oFilter(FilterHandler.java:131) > at io.undertow.servlet.handlers.FilterHandler.handleRequest(Fil > terHandler.java:84) > at io.undertow.servlet.handlers.security.ServletSecurityRoleHan > dler.handleRequest(ServletSecurityRoleHandler.java:62) > at io.undertow.servlet.handlers.ServletDispatchingHandler.handl > eRequest(ServletDispatchingHandler.java:36) > at org.wildfly.extension.undertow.security.SecurityContextAssoc > iationHandler.handleRequest(SecurityContextAssociationHandler.java:78) > at io.undertow.server.handlers.PredicateHandler.handleRequest(P > redicateHandler.java:43) > at io.undertow.servlet.handlers.security.SSLInformationAssociat > ionHandler.handleRequest(SSLInformationAssociationHandler.java:131) > at io.undertow.servlet.handlers.security.ServletAuthenticationC > allHandler.handleRequest(ServletAuthenticationCallHandler.java:57) > at io.undertow.server.handlers.PredicateHandler.handleRequest(P > redicateHandler.java:43) > at io.undertow.security.handlers.AbstractConfidentialityHandler > .handleRequest(AbstractConfidentialityHandler.java:46) > at io.undertow.servlet.handlers.security.ServletConfidentiality > ConstraintHandler.handleRequest(ServletConfident > ialityConstraintHandler.java:64) > at io.undertow.security.handlers.AuthenticationMechanismsHandle > r.handleRequest(AuthenticationMechanismsHandler.java:60) > at io.undertow.servlet.handlers.security.CachedAuthenticatedSes > sionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77) > at io.undertow.security.handlers.NotificationReceiverHandler.ha > ndleRequest(NotificationReceiverHandler.java:50) > at io.undertow.security.handlers.AbstractSecurityContextAssocia > tionHandler.handleRequest(AbstractSecurityContextAssociation > Handler.java:43) > at io.undertow.server.handlers.PredicateHandler.handleRequest(P > redicateHandler.java:43) > at org.wildfly.extension.undertow.security.jacc.JACCContextIdHa > ndler.handleRequest(JACCContextIdHandler.java:61) > at io.undertow.server.handlers.PredicateHandler.handleRequest(P > redicateHandler.java:43) > at io.undertow.server.handlers.PredicateHandler.handleRequest(P > redicateHandler.java:43) > at io.undertow.servlet.handlers.ServletInitialHandler.handleFir > stRequest(ServletInitialHandler.java:284) > at io.undertow.servlet.handlers.ServletInitialHandler.dispatchR > equest(ServletInitialHandler.java:263) > at io.undertow.servlet.handlers.ServletInitialHandler.access$00 > 0(ServletInitialHandler.java:81) > at io.undertow.servlet.handlers.ServletInitialHandler$1.handleR > equest(ServletInitialHandler.java:174) > at io.undertow.server.Connectors.executeRootHandler(Connectors. > java:202) > at io.undertow.server.HttpServerExchange$1.run(HttpServerExchan > ge.java:793) > at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPool > Executor.java:1142) > at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoo > lExecutor.java:617) > at java.lang.Thread.run(Thread.java:745) > Caused by: java.io.IOException: Server returned HTTP response code: 403 > for URL: https://www.googleapis.com/plus/v1/people/me/openIdConnect > at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native > Method) > at sun.reflect.NativeConstructorAccessorImpl.newInstance(Native > ConstructorAccessorImpl.java:62) > at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(De > legatingConstructorAccessorImpl.java:45) > at java.lang.reflect.Constructor.newInstance(Constructor.java:423) > at sun.net.www.protocol.http.HttpURLConnection$10.run(HttpURLCo > nnection.java:1890) > at sun.net.www.protocol.http.HttpURLConnection$10.run(HttpURLCo > nnection.java:1885) > at java.security.AccessController.doPrivileged(Native Method) > at sun.net.www.protocol.http.HttpURLConnection.getChainedExcept > ion(HttpURLConnection.java:1884) > at sun.net.www.protocol.http.HttpURLConnection.getInputStream0( > HttpURLConnection.java:1457) > at sun.net.www.protocol.http.HttpURLConnection.getInputStream(H > ttpURLConnection.java:1441) > at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputSt > ream(HttpsURLConnectionImpl.java:254) > at org.keycloak.broker.provider.util.SimpleHttp.asString(Simple > Http.java:148) > at org.keycloak.broker.oidc.util.JsonSimpleHttp.asJson(JsonSimp > leHttp.java:46) > at org.keycloak.broker.oidc.OIDCIdentityProvider.getFederatedId > entity(OIDCIdentityProvider.java:267) > ... 50 more > Caused by: java.io.IOException: Server returned HTTP response code: 403 > for URL: https://www.googleapis.com/plus/v1/people/me/openIdConnect > at sun.net.www.protocol.http.HttpURLConnection.getInputStream0( > HttpURLConnection.java:1840) > at sun.net.www.protocol.http.HttpURLConnection.getInputStream(H > ttpURLConnection.java:1441) > at sun.net.www.protocol.http.HttpURLConnection.getHeaderField(H > ttpURLConnection.java:2943) > at sun.net.www.protocol.https.HttpsURLConnectionImpl.getHeaderF > ield(HttpsURLConnectionImpl.java:291) > at org.keycloak.broker.provider.util.SimpleHttp.asString(Simple > Http.java:147) > ... 52 more > > > > _______________________________________________ > keycloak-user mailing listkeycloak-user@lists.jboss.orghttps://lists.jboss.org/mailman/listinfo/keycloak-user > > > _______________________________________________ keycloak-user mailing list keycloak-user(a)lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user