Hmm... is github working for you if you omit the "truststore"
configuration in keycloak-server.json and use the default java cacerts
file without any changes?
Marek
On 07/06/16 09:38, LI Ming wrote:
Marek,
I already set truststore file to the default java certificates file
path in keycloak configuration file
$KEYCLOAK_HOME/standalone/configuration/keycloak-server.json as below:
"truststore": {
"file": {
"file": "/usr/java/jre/lib/security/cacerts",
"password": "changeit",
"hostname-verification-policy": "ANY",
"disabled": false
}
}
And I put my customer certificate file in it also.
Ming Li
*From:* Marek Posolda [mailto:mposolda@redhat.com]
*Sent:* Tuesday, June 07, 2016 3:17 PM
*To:* LI Ming; keycloak-user(a)lists.jboss.org
*Subject:* Re: [keycloak-user] When using Social Identity Provider, it failed with failure "Connection timed out"
It seems that's because Keycloak is not able to send backchannel
request to github due to github certificate not trusted.
Are you using custom truststore set with truststore SPI or with
"javax.net.ssl.truststore" system property? I think that by default
github SSL certificate is verified by well-known CA, so it shouldn't
be the issue to connect to that if you use default Java file with
certificates (cacerts). However if you have a custom truststore set, then
the default java cacerts file is possibly not used, so well-known
certificates like the one from github are not trusted. We should
likely have a solution which will allow setting a custom truststore in
addition to the default java cacerts file. But until we have it, you
probably need to manually create a truststore file where you import
both the "well-known" certificates together with your custom certificates.
Marek
On 07/06/16 08:02, LI Ming wrote:
Hi,
When I set up a social identity provider (GitHub) to authenticate
the user, it always failed with the below error:
2016-06-07 00:49:05,349 ERROR [org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider] (default task-9) Failed to make identity provider oauth callback: java.net.ConnectException: Connection timed out
    at java.net.PlainSocketImpl.socketConnect(Native Method)
    at java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:350)
    at java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:206)
    at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:188)
    at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392)
    at java.net.Socket.connect(Socket.java:589)
    at sun.security.ssl.SSLSocketImpl.connect(SSLSocketImpl.java:668)
    at sun.security.ssl.BaseSSLSocketImpl.connect(BaseSSLSocketImpl.java:173)
    at sun.net.NetworkClient.doConnect(NetworkClient.java:180)
    at sun.net.www.http.HttpClient.openServer(HttpClient.java:432)
    at sun.net.www.http.HttpClient.openServer(HttpClient.java:527)
    at sun.net.www.protocol.https.HttpsClient.<init>(HttpsClient.java:264)
    at sun.net.www.protocol.https.HttpsClient.New(HttpsClient.java:367)
    at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.getNewHttpClient(AbstractDelegateHttpsURLConnection.java:191)
    at sun.net.www.protocol.http.HttpURLConnection.plainConnect0(HttpURLConnection.java:1105)
    at sun.net.www.protocol.http.HttpURLConnection.plainConnect(HttpURLConnection.java:999)
    at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:177)
    at sun.net.www.protocol.http.HttpURLConnection.getOutputStream0(HttpURLConnection.java:1283)
    at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:1258)
    at sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(HttpsURLConnectionImpl.java:250)
    at org.keycloak.broker.provider.util.SimpleHttp.asString(SimpleHttp.java:141)
    at org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider$Endpoint.authResponse(AbstractOAuth2IdentityProvider.java:228)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    …
2016-06-07 00:49:05,355 WARN [org.keycloak.events] (default task-9) type=LOGIN_ERROR, realmId=demo, clientId=null, userId=null, ipAddress=135.252.159.35, error=identity_provider_login_failure
Can you help to identify the failure reason?
Thanks,
Ming Li
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org <mailto:keycloak-user@lists.jboss.org>
https://lists.jboss.org/mailman/listinfo/keycloak-user
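The workaround Marek describes in the thread, a single truststore that holds both the JRE's well-known CA certificates and the custom ones, can be built with the standard java.security.KeyStore API. The program below is an added example, not Keycloak's code or anything posted in the thread; the cacerts path and "changeit" password come from Ming's configuration, while the custom and merged truststore paths and their passwords are placeholders to replace. Note that the stack trace Ming posted fails inside PlainSocketImpl.socketConnect, before any TLS handshake starts, so a merged truststore fixes an untrusted-certificate problem but not a TCP-level timeout; an untrusted GitHub certificate would surface as an SSLHandshakeException instead.

```java
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.util.Enumeration;

/**
 * Merges the JRE default truststore (cacerts) with a custom truststore into a
 * new file that can be referenced from the Keycloak "truststore" SPI. Because
 * the SPI replaces cacerts rather than extending it, the merged file is what
 * keeps well-known CAs (such as the one signing GitHub's certificate) trusted.
 *
 * Added example, not Keycloak code. All paths and passwords are assumptions.
 */
public class MergeTruststores {

    /** Loads a JKS truststore from disk; cacerts in the JRE versions of this thread is JKS. */
    static KeyStore load(String path, char[] password)
            throws IOException, GeneralSecurityException {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    /**
     * Copies every trusted-certificate entry of src into dst. Aliases are
     * prefixed so that two stores using the same alias cannot overwrite each
     * other; private-key entries are skipped because a truststore needs none.
     * Returns the number of certificates copied.
     */
    static int copyCertificates(KeyStore src, KeyStore dst, String prefix)
            throws GeneralSecurityException {
        int copied = 0;
        for (Enumeration<String> aliases = src.aliases(); aliases.hasMoreElements(); ) {
            String alias = aliases.nextElement();
            if (!src.isCertificateEntry(alias)) {
                continue;
            }
            Certificate cert = src.getCertificate(alias);
            dst.setCertificateEntry(prefix + alias, cert);
            copied++;
        }
        return copied;
    }

    public static void main(String[] args) throws Exception {
        // cacerts path and password as in the thread; the rest are placeholders.
        String cacertsPath = "/usr/java/jre/lib/security/cacerts";
        char[] cacertsPassword = "changeit".toCharArray();
        String customPath = "/path/to/custom-truststore.jks";      // placeholder
        char[] customPassword = "CUSTOM_PASSWORD".toCharArray();  // placeholder
        String mergedPath = "/path/to/merged-truststore.jks";      // placeholder
        char[] mergedPassword = "MERGED_PASSWORD".toCharArray();  // placeholder

        KeyStore cacerts = load(cacertsPath, cacertsPassword);
        KeyStore custom = load(customPath, customPassword);

        // Start from an empty in-memory keystore and fill it from both sources.
        KeyStore merged = KeyStore.getInstance("JKS");
        merged.load(null, null);
        int fromJre = copyCertificates(cacerts, merged, "jre-");
        int fromCustom = copyCertificates(custom, merged, "custom-");

        try (FileOutputStream out = new FileOutputStream(mergedPath)) {
            merged.store(out, mergedPassword);
        }
        System.out.printf("Wrote %s with %d JRE CA certificates and %d custom certificates%n",
                mergedPath, fromJre, fromCustom);
    }
}
```

After running it, point the "file" entry of the "truststore" block in keycloak-server.json at the merged file and set its "password" to the merged store's password. The same merge can be done without code using keytool -importkeystore with the cacerts file as -srckeystore and the custom store as -destkeystore. One further point on the configuration quoted in the thread: "hostname-verification-policy": "ANY" disables hostname verification for the outgoing TLS connections that Keycloak makes through this truststore, so a certificate issued for any name is accepted; "STRICT" (or "WILDCARD", which also allows wildcard certificates) keeps the check on and is the safer choice for connections to an external identity provider.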