Liferay Portal has an OpenID Connect plugin, configured by a property file with these
properties:
openidconnect.enableOpenIDConnect=true
openidconnect.token-location=https://<my keycloak and port>/auth/realms/CMFIRST/protocol/openid-connect/token
openidconnect.authorization-location=https://<my keycloak and port>/auth/realms/CMFIRST/protocol/openid-connect/auth
openidconnect.profile-uri=https://<my keycloak and port>/auth/realms/CMFIRST/protocol/openid-connect/userinfo
openidconnect.issuer=https://<my keycloak and port>/auth/realms/CMFIRST/protocol/openid-connect/certs
openidconnect.client-id=Portal
openidconnect.secret=<my secret>
openidconnect.scope=openid profile email
Property docs are at the end of this email.
My Keycloak client is an out-of-the-box setup.
Here are the realm keys:
Algorithm  Type  Kid          Priority  Provider
AES        OCT   <a uuid>     100       aes-generated<https://mobileportal.cmfirsttech.com:9280/auth/admin/master/console/#/realms/CMFIRST/keys/providers/aes-generated/b00f30ba-49da-4dfb-8f21-c256b069ec5b>
HS256      OCT   <a uuid>     100       hmac-generated<https://mobileportal.cmfirsttech.com:9280/auth/admin/master/console/#/realms/CMFIRST/keys/providers/hmac-generated/c2362731-7a65-416f-918e-1b8c67ac7cb1>
RS256      RSA   <something>  100       rsa-generated<https://mobileportal.cmfirsttech.com:9280/auth/admin/master/console/#/realms/CMFIRST/keys/providers/rsa-generated/e57385c6-e6eb-421c-945e-725a30f189b5>  (Public key, Certificate)
Liferay does not like the JWT signature:
13:09:39,833 WARN [http-bio-8080-exec-10][Liferay62Adapter:46] The token was not valid:
-- JWT --
Raw String: eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJWTUtfTHpWbDY0T2plZW9NVkppajRTLTFNYTZ3aDU5b1dkWHpycXZ5MDJBIn0.eyJqdGkiOiJmZWY0MzVmMS0wOTI0LTQ5MWUtODk0MS1kMjFhMGRhZWNlY2EiLCJleHAiOjE1NTA1ODIwNzksIm5iZiI6MCwiaWF0IjoxNTUwNTgxNzc5LCJpc3MiOiJodHRwczovL21vYmlsZXBvcnRhbC5jbWZpcnN0dGVjaC5jb206OTI4MC9hdXRoL3JlYWxtcy9DTUZJUlNUIiwiYXVkIjoiUG9ydGFsIiwic3ViIjoiZmYwYmY1MWUtOWFmOS00M2JkLWE0NTQtZGQzZDM5OTM4ZjFhIiwidHlwIjoiSUQiLCJhenAiOiJQb3J0YWwiLCJhdXRoX3RpbWUiOjE1NTA1ODE3NzksInNlc3Npb25fc3RhdGUiOiI1YjE3NzVjZS0xYWZlLTQ3ODItYWM4OC1jOTgwZTg4NTIxOTUiLCJhY3IiOiIxIiwiZW1haWxfdmVyaWZpZWQiOmZhbHNlLCJwcmVmZXJyZWRfdXNlcm5hbWUiOiJmbXNzdGFmZiJ9.APuz2MZkEbk3ADgPw2F4BxaS5ETkIMDeGerMZqmLPEYI-I04l0f8iOBFyxcVDV4C-dGginNcyqgL7Ep459B8kkm8mDwCWj2QqUo3VQF9QyTCRnz22vpqYEaJqsjmgQ5d7Bby6wCYshXECSuSNIUJ3N9ZMQVa_yq1qUM9JWg00FRs41ed4fJGhV1EWNFZGF5hKrJXfXQoICkdB61AjsjCE6Fi84P22hM_3AgDwvuS140USWweG0JA72EL3mdpQtXKB_5GAvG6XLEHGQu7QUGJPSxvyQ94Vr8Z74TobnPFsBamy7uzgNji5SJRnTxOjNsWlxYFIzp4bYHtUgmYoelxLg
Header: {"typ": "JWT", "alg": "RS256", "cty": "null" , "kid": "VMK_LzVl64OjeeoMVJij4S-1Ma6wh59oWdXzrqvy02A"}
Claims Set: {"iss": "https://<my kc host and port>/auth/realms/CMFIRST", "sub": "ff0bf51e-9af9-43bd-a454-dd3d39938f1a", "aud": ["Portal"], "exp": 1550582079, "nbf": "0", "iat": 1550581779, "jti": "fef435f1-0924-491e-8941-d21a0daececa", "typ": "ID" }
Signature: APuz2MZkEbk3ADgPw2F4BxaS5ETkIMDeGerMZqmLPEYI-I04l0f8iOBFyxcVDV4C-dGginNcyqgL7Ep459B8kkm8mDwCWj2QqUo3VQF9QyTCRnz22vpqYEaJqsjmgQ5d7Bby6wCYshXECSuSNIUJ3N9ZMQVa_yq1qUM9JWg00FRs41ed4fJGhV1EWNFZGF5hKrJXfXQoICkdB61AjsjCE6Fi84P22hM_3AgDwvuS140USWweG0JA72EL3mdpQtXKB_5GAvG6XLEHGQu7QUGJPSxvyQ94Vr8Z74TobnPFsBamy7uzgNji5SJRnTxOjNsWlxYFIzp4bYHtUgmYoelxLg
---------
[Sanitized]
I don't have these problems in my web apps; they use the Tomcat adapter and have no issue
with the JWT sig.
Any suggestions?
Property docs
Portal properties
The following portal properties can be set. They are required unless specified as
optional.
openidconnect.enableOpenIDConnect
Whether to enable the plugin (effectively allowing you to disable the plugin without
uninstalling it). Boolean, either 'true' or 'false'. Default is false.
openidconnect.authorization-location
Complete URL to the OpenID Connect Provider's authorization location. Example for
Google:
https://accounts.google.com/o/oauth2/v2/auth
openidconnect.token-location
Complete URL to the OpenID Connect Provider's token location. Example for Google:
https://www.googleapis.com/oauth2/v4/token
openidconnect.profile-uri
Complete URL to the 'user info' endpoint. Example for Google:
https://www.googleapis.com/plus/v1/people/me/openIdConnect
openidconnect.sso-logout-uri (Optional)
openidconnect.sso-logout-param (Optional)
openidconnect.sso-logout-value (Optional)
Complete URL to the 'SSO logout' endpoint. Ignored if empty. After redirection to
the given URL, the OpenID Connect Provider should redirect to the Liferay Portal home page
(or another public after-logout resource). This target may be included in this URL as a
URL parameter or may be configured at the OpenID Connect Provider.
openidconnect.issuer
The information retrieved from the user info endpoint has to be verified against a
preconfigured string, according to the OpenID Connect spec. This 'issuer' claim is
used for that. Example for Google:
https://accounts.google.com
openidconnect.client-id
Register your Liferay portal as a 'client app' in the Google developer console;
the resulting client id is the OpenID Connect client id. Non-working example for
Google:
7kasuf1-123123adfaafdsflni7me2kr.apps.googleusercontent.com
openidconnect.secret
Secret of the client, after registration of the Liferay portal, just like the client-id.
openidconnect.scope
Scope(s) of the access token (space separated), should be the same (or a subset) of the
scopes allowed by the provider to the client. Default value: openid profile email
openidconnect.provider (Optional)
Type of OpenID Connect provider. Supported values: generic (default), azure. For most
provider implementations the generic provider works. For Azure, use the value azure, as
this makes slight changes to the fields sent as UserInfo.
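As an added example (not the Liferay plugin's or Keycloak's own code), the script below decodes the ID token from the WARN log above and compares its iss claim with the configured openidconnect.issuer value, using the exact-string comparison the property doc for openidconnect.issuer describes ("verified against a preconfigured string"). It assumes the sanitized host in the property file is the one the admin-console links show, and keycloak_jwks_url is a helper name chosen here.

```python
import base64
import json

# openidconnect.issuer as set in the property file above; the sanitized host is
# assumed to be the one the admin-console links for the realm keys show.
CONFIGURED_ISSUER = ("https://mobileportal.cmfirsttech.com:9280/auth/realms/CMFIRST"
                     "/protocol/openid-connect/certs")

# ID token copied verbatim from the "Raw String" in the WARN log line above.
ID_TOKEN = (
    "eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJWTUtfTHpWbDY0T2plZW9NVkppajRTLTFNYTZ3aDU5b1dkWHpycXZ5MDJBIn0."
    "eyJqdGkiOiJmZWY0MzVmMS0wOTI0LTQ5MWUtODk0MS1kMjFhMGRhZWNlY2EiLCJleHAiOjE1NTA1ODIwNzksIm5iZiI6MCwiaWF0IjoxNTUwNTgxNzc5LCJpc3MiOiJodHRwczovL21vYmlsZXBvcnRhbC5jbWZpcnN0dGVjaC5jb206OTI4MC9hdXRoL3JlYWxtcy9DTUZJUlNUIiwiYXVkIjoiUG9ydGFsIiwic3ViIjoiZmYwYmY1MWUtOWFmOS00M2JkLWE0NTQtZGQzZDM5OTM4ZjFhIiwidHlwIjoiSUQiLCJhenAiOiJQb3J0YWwiLCJhdXRoX3RpbWUiOjE1NTA1ODE3NzksInNlc3Npb25fc3RhdGUiOiI1YjE3NzVjZS0xYWZlLTQ3ODItYWM4OC1jOTgwZTg4NTIxOTUiLCJhY3IiOiIxIiwiZW1haWxfdmVyaWZpZWQiOmZhbHNlLCJwcmVmZXJyZWRfdXNlcm5hbWUiOiJmbXNzdGFmZiJ9."
    "APuz2MZkEbk3ADgPw2F4BxaS5ETkIMDeGerMZqmLPEYI-I04l0f8iOBFyxcVDV4C-dGginNcyqgL7Ep459B8kkm8mDwCWj2QqUo3VQF9QyTCRnz22vpqYEaJqsjmgQ5d7Bby6wCYshXECSuSNIUJ3N9ZMQVa_yq1qUM9JWg00FRs41ed4fJGhV1EWNFZGF5hKrJXfXQoICkdB61AjsjCE6Fi84P22hM_3AgDwvuS140USWweG0JA72EL3mdpQtXKB_5GAvG6XLEHGQu7QUGJPSxvyQ94Vr8Z74TobnPFsBamy7uzgNji5SJRnTxOjNsWlxYFIzp4bYHtUgmYoelxLg"
)


def b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore the padding first.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt(token: str):
    """Return (header, claims) of a compact JWS. The signature is NOT verified here;
    this only exposes the fields a validator compares against its configuration."""
    header_b64, payload_b64, _signature_b64 = token.split(".")
    return json.loads(b64url_decode(header_b64)), json.loads(b64url_decode(payload_b64))


def keycloak_jwks_url(issuer: str) -> str:
    """Keycloak publishes a realm's signing keys at <issuer>/protocol/openid-connect/certs."""
    return issuer.rstrip("/") + "/protocol/openid-connect/certs"


def check_issuer(claims: dict, configured_issuer: str) -> dict:
    """Compare the token's 'iss' claim with the configured issuer string.
    Assumption: the plugin does an exact string comparison, as its property doc
    ("verified against a preconfigured string") describes."""
    iss = claims.get("iss", "")
    result = {"iss": iss, "configured": configured_issuer, "match": iss == configured_issuer}
    if not result["match"] and configured_issuer == keycloak_jwks_url(iss):
        result["hint"] = "configured value is the certs (JWKS) URL of this issuer, not the issuer"
    return result


if __name__ == "__main__":
    hdr, clm = decode_jwt(ID_TOKEN)
    print("alg:", hdr["alg"], "kid:", hdr["kid"])
    print(json.dumps(check_issuer(clm, CONFIGURED_ISSUER), indent=2))
```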