Hi,
How are you integrating the two idps? The client_session_state parameter seems added as
a hack when using KeycloakOIDCIdentityProvider ([1]), but this was added a long time ago.
I think this provider should only be used when the 2 idps are keycloak; you may want to
try the generic OIDCIdentityProvider, which does not add this param.
But there is an issue with logout [2] and signature validation, which is why we had to
develop our own keycloak extension for france connect [3]. I just tried it with keycloak
5.0.0 without problem.
(and you may want to change your account information with france connect (client_secret
and client_id), these should not be public)
Cédric Couralet
[1]
On Friday, April 12, 2019 17:16 CEST, Olivier Rivat <orivat(a)janua.fr> wrote:
Hi,
I am testing the integration of keycloak to FranceConnect (French IDP
provider).
It is working fine with keycloak 4.81 (I have just tested it today), but
it is failing with keycloak 5.0.
The difference between the two is that keycloak 5.0 is internally adding
client_session_state on the idp request.
But the FranceConnect idp is not recognizing client_session_state.
What could be done to overcome this issue, as the IDP has not changed?
Is it possible to disable this flag (client_session_state) so it does
not appear in the log of KC 5.0?
Please advise what could be done to have it working again.
Regards,
Olivier Rivat
==============================================================================
Traces are as follows for the two versions:
Keycloak 4.83 trace (OK)
2019-04-12 17:06:04,250 DEBUG [org.apache.http.wire] (default task-11)
http-outgoing-3 >> "[\r][\n]"
2019-04-12 17:06:04,250 DEBUG [org.apache.http.wire] (default task-11)
http-outgoing-3 >>
code=de5db40072c4d4a146f46330e7f85e38610d0943e95e9cb6ac73d66bd672205a&
grant_type=authorization_code&
client_secret=f6495844366b0a6c44fb2fffb4764ee732d134f4a7a8321863983473801c26db&
redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Fauth%2Frealms%2Fdemo%2Fbroker%2FFranceConnect%2Fendpoint&
client_id=db14bd4bf83bf764076a25f664ca6750a32c2cd18be6ba43806d80cb2a3745b6
2019-04-12 17:06:04,308 DEBUG [org.apache.http.wire] (default task-11)
http-outgoing-3 << "HTTP/1.1 200 OK[\r][\n]"
2019-04-12 17:06:04,308 DEBUG [org.apache.http.wire] (default task-11)
http-outgoing-3 << "Server: nginx[\r][\n]"
2019-04-12 17:06:04,309 DEBUG [org.apache.http.wire] (default task-11)
http-outgoing-3 << "Date: Fri, 12 Apr 2019 15:05:57 GMT[\r][\n]"
2019-04
Keycloak 5.00 trace (Not working)
6:01:00,889 DEBUG [org.apache.http.wire] (default task-10)
http-outgoing-0 >> "
code=326df10aabf29c322ca83a2a20b7ffc8c3dcab1ce150b62e99433b3a11e78e81&
grant_type=authorization_code&
client_session_state=n%2Fa&
client_secret=f6495844366b0a6c44fb2fffb4764ee732d134f4a7a8321863983473801c26db&
redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Fauth%2Frealms%2Fdemo%2Fbroker%2FFranceConnect%2Fendpoint&
client_id=db14bd4bf83bf764076a25f664ca6750a32c2cd18be6ba43806d80cb2a3745b6"
16:01:00,966 DEBUG [org.apache.http.wire] (default task-10)
http-outgoing-0 << "HTTP/1.1 400 Bad Request[\r][\n]"
16:01:00,967 DEBUG [org.apache.http.wire] (default task-10)
http-outgoing-0 << "Server: nginx[\r][\n]"
16:01:00,967 DEBUG [org.apache.http.wire] (default task-10)
http-outgoing-0 << "Date: Fri, 12 Apr 2019 14:00:53 GMT[\r][\n]"
16:01:00,967 DEBUG [org.apache.http.wire] (default task-10)
http-outgoing-0 << "Content-Type: application/json;
charset=utf-8[\r][\n]"
16:01:00,967 DEBUG [org.apache.http.wire] (default task-10)
http-outgoing-0 << "Content-Length: 104[\r][\n]"
16:01:00,967 DEBUG [org.apache.http.wire] (default task-10)
http-outgoing-0 << "Connection: keep-alive[\r][\n]"
16:01:00,967 DEBUG [org.apache.http.wire] (default task-10)
http-outgoing-0 << "ETag:
W/"68-1YcGPHfKrHgT2FZkgQmpNQ"[\r][\n]"
16:01:00,967 DEBUG [org.apache.http.wire] (default task-10)
http-outgoing-0 << "Vary: Accept-Encoding[\r][\n]"
16:01:00,967 DEBUG [org.apache.http.wire] (default task-10)
http-outgoing-0 << "[\r][\n]"
16:01:00,967 DEBUG [org.apache.http.wire] (default task-10)
http-outgoing-0 <<
"{"status":"fail","message":"The following fields
are
not supposed to be present : client_session_state"}"
--
Olivier Rivat
CTO
orivat(a)janua.fr <mailto:dchikhaoui@janua.fr>
Gsm: +33(0)682 801 609
Tél: +33(0)489 829 238
Fax: +33(0)955 260 370
http://www.janua.fr
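As an added example, not part of this thread nor of Keycloak's or FranceConnect's code: a strict check of an authorization_code token request body, of the kind the 400 response in the trace shows FranceConnect applying, run over bodies reconstructed from the two traces above (code, secret and client_id replaced by placeholders), together with the parameter filtering an intermediary or a custom identity-provider implementation would need to apply to get the 5.0 request accepted. The allowed parameter set is an assumption taken from RFC 6749; the trace only shows that client_session_state is refused.

```python
"""Strict token-endpoint body validation and parameter filtering (added example)."""
from urllib.parse import parse_qs, urlencode

# Parameters an authorization_code token request may carry: RFC 6749 section 4.1.3,
# plus client credentials in the body (section 2.3.1). Assumption: FranceConnect
# enforces exactly this set; the trace only proves client_session_state is rejected.
ALLOWED_AUTH_CODE_PARAMS = {"grant_type", "code", "redirect_uri", "client_id", "client_secret"}

REDIRECT = "http%3A%2F%2Flocalhost%3A8080%2Fauth%2Frealms%2Fdemo%2Fbroker%2FFranceConnect%2Fendpoint"

# Constructed from the traces above; real values replaced by obvious placeholders.
KC_483_BODY = ("code=CODE_PLACEHOLDER&grant_type=authorization_code&"
               "client_secret=SECRET_PLACEHOLDER&redirect_uri=" + REDIRECT +
               "&client_id=CLIENT_ID_PLACEHOLDER")
KC_500_BODY = ("code=CODE_PLACEHOLDER&grant_type=authorization_code&"
               "client_session_state=n%2Fa&"          # the extra parameter Keycloak 5.0 adds
               "client_secret=SECRET_PLACEHOLDER&redirect_uri=" + REDIRECT +
               "&client_id=CLIENT_ID_PLACEHOLDER")


def validate_token_request(body: str) -> dict:
    """Return {"status": "ok"} or a fail object shaped like the one in the 5.0 trace."""
    # strict_parsing raises ValueError on malformed pairs instead of silently dropping them
    params = parse_qs(body, keep_blank_values=True, strict_parsing=True)
    if params.get("grant_type") != ["authorization_code"]:
        return {"status": "fail", "message": "unsupported grant_type"}
    if "code" not in params:
        return {"status": "fail", "message": "missing field : code"}
    unexpected = sorted(set(params) - ALLOWED_AUTH_CODE_PARAMS)
    if unexpected:
        return {"status": "fail",
                "message": "The following fields are not supposed to be present : "
                           + ", ".join(unexpected)}
    return {"status": "ok"}


def drop_unexpected(body: str) -> str:
    """Rebuild the body keeping only allowed parameters (what a broker-side fix must do)."""
    params = parse_qs(body, keep_blank_values=True, strict_parsing=True)
    kept = {k: v for k, v in params.items() if k in ALLOWED_AUTH_CODE_PARAMS}
    return urlencode(kept, doseq=True)


if __name__ == "__main__":
    print("4.8x body:", validate_token_request(KC_483_BODY))
    print("5.0 body: ", validate_token_request(KC_500_BODY))
    print("filtered: ", validate_token_request(drop_unexpected(KC_500_BODY)))
```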
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user