Well, when I put "https://accounts.google.com" into the "Issuer" field I get the following exception:
16:53:37,502 ERROR [org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider] (default task-37) Failed to make identity provider oauth callback: org.keycloak.broker.provider.IdentityBrokerException: Wrong issuer from token. Got: accounts.google.com expected: https://accounts.google.com
    at org.keycloak.broker.oidc.OIDCIdentityProvider.validateToken(OIDCIdentityProvider.java:312)
The autoconfig stuff for the sign key issue is easy to reproduce:
- create realm
- add "OpenID Connect v1.0" provider
- on the bottom populate the "Import From Url" with "https://accounts.google.com/.well-known/openid-configuration" and click "Import"
- add your "Client ID" and "Client secret" as provided in your Google Developer Console
- add scopes "openid profile email"
- click "Save"
(due to the aforementioned "Issuer" issue you may need to change "https://accounts.google.com" to "accounts.google.com" as well)
Try to log in with your Google account into the realm and it should give you the sig validation failure I posted.
2015-05-13 17:25 GMT+02:00 Bill Burke <bburke(a)redhat.com>:
Why do you think the issuer should be changed to accounts.google.com?
I'm not sure about the keys as our code eats the error. How can I reproduce this? Meaning how can I set up my google account and such? Same as regular social provider stuff?
On 5/12/2015 5:37 PM, Thorsten wrote:
> I tried to import the basic IDP config for a custom "OpenID Connect
> v1.0" provider from the published Google autoconf URL:
> https://accounts.google.com/.well-known/openid-configuration
>
> The URLs are picked up fine but there seem to be two issues:
>
> 1.) the "Issuer" is imported as "https://accounts.google.com" when it
> should be "accounts.google.com"
> 2.) the public validation keys are not imported correctly. They always
> produce
>
> 12:09:40,416 ERROR [org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider] (default task-17) Failed to make identity provider oauth callback: org.keycloak.broker.provider.IdentityBrokerException: token signature validation failed
>     at org.keycloak.broker.oidc.OIDCIdentityProvider.validateToken(OIDCIdentityProvider.java:286)
>
> when authentication is being performed.
>
> Are these bugs or is the published discovery document from Google not
> standard compliant?
>
> Thanks
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
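The issuer check behind the "Wrong issuer from token" error, as an added example that is not Keycloak's code: it decodes the ID token's claims and compares iss by exact match against an explicit allow-list, accepting both issuer forms Google documents for its tokens. The token, client ID and timestamps are constructed for the demonstration.

```python
import base64
import json
import time

# Issuer identifiers Google documents for its ID tokens: the discovery
# document advertises the https form, but tokens may carry either one,
# which is exactly the mismatch reported in the thread.
GOOGLE_ISSUERS = {"https://accounts.google.com", "accounts.google.com"}


def b64url_decode(segment: str) -> bytes:
    # JWT segments omit base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def unverified_claims(id_token: str) -> dict:
    # Splits and decodes only. The signature must be verified against the
    # provider's JWKS before any claim returned here is acted on.
    _header, payload, _signature = id_token.split(".")
    return json.loads(b64url_decode(payload))


def check_issuer(claims: dict, expected_issuers: set) -> str:
    # Exact match against an allow-list; no prefix or substring logic.
    iss = claims.get("iss")
    if iss not in expected_issuers:
        raise ValueError(f"Wrong issuer from token. Got: {iss} "
                         f"expected: {sorted(expected_issuers)}")
    return iss


def validate_claims(id_token: str, expected_issuers: set,
                    client_id: str, now=None) -> dict:
    # Issuer, audience and expiry checks an OIDC relying party performs
    # after the signature has been verified.
    claims = unverified_claims(id_token)
    check_issuer(claims, expected_issuers)
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError(f"audience mismatch: {aud}")
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    return claims


def constructed_token(claims: dict) -> str:
    # Constructed, unsigned test token with an empty signature segment;
    # real Google tokens are RS256-signed and need the JWKS to verify.
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}."
```

Configuring only the https form, as the discovery import does, rejects a token whose iss is the bare host; listing both forms accepts it while still refusing any other issuer.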