Marek,
After setting https.proxyHost and https.proxyPort on the JVM, the "Connection timed out" issue is fixed.
Thanks,
Ming Li
From: Marek Posolda [mailto:mposolda@redhat.com]
Sent: Wednesday, June 08, 2016 6:08 PM
To: LI Ming; keycloak-user@lists.jboss.org
Subject: Re: [keycloak-user] When using Social Identity Provider, it failed with failure "Connection timed out"
Keycloak tries to send a POST request to the endpoint specified as "token URL" in the configuration. In the case of the github provider, the token URL is set to https://github.com/login/oauth/access_token .
TBH I don't know how exactly this works if you are behind a proxy. However, the SimpleHttp class is using the standard java.net.HttpURLConnection to send the backchannel request, and it seems that this is able to read the system properties "http.proxyHost" and "http.proxyPort", as Niels pointed out. I assume that the system properties are working based on the http://stackoverflow.com/questions/1432961/how-do-i-make-httpurlconnectio... (see post from Sean Owen).
Marek
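As an added illustration (not code from the thread or from Keycloak) of why the http.* properties alone were not enough for the github token URL: the JVM's default ProxySelector, which HttpURLConnection consults, chooses the proxy by URL scheme, so an https:// request is only proxied once https.proxyHost and https.proxyPort are set. The proxy host and port below are placeholders; the two URLs are the ones quoted in the thread.

```java
import java.net.Proxy;
import java.net.ProxySelector;
import java.net.URI;

// Added example: reports which proxy java.net.HttpURLConnection would use for a URL
// under the proxy system properties currently set in this JVM.
public class ProxyCheck {

    private static final String GITHUB_TOKEN_URL = "https://github.com/login/oauth/access_token";
    private static final String LOCAL_TOKEN_URL =
            "https://135.1.34.23:8443/auth/realms/demo/protocol/openid-connect/token";

    // The default selector re-reads the proxy system properties on every call,
    // so the same JVM can be queried before and after the properties change.
    static Proxy proxyFor(String url) throws Exception {
        return ProxySelector.getDefault().select(new URI(url)).get(0);
    }

    static String describe(String label, String url) throws Exception {
        Proxy p = proxyFor(url);
        return label + ": " + (p.type() == Proxy.Type.DIRECT
                ? "DIRECT (no proxy)" : p.type() + " via " + p.address());
    }

    public static void main(String[] args) throws Exception {
        // 1. Only the http.* properties set: an https:// URL is not covered, so the
        //    token request is attempted directly and times out behind a firewall.
        System.setProperty("http.proxyHost", "proxy.example.test"); // placeholder host
        System.setProperty("http.proxyPort", "8000");               // placeholder port
        System.out.println(describe("http.* only, github token URL", GITHUB_TOKEN_URL));

        // 2. https.* properties added: the selector now routes https:// through the proxy.
        System.setProperty("https.proxyHost", "proxy.example.test"); // placeholder host
        System.setProperty("https.proxyPort", "8000");               // placeholder port
        System.out.println(describe("https.* set, github token URL", GITHUB_TOKEN_URL));

        // 3. Hosts that must not be proxied (e.g. the local Keycloak endpoint quoted
        //    in the thread) are listed in http.nonProxyHosts, which covers https:// too.
        System.setProperty("http.nonProxyHosts", "localhost|127.*|135.1.34.23");
        System.out.println(describe("nonProxyHosts set, local token URL", LOCAL_TOKEN_URL));
    }
}
```

Run it with java ProxyCheck; the first line reports DIRECT, the second reports the HTTP proxy, and the third is DIRECT again because the local host is excluded.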
On 08/06/16 00:04, LI Ming wrote:
Marek,
Do you have any idea of the failure reason?
From the call stack, Keycloak hung at the following function:
org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider$Endpoint.authResponse(AbstractOAuth2IdentityProvider.java:228)
In the source code, Keycloak tried to send a POST request to the URL below:
tokenUrl: https://135.1.34.23:8443/auth/realms/demo/protocol/openid-connect/token
It is the local token authentication service, so why is it reporting "Connection timed out"?
Ming Li
From: keycloak-user-bounces@lists.jboss.org [mailto:keycloak-user-bounces@lists.jboss.org] On Behalf Of LI Ming
Sent: Tuesday, June 07, 2016 4:42 PM
To: Marek Posolda; keycloak-user@lists.jboss.org
Subject: Re: [keycloak-user] When using Social Identity Provider, it failed with failure "Connection timed out"
No, github is not working.
BTW, my server needs http_proxy/https_proxy set to access github.com.
wget --secure-protocol=TLSv1 github.com
--2016-06-07 03:39:02--  http://github.com/
Resolving global.proxy.alcatel-lucent.com (global.proxy.alcatel-lucent.com)... 135.245.48.33
Connecting to global.proxy.alcatel-lucent.com (global.proxy.alcatel-lucent.com)|135.245.48.33|:8000... connected.
Proxy request sent, awaiting response... 301 Moved Permanently
Location: https://github.com/ [following]
--2016-06-07 03:39:03--  https://github.com/
Connecting to global.proxy.alcatel-lucent.com (global.proxy.alcatel-lucent.com)|135.245.48.33|:8000... connected.
Proxy request sent, awaiting response... 200 OK
Length: unspecified [text/html]
Saving to: 'index.html'

    [ <=>                                   ] 25,508      --.-K/s   in 0.03s

2016-06-07 03:39:03 (870 KB/s) - 'index.html' saved [25508]
Github.com is accessible via the http proxy. I do not know why keycloak would complain about the certificate.
From: Marek Posolda [mailto:mposolda@redhat.com]
Sent: Tuesday, June 07, 2016 4:07 PM
To: LI Ming; keycloak-user@lists.jboss.org
Subject: Re: [keycloak-user] When using Social Identity Provider, it failed with failure "Connection timed out"
Hmm... is github working for you if you omit the "truststore" configuration in keycloak-server.json and use the default java cacerts file without any changes?
Marek
On 07/06/16 09:38, LI Ming wrote:
Marek,
I already set the truststore file to the default java certificates file path in the keycloak configuration file $KEYCLOAK_HOME/standalone/configuration/keycloak-server.json as below:
    "truststore": {
        "file": {
            "file": "/usr/java/jre/lib/security/cacerts",
            "password": "changeit",
            "hostname-verification-policy": "ANY",
            "disabled": false
        }
    }
And I put my customer certificate file in it also.
Ming Li
From: Marek Posolda [mailto:mposolda@redhat.com]
Sent: Tuesday, June 07, 2016 3:17 PM
To: LI Ming; keycloak-user@lists.jboss.org
Subject: Re: [keycloak-user] When using Social Identity Provider, it failed with failure "Connection timed out"
It seems that's because Keycloak is not able to send the backchannel request to github due to the github certificate not being trusted.
Are you using a custom truststore set with the truststore SPI or with the "javax.net.ssl.truststore" system property? I think that by default the github SSL certificate is verified by a well-known CA, so it shouldn't be an issue to connect to it if you use the default Java file with certificates (cacerts). However, if you have a custom truststore set, then the default java cacerts file is possibly not used, so well-known certificates like the one from github are not trusted. We should likely have a solution which will allow setting a custom truststore in addition to the default java cacerts file. But until we have it, you probably need to manually create a truststore file where you import both the "well-known" certificates together with your custom certificates.
Marek
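Marek's workaround above, as an added example that is not part of the thread or of Keycloak: start from a copy of the JRE's cacerts so the well-known CAs (github's included) stay trusted, and append the custom certificates to the same store. Assumptions: the cacerts path and "changeit" password quoted in the thread, a PEM bundle named custom-ca.pem holding the custom chain, and a JKS output file that keycloak-server.json would then point at.

```java
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;

// Added example (not Keycloak code): copy the JRE cacerts into a new JKS truststore
// and append the certificates from a PEM bundle, so well-known and custom CAs coexist.
public class MergeTruststore {

    // Loads a JKS keystore such as the JRE's cacerts.
    static KeyStore loadJks(Path file, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = Files.newInputStream(file)) {
            ks.load(in, password);
        }
        return ks;
    }

    // Adds every certificate in a PEM bundle under its own alias; returns how many were added.
    static int addPemBundle(KeyStore ks, Path pem, String aliasPrefix) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        int added = 0;
        try (InputStream in = Files.newInputStream(pem)) {
            for (Certificate c : cf.generateCertificates(in)) {
                ks.setCertificateEntry(aliasPrefix + "-" + added, c);
                added++;
            }
        }
        return added;
    }

    public static void main(String[] args) throws Exception {
        Path cacerts = Paths.get("/usr/java/jre/lib/security/cacerts"); // path from the thread
        Path customPem = Paths.get("custom-ca.pem");        // assumed input: custom CA chain in PEM
        Path merged = Paths.get("keycloak-truststore.jks"); // assumed output for keycloak-server.json
        char[] password = "changeit".toCharArray();         // password from the thread

        KeyStore ks = loadJks(cacerts, password);
        int wellKnown = ks.size();
        int custom = addPemBundle(ks, customPem, "custom-ca");

        try (OutputStream out = Files.newOutputStream(merged)) {
            ks.store(out, password);
        }
        System.out.println("wrote " + merged + ": " + wellKnown + " well-known + " + custom + " custom entries");
    }
}
```

The merged file only widens which issuers are trusted; when pointing the truststore configuration at it, keep hostname verification at its strict default rather than "ANY", otherwise a certificate from any trusted CA would be accepted for github.com.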
On 07/06/16 08:02, LI Ming wrote:
Hi,
When I set up a social identity provider (GitHub) to authenticate the user, it always failed with the error below:
2016-06-07 00:49:05,349 ERROR [org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider] (default task-9) Failed to make identity provider oauth callback: java.net.ConnectException: Connection timed out
    at java.net.PlainSocketImpl.socketConnect(Native Method)
    at java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:350)
    at java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:206)
    at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:188)
    at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392)
    at java.net.Socket.connect(Socket.java:589)
    at sun.security.ssl.SSLSocketImpl.connect(SSLSocketImpl.java:668)
    at sun.security.ssl.BaseSSLSocketImpl.connect(BaseSSLSocketImpl.java:173)
    at sun.net.NetworkClient.doConnect(NetworkClient.java:180)
    at sun.net.www.http.HttpClient.openServer(HttpClient.java:432)
    at sun.net.www.http.HttpClient.openServer(HttpClient.java:527)
    at sun.net.www.protocol.https.HttpsClient.<init>(HttpsClient.java:264)
    at sun.net.www.protocol.https.HttpsClient.New(HttpsClient.java:367)
    at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.getNewHttpClient(AbstractDelegateHttpsURLConnection.java:191)
    at sun.net.www.protocol.http.HttpURLConnection.plainConnect0(HttpURLConnection.java:1105)
    at sun.net.www.protocol.http.HttpURLConnection.plainConnect(HttpURLConnection.java:999)
    at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:177)
    at sun.net.www.protocol.http.HttpURLConnection.getOutputStream0(HttpURLConnection.java:1283)
    at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:1258)
    at sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(HttpsURLConnectionImpl.java:250)
    at org.keycloak.broker.provider.util.SimpleHttp.asString(SimpleHttp.java:141)
    at org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider$Endpoint.authResponse(AbstractOAuth2IdentityProvider.java:228)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    ...
2016-06-07 00:49:05,355 WARN [org.keycloak.events] (default task-9) type=LOGIN_ERROR, realmId=demo, clientId=null, userId=null, ipAddress=135.252.159.35, error=identity_provider_login_failure
Can you help to identify the failure reason?
Thanks,
Ming Li