A few weeks after I asked this question we got this working. A Microsoft support engineer
solved the issue – turns out that by using different endpoints for AAD, the issue was
resolved. We’re using https://login.microsoftonline.com/<id here>/oauth2/authorize and
https://login.microsoftonline.com/<id here>/oauth2/token as auth and token URLs.
Furthermore, we have:
- logout url = blank
- backchannel logout = off
- disable user info = off
- user info url = blank
- issuer = blank
- default scopes = blank
- validate signatures = off
Client ID and secret should be filled with the corresponding data from the MS portal.
Hope this helps! If not, feel free to drop me a line ☺.
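As an added illustration, not part of the thread, the settings listed above written out as a Keycloak OIDC identity-provider representation, with signature validation kept on: `validateSignature`, `useJwksUrl`, `jwksUrl` and `issuer` are the only values that differ from the list. The config key names are assumed from Keycloak's OIDC identity-provider representation, and the JWKS URL and issuer are the values Azure AD's v1 `.well-known/openid-configuration` publishes for a tenant (confirm them against your own tenant's discovery document), using the thread's `<id here>` placeholder.

```json
{
  "alias": "azure-ad",
  "providerId": "oidc",
  "enabled": true,
  "config": {
    "authorizationUrl": "https://login.microsoftonline.com/<id here>/oauth2/authorize",
    "tokenUrl": "https://login.microsoftonline.com/<id here>/oauth2/token",
    "clientId": "<application id from the MS portal>",
    "clientSecret": "<client secret from the MS portal>",
    "logoutUrl": "",
    "backchannelSupported": "false",
    "disableUserInfo": "false",
    "userInfoUrl": "",
    "defaultScope": "",
    "validateSignature": "true",
    "useJwksUrl": "true",
    "jwksUrl": "https://login.microsoftonline.com/<id here>/discovery/keys",
    "issuer": "https://sts.windows.net/<id here>/"
  }
}
```

With these four values set, Keycloak fetches the tenant's signing keys and rejects an id_token whose signature or `iss` claim does not match, instead of accepting whatever the token endpoint returns.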
From: Stefan Engstrom <sengstrom(a)ena.com>
Date: Thursday, 24 May 2018 at 20:58
To: "diederen(a)nlcom.nl" <diederen(a)nlcom.nl>
Subject: Re: KeyCloak and Azure Active Directory / response_type
I'm running into this exact issue - curious if there are any insights? The redirect
contains a "code" element but keycloak chokes on
trading this for an access_token. I have a parallel IDP to google which returns an element
of that name (code) and that piece works just fine.
From: keycloak-user-bounces(a)lists.jboss.org <keycloak-user-bounces(a)lists.jboss.org>
on behalf of Robin Diederen <diederen(a)nlcom.nl>
Sent: Monday, January 8, 2018 5:03:53 AM
Subject: [keycloak-user] KeyCloak and Azure Active Directory / response_type
I’m trying to make KeyCloak (3.4.0 Final) work with Microsoft Azure AD using the OpenID
Connect protocol (OIDC). My goal is for KeyCloak to be an identity broker between a number
of in-house clients and Azure AD as identity backend.
After configuring the appropriate endpoints for OIDC / oAuth v2.0 and some clients, upon
hitting my client with my browser, KeyCloak redirects me to the Microsoft login page.
Logging in works fine and my client / app is correctly recognized by Microsoft. However,
when redirected back to KeyCloak, I’m presented with an error.
Upon further investigation I’ve noticed that KeyCloak reports this error in its logs:
“Failed to make identity provider oauth callback:
org.keycloak.broker.provider.IdentityBrokerException: No access_token from server.”. This
seems to be related to the response_type attribute, which is to be set from KeyCloak upon
calling the Microsoft login page. Up till now, I did not find any way to make KeyCloak
include this parameter with the preferred value, being “response_type=token_id”. KeyCloak
however does include “response_type=code”, yet Microsoft doesn’t seem to like this.
So here’s my question: how can I instruct KeyCloak to include this parameter to make it
work with AzureAD? I’ve tried a number of settings in the client page, such as implicit
and standard flow enabled / disabled, however, to no avail.
Any help is greatly appreciated.