[keycloak-user] GoogleIdentityProvider seems to be broken for Keycloak 2.1.0.CR1
Paulo Pires
pires at littlebits.cc
Wed Aug 10 06:17:58 EDT 2016
Ah, nice tip. My tests were made with a corporate account which has no
permissions to enable such API, but I too slipped that part in docs.
Thanks
On Wed, Aug 10, 2016 at 11:03 AM, Sigbjørn Dybdahl <sigbjorn at fifty-five.com>
wrote:
> Thanks for you quick reply, Marek!
>
> When re-reading the documentation now I see the part on enabling the
> Google+ API in the Google Developer console, which I apparently didn't pay
> attention to. It all works smoothly now, and I can remove the user-defined
> OpenId Connect provider.
>
>
> Regards,
> Sigbjørn
>
> On 10 August 2016 at 11:49, Marek Posolda <mposolda at redhat.com> wrote:
>
>> Did you enable Google+ API in Google admin console? Configuration of this
>> is on Google side, not scopes on Keycloak side on identityProvider page.
>>
>> Marek
>>
>>
>> On 10/08/16 10:47, Sigbjørn Dybdahl wrote:
>>
>> Hello,
>>
>> I'm trying to configure an instance of Keycloak using version 2.1.0.CR1
>> and I've run into a problem when using the Google Identity Provider with
>> the default configuration. That is, during the callback I observe
>> a org.keycloak.broker.provider.IdentityBrokerException: Could not fetch
>> attributes (see complete stacktrace below for details) from userinfo
>> endpoint which seems to be linked to the 403 Forbidden return code when
>> calling <https://www.googleapis.com/plus/v1/people/me/openIdConnect>
>> https://www.googleapis.com/plus/v1/people/me/openIdConnect.
>>
>> This seems to be similar to https://issues.jboss.org/browse/KEYCLOAK-2942,
>> but even when adding the additional Google+ scopes (making scope=openid
>> profile email https://www.googleapis.com/auth/plus.me
>> https://www.googleapis.com/auth/plus.login) the call fails. As for
>> JIRA-2942, I've tried setting up a user-defined OpenId Connect provider
>> with the default scope, which works just fine.
>>
>> Have I forgotten any important parameter while configuring the standard
>> Google support? Or is this a regression for this release?
>>
>>
>> Regards,
>> Sigbjørn Dybdahl
>>
>> ---
>>
>> Here's the complete stacktrace for the exception:
>>
>> 20:07:12,247 ERROR [org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider]
>> (default task-20) Failed to make identity provider oauth callback:
>> org.keycloak.broker.provider.IdentityBrokerException: Could not fetch
>> attributes from userinfo endpoint.
>> at org.keycloak.broker.oidc.OIDCIdentityProvider.getFederatedId
>> entity(OIDCIdentityProvider.java:304)
>> at org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider$
>> Endpoint.authResponse(AbstractOAuth2IdentityProvider.java:230)
>> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>> at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAcce
>> ssorImpl.java:62)
>> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMe
>> thodAccessorImpl.java:43)
>> at java.lang.reflect.Method.invoke(Method.java:498)
>> at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInje
>> ctorImpl.java:139)
>> at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget
>> (ResourceMethodInvoker.java:295)
>> at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(Resourc
>> eMethodInvoker.java:249)
>> at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTarge
>> tObject(ResourceLocatorInvoker.java:138)
>> at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(Resour
>> ceLocatorInvoker.java:107)
>> at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTarge
>> tObject(ResourceLocatorInvoker.java:133)
>> at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(Resour
>> ceLocatorInvoker.java:101)
>> at org.jboss.resteasy.core.SynchronousDispatcher.invoke(Synchro
>> nousDispatcher.java:395)
>> at org.jboss.resteasy.core.SynchronousDispatcher.invoke(Synchro
>> nousDispatcher.java:202)
>> at org.jboss.resteasy.plugins.server.servlet.ServletContainerDi
>> spatcher.service(ServletContainerDispatcher.java:221)
>> at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatc
>> her.service(HttpServletDispatcher.java:56)
>> at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatc
>> her.service(HttpServletDispatcher.java:51)
>> at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
>> at io.undertow.servlet.handlers.ServletHandler.handleRequest(Se
>> rvletHandler.java:85)
>> at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.d
>> oFilter(FilterHandler.java:129)
>> at org.keycloak.services.filters.KeycloakSessionServletFilter.d
>> oFilter(KeycloakSessionServletFilter.java:90)
>> at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilte
>> r.java:60)
>> at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.d
>> oFilter(FilterHandler.java:131)
>> at io.undertow.servlet.handlers.FilterHandler.handleRequest(Fil
>> terHandler.java:84)
>> at io.undertow.servlet.handlers.security.ServletSecurityRoleHan
>> dler.handleRequest(ServletSecurityRoleHandler.java:62)
>> at io.undertow.servlet.handlers.ServletDispatchingHandler.handl
>> eRequest(ServletDispatchingHandler.java:36)
>> at org.wildfly.extension.undertow.security.SecurityContextAssoc
>> iationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
>> at io.undertow.server.handlers.PredicateHandler.handleRequest(P
>> redicateHandler.java:43)
>> at io.undertow.servlet.handlers.security.SSLInformationAssociat
>> ionHandler.handleRequest(SSLInformationAssociationHandler.java:131)
>> at io.undertow.servlet.handlers.security.ServletAuthenticationC
>> allHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
>> at io.undertow.server.handlers.PredicateHandler.handleRequest(P
>> redicateHandler.java:43)
>> at io.undertow.security.handlers.AbstractConfidentialityHandler
>> .handleRequest(AbstractConfidentialityHandler.java:46)
>> at io.undertow.servlet.handlers.security.ServletConfidentiality
>> ConstraintHandler.handleRequest(ServletConfident
>> ialityConstraintHandler.java:64)
>> at io.undertow.security.handlers.AuthenticationMechanismsHandle
>> r.handleRequest(AuthenticationMechanismsHandler.java:60)
>> at io.undertow.servlet.handlers.security.CachedAuthenticatedSes
>> sionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
>> at io.undertow.security.handlers.NotificationReceiverHandler.ha
>> ndleRequest(NotificationReceiverHandler.java:50)
>> at io.undertow.security.handlers.AbstractSecurityContextAssocia
>> tionHandler.handleRequest(AbstractSecurityContextAssociation
>> Handler.java:43)
>> at io.undertow.server.handlers.PredicateHandler.handleRequest(P
>> redicateHandler.java:43)
>> at org.wildfly.extension.undertow.security.jacc.JACCContextIdHa
>> ndler.handleRequest(JACCContextIdHandler.java:61)
>> at io.undertow.server.handlers.PredicateHandler.handleRequest(P
>> redicateHandler.java:43)
>> at io.undertow.server.handlers.PredicateHandler.handleRequest(P
>> redicateHandler.java:43)
>> at io.undertow.servlet.handlers.ServletInitialHandler.handleFir
>> stRequest(ServletInitialHandler.java:284)
>> at io.undertow.servlet.handlers.ServletInitialHandler.dispatchR
>> equest(ServletInitialHandler.java:263)
>> at io.undertow.servlet.handlers.ServletInitialHandler.access$00
>> 0(ServletInitialHandler.java:81)
>> at io.undertow.servlet.handlers.ServletInitialHandler$1.handleR
>> equest(ServletInitialHandler.java:174)
>> at io.undertow.server.Connectors.executeRootHandler(Connectors.
>> java:202)
>> at io.undertow.server.HttpServerExchange$1.run(HttpServerExchan
>> ge.java:793)
>> at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPool
>> Executor.java:1142)
>> at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoo
>> lExecutor.java:617)
>> at java.lang.Thread.run(Thread.java:745)
>> Caused by: java.io.IOException: Server returned HTTP response code: 403
>> for URL: https://www.googleapis.com/plus/v1/people/me/openIdConnect
>> at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native
>> Method)
>> at sun.reflect.NativeConstructorAccessorImpl.newInstance(Native
>> ConstructorAccessorImpl.java:62)
>> at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(De
>> legatingConstructorAccessorImpl.java:45)
>> at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
>> at sun.net.www.protocol.http.HttpURLConnection$10.run(HttpURLCo
>> nnection.java:1890)
>> at sun.net.www.protocol.http.HttpURLConnection$10.run(HttpURLCo
>> nnection.java:1885)
>> at java.security.AccessController.doPrivileged(Native Method)
>> at sun.net.www.protocol.http.HttpURLConnection.getChainedExcept
>> ion(HttpURLConnection.java:1884)
>> at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(
>> HttpURLConnection.java:1457)
>> at sun.net.www.protocol.http.HttpURLConnection.getInputStream(H
>> ttpURLConnection.java:1441)
>> at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputSt
>> ream(HttpsURLConnectionImpl.java:254)
>> at org.keycloak.broker.provider.util.SimpleHttp.asString(Simple
>> Http.java:148)
>> at org.keycloak.broker.oidc.util.JsonSimpleHttp.asJson(JsonSimp
>> leHttp.java:46)
>> at org.keycloak.broker.oidc.OIDCIdentityProvider.getFederatedId
>> entity(OIDCIdentityProvider.java:267)
>> ... 50 more
>> Caused by: java.io.IOException: Server returned HTTP response code: 403
>> for URL: https://www.googleapis.com/plus/v1/people/me/openIdConnect
>> at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(
>> HttpURLConnection.java:1840)
>> at sun.net.www.protocol.http.HttpURLConnection.getInputStream(H
>> ttpURLConnection.java:1441)
>> at sun.net.www.protocol.http.HttpURLConnection.getHeaderField(H
>> ttpURLConnection.java:2943)
>> at sun.net.www.protocol.https.HttpsURLConnectionImpl.getHeaderF
>> ield(HttpsURLConnectionImpl.java:291)
>> at org.keycloak.broker.provider.util.SimpleHttp.asString(Simple
>> Http.java:147)
>> ... 52 more
>>
>>
>>
>> _______________________________________________
>> keycloak-user mailing listkeycloak-user at lists.jboss.orghttps://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>>
>>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
--
*Paulo Pires*
senior infrastructure engineer | littleBits
<http://www.google.com/url?q=http%3A%2F%2Flittlebits.cc%2F&sa=D&sntz=1&usg=AFrqEzdmD1TfneYzn_vRGBO0a4wHpG-Ivg>
*T* (917) 464-4577
unleash your inner inventor. <https://youtu.be/fMg5QPQQOOI>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160810/9b934a4d/attachment-0001.html
More information about the keycloak-user
mailing list