[keycloak-user] GoogleIdentityProvider seems to be broken for Keycloak 2.1.0.CR1

Sigbjørn Dybdahl sigbjorn at fifty-five.com
Wed Aug 10 11:09:21 EDT 2016


Hi Bill,

Yes, the information is present on https://keycloak.gitbooks.io/server-adminstration-guide/content/v/2.1/topics/identity-broker/social/google.html.

As it seems like I'm not the only one having this problem, it might be an
idea to highlight the section on activating the Google+ API, if possible.


Regards,
Sigbjørn

On 10 August 2016 at 16:50, Bill Burke <bburke at redhat.com> wrote:

> So the docs are ok then?
>
> On 8/10/16 6:17 AM, Paulo Pires wrote:
>
> Ah, nice tip. My tests were made with a corporate account which has no
> permissions to enable such API, but I too slipped that part in docs.
>
> Thanks
>
> On Wed, Aug 10, 2016 at 11:03 AM, Sigbjørn Dybdahl <
> sigbjorn at fifty-five.com> wrote:
>
>> Thanks for your quick reply, Marek!
>>
>> When re-reading the documentation now I see the part on enabling the
>> Google+ API in the Google Developer console, which I apparently didn't pay
>> attention to. It all works smoothly now, and I can remove the user-defined
>> OpenId Connect provider.
>>
>>
>> Regards,
>> Sigbjørn
>>
>> On 10 August 2016 at 11:49, Marek Posolda <mposolda at redhat.com> wrote:
>>
>>> Did you enable Google+ API in Google admin console? Configuration of
>>> this is on Google side, not scopes on Keycloak side on identityProvider
>>> page.
>>>
>>> Marek
>>>
>>>
>>> On 10/08/16 10:47, Sigbjørn Dybdahl wrote:
>>>
>>> Hello,
>>>
>>> I'm trying to configure an instance of Keycloak using version 2.1.0.CR1
>>> and I've run into a problem when using the Google Identity Provider with
>>> the default configuration. That is, during the callback I observe
>>> an org.keycloak.broker.provider.IdentityBrokerException: Could not fetch
>>> attributes (see complete stacktrace below for details) from userinfo
>>> endpoint which seems to be linked to the 403 Forbidden return code when
>>> calling https://www.googleapis.com/plus/v1/people/me/openIdConnect.
>>>
>>> This seems to be similar to https://issues.jboss.org/browse/KEYCLOAK-2942,
>>> but even when adding the additional Google+ scopes (making
>>> scope=openid profile email https://www.googleapis.com/auth/plus.me
>>> https://www.googleapis.com/auth/plus.login) the call fails.
>>> As for JIRA-2942, I've tried setting up a user-defined OpenId Connect
>>> provider with the default scope, which works just fine.
>>>
>>> Have I forgotten any important parameter while configuring the standard
>>> Google support? Or is this a regression for this release?
>>>
>>>
>>> Regards,
>>> Sigbjørn Dybdahl
>>>
>>> ---
>>>
>>> Here's the complete stacktrace for the exception:
>>>
>>> 20:07:12,247 ERROR [org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider] (default task-20) Failed to make identity provider oauth callback: org.keycloak.broker.provider.IdentityBrokerException: Could not fetch attributes from userinfo endpoint.
>>>     at org.keycloak.broker.oidc.OIDCIdentityProvider.getFederatedIdentity(OIDCIdentityProvider.java:304)
>>>     at org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider$Endpoint.authResponse(AbstractOAuth2IdentityProvider.java:230)
>>>     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>>>     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>>>     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>>>     at java.lang.reflect.Method.invoke(Method.java:498)
>>>     at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:139)
>>>     at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295)
>>>     at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249)
>>>     at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:138)
>>>     at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107)
>>>     at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133)
>>>     at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:101)
>>>     at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:395)
>>>     at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:202)
>>>     at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:221)
>>>     at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
>>>     at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
>>>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
>>>     at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
>>>     at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
>>>     at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90)
>>>     at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
>>>     at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
>>>     at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
>>>     at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
>>>     at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
>>>     at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
>>>     at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>>>     at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
>>>     at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
>>>     at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>>>     at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
>>>     at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
>>>     at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
>>>     at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
>>>     at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
>>>     at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
>>>     at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>>>     at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
>>>     at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>>>     at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>>>     at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:284)
>>>     at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263)
>>>     at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
>>>     at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174)
>>>     at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)
>>>     at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793)
>>>     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
>>>     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
>>>     at java.lang.Thread.run(Thread.java:745)
>>> Caused by: java.io.IOException: Server returned HTTP response code: 403 for URL: https://www.googleapis.com/plus/v1/people/me/openIdConnect
>>>     at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
>>>     at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
>>>     at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
>>>     at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
>>>     at sun.net.www.protocol.http.HttpURLConnection$10.run(HttpURLConnection.java:1890)
>>>     at sun.net.www.protocol.http.HttpURLConnection$10.run(HttpURLConnection.java:1885)
>>>     at java.security.AccessController.doPrivileged(Native Method)
>>>     at sun.net.www.protocol.http.HttpURLConnection.getChainedException(HttpURLConnection.java:1884)
>>>     at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1457)
>>>     at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1441)
>>>     at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:254)
>>>     at org.keycloak.broker.provider.util.SimpleHttp.asString(SimpleHttp.java:148)
>>>     at org.keycloak.broker.oidc.util.JsonSimpleHttp.asJson(JsonSimpleHttp.java:46)
>>>     at org.keycloak.broker.oidc.OIDCIdentityProvider.getFederatedIdentity(OIDCIdentityProvider.java:267)
>>>     ... 50 more
>>> Caused by: java.io.IOException: Server returned HTTP response code: 403 for URL: https://www.googleapis.com/plus/v1/people/me/openIdConnect
>>>     at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1840)
>>>     at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1441)
>>>     at sun.net.www.protocol.http.HttpURLConnection.getHeaderField(HttpURLConnection.java:2943)
>>>     at sun.net.www.protocol.https.HttpsURLConnectionImpl.getHeaderField(HttpsURLConnectionImpl.java:291)
>>>     at org.keycloak.broker.provider.util.SimpleHttp.asString(SimpleHttp.java:147)
>>>     ... 52 more
>>>
>>>
>>>
>
> --
>
> *Paulo Pires*
>
> senior infrastructure engineer | littleBits
>
> *T* (917) 464-4577 unleash your inner inventor.
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
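A diagnostic for the 403 discussed in this thread, added here as an example and not code from the thread or from Keycloak: it calls the same Google userinfo endpoint with an access token obtained for the Keycloak client and separates "Google+ API not enabled for the project" from "missing scopes" and "bad token", which is the distinction the thread turned on. The Google error reason strings (accessNotConfigured, insufficientPermissions, authError), the GOOGLE_ACCESS_TOKEN variable and the function names are assumptions, not taken from the thread.

```python
import json
import os
import sys
import urllib.error
import urllib.request

# Endpoint Keycloak 2.1.0.CR1 calls for Google profile attributes (from the thread).
USERINFO_URL = "https://www.googleapis.com/plus/v1/people/me/openIdConnect"

# Assumed Google API error "reason" strings; not taken from the thread.
REASONS = {
    "accessNotConfigured": "Google+ API not enabled for the project: enable it in the Google Developer console",
    "insufficientPermissions": "token lacks the scopes the endpoint needs: check the Keycloak identity provider's scopes",
    "authError": "access token is invalid or expired",
}


def classify_userinfo_response(status, body):
    """Map an HTTP status and raw JSON body to (category, advice)."""
    if status == 200:
        return "ok", "userinfo fetched; the broker can map attributes"
    reason = None
    try:
        # Google wraps per-error details in error.errors[]; take the first reason found.
        for err in json.loads(body or "{}").get("error", {}).get("errors", []):
            reason = reason or err.get("reason")
    except (ValueError, AttributeError):
        pass  # non-JSON or unexpectedly shaped body: fall back to the status code
    if reason in REASONS:
        return reason, REASONS[reason]
    if status == 401:
        return "unauthorized", "token rejected; check the client ID and secret in Keycloak"
    if status == 403:
        return "forbidden", "403 without a known reason; verify the Google+ API is enabled"
    return "error", "HTTP %d from userinfo endpoint" % status


def probe(access_token):
    """Call the endpoint with a bearer token and classify the result (needs network)."""
    req = urllib.request.Request(USERINFO_URL, headers={"Authorization": "Bearer " + access_token})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return classify_userinfo_response(resp.status, resp.read().decode())
    except urllib.error.HTTPError as exc:
        return classify_userinfo_response(exc.code, exc.read().decode())


if __name__ == "__main__":
    token = os.environ.get("GOOGLE_ACCESS_TOKEN")  # assumed variable name
    if not token:
        sys.exit("set GOOGLE_ACCESS_TOKEN to a token issued to the Keycloak client")
    print(probe(token))
```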