[keycloak-user] When using Social Identity Provider, it failed with failure "Connection timed out"

Marek Posolda mposolda at redhat.com
Tue Jun 7 03:17:12 EDT 2016


It seems that's because Keycloak is not able to send the backchannel request 
to GitHub due to the GitHub certificate not being trusted.

Are you using a custom truststore set with the truststore SPI or with the 
"javax.net.ssl.truststore" system property? I think that by default the 
GitHub SSL certificate is verified by a well-known CA, so it shouldn't be 
an issue to connect to it if you use the default Java file with 
certificates (cacerts). However, if you have a custom truststore set, then 
the default Java cacerts file is possibly not used, so well-known 
certificates like the one from GitHub are not trusted. We should likely 
have a solution which will allow setting a custom truststore in addition 
to the default Java cacerts file. But until we have it, you probably need to 
manually create a truststore file where you import both the "well-known" 
certificates and your custom certificates.

Marek

On 07/06/16 08:02, LI Ming wrote:
>
> Hi,
>
>   When I set up a social identity provider (GitHub) to authenticate the 
> user, it always failed with the error below:
>
> 2016-06-07 00:49:05,349 ERROR [org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider] (default task-9) Failed to make identity provider oauth callback: java.net.ConnectException: Connection timed out
>         at java.net.PlainSocketImpl.socketConnect(Native Method)
>         at java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:350)
>         at java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:206)
>         at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:188)
>         at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392)
>         at java.net.Socket.connect(Socket.java:589)
>         at sun.security.ssl.SSLSocketImpl.connect(SSLSocketImpl.java:668)
>         at sun.security.ssl.BaseSSLSocketImpl.connect(BaseSSLSocketImpl.java:173)
>         at sun.net.NetworkClient.doConnect(NetworkClient.java:180)
>         at sun.net.www.http.HttpClient.openServer(HttpClient.java:432)
>         at sun.net.www.http.HttpClient.openServer(HttpClient.java:527)
>         at sun.net.www.protocol.https.HttpsClient.<init>(HttpsClient.java:264)
>         at sun.net.www.protocol.https.HttpsClient.New(HttpsClient.java:367)
>         at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.getNewHttpClient(AbstractDelegateHttpsURLConnection.java:191)
>         at sun.net.www.protocol.http.HttpURLConnection.plainConnect0(HttpURLConnection.java:1105)
>         at sun.net.www.protocol.http.HttpURLConnection.plainConnect(HttpURLConnection.java:999)
>         at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:177)
>         at sun.net.www.protocol.http.HttpURLConnection.getOutputStream0(HttpURLConnection.java:1283)
>         at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:1258)
>         at sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(HttpsURLConnectionImpl.java:250)
>         at org.keycloak.broker.provider.util.SimpleHttp.asString(SimpleHttp.java:141)
>         at org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider$Endpoint.authResponse(AbstractOAuth2IdentityProvider.java:228)
>         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>
>>
> 2016-06-07 00:49:05,355 WARN  [org.keycloak.events] (default task-9) type=LOGIN_ERROR, realmId=demo, clientId=null, userId=null, ipAddress=135.252.159.35, error=identity_provider_login_failure
>
>    Can you help to identify the failure reason?
>
>    Thanks,
>
> Ming Li
>
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
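
Added example, not part of the original thread and not Keycloak code: one way to build the combined truststore the reply describes, copying the JRE's default trust anchors and the certificate entries of a custom truststore into a single new file. The class name, the argument order and the two environment variable names are assumptions made for this sketch.

```java
import java.io.*;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.Collections;
import javax.net.ssl.*;

// Usage: java MergeTruststore <custom-truststore> <merged-output.jks>
public class MergeTruststore {
    public static void main(String[] args) throws Exception {
        // Passwords come from the environment (assumed names) so they stay out of the process list.
        String customPass = System.getenv("CUSTOM_STORE_PASS");
        String mergedPass = System.getenv("MERGED_STORE_PASS");
        if (args.length != 2 || customPass == null || mergedPass == null) {
            System.err.println("usage: MergeTruststore <custom-truststore> <merged-output.jks>");
            System.exit(2);
        }
        // init(null) honours javax.net.ssl.trustStore when it is set, which would hide cacerts.
        if (System.getProperty("javax.net.ssl.trustStore") != null) {
            throw new IllegalStateException("run without -Djavax.net.ssl.trustStore");
        }
        KeyStore merged = KeyStore.getInstance("JKS");
        merged.load(null, null); // empty in-memory store
        // 1. Well-known CAs from the JRE default truststore (cacerts).
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);
        int defaults = 0;
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (!(tm instanceof X509TrustManager)) continue;
            for (X509Certificate ca : ((X509TrustManager) tm).getAcceptedIssuers()) {
                merged.setCertificateEntry("default-" + defaults++, ca);
            }
        }
        // 2. Trusted-certificate entries from the custom store; private-key entries are skipped.
        KeyStore custom = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(args[0])) {
            custom.load(in, customPass.toCharArray());
        }
        int customs = 0;
        for (String alias : Collections.list(custom.aliases())) {
            if (custom.isCertificateEntry(alias)) {
                merged.setCertificateEntry("custom-" + alias, custom.getCertificate(alias));
                customs++;
            }
        }
        try (OutputStream out = new FileOutputStream(args[1])) {
            merged.store(out, mergedPass.toCharArray());
        }
        System.out.printf("wrote %d default + %d custom certificates to %s%n", defaults, customs, args[1]);
    }
}
```

The merged file is a snapshot: CA additions or removals in a later JRE update do not reach it, so it has to be regenerated after Java upgrades.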
