[keycloak-user] When using Social Identity Provider, it failed with failure "Connection timed out"

Marek Posolda mposolda at redhat.com
Tue Jun 7 04:06:57 EDT 2016


Hmm... is github working for you if you omit the "truststore" 
configuration in keycloak-server.json and use the default java cacerts 
file without any changes?

Marek

On 07/06/16 09:38, LI Ming wrote:
>
> Marek,
>
> I already set truststore file to the default java certificates file 
> path in keycloak configuration file 
> $KEYCLOAK_HOME/standalone/configuration/keycloak-server.json as below:
>
>     "truststore": {
>       "file": {
>         "file": "/usr/java/jre/lib/security/cacerts",
>         "password": "changeit",
>         "hostname-verification-policy": "ANY",
>         "disabled": false
>       }
>     }
>
> And I put my customer certificate file in it also.
>
> Ming Li
>
> *From:* Marek Posolda [mailto:mposolda at redhat.com]
> *Sent:* Tuesday, June 07, 2016 3:17 PM
> *To:* LI Ming; keycloak-user at lists.jboss.org
> *Subject:* Re: [keycloak-user] When using Social Identity Provider, it 
> failed with failure "Connection timed out"
>
> It seems that's because Keycloak is not able to send backchannel 
> request to github due to github certificate not trusted.
>
> Are you using custom truststore set with truststore SPI or with 
> "javax.net.ssl.truststore" system property? I think that by default 
> github SSL certificate is verified by well-known CA, so it shouldn't 
> be the issue to connect to that if you use default Java file with 
> certificates (cacerts). However if you have custom truststore set, then 
> default java cacerts file is possibly not used, so well-known 
> certificates like the one from github are not trusted. We should 
> likely have a solution, which will allow to set custom truststore in 
> addition to default java cacerts file. But until we have it, you 
> probably need to manually create truststore file, where you import 
> both the "well-known" certificates together with your custom certificates.
>
> Marek
>
> On 07/06/16 08:02, LI Ming wrote:
>
>     Hi,
>
>       When I set up social identity provider (GitHub) to authenticate
>     the user, it always failed with the below error:
>
>     2016-06-07 00:49:05,349 ERROR [org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider] (default task-9) Failed to make identity provider oauth callback: java.net.ConnectException: Connection timed out
>             at java.net.PlainSocketImpl.socketConnect(Native Method)
>             at java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:350)
>             at java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:206)
>             at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:188)
>             at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392)
>             at java.net.Socket.connect(Socket.java:589)
>             at sun.security.ssl.SSLSocketImpl.connect(SSLSocketImpl.java:668)
>             at sun.security.ssl.BaseSSLSocketImpl.connect(BaseSSLSocketImpl.java:173)
>             at sun.net.NetworkClient.doConnect(NetworkClient.java:180)
>             at sun.net.www.http.HttpClient.openServer(HttpClient.java:432)
>             at sun.net.www.http.HttpClient.openServer(HttpClient.java:527)
>             at sun.net.www.protocol.https.HttpsClient.<init>(HttpsClient.java:264)
>             at sun.net.www.protocol.https.HttpsClient.New(HttpsClient.java:367)
>             at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.getNewHttpClient(AbstractDelegateHttpsURLConnection.java:191)
>             at sun.net.www.protocol.http.HttpURLConnection.plainConnect0(HttpURLConnection.java:1105)
>             at sun.net.www.protocol.http.HttpURLConnection.plainConnect(HttpURLConnection.java:999)
>             at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:177)
>             at sun.net.www.protocol.http.HttpURLConnection.getOutputStream0(HttpURLConnection.java:1283)
>             at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:1258)
>             at sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(HttpsURLConnectionImpl.java:250)
>             at org.keycloak.broker.provider.util.SimpleHttp.asString(SimpleHttp.java:141)
>             at org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider$Endpoint.authResponse(AbstractOAuth2IdentityProvider.java:228)
>             at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>
>     2016-06-07 00:49:05,355 WARN  [org.keycloak.events] (default task-9) type=LOGIN_ERROR, realmId=demo, clientId=null, userId=null, ipAddress=135.252.159.35, error=identity_provider_login_failure
>
>        Can you help to identify the failure reason?
>
>        Thanks,
>
>     Ming Li
>
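
An added example, not part of the thread and not Keycloak's own code: a small Java program that builds the combined truststore suggested in the reply (every CA from the default cacerts plus one custom certificate) and then attempts a TLS handshake with github.com using only that store, reporting which layer failed. The class name, the `custom-ca` alias and the argument order are assumptions made for this example.

```java
import java.io.*;
import java.net.*;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.Collections;
import javax.net.ssl.*;

public class MergedTruststore { // hypothetical class name
    // Copy every trusted CA from the JRE default cacerts, then add one custom certificate.
    static KeyStore merge(String cacertsPath, char[] cacertsPass, String customPem) throws Exception {
        KeyStore defaults = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(cacertsPath)) { defaults.load(in, cacertsPass); }
        KeyStore merged = KeyStore.getInstance(KeyStore.getDefaultType());
        merged.load(null, null); // start from an empty store
        for (String alias : Collections.list(defaults.aliases()))
            if (defaults.isCertificateEntry(alias))
                merged.setCertificateEntry(alias, defaults.getCertificate(alias));
        try (InputStream in = new FileInputStream(customPem)) {
            Certificate custom = CertificateFactory.getInstance("X.509").generateCertificate(in);
            merged.setCertificateEntry("custom-ca", custom); // alias is an assumption
        }
        return merged;
    }

    // Handshake using only the given store; report whether TCP connect or chain validation failed.
    static String probe(KeyStore trust, String host, int port) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trust);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        try (SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket()) {
            s.connect(new InetSocketAddress(host, port), 5000); // TCP connect, 5 s timeout
            s.startHandshake();                                 // certificate chain is checked here
            return "ok: certificate chain trusted";
        } catch (SSLHandshakeException e) {
            return "trust failure: " + e.getMessage();
        } catch (ConnectException | SocketTimeoutException e) {
            return "network failure before TLS: " + e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        // args: <cacerts path> <cacerts password> <custom PEM> <output store> <output password>
        KeyStore merged = merge(args[0], args[1].toCharArray(), args[2]);
        try (OutputStream out = new FileOutputStream(args[3])) { merged.store(out, args[4].toCharArray()); }
        System.out.println(probe(merged, "github.com", 443));
    }
}
```

A `java.net.ConnectException` raised from `Socket.connect`, as in the trace quoted above, lands in the network branch, while an untrusted chain surfaces as `SSLHandshakeException`. The probe validates the chain only and does not perform hostname verification.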
