[keycloak-user] When using Social Identity Provider, it failed with failure "Connection timed out"
Marek Posolda
mposolda at redhat.com
Tue Jun 7 04:06:57 EDT 2016
Hmm... is github working for you if you omit the "truststore"
configuration in keycloak-server.json and use the default java cacerts
file without any changes?
Marek
On 07/06/16 09:38, LI Ming wrote:
>
> Marek,
>
> I already set truststore file to the default java certificates file
> path in keycloak configuration file
> $KEYCLOAK_HOME/standalone/configuration/keycloak-server.json as below:
>
> "truststore": {
>   "file": {
>     "file": "/usr/java/jre/lib/security/cacerts",
>     "password": "changeit",
>     "hostname-verification-policy": "ANY",
>     "disabled": false
>   }
> }
>
> And I put my customer certificate file in it also.
>
> Ming Li
>
> *From:*Marek Posolda [mailto:mposolda at redhat.com]
> *Sent:* Tuesday, June 07, 2016 3:17 PM
> *To:* LI Ming; keycloak-user at lists.jboss.org
> *Subject:* Re: [keycloak-user] When using Social Identity Provider, it
> failed with failure "Connection timed out"
>
> It seems that's because Keycloak is not able to send backchannel
> request to github due to github certificate not trusted.
>
> Are you using custom truststore set with truststore SPI or with
> "javax.net.ssl.truststore" system property? I think that by default
> github SSL certificate is verified by well-known CA, so it shouldn't
> be the issue to connect to that if you use default Java file with
> certificates (cacerts). However if you have custom truststore set, then
> default java cacerts file is possibly not used, so well-known
> certificates like the one from github are not trusted. We should
> likely have a solution, which will allow to set custom truststore in
> addition to default java cacerts file. But until we have it, you
> probably need to manually create truststore file, where you import
> both the "well-known" certificates together with your custom certificates.
>
> Marek
>
> On 07/06/16 08:02, LI Ming wrote:
>
> Hi,
>
> When I set up social identity provider (GitHub) to authenticate
> the user, it always failed with the below error:
>
> 2016-06-07 00:49:05,349 ERROR [org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider] (default task-9) Failed to make identity provider oauth callback: java.net.ConnectException: Connection timed out
>     at java.net.PlainSocketImpl.socketConnect(Native Method)
>     at java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:350)
>     at java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:206)
>     at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:188)
>     at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392)
>     at java.net.Socket.connect(Socket.java:589)
>     at sun.security.ssl.SSLSocketImpl.connect(SSLSocketImpl.java:668)
>     at sun.security.ssl.BaseSSLSocketImpl.connect(BaseSSLSocketImpl.java:173)
>     at sun.net.NetworkClient.doConnect(NetworkClient.java:180)
>     at sun.net.www.http.HttpClient.openServer(HttpClient.java:432)
>     at sun.net.www.http.HttpClient.openServer(HttpClient.java:527)
>     at sun.net.www.protocol.https.HttpsClient.<init>(HttpsClient.java:264)
>     at sun.net.www.protocol.https.HttpsClient.New(HttpsClient.java:367)
>     at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.getNewHttpClient(AbstractDelegateHttpsURLConnection.java:191)
>     at sun.net.www.protocol.http.HttpURLConnection.plainConnect0(HttpURLConnection.java:1105)
>     at sun.net.www.protocol.http.HttpURLConnection.plainConnect(HttpURLConnection.java:999)
>     at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:177)
>     at sun.net.www.protocol.http.HttpURLConnection.getOutputStream0(HttpURLConnection.java:1283)
>     at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:1258)
>     at sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(HttpsURLConnectionImpl.java:250)
>     at org.keycloak.broker.provider.util.SimpleHttp.asString(SimpleHttp.java:141)
>     at org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider$Endpoint.authResponse(AbstractOAuth2IdentityProvider.java:228)
>     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>     …
>
> 2016-06-07 00:49:05,355 WARN [org.keycloak.events] (default task-9) type=LOGIN_ERROR, realmId=demo, clientId=null, userId=null, ipAddress=135.252.159.35, error=identity_provider_login_failure
>
> Can you help to identify the failure reason?
>
> Thanks,
>
> Ming Li
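
The workaround described in the thread (one truststore holding both the JDK's well-known CAs and the custom certificate), as an added Java example that is not part of the original messages or of Keycloak's code: it writes the merged store, then probes a host with it and reports a TCP connect failure separately from a TLS trust failure. The class name, the argument order and the `custom-cert` alias are assumptions, as is a JDK whose cacerts file still has the stock password.

```java
import java.io.*;
import java.net.*;
import java.security.KeyStore;
import java.security.cert.*;
import javax.net.ssl.*;

// Added example. Assumed arguments: <custom-cert.pem> <output.jks> <new-password> <host>
public class MergedTruststore {
    public static void main(String[] args) throws Exception {
        String customPem = args[0], out = args[1], host = args[3];
        char[] password = args[2].toCharArray();

        // Start from the JDK's well-known CAs ("changeit" is the stock cacerts password).
        KeyStore ks = KeyStore.getInstance("JKS");
        File cacerts = new File(System.getProperty("java.home"), "lib/security/cacerts");
        try (InputStream in = new FileInputStream(cacerts)) {
            ks.load(in, "changeit".toCharArray());
        }
        // Add the custom certificate next to them; the alias is a placeholder.
        try (InputStream in = new FileInputStream(customPem)) {
            Certificate cert = CertificateFactory.getInstance("X.509").generateCertificate(in);
            ks.setCertificateEntry("custom-cert", cert);
        }
        try (OutputStream os = new FileOutputStream(out)) {
            ks.store(os, password);
        }

        // Trust only what is in the merged store, as a server pointed at this file would.
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);

        try (Socket raw = new Socket()) {
            raw.connect(new InetSocketAddress(host, 443), 5000); // TCP only, no TLS yet
            SSLSocket tls = (SSLSocket) ctx.getSocketFactory().createSocket(raw, host, 443, true);
            SSLParameters params = tls.getSSLParameters();
            params.setEndpointIdentificationAlgorithm("HTTPS"); // verify the hostname too
            tls.setSSLParameters(params);
            tls.startHandshake();
            System.out.println("OK: " + host + " is trusted; " + ks.size() + " entries in " + out);
        } catch (SSLException e) {
            System.out.println("TLS failure (trust or hostname): " + e.getMessage());
        } catch (IOException e) {
            System.out.println("Network failure before TLS: " + e);
        }
    }
}
```

Run it on the Keycloak host itself, so the probe goes through the same network path and JDK as the server's backchannel request.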