[keycloak-user] Problem Integration with OAuth2 provider
Graham Burgess
graham.burgess at razer.com
Fri Aug 17 18:57:22 EDT 2018
OK, I think I have figured it out, at least on “paper”. If I am reading http://openid.net/specs/openid-connect-core-1_0.html#TokenRequest, section 3.1.3.3 right, then the token endpoint should be returning an id_token as well as access_token. I have already notified my IdP of the issue.
Graham
From: Graham Burgess
Sent: Friday, August 17, 2018 3:00 PM
To: keycloak-user at lists.jboss.org
Subject: RE: [keycloak-user] Problem Integration with OAuth2 provider
So to help me to understand what is going on between Keycloak and my IdP, I spun up an Nginx instance with a PHP script to dump the request to the /token endpoint on the IdP. The following is an example of the output that I can get from it:
POST /dump.php HTTP/1.1
HTTP headers:
X-Forwarded-Proto: https
X-Forwarded-Port: 443
X-Forwarded-For: <REDACTED>
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip,deflate
Content-Length: 266
User-Agent: Apache-HttpClient/4.5.2 (Java/1.8.0_161)
Host: php-dump
Request body:
code=<AUTHORIZATION_CODE>&grant_type=authorization_code&client_secret=<CLIENT_SECRET>&redirect_uri=<REDIRECT_URI>&client_id=<CLIENT_ID>
This allowed me to confirm the request was sending the right details to the IdP as part of the /token request. I was also able to get an output from the IdP’s /token endpoint:
{
"access_token": "<ACCESS_TOKEN>",
"expires_in": 3600,
"token_type": "Bearer",
"scope": "openid cop profile email",
"refresh_token": "<REFRESH_TOKEN>"
}
This looks right to me, so it makes the “No token from server” error even weirder, or am I missing something?
Kind regards,
Graham
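The check the thread arrives at (an OpenID Connect token response for an authorization-code exchange with the openid scope must carry an id_token, per OpenID Connect Core 1.0 section 3.1.3.3) can be automated against a captured exchange like the one dumped above. This is an added example, not code from the thread or from Keycloak; the request body and response are constructed samples modelled on the captured ones, with placeholder values.

```python
"""Sanity-check an OAuth2/OIDC token-endpoint exchange for the id_token
that OpenID Connect Core 1.0 section 3.1.3.3 requires."""
import json
from urllib.parse import parse_qs

# Constructed samples modelled on the captured request/response in the
# thread; the angle-bracket placeholders are not real credentials.
SAMPLE_REQUEST_BODY = (
    "code=<AUTHORIZATION_CODE>&grant_type=authorization_code"
    "&client_secret=<CLIENT_SECRET>&redirect_uri=<REDIRECT_URI>"
    "&client_id=<CLIENT_ID>"
)
SAMPLE_RESPONSE = json.dumps({
    "access_token": "<ACCESS_TOKEN>", "expires_in": 3600,
    "token_type": "Bearer", "scope": "openid cop profile email",
    "refresh_token": "<REFRESH_TOKEN>",
})


def check_token_exchange(request_body: str, response_json: str) -> list:
    """Return a list of problems found; an empty list means the exchange
    looks like a valid OIDC authorization-code token response."""
    problems = []
    # Form-encoded token request: take the first value of each field.
    req = {k: v[0] for k, v in parse_qs(request_body, keep_blank_values=True).items()}
    for field in ("grant_type", "code", "redirect_uri", "client_id"):
        if field not in req:
            problems.append(f"request missing {field}")
    if req.get("grant_type") != "authorization_code":
        problems.append("grant_type is not authorization_code")
    try:
        resp = json.loads(response_json)
    except json.JSONDecodeError:
        return problems + ["response is not valid JSON"]
    if "access_token" not in resp:
        problems.append("response missing access_token")
    if resp.get("token_type", "").lower() != "bearer":
        problems.append("token_type is not Bearer")
    # OIDC Core 3.1.3.3: when the openid scope is in play the token
    # response MUST include an id_token (a compact JWT, three segments).
    scopes = resp.get("scope", "").split()
    if "openid" in scopes:
        id_token = resp.get("id_token")
        if not id_token:
            problems.append("openid scope granted but no id_token (OIDC Core 3.1.3.3)")
        elif id_token.count(".") != 2:
            problems.append("id_token is not a compact JWT (expected 3 segments)")
    return problems


if __name__ == "__main__":
    print(check_token_exchange(SAMPLE_REQUEST_BODY, SAMPLE_RESPONSE))
```

Run against the captured response from the thread it reports only the missing id_token, which is exactly the discrepancy the IdP was notified about.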