[keycloak-user] KeyCloak and Azure Active Directory / response_type
Stefan Engstrom
sengstrom at ena.com
Thu May 24 14:58:37 EDT 2018
I'm running in to this exact issue - curious if there are any insights? The redirect from microsoftonline.com contains a "code" element but keycloak chokes on trading this for an access_token. I have a parallel IDP to google which returns an element of that name (code) and that piece works just fine.
________________________________
From: keycloak-user-bounces at lists.jboss.org <keycloak-user-bounces at lists.jboss.org> on behalf of Robin Diederen <diederen at nlcom.nl>
Sent: Monday, January 8, 2018 5:03:53 AM
To: keycloak-user at lists.jboss.org
Subject: [keycloak-user] KeyCloak and Azure Active Directory / response_type
Hello all,
I’m trying to make KeyCloak (3.4.0 Final) work with Microsoft Azure AD using the OpenID Connect protocol (OIDC). My goal is for KeyCloak to be an identity broker between a number of in-house clients and Azure AD as identity backend.
After configuring the appropriate endpoints for OIDC / oAuth v2.0 and some clients, upon hitting my client with my browser, KeyCloak redirects me to the Microsoft login page. Logging in works fine and my client / app is correctly recognized by Microsoft. However, when redirected back to KeyCloak, I’m presented with an error.
Upon further investigation I’ve noticed that KeyCloak reports this error in its logs: “Failed to make identity provider oauth callback: org.keycloak.broker.provider.IdentityBrokerException: No access_token from server.”. This seems to be related to the response_type attribute, which is to be set from KeyCloak upon calling the Microsoft login page. Up till now, I did not find any way to make KeyCloak include this parameter with the preffered value, being “response_type=token_id”. KeyCloak however does include “response_type=code”, yet Microsoft doesn’t seem to like this.
So here’s my question: how can I instruct KeyCloak to include this parameter to make it work with AzureAD? I’ve tried a number of settings in the client page, such as implicit and standard flow enabed / disabled, however, to no avail.
Any help is greatly appreciated.
Best, Robin
_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
More information about the keycloak-user
mailing list