[keycloak-user] problem with social identity providers with broker (only google works)

mizuki mizuki0621 at gmail.com
Tue Apr 2 13:05:45 EDT 2019


Hi,

I've verified this problem with the latest Keycloak version as well as v4.8.x:
using the broker only works with Google; with other social identity providers,
all throw the same error 'Unexpected error when authenticating with
identity provider' in the browser, and in server.log:

10:46:59,838 ERROR [org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider] (default task-2) Failed to make identity provider oauth callback: javax.net.ssl.SSLException: Received fatal alert: protocol_version
        at com.ibm.jsse2.k.a(k.java:32)
        at com.ibm.jsse2.k.a(k.java:37)
        at com.ibm.jsse2.av.b(av.java:549)
        at com.ibm.jsse2.av.a(av.java:715)
        at com.ibm.jsse2.av.i(av.java:574)
        at com.ibm.jsse2.av.a(av.java:280)
        at com.ibm.jsse2.av.startHandshake(av.java:431)
        at org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:396)
        at org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:355)
        at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:142)
        at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:373)
        at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:381)
        at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:237)
        at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:185)
        at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:89)
        at org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:111)

That happens after the correct credentials have been entered. So far, I've
tested:
- LinkedIn
- Facebook
- Microsoft
- GitHub

The error almost suggests the problem is an incorrect TLS version. To
troubleshoot, I sniffed network packets, comparing Google with non-working
providers (e.g., LinkedIn).
The interesting thing I found was that the Keycloak instance is hosted
behind a proxy; when authenticating with external providers, all
communication should go through the proxy.
In Google's case it went well and communication was successful; however,
with LinkedIn for example, after the username/password were successfully
authenticated, the backend Keycloak instance all of a sudden started to talk to
the LinkedIn server itself instead of going through the proxy. Of course the
communication will fail and an error is returned.

Can anyone advise?

PS: The Keycloak mailing list seems to have trouble with Google email; I
apologize in advance if the reply is delayed or resent multiple times.

Thanks!
Mizuki
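The `protocol_version` alert in the trace above is the server telling the client that none of the TLS versions the client offered are acceptable; it is sent before any certificate or credential is checked, which is why it only shows up once Keycloak itself calls back to the provider after the user has logged in. The following added example (not code from the post, from Keycloak or from the IBM JSSE) reproduces that alert offline with the Go standard library: a loopback server that, like a provider that has retired old TLS versions, accepts nothing below TLS 1.3 (an assumed minimum chosen so the demonstration works with Go's defaults), probed first by a client capped at TLS 1.2 and then by one allowed to offer TLS 1.3. The self-signed certificate is constructed inline and stands in for the provider's real certificate. On the IBM JDK the analogous client-side ceiling is what the `com.ibm.jsse2.overrideDefaultTLS=true` system property raises; the proxy-bypass part of the report is a separate routing problem that this example does not model.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"strings"
	"time"
)

// selfSignedCert builds a throwaway certificate for "localhost" so the example
// runs offline. It is a constructed stand-in for the provider's certificate.
func selfSignedCert() (tls.Certificate, *x509.CertPool, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "localhost"},
		DNSNames:     []string{"localhost"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: priv}, pool, nil
}

// startServer listens on loopback and refuses any handshake below minVersion,
// emulating an identity provider that no longer accepts older TLS versions.
func startServer(cert tls.Certificate, minVersion uint16) (net.Listener, error) {
	cfg := &tls.Config{Certificates: []tls.Certificate{cert}, MinVersion: minVersion}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", cfg)
	if err != nil {
		return nil, err
	}
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return // listener closed
			}
			go func(c net.Conn) {
				defer c.Close()
				// A version mismatch makes this fail; the server sends the
				// protocol_version alert and the client sees it as its error.
				_ = c.(*tls.Conn).Handshake()
			}(c)
		}
	}()
	return ln, nil
}

// probe connects as a client whose highest offered TLS version is maxVersion
// and returns the handshake error, if any.
func probe(addr string, pool *x509.CertPool, maxVersion uint16) error {
	cfg := &tls.Config{
		RootCAs:    pool,
		ServerName: "localhost",
		MinVersion: tls.VersionTLS12,
		MaxVersion: maxVersion,
	}
	conn, err := tls.Dial("tcp", addr, cfg) // Dial completes the handshake
	if err != nil {
		return err
	}
	return conn.Close()
}

// IsProtocolVersionAlert reports whether err carries the peer's
// protocol_version alert (Go renders it as "protocol version not supported").
func IsProtocolVersionAlert(err error) bool {
	return err != nil && strings.Contains(err.Error(), "protocol version")
}

// RunDemo returns the result of the capped client (legacy) and of the client
// allowed to offer TLS 1.3 (modern) against a TLS-1.3-only server.
func RunDemo() (legacy error, modern error) {
	cert, pool, err := selfSignedCert()
	if err != nil {
		return err, err
	}
	ln, err := startServer(cert, tls.VersionTLS13)
	if err != nil {
		return err, err
	}
	defer ln.Close()
	addr := ln.Addr().String()
	return probe(addr, pool, tls.VersionTLS12), probe(addr, pool, tls.VersionTLS13)
}

func main() {
	legacy, modern := RunDemo()
	fmt.Printf("client capped at TLS 1.2: %v (protocol_version alert: %t)\n", legacy, IsProtocolVersionAlert(legacy))
	fmt.Printf("client offering TLS 1.3: %v\n", modern)
}
```

The same check applies to the real setup: if a client restricted to the JVM's default maximum version gets `protocol_version` while one that offers TLS 1.2 or 1.3 succeeds, the fix is on the client's version ceiling, not in the provider configuration.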

