[keycloak-user] problem with social identity providers with broker (only google works)

mizuki mizuki0621 at gmail.com
Tue Apr 2 16:33:41 EDT 2019


Just a comment:
I do not want to unnecessarily complicate the case by involving the proxy.
From the packet flow, it seems like Keycloak started initiating
communication with those social providers using TLSv1 (after the password was
submitted, and possibly during the code-for-token stage). Is there any reason this
was triggered, or any work-around? Is it because the social providers are using
TLSv1?

Cheers.
Mizuki



On Tue, Apr 2, 2019 at 1:05 PM mizuki <mizuki0621 at gmail.com> wrote:

> Hi,
>
> I've verified this problem with the latest Keycloak version as well as v4.8.x.
> Using the broker only works with Google; with the other social identity providers,
> all throw the same error 'Unexpected error when authenticating with
> identity provider' to the browser, and in server.log:
>
> 10:46:59,838 ERROR [org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider] (default task-2)
> Failed to make identity provider oauth callback:
> javax.net.ssl.SSLException: Received fatal alert: protocol_version
>     at com.ibm.jsse2.k.a(k.java:32)
>     at com.ibm.jsse2.k.a(k.java:37)
>     at com.ibm.jsse2.av.b(av.java:549)
>     at com.ibm.jsse2.av.a(av.java:715)
>     at com.ibm.jsse2.av.i(av.java:574)
>     at com.ibm.jsse2.av.a(av.java:280)
>     at com.ibm.jsse2.av.startHandshake(av.java:431)
>     at org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:396)
>     at org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:355)
>     at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:142)
>     at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:373)
>     at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:381)
>     at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:237)
>     at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:185)
>     at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:89)
>     at org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:111)
>
> That happens after the correct credentials have been entered. So far, I've
> tested:
> - linkedin
> - facebook
> - microsoft
> - github
>
> The error almost suggests the problem is an incorrect TLS version. To
> troubleshoot, I sniffed network packets, comparing Google with the non-working
> providers (e.g. LinkedIn).
> An interesting thing I found out was that the Keycloak instance is hosted
> behind a proxy, and when authenticating with external providers, all
> communication should go through the proxy.
> In Google's case it went well and communication was successful; however,
> with LinkedIn for example, after the username/password were successfully
> authenticated, the backend Keycloak instance all of a sudden started to talk to
> the LinkedIn server itself instead of going through the proxy. Of course the
> communication will fail and an error is returned.
>
> Can anyone advise?
>
> PS: keycloak mailing list seems to have trouble with google email, I
> apologize in advance if the reply is delayed or resent multiple times.
>
> Thanks!
> Mizuki
>
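The diagnosis above rests on two wire-level facts: the alert Keycloak logs, "Received fatal alert: protocol_version", is the TLS alert with level 2 (fatal) and description 70 (protocol_version, RFC 5246 section 7.2), which a server sends when the highest version the client offers is one the server has retired; and the version the client offers is visible in the ClientHello it sends. The following is an added example, not code from the thread or from Keycloak, that decodes a ClientHello and an alert record so the offered versions and the alert description can be read straight from a capture. The ClientHello and alert bytes it works on are constructed in the block to mirror the failing case (a JSSE client offering only TLSv1.0 with SNI for www.linkedin.com) and a healthy one; they are not captured traffic.

```python
import struct

# TLS version wire encodings (RFC 5246 / RFC 8446 appendix D).
TLS_VERSIONS = {(3, 1): "TLSv1.0", (3, 2): "TLSv1.1", (3, 3): "TLSv1.2", (3, 4): "TLSv1.3"}
# Alert descriptions, RFC 5246 section 7.2 (subset relevant to handshake failures).
ALERT_DESCRIPTIONS = {0: "close_notify", 40: "handshake_failure", 42: "bad_certificate",
                      46: "certificate_unknown", 70: "protocol_version",
                      71: "insufficient_security", 80: "internal_error", 112: "unrecognized_name"}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
CONTENT_HANDSHAKE, CONTENT_ALERT = 0x16, 0x15
HANDSHAKE_CLIENT_HELLO = 0x01
EXT_SERVER_NAME, EXT_SUPPORTED_VERSIONS = 0x0000, 0x002B


def version_name(v):
    return TLS_VERSIONS.get(v, "unknown(%d.%d)" % v)


def build_client_hello(client_version, cipher_suites, server_name=None, supported_versions=None):
    """Construct a minimal ClientHello record as test input (synthetic, not a real capture)."""
    exts = b""
    if server_name is not None:
        host = server_name.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(host)) + host          # name_type host_name(0)
        sni_list = struct.pack("!H", len(entry)) + entry
        exts += struct.pack("!HH", EXT_SERVER_NAME, len(sni_list)) + sni_list
    if supported_versions:                                             # TLS 1.3 style list
        body = b"".join(bytes(v) for v in supported_versions)
        sv = bytes([len(body)]) + body
        exts += struct.pack("!HH", EXT_SUPPORTED_VERSIONS, len(sv)) + sv
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    hello = bytes(client_version) + b"\x11" * 32                       # legacy_version + random
    hello += b"\x00"                                                   # empty session id
    hello += struct.pack("!H", len(suites)) + suites
    hello += b"\x01\x00"                                               # compression: null only
    if exts:
        hello += struct.pack("!H", len(exts)) + exts
    handshake = bytes([HANDSHAKE_CLIENT_HELLO]) + len(hello).to_bytes(3, "big") + hello
    # The record-layer version is conventionally 3.1 whatever is negotiated; it is not the offer.
    return bytes([CONTENT_HANDSHAKE, 3, 1]) + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record):
    """Decode what a ClientHello actually offers. Without supported_versions the offer is
    client_version (and anything below); with it, the listed versions are the offer."""
    if record[0] != CONTENT_HANDSHAKE:
        raise ValueError("not a handshake record")
    record_version = (record[1], record[2])
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if hs[0] != HANDSHAKE_CLIENT_HELLO:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    client_version = (body[0], body[1])
    pos = 2 + 32                                                       # skip version + random
    pos += 1 + body[pos]                                               # session id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack("!H", body[pos + i:pos + i + 2])[0] for i in range(0, cs_len, 2)]
    pos += cs_len
    pos += 1 + body[pos]                                               # compression methods
    sni, offered = None, [client_version]
    if pos < len(body):
        end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            edata = body[pos + 4:pos + 4 + elen]
            pos += 4 + elen
            if etype == EXT_SERVER_NAME:                               # list_len(2) type(1) len(2) name
                name_len = struct.unpack("!H", edata[3:5])[0]
                sni = edata[5:5 + name_len].decode("ascii")
            elif etype == EXT_SUPPORTED_VERSIONS:
                offered = [(edata[i], edata[i + 1]) for i in range(1, 1 + edata[0], 2)]
    return {"record_version": version_name(record_version), "client_version": version_name(client_version),
            "offered_versions": [version_name(v) for v in offered], "highest_offered_raw": max(offered),
            "highest_offered": version_name(max(offered)), "sni": sni, "cipher_suites": suites}


def meets_minimum(record, minimum=(3, 3)):
    """True if the ClientHello offers at least `minimum` (default TLSv1.2). A server that has
    retired older versions answers an offer below its floor with a fatal protocol_version alert."""
    return parse_client_hello(record)["highest_offered_raw"] >= minimum


def parse_alert(record):
    """Decode a TLS alert record into (level, description) names."""
    if record[0] != CONTENT_ALERT:
        raise ValueError("not an alert record")
    level, desc = record[5], record[6]
    return ALERT_LEVELS.get(level, "unknown(%d)" % level), ALERT_DESCRIPTIONS.get(desc, "unknown(%d)" % desc)


# Constructed samples (assumed shapes, not captured packets): the failing client offers only TLSv1.0;
# the healthy one advertises TLSv1.3/1.2 via supported_versions. The alert is what a server sends back.
LEGACY_HELLO = build_client_hello((3, 1), [0x002F, 0x0035], server_name="www.linkedin.com")
MODERN_HELLO = build_client_hello((3, 3), [0x1301, 0xC02F], server_name="www.linkedin.com",
                                  supported_versions=[(3, 4), (3, 3)])
FATAL_PROTOCOL_VERSION_ALERT = bytes([CONTENT_ALERT, 3, 3, 0, 2, 2, 70])   # level fatal, desc 70

if __name__ == "__main__":
    for name, rec in (("legacy", LEGACY_HELLO), ("modern", MODERN_HELLO)):
        info = parse_client_hello(rec)
        print(name, info["sni"], info["offered_versions"], "ok for TLS1.2 server:", meets_minimum(rec))
    print("server alert:", parse_alert(FATAL_PROTOCOL_VERSION_ALERT))
```

Read the ClientHello the Keycloak JVM sends (the SNI tells you which provider it is for) rather than the record-layer bytes, which say 3.1 even for modern clients. If the handshake body offers only TLSv1.0 while the same JVM reaches Google fine, the difference is on the server side (which versions each provider still accepts), and the fix belongs in the client's SSLContext configuration; on IBM Java 8, whose JSSE2 classes appear in the trace above, the system property com.ibm.jsse2.overrideDefaultTLS=true makes an SSLContext obtained under the generic "TLS" name default to TLSv1.2, so that is the first setting to check.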

