[keycloak-user] keycloak 5.0 integration with FranceConnect (IDP provider) no longer working

cedric@couralet.eu cedric at couralet.eu
Mon Apr 15 01:43:27 EDT 2019


Hi,

How are you integrating the two idps? The client_session_state parameter seems added as a hack when using KeycloakOIDCIdentityProvider ([1]), but this was added a long time ago. I think this provider should only be used when the 2 idps are keycloak; you may want to try the generic OIDCIdentityProvider, which does not add this param.
But, there is an issue with logout [2] and signature validation, which is why we had to develop our own keycloak extension for france connect [3]. I just tried it with keycloak 5.0.0 without problem.

(and you may want to change your account information with france connect (client_secret and client_id), these should not be public)

Cédric Couralet

[1] https://github.com/keycloak/keycloak/blob/c34c0a3860fa3c6de5963eb56f431696e826404c/services/src/main/java/org/keycloak/broker/oidc/KeycloakOIDCIdentityProvider.java#L134
[2] https://issues.jboss.org/browse/KEYCLOAK-7209
[3] https://github.com/InseeFr/Keycloak-FranceConnect
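An added example (not Keycloak's code and not the FranceConnect extension's) of the check a practitioner would run on the outgoing token request from the wire trace quoted below: it decodes the form body, flags any field outside the standard authorization_code token request set (which is what a strict endpoint like FranceConnect's rejects), and redacts the secrets before the request is shared. The sample body is constructed with placeholder values in the shape of the Keycloak 5.0 trace.

```python
"""Check a Keycloak outgoing token request body (as logged by
org.apache.http.wire) against the parameters a plain OAuth 2.0
authorization_code token exchange carries."""
from urllib.parse import parse_qs

# Parameters of a standard authorization_code token request (RFC 6749 §4.1.3),
# plus client_id/client_secret for form-based client authentication.
EXPECTED_TOKEN_PARAMS = {"grant_type", "code", "redirect_uri", "client_id", "client_secret"}
# Values that must never appear in a mailing-list post or ticket.
SECRET_PARAMS = {"client_secret", "code"}

# Constructed sample: same field layout as the Keycloak 5.0 body on this page,
# with placeholder values instead of the real code, secret and client_id.
SAMPLE_BODY = (
    "code=AUTHCODE_PLACEHOLDER&grant_type=authorization_code&"
    "client_session_state=n%2Fa&client_secret=SECRET_PLACEHOLDER&"
    "redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Fauth%2Frealms%2Fdemo"
    "%2Fbroker%2FFranceConnect%2Fendpoint&client_id=CLIENTID_PLACEHOLDER"
)


def parse_token_request(body: str) -> dict:
    """Decode an application/x-www-form-urlencoded token request body."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def unexpected_params(params: dict) -> set:
    """Fields outside the standard set; a strict token endpoint may 400 on them."""
    return set(params) - EXPECTED_TOKEN_PARAMS


def redact(params: dict) -> dict:
    """Mask secrets so the request can be pasted into a report safely."""
    return {k: ("<redacted>" if k in SECRET_PARAMS else v) for k, v in params.items()}


def strip_to_standard(params: dict) -> dict:
    """Drop non-standard fields; this is the body shape the generic
    OIDCIdentityProvider sends, since it does not add client_session_state."""
    return {k: v for k, v in params.items() if k in EXPECTED_TOKEN_PARAMS}


if __name__ == "__main__":
    req = parse_token_request(SAMPLE_BODY)
    print("unexpected fields:", unexpected_params(req))
    print("safe to share:", redact(req))
```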

On Friday, April 12, 2019 17:16 CEST, Olivier Rivat <orivat at janua.fr> wrote: 
 
> Hi,
> 
> I am testing the integration of keycloak to FranceConnect (French IDP 
> provider).
> It is working fine with keycloak 4.81 (I have just tested it today), but 
> it is failing with keycloak 5.0.
> 
> The difference between the two is that keycloak 5.0 is adding 
> internally client_session_state on the idp request.
> But FranceConnect idp is not recognizing client_session_state.
> 
> What could be done to overcome this issue, as the IDP has not changed.
> Is it possible to disable this flag (client_session_state) so it does 
> not appear in the log of KC 5.0 ?
> 
> Please advise what could be done to have it working again.
> 
> 
> Regards,
> 
> Olivier Rivat
> 
> 
> 
> ==============================================================================
> 
> Traces are as follows for the two:
> 
> Keycloak 4.83 trace (OK)
> 
> 
> 2019-04-12 17:06:04,250 DEBUG [org.apache.http.wire] (default task-11) 
> http-outgoing-3 >> "[\r][\n]"
> 2019-04-12 17:06:04,250 DEBUG [org.apache.http.wire] (default task-11) 
> http-outgoing-3 >>
> code=de5db40072c4d4a146f46330e7f85e38610d0943e95e9cb6ac73d66bd672205a&
> grant_type=authorization_code&
> client_secret=f6495844366b0a6c44fb2fffb4764ee732d134f4a7a8321863983473801c26db&
> redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Fauth%2Frealms%2Fdemo%2Fbroker%2FFranceConnect%2Fendpoint&
> client_id=db14bd4bf83bf764076a25f664ca6750a32c2cd18be6ba43806d80cb2a3745b6
> 2019-04-12 17:06:04,308 DEBUG [org.apache.http.wire] (default task-11) 
> http-outgoing-3 << "HTTP/1.1 200 OK[\r][\n]"
> 2019-04-12 17:06:04,308 DEBUG [org.apache.http.wire] (default task-11) 
> http-outgoing-3 << "Server: nginx[\r][\n]"
> 2019-04-12 17:06:04,309 DEBUG [org.apache.http.wire] (default task-11) 
> http-outgoing-3 << "Date: Fri, 12 Apr 2019 15:05:57 GMT[\r][\n]"
> 2019-04
> 
> Keycloak 5.00 trace (Not working)
> 
> 6:01:00,889 DEBUG [org.apache.http.wire] (default task-10) 
> http-outgoing-0 >> "
> code=326df10aabf29c322ca83a2a20b7ffc8c3dcab1ce150b62e99433b3a11e78e81&
> grant_type=authorization_code&
> client_session_state=n%2Fa&
> client_secret=f6495844366b0a6c44fb2fffb4764ee732d134f4a7a8321863983473801c26db&
> redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Fauth%2Frealms%2Fdemo%2Fbroker%2FFranceConnect%2Fendpoint&
> client_id=db14bd4bf83bf764076a25f664ca6750a32c2cd18be6ba43806d80cb2a3745b6"
> 16:01:00,966 DEBUG [org.apache.http.wire] (default task-10) 
> http-outgoing-0 << "HTTP/1.1 400 Bad Request[\r][\n]"
> 16:01:00,967 DEBUG [org.apache.http.wire] (default task-10) 
> http-outgoing-0 << "Server: nginx[\r][\n]"
> 16:01:00,967 DEBUG [org.apache.http.wire] (default task-10) 
> http-outgoing-0 << "Date: Fri, 12 Apr 2019 14:00:53 GMT[\r][\n]"
> 16:01:00,967 DEBUG [org.apache.http.wire] (default task-10) 
> http-outgoing-0 << "Content-Type: application/json; charset=utf-8[\r][\n]"
> 16:01:00,967 DEBUG [org.apache.http.wire] (default task-10) 
> http-outgoing-0 << "Content-Length: 104[\r][\n]"
> 16:01:00,967 DEBUG [org.apache.http.wire] (default task-10) 
> http-outgoing-0 << "Connection: keep-alive[\r][\n]"
> 16:01:00,967 DEBUG [org.apache.http.wire] (default task-10) 
> http-outgoing-0 << "ETag: W/"68-1YcGPHfKrHgT2FZkgQmpNQ"[\r][\n]"
> 16:01:00,967 DEBUG [org.apache.http.wire] (default task-10) 
> http-outgoing-0 << "Vary: Accept-Encoding[\r][\n]"
> 16:01:00,967 DEBUG [org.apache.http.wire] (default task-10) 
> http-outgoing-0 << "[\r][\n]"
> 16:01:00,967 DEBUG [org.apache.http.wire] (default task-10) 
> http-outgoing-0 << "{"status":"fail","message":"The following fields are 
> not supposed to be present : client_session_state"}"
> 1
> 
> -- 
> Olivier Rivat
> CTO
> orivat at janua.fr
> Gsm: +33(0)682 801 609
> Tél: +33(0)489 829 238
> Fax: +33(0)955 260 370
> http://www.janua.fr
> 
> 
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user