[keycloak-user] keycloak 5.0 integration with FranceConnect (IDP provider) no longer working
Olivier Rivat
orivat at janua.fr
Mon Apr 15 02:11:27 EDT 2019
Hi Cedric,
I am integrating KC (SP) to FranceConnect (IDP) dierctly out of the box.
I haven't written any KC code module extension and FranceConnect is
configured as an IDP for KC.
FranceConnect Integration is working fine with KC 4.81, but it is
failing with KC 5.00.
Only diff I noticed is that internally there is this
client_session_state flag added with KC 5.0.
This is what makes the integration failing
Regards,
Olivier Rivat
Le 15/04/2019 à 07:43, cedric at couralet.eu a écrit :
> Hi,
>
> How are you integrating the two idps ? The client_session_state parameter seems added as an hack when using KeycloakOIDCIdentityProvider ([1]), but this was added a long time ago. I think this provider should only be used when the 2 idps are keycloak, you may want to tyry the generic OIDCIdentityProvider, which does not add this param.
> But, there is an issue with logout [2] and signature validation . Which is why we had to developed our own keycloak extension for france connect [3]. I just tried it with keycloak 5.0.0 without problem.
>
> (and you may want to change your account information with france connect (client_secret and client_id), these should not be public)
>
> Cédric Couralet
>
> [1] https://github.com/keycloak/keycloak/blob/c34c0a3860fa3c6de5963eb56f431696e826404c/services/src/main/java/org/keycloak/broker/oidc/KeycloakOIDCIdentityProvider.java#L134
> [2] https://issues.jboss.org/browse/KEYCLOAK-7209
> [3] https://github.com/InseeFr/Keycloak-FranceConnect
>
> Le Vendredi, Avril 12, 2019 17:16 CEST, Olivier Rivat <orivat at janua.fr> a écrit:
>
>> Hi,
>>
>> I am testing the integration of keycloak to FranceConnect (French IDP
>> provider).
>> It is working fine with keycloak 4.81 (I have just tested it today), but
>> it is failing with keycloak 5.0.
>>
>> The difference between the both is that keycloak 5.0 is adding
>> internally client_session_state on the idp request.
>> But FranceConnect idp is not recognizing client_session_state.
>>
>> What could be done to overcome this issue, as the IDP has not changed.
>> Is it possibel to disbale this flag (client_session_state) so it does
>> not appear in the log of KC 5.0 ?
>>
>> Please advise what could be done to have it working again.
>>
>>
>> Regards,
>>
>> Olivier Rivat
>>
>>
>>
>> ==============================================================================
>>
>>
>>
>>
>>
>>
>> Traces are as follows between the both:
>>
>> Keycloak 4.83 trace (OK)
>>
>>
>> 2019-04-12 17:06:04,250 DEBUG [org.apache.http.wire] (default task-11)
>> http-outgoing-3 >> "[\r][\n]"
>> 2019-04-12 17:06:04,250 DEBUG [org.apache.http.wire] (default task-11)
>> http-outgoing-3 >>
>> code=de5db40072c4d4a146f46330e7f85e38610d0943e95e9cb6ac73d66bd672205a&
>> grant_type=authorization_code&
>> client_secret=f6495844366b0a6c44fb2fffb4764ee732d134f4a7a8321863983473801c26db&
>> redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Fauth%2Frealms%2Fdemo%2Fbroker%2FFranceConnect%2Fendpoint&
>> client_id=db14bd4bf83bf764076a25f664ca6750a32c2cd18be6ba43806d80cb2a3745b6
>> 2019-04-12 17:06:04,308 DEBUG [org.apache.http.wire] (default task-11)
>> http-outgoing-3 << "HTTP/1.1 200 OK[\r][\n]"
>> 2019-04-12 17:06:04,308 DEBUG [org.apache.http.wire] (default task-11)
>> http-outgoing-3 << "Server: nginx[\r][\n]"
>> 2019-04-12 17:06:04,309 DEBUG [org.apache.http.wire] (default task-11)
>> http-outgoing-3 << "Date: Fri, 12 Apr 2019 15:05:57 GMT[\r][\n]"
>> 2019-04
>>
>>
>>
>>
>> Keycloak 5.00 trace (Not working)
>>
>> 6:01:00,889 DEBUG [org.apache.http.wire] (default task-10)
>> http-outgoing-0 >> "
>> code=326df10aabf29c322ca83a2a20b7ffc8c3dcab1ce150b62e99433b3a11e78e81&
>> grant_type=authorization_code&
>> client_session_state=n%2Fa&
>> client_secret=f6495844366b0a6c44fb2fffb4764ee732d134f4a7a8321863983473801c26db&
>> redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Fauth%2Frealms%2Fdemo%2Fbroker%2FFranceConnect%2Fendpoint&
>> client_id=db14bd4bf83bf764076a25f664ca6750a32c2cd18be6ba43806d80cb2a3745b6"
>> 16:01:00,966 DEBUG [org.apache.http.wire] (default task-10)
>> http-outgoing-0 << "HTTP/1.1 400 Bad Request[\r][\n]"
>> 16:01:00,967 DEBUG [org.apache.http.wire] (default task-10)
>> http-outgoing-0 << "Server: nginx[\r][\n]"
>> 16:01:00,967 DEBUG [org.apache.http.wire] (default task-10)
>> http-outgoing-0 << "Date: Fri, 12 Apr 2019 14:00:53 GMT[\r][\n]"
>> 16:01:00,967 DEBUG [org.apache.http.wire] (default task-10)
>> http-outgoing-0 << "Content-Type: application/json; charset=utf-8[\r][\n]"
>> 16:01:00,967 DEBUG [org.apache.http.wire] (default task-10)
>> http-outgoing-0 << "Content-Length: 104[\r][\n]"
>> 16:01:00,967 DEBUG [org.apache.http.wire] (default task-10)
>> http-outgoing-0 << "Connection: keep-alive[\r][\n]"
>> 16:01:00,967 DEBUG [org.apache.http.wire] (default task-10)
>> http-outgoing-0 << "ETag: W/"68-1YcGPHfKrHgT2FZkgQmpNQ"[\r][\n]"
>> 16:01:00,967 DEBUG [org.apache.http.wire] (default task-10)
>> http-outgoing-0 << "Vary: Accept-Encoding[\r][\n]"
>> 16:01:00,967 DEBUG [org.apache.http.wire] (default task-10)
>> http-outgoing-0 << "[\r][\n]"
>> 16:01:00,967 DEBUG [org.apache.http.wire] (default task-10)
>> http-outgoing-0 << "{"status":"fail","message":"The following fields are
>> not supposed to be present : client_session_state"}"
>> 1
>>
>>
>>
>>
>>
>>
>>
>>
>> --
>>
>>
>> <http://www.janua.fr/images/logo-big-sans.png><http://www.janua.fr/images/LogoSignature.gif>
>>
>> <http://www.janua.fr/images/6g_top.gif>
>>
>> Olivier Rivat
>> CTO
>> orivat at janua.fr <mailto:dchikhaoui at janua.fr>
>> Gsm: +33(0)682 801 609
>> Tél: +33(0)489 829 238
>> Fax: +33(0)955 260 370
>> http://www.janua.fr <http://www.janua.fr/>
>> <http://www.janua.fr/images/6g_top.gif>
>>
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
--
<http://www.janua.fr/images/logo-big-sans.png><http://www.janua.fr/images/LogoSignature.gif>
<http://www.janua.fr/images/6g_top.gif>
Olivier Rivat
CTO
orivat at janua.fr <mailto:dchikhaoui at janua.fr>
Gsm: +33(0)682 801 609
Tél: +33(0)489 829 238
Fax: +33(0)955 260 370
http://www.janua.fr <http://www.janua.fr/>
<http://www.janua.fr/images/6g_top.gif>
More information about the keycloak-user
mailing list