[keycloak-user] keycloak 5.0 integration with FranceConnect (IDP provider) no longer working

Olivier Rivat orivat at janua.fr
Mon Apr 15 12:32:05 EDT 2019


Hello Cedric,

Thanks a lot for all your updates.


I have just downloaded your module and uploaded it.
I am not able to configure the IDP with your module.

When I click on one of the two choices to configure the IDP
(FranceConnect Particulier for example), I obtain the following below.


What could be missing on my side?

Regards,

Olivier






On 15/04/2019 at 07:43, cedric at couralet.eu wrote:
> Hi,
>
> How are you integrating the two IDPs? The client_session_state parameter seems to have been added as a hack when using KeycloakOIDCIdentityProvider ([1]), but this was added a long time ago. I think this provider should only be used when the 2 IDPs are Keycloak; you may want to try the generic OIDCIdentityProvider, which does not add this param.
> But there is an issue with logout [2] and signature validation, which is why we had to develop our own Keycloak extension for France Connect [3]. I just tried it with Keycloak 5.0.0 without problem.
>
> (And you may want to change your account information with France Connect (client_secret and client_id); these should not be public.)
>
> Cédric Couralet
>
> [1] https://github.com/keycloak/keycloak/blob/c34c0a3860fa3c6de5963eb56f431696e826404c/services/src/main/java/org/keycloak/broker/oidc/KeycloakOIDCIdentityProvider.java#L134
> [2] https://issues.jboss.org/browse/KEYCLOAK-7209
> [3] https://github.com/InseeFr/Keycloak-FranceConnect
>
> On Friday, April 12, 2019 17:16 CEST, Olivier Rivat <orivat at janua.fr> wrote:
>
>> Hi,
>>
>> I am testing the integration of Keycloak with FranceConnect (French IDP
>> provider).
>> It is working fine with Keycloak 4.81 (I have just tested it today), but
>> it is failing with Keycloak 5.0.
>>
>> The difference between the two is that Keycloak 5.0 internally adds
>> client_session_state to the IDP request.
>> But the FranceConnect IDP does not recognize client_session_state.
>>
>> What could be done to overcome this issue, as the IDP has not changed?
>> Is it possible to disable this flag (client_session_state) so it does
>> not appear in the log of KC 5.0?
>>
>> Please advise what could be done to have it working again.
>>
>>
>> Regards,
>>
>> Olivier Rivat
>>
>>
>>
>> ==============================================================================
>>
>>
>>
>>
>>
>>
>> The traces for the two versions are as follows:
>>
>> Keycloak 4.83 trace (OK)
>>
>>
>> 2019-04-12 17:06:04,250 DEBUG [org.apache.http.wire] (default task-11)
>> http-outgoing-3 >> "[\r][\n]"
>> 2019-04-12 17:06:04,250 DEBUG [org.apache.http.wire] (default task-11)
>> http-outgoing-3 >>
>> code=de5db40072c4d4a146f46330e7f85e38610d0943e95e9cb6ac73d66bd672205a&
>> grant_type=authorization_code&
>> client_secret=f6495844366b0a6c44fb2fffb4764ee732d134f4a7a8321863983473801c26db&
>> redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Fauth%2Frealms%2Fdemo%2Fbroker%2FFranceConnect%2Fendpoint&
>> client_id=db14bd4bf83bf764076a25f664ca6750a32c2cd18be6ba43806d80cb2a3745b6
>> 2019-04-12 17:06:04,308 DEBUG [org.apache.http.wire] (default task-11)
>> http-outgoing-3 << "HTTP/1.1 200 OK[\r][\n]"
>> 2019-04-12 17:06:04,308 DEBUG [org.apache.http.wire] (default task-11)
>> http-outgoing-3 << "Server: nginx[\r][\n]"
>> 2019-04-12 17:06:04,309 DEBUG [org.apache.http.wire] (default task-11)
>> http-outgoing-3 << "Date: Fri, 12 Apr 2019 15:05:57 GMT[\r][\n]"
>> 2019-04
>>
>>
>>
>>
>> Keycloak 5.00 trace (Not working)
>>
>> 6:01:00,889 DEBUG [org.apache.http.wire] (default task-10)
>> http-outgoing-0 >> "
>> code=326df10aabf29c322ca83a2a20b7ffc8c3dcab1ce150b62e99433b3a11e78e81&
>> grant_type=authorization_code&
>> client_session_state=n%2Fa&
>> client_secret=f6495844366b0a6c44fb2fffb4764ee732d134f4a7a8321863983473801c26db&
>> redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Fauth%2Frealms%2Fdemo%2Fbroker%2FFranceConnect%2Fendpoint&
>> client_id=db14bd4bf83bf764076a25f664ca6750a32c2cd18be6ba43806d80cb2a3745b6"
>> 16:01:00,966 DEBUG [org.apache.http.wire] (default task-10)
>> http-outgoing-0 << "HTTP/1.1 400 Bad Request[\r][\n]"
>> 16:01:00,967 DEBUG [org.apache.http.wire] (default task-10)
>> http-outgoing-0 << "Server: nginx[\r][\n]"
>> 16:01:00,967 DEBUG [org.apache.http.wire] (default task-10)
>> http-outgoing-0 << "Date: Fri, 12 Apr 2019 14:00:53 GMT[\r][\n]"
>> 16:01:00,967 DEBUG [org.apache.http.wire] (default task-10)
>> http-outgoing-0 << "Content-Type: application/json; charset=utf-8[\r][\n]"
>> 16:01:00,967 DEBUG [org.apache.http.wire] (default task-10)
>> http-outgoing-0 << "Content-Length: 104[\r][\n]"
>> 16:01:00,967 DEBUG [org.apache.http.wire] (default task-10)
>> http-outgoing-0 << "Connection: keep-alive[\r][\n]"
>> 16:01:00,967 DEBUG [org.apache.http.wire] (default task-10)
>> http-outgoing-0 << "ETag: W/"68-1YcGPHfKrHgT2FZkgQmpNQ"[\r][\n]"
>> 16:01:00,967 DEBUG [org.apache.http.wire] (default task-10)
>> http-outgoing-0 << "Vary: Accept-Encoding[\r][\n]"
>> 16:01:00,967 DEBUG [org.apache.http.wire] (default task-10)
>> http-outgoing-0 << "[\r][\n]"
>> 16:01:00,967 DEBUG [org.apache.http.wire] (default task-10)
>> http-outgoing-0 << "{"status":"fail","message":"The following fields are
>> not supposed to be present : client_session_state"}"
>> 1
>>
>>
>>
>>
>>
>>
>>
>>
>> -- 
>>
>> Olivier Rivat
>> CTO
>> orivat at janua.fr
>> Gsm: +33(0)682 801 609
>> Tél: +33(0)489 829 238
>> Fax: +33(0)955 260 370
>> http://www.janua.fr
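As an added example (not code from this thread, from Keycloak or from the InseeFr extension), the Python below does the checks a practitioner would want when a token exchange fails the way the Keycloak 5.0 trace above does: it pulls the form body out of an org.apache.http.wire excerpt, lists the parameters that are outside the RFC 6749 authorization_code vocabulary and that a strict token endpoint such as FranceConnect rejects, shows the same request with those parameters removed, and redacts the client_secret and the authorization code before the trace is pasted anywhere public (the point Cédric raises about the client_secret and client_id). The sample trace and its code, client_secret and client_id values are constructed placeholders, not the values from the thread.

```python
import re
from urllib.parse import parse_qsl, urlencode

# Parameters of an authorization_code token request (RFC 6749 section 4.1.3), plus the
# client_id/client_secret pair that Keycloak sends in the body (client_secret_post).
STANDARD_TOKEN_PARAMS = {"grant_type", "code", "redirect_uri", "client_id", "client_secret"}

# Values that must never survive in a trace excerpt pasted into a mailing list or ticket.
SECRET_PARAMS = {"client_secret", "code"}

# Constructed org.apache.http.wire excerpt modelled on the Keycloak 5.0 trace in the thread.
# The code, client_secret and client_id are made-up placeholders, not values from the thread.
SAMPLE_TRACE = r"""
16:01:00,889 DEBUG [org.apache.http.wire] (default task-10) http-outgoing-0 >> "POST /api/v1/token HTTP/1.1[\r][\n]"
16:01:00,889 DEBUG [org.apache.http.wire] (default task-10) http-outgoing-0 >> "Content-Type: application/x-www-form-urlencoded[\r][\n]"
16:01:00,889 DEBUG [org.apache.http.wire] (default task-10) http-outgoing-0 >> "[\r][\n]"
16:01:00,889 DEBUG [org.apache.http.wire] (default task-10) http-outgoing-0 >> "code=EXAMPLECODE&grant_type=authorization_code&client_session_state=n%2Fa&client_secret=EXAMPLESECRET&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Fauth%2Frealms%2Fdemo%2Fbroker%2FFranceConnect%2Fendpoint&client_id=EXAMPLECLIENT"
16:01:00,966 DEBUG [org.apache.http.wire] (default task-10) http-outgoing-0 << "HTTP/1.1 400 Bad Request[\r][\n]"
"""

# One wire log line: direction marker (>> outgoing, << incoming) and the quoted chunk.
WIRE_LINE = re.compile(r'http-outgoing-\d+ (>>|<<) "(.*)"$')
CRLF = r"[\r][\n]"  # how org.apache.http.wire renders a line ending


def outgoing_chunks(trace):
    """Return the quoted chunks Keycloak sent (>>), in order."""
    chunks = []
    for line in trace.splitlines():
        m = WIRE_LINE.search(line)
        if m and m.group(1) == ">>":
            chunks.append(m.group(2))
    return chunks


def extract_request_body(trace):
    """Return the form body of the outgoing request: every outgoing chunk after the
    bare CRLF chunk that separates the HTTP headers from the body."""
    chunks = outgoing_chunks(trace)
    separators = [i for i, c in enumerate(chunks) if c == CRLF]
    if not separators:
        return ""
    return "".join(c.replace(CRLF, "") for c in chunks[separators[-1] + 1:])


def unknown_token_params(body):
    """Names in the body that a strict token endpoint (FranceConnect here) would reject."""
    names = {k for k, _ in parse_qsl(body, keep_blank_values=True)}
    return sorted(names - STANDARD_TOKEN_PARAMS)


def strip_params(body, names):
    """The same form body without the given parameters, re-encoded."""
    pairs = parse_qsl(body, keep_blank_values=True)
    return urlencode([(k, v) for k, v in pairs if k not in names])


def redact(body):
    """The form body with secret values replaced, safe to paste into a bug report."""
    pairs = parse_qsl(body, keep_blank_values=True)
    return urlencode([(k, "REDACTED" if k in SECRET_PARAMS else v) for k, v in pairs])


if __name__ == "__main__":
    body = extract_request_body(SAMPLE_TRACE)
    extra = unknown_token_params(body)
    print("non-standard parameters:", extra)  # ['client_session_state']
    print("request without them:", redact(strip_params(body, extra)))
```

Run against a real trace, the `unknown_token_params` list is the first thing to compare with the IDP's error message (here FranceConnect names the offending field explicitly), and the `redact` output is the form of the body that should be shared when asking for help.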