[keycloak-user] Stuck with "org.keycloak.broker.provider.IdentityBrokerException: No access_token from server"

Schuster Sebastian (INST-CSS/BSV-OS2) Sebastian.Schuster at bosch-si.com
Thu Dec 5 10:26:19 EST 2019


Are you sure the secret for the client is correct? This is exactly the error you get when your configured secret for the IDP is wrong.

Best regards,
Sebastian

Mit freundlichen Grüßen / Best regards

Dr.-Ing. Sebastian Schuster 

Open Source Services (INST-CSS/BSV-OS2)
Bosch Software Innovations GmbH | Ullsteinstr. 128 | 12109 Berlin | GERMANY | www.bosch-si.com
Tel. +49 30 726112-485 | Mobil +49 152 02177668 | Telefax +49 30 726112-100 | Sebastian.Schuster at bosch-si.com

Sitz: Berlin, Registergericht: Amtsgericht Charlottenburg; HRB 148411 B
Aufsichtsratsvorsitzender: Dr.-Ing. Thorsten Lücke; Geschäftsführung: Dr. Stefan Ferber, Michael Hahn, Dr. Aleksandar Mitrovic 

​
-----Ursprüngliche Nachricht-----
Von: keycloak-user-bounces at lists.jboss.org <keycloak-user-bounces at lists.jboss.org> Im Auftrag von Carsten Aulbert
Gesendet: Donnerstag, 5. Dezember 2019 16:05
An: keycloak-user at lists.jboss.org
Betreff: [keycloak-user] Stuck with "org.keycloak.broker.provider.IdentityBrokerException: No access_token from server"

Hi,

we just started evaluating keycloak (v8.0.1) for our use case (central authentication which would eventually/hopefully allow us to handle authorization for web spaces, wiki and the likes with users either taken from our internal LDAP, our gitlab instance and/or edugain via SAML).

So far, it looks really nice, but after some early success I am currently stuck.

Current test set-up:

keycloak side:
  - users from local LDAP
  - our local gitlab as an identity provider
  - AFAIK, truststore has all necessary certificates

apache2 webserver:
  - directory secured via auth_openidc pointing to keycloak

What works:

Browsing to secured directory, redirect to keycloak, log in against LDAP and based on my role/username/email address, access is granted.

What fails:

Using gitlab as a secondary means of authentication (i.e.
realm/demo/account page has gitlab on the right hand side), it starts to redirect to gitlab, however fails to (renew?) a token. On the gitlab side, I only get HTTP code 401 for keycloak accessing /oath/token, on keycloak I either only get a very terse error like

14:58:22,912 WARN  [org.keycloak.events] (default task-22) type=IDENTITY_PROVIDER_LOGIN_ERROR, realmId=demo, clientId=null, userId=null, ipAddress=1.2.3.4, error=invalid_code

(when using "Client Authentication" set to "Client secret sent as post") or much more verbose when setting it to "Client secret as jwt" (see the very end of the email).

Anyone with an idea, what is wrong here (I have checked the client id/secret multiple times, set and reset it again and again, played around with all the visible knobs in various configurations, bit so far to no avail).

Cheers and thanks a lot in advance!

Carsten

Long error:

15:00:28,047 ERROR
[org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider] (default
task-24) Failed to make identity provider oauth callback:
org.keycloak.broker.provider.IdentityBrokerException: No access_token from server.



at
org.jboss.resteasy.resteasy-jaxrs at 3.9.1.Final//org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:215)
at
org.jboss.resteasy.resteasy-jaxrs at 3.9.1.Final//org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:227)
at
org.jboss.resteasy.resteasy-jaxrs at 3.9.1.Final//org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
at
org.jboss.resteasy.resteasy-jaxrs at 3.9.1.Final//org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
at
javax.servlet.api at 2.0.0.Final//javax.servlet.http.HttpServlet.service(HttpServlet.java:590)
at
io.undertow.servlet at 2.0.27.Final//io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:74)
at
io.undertow.servlet at 2.0.27.Final//io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
at
org.keycloak.keycloak-services at 8.0.1//org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:91)
at
io.undertow.servlet at 2.0.27.Final//io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
at
io.undertow.servlet at 2.0.27.Final//io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
at
io.undertow.servlet at 2.0.27.Final//io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
at
io.undertow.servlet at 2.0.27.Final//io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
at
io.undertow.servlet at 2.0.27.Final//io.undertow.servlet.handlers.ServletChain$1.handleRequest(ServletChain.java:68)
at
io.undertow.servlet at 2.0.27.Final//io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
at
org.wildfly.extension.undertow at 18.0.1.Final//org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
at
io.undertow.core at 2.0.27.Final//io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at
io.undertow.servlet at 2.0.27.Final//io.undertow.servlet.handlers.RedirectDirHandler.handleRequest(RedirectDirHandler.java:68)
at
io.undertow.servlet at 2.0.27.Final//io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:132)
at
io.undertow.servlet at 2.0.27.Final//io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
at
io.undertow.core at 2.0.27.Final//io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at
io.undertow.core at 2.0.27.Final//io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
at
io.undertow.servlet at 2.0.27.Final//io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
at
io.undertow.core at 2.0.27.Final//io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
at
io.undertow.servlet at 2.0.27.Final//io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
at
io.undertow.core at 2.0.27.Final//io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
at
io.undertow.core at 2.0.27.Final//io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
at
io.undertow.core at 2.0.27.Final//io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at
org.wildfly.extension.undertow at 18.0.1.Final//org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
at
io.undertow.core at 2.0.27.Final//io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at
org.wildfly.extension.undertow at 18.0.1.Final//org.wildfly.extension.undertow.deployment.GlobalRequestControllerHandler.handleRequest(GlobalRequestControllerHandler.java:68)
at
io.undertow.core at 2.0.27.Final//io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at
io.undertow.servlet at 2.0.27.Final//io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:269)
at
io.undertow.servlet at 2.0.27.Final//io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:78)
at
io.undertow.servlet at 2.0.27.Final//io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:133)
at
io.undertow.servlet at 2.0.27.Final//io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:130)
at
io.undertow.servlet at 2.0.27.Final//io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48)
at
io.undertow.servlet at 2.0.27.Final//io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)
at
org.wildfly.extension.undertow at 18.0.1.Final//org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction.lambda$create$0(SecurityContextThreadSetupAction.java:105)
at
org.wildfly.extension.undertow at 18.0.1.Final//org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1504)
at
org.wildfly.extension.undertow at 18.0.1.Final//org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1504)
at
org.wildfly.extension.undertow at 18.0.1.Final//org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1504)
at
org.wildfly.extension.undertow at 18.0.1.Final//org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1504)
at
io.undertow.servlet at 2.0.27.Final//io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:249)
at
io.undertow.servlet at 2.0.27.Final//io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:78)
at
io.undertow.servlet at 2.0.27.Final//io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:99)
at
io.undertow.core at 2.0.27.Final//io.undertow.server.Connectors.executeRootHandler(Connectors.java:376)
at
io.undertow.core at 2.0.27.Final//io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:830)
at
org.jboss.threads at 2.3.3.Final//org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35)
at
org.jboss.threads at 2.3.3.Final//org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1982)
at
org.jboss.threads at 2.3.3.Final//org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1486)
at
org.jboss.threads at 2.3.3.Final//org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1377)
at java.base/java.lang.Thread.run(Thread.java:834)
15:00:28,049 WARN  [org.keycloak.events] (default task-24) type=LOGIN_ERROR, realmId=demo, clientId=null, userId=null,
ipAddress=1.2.3.4 error=identity_provider_login_failure


--
Dr. Carsten Aulbert, Max Planck Institute for Gravitational Physics, Callinstraße 38, 30167 Hannover, Germany
Phone: +49 511 762 17185




More information about the keycloak-user mailing list