Authentication via OIDC issue

I have Keycloak 21.0.0 with 2 realms. The realms are identical except for the name.
In each realm I have an external IDP, also the same.
The only difference is the callback URL, which contains the realm name.

On one realm everything works fine. On the other realm I cannot authenticate, and Keycloak shows the exception type=IDENTITY_PROVIDER_LOGIN_ERROR

2023-03-14 22:01:32,103 ERROR [org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider] (executor-thread-166) Failed to make identity provider oauth callback: org.keycloak.broker.provider.IdentityBrokerException: Could not fetch attributes from userinfo endpoint.
        at org.keycloak.broker.oidc.OIDCIdentityProvider.getFederatedIdentity(OIDCIdentityProvider.java:424)
        at org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider$Endpoint.authResponse(AbstractOAuth2IdentityProvider.java:505)
        at jdk.internal.reflect.GeneratedMethodAccessor1047.invoke(Unknown Source)
        at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.base/java.lang.reflect.Method.invoke(Method.java:568)
        at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:170)
        at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:130)
        at org.jboss.resteasy.core.ResourceMethodInvoker.internalInvokeOnTarget(ResourceMethodInvoker.java:660)
....
        at org.jboss.threads.DelegatingRunnable.run(DelegatingRunnable.java:29)
        at org.jboss.threads.ThreadLocalResettingRunnable.run(ThreadLocalResettingRunnable.java:29)
        at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)
        at java.base/java.lang.Thread.run(Thread.java:833)
Caused by: org.keycloak.broker.provider.IdentityBrokerException: Invalid token
        at org.keycloak.broker.oidc.OIDCIdentityProvider.validateToken(OIDCIdentityProvider.java:623)
        at org.keycloak.broker.oidc.KeycloakOIDCIdentityProvider.processAccessTokenResponse(KeycloakOIDCIdentityProvider.java:70)
        at org.keycloak.broker.oidc.OIDCIdentityProvider.extractIdentity(OIDCIdentityProvider.java:539)
        at org.keycloak.broker.oidc.OIDCIdentityProvider.getFederatedIdentity(OIDCIdentityProvider.java:405)
        ... 48 more
Caused by: org.keycloak.jose.jws.JWSInputException: java.lang.IllegalArgumentException: Parsing error
        at org.keycloak.jose.jws.JWSInput.<init>(JWSInput.java:59)
        at org.keycloak.broker.oidc.OIDCIdentityProvider.validateToken(OIDCIdentityProvider.java:617)
        ... 51 more
Caused by: java.lang.IllegalArgumentException: Parsing error
        at org.keycloak.jose.jws.JWSInput.<init>(JWSInput.java:46)
        ... 52 more

Brief googling shows that this is something related to the SSL settings, but they are identical.

I can authenticate with Postman using both callback URLs, emulating both of my realms.
Any advice on where to look?
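The stack trace above bottoms out in JWSInput raising "Parsing error" while the broker validates the token-endpoint response (the KeycloakOIDCIdentityProvider.processAccessTokenResponse frame), so whatever string reached it was not a compact-serialized JWS of the form header.payload.signature. A check worth doing before touching SSL settings is to capture the raw token-endpoint response for each realm's callback (Postman already does this, as the poster notes) and confirm that every token field really is a three-segment base64url JWS with a JSON header. The script below is an added example, not code from this thread or from Keycloak: the sample tokens and responses are constructed inline (the signature is a zero-filled placeholder and nothing is verified), and the issuer, audience and kid values are made up.

```python
import base64
import json


def _b64url_decode(segment: str) -> bytes:
    # JWS segments are base64url without '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def inspect_token(token: str) -> dict:
    """Report whether a token string is a compact-serialized JWS (header.payload.signature).

    Only the format is checked: header and payload are decoded, the signature is NOT verified.
    An opaque token (no dots, or segments that are not base64url-encoded JSON) is reported as
    compact_jws=False together with the reason a JWS parser would trip over.
    """
    parts = token.split(".")
    if len(parts) != 3:
        return {"compact_jws": False, "header": None, "claims": None,
                "reason": f"expected 3 dot-separated segments, got {len(parts)}"}
    try:
        header = json.loads(_b64url_decode(parts[0]))
        claims = json.loads(_b64url_decode(parts[1]))
        _b64url_decode(parts[2])  # signature must at least be valid base64url
    except ValueError as exc:  # binascii.Error and JSONDecodeError are both ValueErrors
        return {"compact_jws": False, "header": None, "claims": None,
                "reason": f"segment is not base64url-encoded JSON: {exc}"}
    if not isinstance(header, dict) or "alg" not in header:
        return {"compact_jws": False, "header": header, "claims": claims,
                "reason": "JOSE header has no 'alg' member"}
    return {"compact_jws": True, "header": header, "claims": claims, "reason": "ok"}


def classify_token_response(body: str) -> dict:
    """Run inspect_token over every token field of a token-endpoint JSON response.

    Returns e.g. {"access_token": False, "id_token": True}, so the responses captured
    for the working and the failing realm can be diffed side by side.
    """
    resp = json.loads(body)
    return {field: inspect_token(resp[field])["compact_jws"]
            for field in ("access_token", "id_token", "refresh_token") if field in resp}


# --- constructed sample data (not captured from a real IdP) ------------------------
def _fake_jws(claims: dict) -> str:
    # Builds a well-formed compact JWS with a placeholder signature. It is NOT signed;
    # it only exercises the parser, which is all this format check needs.
    header = {"alg": "RS256", "typ": "JWT", "kid": "constructed-kid"}
    return ".".join([
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode()),
        _b64url_encode(json.dumps(claims, separators=(",", ":")).encode()),
        _b64url_encode(b"\x00" * 32),
    ])


SAMPLE_ID_TOKEN = _fake_jws({"iss": "https://idp.example/realms/demo", "sub": "user-1",
                             "aud": "keycloak-broker", "nonce": "n-constructed"})
SAMPLE_JWT_ACCESS_TOKEN = _fake_jws({"iss": "https://idp.example/realms/demo",
                                     "sub": "user-1", "scope": "openid"})
SAMPLE_OPAQUE_ACCESS_TOKEN = "c2FtcGxlLW9wYXF1ZS1oYW5kbGU"  # one segment, not a JWS

# Response shaped like an IdP that hands back JWT access tokens ...
RESPONSE_JWT = json.dumps({"access_token": SAMPLE_JWT_ACCESS_TOKEN,
                           "id_token": SAMPLE_ID_TOKEN, "token_type": "Bearer",
                           "expires_in": 300})
# ... and like one that hands back an opaque access token next to a JWT id_token.
RESPONSE_OPAQUE = json.dumps({"access_token": SAMPLE_OPAQUE_ACCESS_TOKEN,
                              "id_token": SAMPLE_ID_TOKEN, "token_type": "Bearer",
                              "expires_in": 300})

if __name__ == "__main__":
    for name, body in (("jwt-realm", RESPONSE_JWT), ("opaque-realm", RESPONSE_OPAQUE)):
        print(name, classify_token_response(body))
        print("  access_token:", inspect_token(json.loads(body)["access_token"])["reason"])
```

To apply this to the real setup, paste the JSON body returned by the IdP's token endpoint for the failing realm into classify_token_response and compare it with the body returned for the working realm; a field that comes back False is one that a JWS parser cannot read, whatever the SSL configuration looks like.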

Hey,
Kind of weird indeed; I would verify the IDP configuration on both realms.
Also, you could take a look at: (link not preserved)

Maybe you have disabled it on one realm and not on the other?

No. The userinfo endpoint replies perfectly fine, and I can get userinfo via Postman.
As far as I can see from the logs, this is somehow related to the token itself.
This is not related to the realm name: I can rename the "working" realm to "non-working" and it works fine.

I configured the same IDP in the master realm (the IDP allows this callback URL) and… it doesn't work either. Something related to the IDP, actually, but not clear what exactly.