AzureAD OIDC Configuration

Hi all,

I’m trying to use Keycloak to broker AzureAD users. I want to manage what applications and permissions users get access to through Keycloak. To give an example, Joe User verifies through AzureAD that he is an active employee (IT manages that stuff). Keycloak has a configuration that shows Joe User can access 5 different AWS Accounts as well as Jenkins.

I have Keycloak up and working. I’ve configured a Realm and added the IDP and was able to use the config URL to pull the settings. I created the Azure Application and got the secret and brought that over. However, I’m getting this error and I can’t figure out how to resolve it.

ERROR [org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider] (default task-437) Failed to make identity provider oauth callback: org.keycloak.broker.provider.IdentityBrokerException: No access_token from server.

Any help would be greatly appreciated. Oh and Server Version is 8.0.0

Thanks,
B

I was able to fix this. If anyone is ever looking to do this, follow these steps:

  1. Create OIDC provider in desired Realm of Keycloak
  2. In another tab open portal.azure.com > Azure Active Directory > App registrations > New Registration
  • Name: oidc
  • Redirect URI > Web > copy Redirect URI from keycloak tab (it’s right above Alias)
  • Register
  3. Azure AD tab > Certificates & secrets (Under your oidc app)
  • New Client Secret
  • Expires (your choice)
  • Description (put down YYYYMMDD it will expire)
  • Add
  • Copy Value
  4. Keycloak Tab
  • Client Secret: paste value from client secret YYYYMMDD
  • Client ID: Copy Application (client) ID from Azure AD Tab in App - Registration Overview section
  • Client Authentication: Client secret sent as post
  • Trust Email: On
  • Save
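To make the steps above concrete, here is an added example (not code from the thread or from the Keycloak project) that builds the same identity-provider settings as the Keycloak admin REST API IdentityProviderRepresentation, shows what "Client secret sent as post" changes on the wire for the code-for-token request, and mirrors the access_token check behind the "No access_token from server" error in the original question. The tenant id, client id, secret and authorization code are constructed placeholders; the endpoint layout is the one Azure AD publishes in its v2.0 discovery document, which Keycloak fills in when importing from the config URL.

```python
import base64
import json
from urllib.parse import urlencode

AZURE_LOGIN = "https://login.microsoftonline.com"


def azure_v2_endpoints(tenant_id: str) -> dict:
    """Endpoints Keycloak imports from the tenant's v2.0
    /.well-known/openid-configuration document."""
    base = f"{AZURE_LOGIN}/{tenant_id}"
    return {
        "issuer": f"{base}/v2.0",
        "authorizationUrl": f"{base}/oauth2/v2.0/authorize",
        "tokenUrl": f"{base}/oauth2/v2.0/token",
        "jwksUrl": f"{base}/discovery/v2.0/keys",
        "userInfoUrl": "https://graph.microsoft.com/oidc/userinfo",
    }


def build_azure_oidc_idp(alias: str, tenant_id: str,
                         client_id: str, client_secret: str) -> dict:
    """IdentityProviderRepresentation equivalent to the UI steps:
    generic OpenID Connect v1.0 provider, secret sent in the POST body,
    Trust Email on."""
    config = azure_v2_endpoints(tenant_id)
    config.update({
        "clientId": client_id,
        "clientSecret": client_secret,
        "clientAuthMethod": "client_secret_post",  # "Client secret sent as post"
        "defaultScope": "openid",                 # Keycloak's default for oidc
        "validateSignature": "true",
        "useJwksUrl": "true",
    })
    return {
        "alias": alias,
        "providerId": "oidc",   # the "OpenID Connect v1.0" provider type
        "enabled": True,
        "trustEmail": True,
        "config": config,
    }


def token_request(config: dict, code: str, redirect_uri: str):
    """Build the code-for-token POST the broker sends to tokenUrl.
    RFC 6749 2.3.1: client_secret_post puts the credentials in the form
    body; client_secret_basic puts them in an HTTP Basic header."""
    form = {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
    }
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if config["clientAuthMethod"] == "client_secret_post":
        form["client_id"] = config["clientId"]
        form["client_secret"] = config["clientSecret"]
    else:
        creds = f'{config["clientId"]}:{config["clientSecret"]}'.encode()
        headers["Authorization"] = "Basic " + base64.b64encode(creds).decode()
    return config["tokenUrl"], headers, urlencode(form)


class IdentityBrokerError(Exception):
    """Stands in for Keycloak's IdentityBrokerException."""


def extract_access_token(raw_response: str) -> str:
    """The check behind "No access_token from server": a token-endpoint
    body without access_token (typically an OAuth error JSON) is rejected
    instead of being passed on to the userinfo call."""
    body = json.loads(raw_response)
    token = body.get("access_token")
    if not token:
        detail = body.get("error_description") or body.get("error") or "no detail"
        raise IdentityBrokerError(f"No access_token from server: {detail}")
    return token


if __name__ == "__main__":
    # Constructed placeholder values; replace with your own tenant/app.
    idp = build_azure_oidc_idp("oidc", "TENANT_ID_PLACEHOLDER",
                               "CLIENT_ID_PLACEHOLDER", "SECRET_PLACEHOLDER")
    print(json.dumps(idp, indent=2))
    url, hdrs, body = token_request(
        idp["config"], "CODE_PLACEHOLDER",
        "http://localhost:8085/auth/realms/angular-heroes/broker/oidc/endpoint")
    print(url, hdrs, body, sep="\n")
```

The representation can be posted to `/auth/admin/realms/{realm}/identity-provider/instances` instead of clicking through the console; the same keys are what a Terraform definition of the provider ends up setting. The last function is the useful part when the error in the question appears: log the raw token-endpoint body once, because the `error` / `error_description` Azure returns (wrong secret, wrong redirect URI, secret sent in the wrong place) is what Keycloak's one-line message hides.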

I have a problem when configuring to login via an Angular app.

Did configure it this OIDC way and also via the Identity Provider Microsoft that is already on the list, but neither of these two ways is working. I am sure I did configure it correctly because I can login via Provider when not logging on Angular App.

Maybe you have another point i am missing.

Took this example: GitHub
Keycloak v9 Server (Docker): http://localhost:8085/
Angular v8 App: http://localhost:4200/

I am able to login via user/pass. But when login via IdentityProviders I end up on HTTP StatusCode 502.

It does some redirects:
1. /localhost:8085/auth/realms/angular-heroes/broker/microsoft-oidc/login?client_id=heroes-client&tab_id=9dPNGKBUCj0&session_code=CODECODECODE
2. /login.microsoftonline.com/_TENANT_ID_/oauth2/v2.0/authorize?scope=openid&state=ERT.ERT.heroes-client&response_type=code&client_id=cf7d7d25-e06d-4998-83ee-23f8c8c147eb&redirect_uri=http%3A%2F%2Flocalhost%3A8085%2Fauth%2Frealms%2Fangular-heroes%2Fbroker%2Fmicrosoft-oidc%2Fendpoint&ui_locales=es&nonce=PUVSHd3CVNcuipeXrIZ2Rw
3. /localhost:8085/auth/realms/angular-heroes/broker/microsoft-oidc/endpoint?code=QWE-QWE-QWE-QWE-QWE-QWE-QWE&state=ASD.ASD.heroes-client&session_state=ZXC-ZXC-ZXC-ZXC-ZXC

Step #3 gives Status Code 502 Bad Gateway.

I am facing the same issue you faced in step 3.
Did you find any suggestion to resolve the issue?

I used AWS as my target application for initial testing but connected that via SAML. To me it sounds more like your client or the protocol mapper in the client. Not completely sure.

I found a solution for my issue.
I configured the ID as “keycloak openid”; when I changed it to “Openid v1.0” it works fine.
Thanks for your help.

Hi @bjgodfrey,

I tried as you described in your solution, but I get the following error on Keycloak:

15:20:03,011 ERROR [org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider] (default task-167) Failed to make identity provider oauth callback: org.keycloak.broker.provider.IdentityBrokerException: Could not fetch attributes from userinfo endpoint.

With another app registration with “Accounts in any organizational directory” enabled:

  • using Identity provider microsoft it works fine
  • using Identity provider Keycloak OpenID Connect it also does not work (same issue)

There must be a difference in the configuration when importing from URL versus using the pre-defined identity provider Microsoft…

Btw, by enabling debug prints in Keycloak I see that user data seems to be received correctly:

16:14:20,937 DEBUG [org.keycloak.social.user_profile_dump] (default task-1) User Profile JSON Data for provider oidc: {"sub":"abc","name":"my name","family_name":"name","given_name":"my","picture":"https://graph.microsoft.com/v1.0/me/photo/$value","email":"my.name@mail.com"}

Just a follow-up question. How do you get the photo in Azure AD? "picture":"https://graph.microsoft.com/v1.0/me/photo/$value"
I tried to pass it directly to the Microsoft Graph API using the same access token but I’m getting unauthorized access.

I’ve only used the URL import. Also, we use mrparkers for the tf management of our Keycloak and we updated to 11.3.

What I’ve found helpful is to set up a second instance and get it working. Then compare the differences between the two.

We don’t pull that or deal with it at all.