Hi, we have upgraded our Keycloak service image from v.8 to v.12… all is working ok but we’re not able to sign up / log in in our local dev environment… Nevertheless, it works in our test and production environments (deployed in Google Cloud). It’s important for us to spin up all the services locally so we can debug everything properly…
The error arises after accepting the Google OAuth dialog and being redirected to the local URL: http://localhost:8080/auth/realms/pi-top/broker/after-first-broker-login?session_code=...
The Keycloak UI ${message.summary} only says “Unexpected error when authenticating with identity provider” and the local container logs contain this error:
06:38:47,534 ERROR [org.keycloak.services.resources.IdentityBrokerService] (default task-6) identityProviderUnexpectedErrorMessage: java.lang.NullPointerException
    at org.keycloak.keycloak-model-jpa@12.0.4//org.keycloak.models.jpa.UserAdapter.grantRoleImpl(UserAdapter.java:452)
    at org.keycloak.keycloak-model-jpa@12.0.4//org.keycloak.models.jpa.UserAdapter.grantRole(UserAdapter.java:446)
    at org.keycloak.keycloak-model-infinispan@12.0.4//org.keycloak.models.cache.infinispan.UserAdapter.grantRole(UserAdapter.java:300)
    at org.keycloak.keycloak-services@12.0.4//org.keycloak.services.resources.IdentityBrokerService.afterFirstBrokerLogin(IdentityBrokerService.java:707)
    at org.keycloak.keycloak-services@12.0.4//org.keycloak.services.resources.IdentityBrokerService.afterFirstBrokerLogin(IdentityBrokerService.java:665)
We suspect that it could be related to the realm configuration, baseUrl, rootUrl, adminUrl, etc… but we’ve tried to change many of the realm parameters without success. Any help will be appreciated, thank you!
@raultruco Can you share your config and what you are trying to achieve? Sounds like you’ve got Google set up as your IdP. Are you using the standard Keycloak Google “social login”, or are you using generic OIDC or SAML?
@melancholia Assuming it’s a standard flow, no, there is no requirement for a publicly routable domain, as it all happens through browser redirect.
@xgp, @melancholia We’ve got an Identity Provider set up for Google in Keycloak… it actually worked on localhost before updating from v.8 to v.12 and it even works with v.12 on our test environment (Google Cloud with a publicly routable domain).
We’re importing all the config from a .json file previously exported from the UI. This is the “identityProviders” entry:
We have the Google side set up with http://localhost:8080/auth/realms/pi-top/broker/google/endpoint as an authorized redirect URL, and it was working for us in Keycloak v8 but not v12…
I am afraid I don’t have a ready answer to your query. An apparently similar config is running on our v12.0.4 (it’s on a publicly routed domain; however, as @xgp mentions above, it would not matter).
Were there any out-of-the-box setting changes for the ‘first browser login’ Authentication flow with the version upgrade and/or customization?