Keycloak unable to discover Discovery endpoint of custom OpenID Connect Provider

I am trying to integrate a custom OpenID Connect provider with Keycloak, but Keycloak isn't able to discover the discovery endpoint of the OP.

The endpoint is accessible both via the browser and curl.

curl -ki -X GET http://adain-dev-aps1.workspaces.corp.win.ia55.net:5000/.well-known/openid-configuration
HTTP/1.1 200 OK
Server: Werkzeug/2.2.2 Python/3.7.15
Date: Mon, 19 Dec 2022 14:01:58 GMT
Content-type: application/json; charset=utf-8
Content-Length: 3859
Pragma: no-cache
Cache-Control: no-store
Connection: close

{"version": "3.0", "token_endpoint_auth_methods_supported": ["client_secret_post", "client_secret_basic", "client_secret_jwt", "private_key_jwt"], "claims_parameter_supported": true, "request_parameter_supported": true, "request_uri_parameter_supported": true, "require_request_uri_registration": true, "grant_types_supported": ["authorization_code", "implicit", "urn:ietf:params:oauth:grant-type:jwt-bearer", "refresh_token"], "subject_types_supported": ["public", "pairwise"], "request_object_signing_alg_values_supported": ["RS256", "RS384", "RS512", "ES256", "ES384", "ES512", "HS256", "HS384", "HS512", "PS256", "PS384", "PS512"], "registration_endpoint": "http://adain-dev-aps1.workspaces.corp.win.ia55.net:5000/registration", "introspection_endpoint": "http://adain-dev-aps1.workspaces.corp.win.ia55.net:5000/introspection", "response_types_supported": ["code", "token", "id_token", "code token", "code id_token", "id_token token", "code id_token token", "none"], "response_modes_supported": ["query", "fragment", "form_post"], "request_object_encryption_alg_values_supported": ["RSA-OAEP", "RSA-OAEP-256", "A128KW", "A192KW", "A256KW", "ECDH-ES", "ECDH-ES+A128KW", "ECDH-ES+A192KW", "ECDH-ES+A256KW"], "request_object_encryption_enc_values_supported": ["A128CBC-HS256", "A192CBC-HS384", "A256CBC-HS512", "A128GCM", "A192GCM", "A256GCM"], "claim_types_supported": ["normal", "aggregated", "distributed"], "authorization_endpoint": "http://adain-dev-aps1.workspaces.corp.win.ia55.net:5000/authorization", "token_endpoint_auth_signing_alg_values_supported": ["RS256", "RS384", "RS512", "ES256", "ES384", "ES512", "HS256", "HS384", "HS512", "PS256", "PS384", "PS512"], "token_endpoint": "http://adain-dev-aps1.workspaces.corp.win.ia55.net:5000/token", "userinfo_signing_alg_values_supported": ["RS256", "RS384", "RS512", "ES256", "ES384", "ES512", "HS256", "HS384", "HS512", "PS256", "PS384", "PS512"], "userinfo_encryption_alg_values_supported": ["RSA-OAEP", "RSA-OAEP-256", "A128KW", "A192KW", "A256KW", "ECDH-ES", "ECDH-ES+A128KW", "ECDH-ES+A192KW", "ECDH-ES+A256KW"], "userinfo_encryption_enc_values_supported": ["A128CBC-HS256", "A192CBC-HS384", "A256CBC-HS512", "A128GCM", "A192GCM", "A256GCM"], "client_authn_method": ["bearer_header", "bearer_body"], "userinfo_endpoint": "http://adain-dev-aps1.workspaces.corp.win.ia55.net:5000/userinfo", "frontchannel_logout_supported": true, "frontchannel_logout_session_supported": true, "backchannel_logout_supported": true, "backchannel_logout_session_supported": true, "check_session_iframe": "http://adain-dev-aps1.workspaces.corp.win.ia55.net:5000/check_session_iframe", "end_session_endpoint": "http://adain-dev-aps1.workspaces.corp.win.ia55.net:5000/session", "issuer": "http://adain-dev-aps1.workspaces.corp.win.ia55.net:5000", "acr_values_supported": ["urn:oasis:names:tc:SAML:2.0:ac:classes:InternetProtocolPassword"], "jwks_uri": "http://adain-dev-aps1.workspaces.corp.win.ia55.net:5000/static/jwks.json", "scopes_supported": ["offline_access", "address", "research_and_scholarship", "phone", "profile", "openid", "email"], "claims_supported": ["address", "preferred_username", "family_name", "phone_number", "name", "gender", "sub", "email_verified", "updated_at", "picture", "middle_name", "profile", "email", "nickname", "locale", "birthdate", "iss", "given_name", "website", "eduperson_scoped_affiliation", "phone_number_verified", "zoneinfo"], "id_token_signing_alg_values_supported": ["RS256", "RS384", "RS512", "ES256", "ES384", "ES512", "HS256", "HS384", "HS512", "PS256", "PS384", "PS512"], "id_token_encryption_alg_values_supported": ["RSA-OAEP", "RSA-OAEP-256", "A128KW", "A192KW", "A256KW", "ECDH-ES", "ECDH-ES+A128KW", "ECDH-ES+A192KW", "ECDH-ES+A256KW"], "id_token_encryption_enc_values_supported": ["A128CBC-HS256", "A192CBC-HS384", "A256CBC-HS512", "A128GCM", "A192GCM", "A256GCM"]}

Any leads here are appreciated.

Thanks,
Mohammed Adain
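The curl output shows the document is reachable, but a relying party such as Keycloak's "Import from URL" also validates what it fetches before accepting it. The script below is an added example, not code from the thread or from Keycloak: it runs the checks OpenID Connect Discovery 1.0 requires (the REQUIRED metadata fields, an https issuer with no query or fragment, the document living at issuer + /.well-known/openid-configuration, RS256 among the ID token signing algorithms) over a constructed, trimmed-down copy of the document posted above. The hostname `op.example.internal` and the trimmed field set are assumptions; the real document uses many more fields.

```python
"""Validate an OpenID Connect discovery document the way a relying party would.

Added example, not part of the original thread. The sample documents below are
constructed; SAMPLE_DOC mirrors the shape of the one in the curl output above.
Checks follow OpenID Connect Discovery 1.0, sections 3 and 4.
"""
from urllib.parse import urlsplit

# Metadata that Discovery 1.0 marks REQUIRED for every provider.
REQUIRED_FIELDS = (
    "issuer",
    "authorization_endpoint",
    "jwks_uri",
    "response_types_supported",
    "subject_types_supported",
    "id_token_signing_alg_values_supported",
)
WELL_KNOWN_SUFFIX = "/.well-known/openid-configuration"


def check_discovery_document(doc: dict, fetched_from: str) -> list:
    """Return human-readable findings; an empty list means the document passed."""
    findings = []

    for field in REQUIRED_FIELDS:
        if field not in doc:
            findings.append(f"missing required field: {field}")

    # token_endpoint is REQUIRED unless only the Implicit Flow is offered.
    response_types = doc.get("response_types_supported", [])
    if "token_endpoint" not in doc and any("code" in rt.split() for rt in response_types):
        findings.append("missing token_endpoint although the code flow is advertised")

    issuer = doc.get("issuer")
    if issuer:
        parts = urlsplit(issuer)
        # Spec: issuer is an https URL with no query or fragment component.
        if parts.scheme != "https":
            findings.append(f"issuer is not https: {issuer}")
        if parts.query or parts.fragment:
            findings.append("issuer must not contain a query or fragment")
        # Spec: the document is served at issuer + well-known path.
        expected = issuer.rstrip("/") + WELL_KNOWN_SUFFIX
        if fetched_from != expected:
            findings.append(f"discovery URL {fetched_from} does not match issuer-derived {expected}")
        # Endpoints on a different host than the issuer are a red flag for a
        # relying party: tokens would be sent somewhere the issuer does not own.
        for key, value in doc.items():
            if key.endswith(("_endpoint", "_uri")) or key == "check_session_iframe":
                if isinstance(value, str) and urlsplit(value).netloc != parts.netloc:
                    findings.append(f"{key} points at a different host: {value}")

    # Spec: RS256 MUST be among the ID token signing algorithms.
    if "RS256" not in doc.get("id_token_signing_alg_values_supported", []):
        findings.append("RS256 must be included in id_token_signing_alg_values_supported")
    return findings


# Constructed sample mirroring the posted document (plain-http issuer, all
# endpoints on the same host, RS256 offered).
SAMPLE_ISSUER = "http://op.example.internal:5000"
SAMPLE_URL = SAMPLE_ISSUER + WELL_KNOWN_SUFFIX
SAMPLE_DOC = {
    "issuer": SAMPLE_ISSUER,
    "authorization_endpoint": SAMPLE_ISSUER + "/authorization",
    "token_endpoint": SAMPLE_ISSUER + "/token",
    "userinfo_endpoint": SAMPLE_ISSUER + "/userinfo",
    "jwks_uri": SAMPLE_ISSUER + "/static/jwks.json",
    "response_types_supported": ["code", "token", "id_token", "code id_token"],
    "subject_types_supported": ["public", "pairwise"],
    "id_token_signing_alg_values_supported": ["RS256", "ES256", "HS256"],
}

# Constructed compliant counterpart: same layout behind TLS.
HTTPS_ISSUER = "https://op.example.internal"
HTTPS_URL = HTTPS_ISSUER + WELL_KNOWN_SUFFIX
HTTPS_DOC = {**SAMPLE_DOC, "issuer": HTTPS_ISSUER,
             **{k: v.replace(SAMPLE_ISSUER, HTTPS_ISSUER)
                for k, v in SAMPLE_DOC.items() if isinstance(v, str)}}

if __name__ == "__main__":
    for name, doc, url in (("sample", SAMPLE_DOC, SAMPLE_URL), ("https", HTTPS_DOC, HTTPS_URL)):
        print(name, check_discovery_document(doc, url) or "OK")
```

Run it against a live provider by loading the JSON from the URL you would paste into Keycloak and passing that same URL as `fetched_from`. For the posted document the only deviation this catches is the plain-http issuer; the thread does not show Keycloak's server-side log, so whether that is the actual cause is not established here, which is why the first reply asks for the stack trace.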

Assuming, as you had mentioned, no network issues or SELinux-type restrictions, is the OpenID IDP correctly set up?

Are you able to check the logs? There should be a stack trace, since the request returns 500.

Hmm, I guess the check is made on the frontend.

Yes, it's set up fine.

When I configured the authorization and token endpoints explicitly, it worked fine for me, but the discovery endpoint still fails.
I was able to integrate it for the time being by explicitly configuring the authorization and token endpoints.