Keycloak unable to discover Discovery endpoint of custom OpenID Connect Provider

MohammedAdain · December 19, 2022, 2:17pm

I am trying to integrate a custom openID connect provider with Keycloak , but Keycloak isn’t able to discover the discovery endpoint of the OP.

The endpoint is accessible both via the browser and curl.

curl -ki -X GET http://adain-dev-aps1.workspaces.corp.win.ia55.net:5000/.well-known/openid-configuration
HTTP/1.1 200 OK
Server: Werkzeug/2.2.2 Python/3.7.15
Date: Mon, 19 Dec 2022 14:01:58 GMT
Content-type: application/json; charset=utf-8
Content-Length: 3859
Pragma: no-cache
Cache-Control: no-store
Connection: close

{"version": "3.0", "token_endpoint_auth_methods_supported": ["client_secret_post", "client_secret_basic", "client_secret_jwt", "private_key_jwt"], "claims_parameter_supported": true, "request_parameter_supported": true, "request_uri_parameter_supported": true, "require_request_uri_registration": true, "grant_types_supported": ["authorization_code", "implicit", "urn:ietf:params:oauth:grant-type:jwt-bearer", "refresh_token"], "subject_types_supported": ["public", "pairwise"], "request_object_signing_alg_values_supported": ["RS256", "RS384", "RS512", "ES256", "ES384", "ES512", "HS256", "HS384", "HS512", "PS256", "PS384", "PS512"], "registration_endpoint": "http://adain-dev-aps1.workspaces.corp.win.ia55.net:5000/registration", "introspection_endpoint": "http://adain-dev-aps1.workspaces.corp.win.ia55.net:5000/introspection", "response_types_supported": ["code", "token", "id_token", "code token", "code id_token", "id_token token", "code id_token token", "none"], "response_modes_supported": ["query", "fragment", "form_post"], "request_object_encryption_alg_values_supported": ["RSA-OAEP", "RSA-OAEP-256", "A128KW", "A192KW", "A256KW", "ECDH-ES", "ECDH-ES+A128KW", "ECDH-ES+A192KW", "ECDH-ES+A256KW"], "request_object_encryption_enc_values_supported": ["A128CBC-HS256", "A192CBC-HS384", "A256CBC-HS512", "A128GCM", "A192GCM", "A256GCM"], "claim_types_supported": ["normal", "aggregated", "distributed"], "authorization_endpoint": "http://adain-dev-aps1.workspaces.corp.win.ia55.net:5000/authorization", "token_endpoint_auth_signing_alg_values_supported": ["RS256", "RS384", "RS512", "ES256", "ES384", "ES512", "HS256", "HS384", "HS512", "PS256", "PS384", "PS512"], "token_endpoint": "http://adain-dev-aps1.workspaces.corp.win.ia55.net:5000/token", "userinfo_signing_alg_values_supported": ["RS256", "RS384", "RS512", "ES256", "ES384", "ES512", "HS256", "HS384", "HS512", "PS256", "PS384", "PS512"], "userinfo_encryption_alg_values_supported": ["RSA-OAEP", "RSA-OAEP-256", "A128KW", "A192KW", "A256KW", "ECDH-ES", "ECDH-ES+A128KW", "ECDH-ES+A192KW", "ECDH-ES+A256KW"], "userinfo_encryption_enc_values_supported": ["A128CBC-HS256", "A192CBC-HS384", "A256CBC-HS512", "A128GCM", "A192GCM", "A256GCM"], "client_authn_method": ["bearer_header", "bearer_body"], "userinfo_endpoint": "http://adain-dev-aps1.workspaces.corp.win.ia55.net:5000/userinfo", "frontchannel_logout_supported": true, "frontchannel_logout_session_supported": true, "backchannel_logout_supported": true, "backchannel_logout_session_supported": true, "check_session_iframe": "http://adain-dev-aps1.workspaces.corp.win.ia55.net:5000/check_session_iframe", "end_session_endpoint": "http://adain-dev-aps1.workspaces.corp.win.ia55.net:5000/session", "issuer": "http://adain-dev-aps1.workspaces.corp.win.ia55.net:5000", "acr_values_supported": ["urn:oasis:names:tc:SAML:2.0:ac:classes:InternetProtocolPassword"], "jwks_uri": "http://adain-dev-aps1.workspaces.corp.win.ia55.net:5000/static/jwks.json", "scopes_supported": ["offline_access", "address", "research_and_scholarship", "phone", "profile", "openid", "email"], "claims_supported": ["address", "preferred_username", "family_name", "phone_number", "name", "gender", "sub", "email_verified", "updated_at", "picture", "middle_name", "profile", "email", "nickname", "locale", "birthdate", "iss", "given_name", "website", "eduperson_scoped_affiliation", "phone_number_verified", "zoneinfo"], "id_token_signing_alg_values_supported": ["RS256", "RS384", "RS512", "ES256", "ES384", "ES512", "HS256", "HS384", "HS512", "PS256", "PS384", "PS512"], "id_token_encryption_alg_values_supported": ["RSA-OAEP", "RSA-OAEP-256", "A128KW", "A192KW", "A256KW", "ECDH-ES", "ECDH-ES+A128KW", "ECDH-ES+A192KW", "ECDH-ES+A256KW"], "id_token_encryption_enc_values_supported": ["A128CBC-HS256", "A192CBC-HS384", "A256CBC-HS512", "A128GCM", "A192GCM", "A256GCM"]}

Any leads here are appreciated.

Thanks,
Mohammed Adain

melancholia · December 19, 2022, 6:02pm

Assuming as you had mentioned no network issues or SELinux type restrictions, is the OpenID IDP correctly set up?

zak · December 28, 2022, 12:30pm

are you able to check the logs ? There should be a stracktrace, since the request returns 500

MohammedAdain · January 5, 2023, 7:52am

Hmm, I guess the check is made on the frontend

MohammedAdain · January 5, 2023, 7:52am

Yes its set up fine.

MohammedAdain · January 5, 2023, 7:54am

When I configured the authorization and token endpoint explicitly, it worked fine for me but the discovery endpoint still fails.
Was able to integrate it for time being by explicitly configuring the authorization and token endpoint.