stayen
April 7, 2021, 5:12pm
1
Trying to integrate Keycloak (12.0.2) with ClassLink OAuth2. After creating corresponding OpenID Connect IdP in Keycloak and trying to authenticate, I get generic error at Keycloak after successfully authenticating at IdP.
The below is shown in logs:
2021-04-07 12:15:19,631 ERROR [org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider] (default task-4) Failed to make identity provider oauth callback: org.keycloak.broker.provider.IdentityBrokerException: No access_token from server.
Client secret may be correct (at least it’s displayed as asterisks)
What can be other possible causes? The following trace (in the log) is rather huge - please let me know what additional data I should provide.
Thank you.
Of course you should to provide that trace. You need be aware of OAuth2 != OIDC. Are you sure that “ClassLink OAuth2” is OIDC compliant IDP?
stayen
April 8, 2021, 2:00pm
3
Hard to say about the compatibility. I have problems with both SAML and OAuth2//OpenID Connect trying to integrate Keycloak with ClassLink.
For reference:
https://launchpad.classlink.com/.well-known/openid-configuration
stayen
April 8, 2021, 2:13pm
4
Here are Keycloak logs after the mentioned error happens.
You have nice backtrace, so you can track it. E.g.
at org.keycloak.broker.oidc.OIDCIdentityProvider.verifyAccessToken(OIDCIdentityProvider.java:515)
}
throw new IdentityBrokerException("Failed to invoke url [" + url + "]: " + msg);
}
return response;
}
private String verifyAccessToken(AccessTokenResponse tokenResponse) {
String accessToken = tokenResponse.getToken();
if (accessToken == null) {
throw new IdentityBrokerException("No access_token from server.");
}
return accessToken;
}
protected boolean verify(JWSInput jws) {
if (!getConfig().isValidateSignature()) return true;
try {
PublicKey publicKey = PublicKeyStorageManager.getIdentityProviderPublicKey(session, session.getContext().getRealm(), getConfig(), jws);
So accessToken is null and backtrack it back to find more details.
stayen
April 21, 2021, 5:56am
6
Well, the studies reveal strange issue. When I enable debug-level logging at Keycloak and intercept the moment it reaches Token URL, the below is seen:
Executing request POST /oauth2/v2/token HTTP/1.1
Target auth state: UNCHALLENGED
Proxy auth state: UNCHALLENGED
http-outgoing-0 >> POST /oauth2/v2/token HTTP/1.1
http-outgoing-0 >> Content-Length: 728
http-outgoing-0 >> Content-Type: application/x-www-form-urlencoded
http-outgoing-0 >> Host: launchpad.classlink.com
http-outgoing-0 >> Connection: Keep-Alive
http-outgoing-0 >> User-Agent: Apache-HttpClient/4.5.13 (Java/1.8.0_282)
http-outgoing-0 >> Accept-Encoding: gzip,deflate
http-outgoing-0 >> "POST /oauth2/v2/token HTTP/1.1[\r][\n]"
http-outgoing-0 >> "Content-Length: 728[\r][\n]"
http-outgoing-0 >> "Content-Type: application/x-www-form-urlencoded[\r][\n]"
http-outgoing-0 >> "Host: launchpad.classlink.com[\r][\n]"
http-outgoing-0 >> "Connection: Keep-Alive[\r][\n]"
http-outgoing-0 >> "User-Agent: Apache-HttpClient/4.5.13 (Java/1.8.0_282)[\r][\n]"
http-outgoing-0 >> "Accept-Encoding: gzip,deflate[\r][\n]"
http-outgoing-0 >> "[\r][\n]"
http-outgoing-0 >> "client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwt-bearer&code=c1618927455070e43ed97293dc1c9ca715cedac5d15792&grant_type=authorization_code&redirect_uri=https%3A%2F%2Fkeycloak.chengtsui.co%2Fauth%2Frealms%2Fsandbox%2Fbroker%2Fchengtsui_openid_test%2Fendpoint&client_assertion=eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIn0.eyJleHAiOjE2MTg5Mjc1MTUsImlhdCI6MTYxODkyNzQ1NSwianRpIjoiODViYTg2NWUtYWE5Ni00NGY0LWIwODUtMzY5MmM1ZGMwODk2IiwiaXNzIjoiYzE2MTg0OTcyODY2MTUyZDI1Y2QxZTdiZGFjZDAwNGZiZWNhYjY0MTRjMTQiLCJhdWQiOiJodHRwczovL2xhdW5jaHBhZC5jbGFzc2xpbmsuY29tL29hdXRoMi92Mi90b2tlbiIsInN1YiI6ImMxNjE4NDk3Mjg2NjE1MmQyNWNkMWU3YmRhY2QwMDRmYmVjYWI2NDE0YzE0IiwidHlwIjoiSldUIn0.4rNozD95yHh0rK2DmzD7dfQG7ASX-_Q1SlfwcUGcaJk"
http-outgoing-0 << "HTTP/1.1 400 Bad Request[\r][\n]"
http-outgoing-0 << "Date: Tue, 20 Apr 2021 14:04:15 GMT[\r][\n]"
http-outgoing-0 << "Content-Type: application/json; charset=utf-8[\r][\n]"
http-outgoing-0 << "Content-Length: 87[\r][\n]"
http-outgoing-0 << "Connection: keep-alive[\r][\n]"
http-outgoing-0 << "X-Powered-By: Express[\r][\n]"
http-outgoing-0 << "Content-Security-Policy: frame-ancestors 'self' *.classlink.com *.classlink.io[\r][\n]"
http-outgoing-0 << "Strict-Transport-Security: max-age=31536000; includeSubDomains[\r][\n]"
http-outgoing-0 << "Vary: Origin, X-HTTP-Method-Override, Accept-Encoding[\r][\n]"
http-outgoing-0 << "set-cookie: i18next=en; path=/; expires=Wed, 20 Apr 2022 14:04:15 GMT[\r][\n]"
http-outgoing-0 << "set-cookie: i18next=en; path=/; expires=Wed, 20 Apr 2022 14:04:15 GMT[\r][\n]"
http-outgoing-0 << "set-cookie: connect.sid=s%3AJ4M9VmTOAI0SIQ677Zawowp7ps-tYgh8.f5OrVDep48j0tMpu48tP%2FLev9CHrZQd46c1%2F5vd2pkM; Path=/; HttpOnly; Secure[\r][\n]"
http-outgoing-0 << "Cache-Control: no-store[\r][\n]"
http-outgoing-0 << "Pragma: no-cache[\r][\n]"
http-outgoing-0 << "[\r][\n]"
http-outgoing-0 << "{[\n]"
http-outgoing-0 << " "error": "invalid_request",[\n]"
http-outgoing-0 << " "error_description": "client secret can't be blank"[\n]"
http-outgoing-0 << "}"
Client authentication is set to “Client secret as jwt”, so I am somewhat puzzled now why the IdP requires client secret.
stayen
April 22, 2021, 1:50pm
7
Fixed. I managed to establish Keycloak to ClassLink integration.