stayen
April 7, 2021, 5:12pm
1
Trying to integrate Keycloak (12.0.2) with ClassLink OAuth2. After creating the corresponding OpenID Connect IdP in Keycloak and trying to authenticate, I get a generic error from Keycloak after successfully authenticating at the IdP.
The below is shown in logs:
2021-04-07 12:15:19,631 ERROR [org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider] (default task-4) Failed to make identity provider oauth callback: org.keycloak.broker.provider.IdentityBrokerException: No access_token from server.
The client secret may be correct (at least it’s displayed as asterisks).
Time is set up correctly on the Keycloak server.
What other possible causes are there? The following trace (in the log) is rather huge - please let me know what additional data I should provide.
Thank you.
Of course you should provide that trace. You need to be aware that OAuth2 != OIDC. Are you sure that “ClassLink OAuth2” is an OIDC-compliant IdP?
stayen
April 8, 2021, 2:00pm
3
Hard to say about the compatibility. I have problems with both SAML and OAuth2/OpenID Connect when trying to integrate Keycloak with ClassLink.
For reference:
https://launchpad.classlink.com/.well-known/openid-configuration
stayen
April 8, 2021, 2:13pm
4
Here are Keycloak logs after the mentioned error happens.
You have a nice backtrace, so you can track it. E.g.
at org.keycloak.broker.oidc.OIDCIdentityProvider.verifyAccessToken(OIDCIdentityProvider.java:515)

        }
        throw new IdentityBrokerException("Failed to invoke url [" + url + "]: " + msg);
    }
    return response;
}

private String verifyAccessToken(AccessTokenResponse tokenResponse) {
    String accessToken = tokenResponse.getToken();
    if (accessToken == null) {
        throw new IdentityBrokerException("No access_token from server.");
    }
    return accessToken;
}

protected boolean verify(JWSInput jws) {
    if (!getConfig().isValidateSignature()) return true;
    try {
        PublicKey publicKey = PublicKeyStorageManager.getIdentityProviderPublicKey(session, session.getContext().getRealm(), getConfig(), jws);

So accessToken is null; backtrack from there to find more details.
stayen
April 21, 2021, 5:56am
6
Well, the investigation reveals a strange issue. When I enable debug-level logging in Keycloak and intercept the moment it reaches the Token URL, the below is seen:
Executing request POST /oauth2/v2/token HTTP/1.1
Target auth state: UNCHALLENGED
Proxy auth state: UNCHALLENGED
http-outgoing-0 >> POST /oauth2/v2/token HTTP/1.1
http-outgoing-0 >> Content-Length: 728
http-outgoing-0 >> Content-Type: application/x-www-form-urlencoded
http-outgoing-0 >> Host: launchpad.classlink.com
http-outgoing-0 >> Connection: Keep-Alive
http-outgoing-0 >> User-Agent: Apache-HttpClient/4.5.13 (Java/1.8.0_282)
http-outgoing-0 >> Accept-Encoding: gzip,deflate
http-outgoing-0 >> "POST /oauth2/v2/token HTTP/1.1[\r][\n]"
http-outgoing-0 >> "Content-Length: 728[\r][\n]"
http-outgoing-0 >> "Content-Type: application/x-www-form-urlencoded[\r][\n]"
http-outgoing-0 >> "Host: launchpad.classlink.com[\r][\n]"
http-outgoing-0 >> "Connection: Keep-Alive[\r][\n]"
http-outgoing-0 >> "User-Agent: Apache-HttpClient/4.5.13 (Java/1.8.0_282)[\r][\n]"
http-outgoing-0 >> "Accept-Encoding: gzip,deflate[\r][\n]"
http-outgoing-0 >> "[\r][\n]"
http-outgoing-0 >> "client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwt-bearer&code=c1618927455070e43ed97293dc1c9ca715cedac5d15792&grant_type=authorization_code&redirect_uri=https%3A%2F%2Fkeycloak.chengtsui.co%2Fauth%2Frealms%2Fsandbox%2Fbroker%2Fchengtsui_openid_test%2Fendpoint&client_assertion=eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIn0.eyJleHAiOjE2MTg5Mjc1MTUsImlhdCI6MTYxODkyNzQ1NSwianRpIjoiODViYTg2NWUtYWE5Ni00NGY0LWIwODUtMzY5MmM1ZGMwODk2IiwiaXNzIjoiYzE2MTg0OTcyODY2MTUyZDI1Y2QxZTdiZGFjZDAwNGZiZWNhYjY0MTRjMTQiLCJhdWQiOiJodHRwczovL2xhdW5jaHBhZC5jbGFzc2xpbmsuY29tL29hdXRoMi92Mi90b2tlbiIsInN1YiI6ImMxNjE4NDk3Mjg2NjE1MmQyNWNkMWU3YmRhY2QwMDRmYmVjYWI2NDE0YzE0IiwidHlwIjoiSldUIn0.4rNozD95yHh0rK2DmzD7dfQG7ASX-_Q1SlfwcUGcaJk"
http-outgoing-0 << "HTTP/1.1 400 Bad Request[\r][\n]"
http-outgoing-0 << "Date: Tue, 20 Apr 2021 14:04:15 GMT[\r][\n]"
http-outgoing-0 << "Content-Type: application/json; charset=utf-8[\r][\n]"
http-outgoing-0 << "Content-Length: 87[\r][\n]"
http-outgoing-0 << "Connection: keep-alive[\r][\n]"
http-outgoing-0 << "X-Powered-By: Express[\r][\n]"
http-outgoing-0 << "Content-Security-Policy: frame-ancestors 'self' *.classlink.com *.classlink.io[\r][\n]"
http-outgoing-0 << "Strict-Transport-Security: max-age=31536000; includeSubDomains[\r][\n]"
http-outgoing-0 << "Vary: Origin, X-HTTP-Method-Override, Accept-Encoding[\r][\n]"
http-outgoing-0 << "set-cookie: i18next=en; path=/; expires=Wed, 20 Apr 2022 14:04:15 GMT[\r][\n]"
http-outgoing-0 << "set-cookie: i18next=en; path=/; expires=Wed, 20 Apr 2022 14:04:15 GMT[\r][\n]"
http-outgoing-0 << "set-cookie: connect.sid=s%3AJ4M9VmTOAI0SIQ677Zawowp7ps-tYgh8.f5OrVDep48j0tMpu48tP%2FLev9CHrZQd46c1%2F5vd2pkM; Path=/; HttpOnly; Secure[\r][\n]"
http-outgoing-0 << "Cache-Control: no-store[\r][\n]"
http-outgoing-0 << "Pragma: no-cache[\r][\n]"
http-outgoing-0 << "[\r][\n]"
http-outgoing-0 << "{[\n]"
http-outgoing-0 << " "error": "invalid_request",[\n]"
http-outgoing-0 << " "error_description": "client secret can't be blank"[\n]"
http-outgoing-0 << "}"
Client authentication is set to “Client secret as jwt”, so I am somewhat puzzled now as to why the IdP requires a client secret.
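The form body in the trace above carries a client_assertion (the client_secret_jwt method of RFC 7523, signed with HMAC-SHA256 over the client secret) and no client_secret field, which is exactly what the 400 response complains about. The following is an added example, not code from the thread, from Keycloak or from ClassLink: it decodes the posted assertion without verifying it, rebuilds an equivalent HS256 assertion and checks it the way a token endpoint that does support client_secret_jwt would, and builds the alternative client_secret_post body for comparison. The client id, code, secret and redirect URI used for the rebuilt requests are placeholders; the posted assertion itself cannot be verified here because the real secret is not on the page.

```python
"""Decode the client_secret_jwt assertion from the Keycloak trace and rebuild
the two client-authentication forms. Added example; not code from the thread,
Keycloak or ClassLink. Standard library only."""
import base64
import hashlib
import hmac
import json
import time
import uuid
from urllib.parse import parse_qs, urlencode

TOKEN_ENDPOINT = "https://launchpad.classlink.com/oauth2/v2/token"
ASSERTION_TYPE = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"

# Form body exactly as Keycloak sent it in the trace above (one field per line).
POSTED_FORM = (
    "client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwt-bearer"
    "&code=c1618927455070e43ed97293dc1c9ca715cedac5d15792"
    "&grant_type=authorization_code"
    "&redirect_uri=https%3A%2F%2Fkeycloak.chengtsui.co%2Fauth%2Frealms%2Fsandbox%2Fbroker%2Fchengtsui_openid_test%2Fendpoint"
    "&client_assertion=eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIn0."
    "eyJleHAiOjE2MTg5Mjc1MTUsImlhdCI6MTYxODkyNzQ1NSwianRpIjoiODViYTg2NWUtYWE5Ni00NGY0LWIwODUtMzY5MmM1ZGMwODk2IiwiaXNzIjoiYzE2MTg0OTcyODY2MTUyZDI1Y2QxZTdiZGFjZDAwNGZiZWNhYjY0MTRjMTQiLCJhdWQiOiJodHRwczovL2xhdW5jaHBhZC5jbGFzc2xpbmsuY29tL29hdXRoMi92Mi90b2tlbiIsInN1YiI6ImMxNjE4NDk3Mjg2NjE1MmQyNWNkMWU3YmRhY2QwMDRmYmVjYWI2NDE0YzE0IiwidHlwIjoiSldUIn0."
    "4rNozD95yHh0rK2DmzD7dfQG7ASX-_Q1SlfwcUGcaJk"
)


def b64url_decode(s: str) -> bytes:
    # JWTs drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def decode_unverified(jwt: str):
    """Header and claims of a JWT, without checking the signature."""
    hdr_b64, claims_b64, _sig_b64 = jwt.split(".")
    return json.loads(b64url_decode(hdr_b64)), json.loads(b64url_decode(claims_b64))


def client_secret_jwt(client_id, client_secret, token_endpoint, now=None, lifetime=60):
    """Build an RFC 7523 client assertion: iss = sub = client id, aud = token endpoint,
    HS256 keyed with the client secret. This mirrors the claim set seen in the trace."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": client_id, "sub": client_id, "aud": token_endpoint,
              "jti": str(uuid.uuid4()), "iat": now, "exp": now + lifetime}
    compact = lambda obj: b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = compact(header) + "." + compact(claims)
    sig = hmac.new(client_secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_client_secret_jwt(jwt, client_secret, token_endpoint, now=None):
    """What a token endpoint that supports client_secret_jwt checks: algorithm,
    HMAC over header.payload, audience, issuer/subject match and expiry."""
    now = int(time.time()) if now is None else now
    try:
        hdr_b64, claims_b64, sig_b64 = jwt.split(".")
        header = json.loads(b64url_decode(hdr_b64))
        claims = json.loads(b64url_decode(claims_b64))
        sig = b64url_decode(sig_b64)
    except (ValueError, json.JSONDecodeError):
        return False
    if header.get("alg") != "HS256":
        return False
    expected = hmac.new(client_secret.encode(), f"{hdr_b64}.{claims_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return False
    return (claims.get("iss") == claims.get("sub")
            and claims.get("aud") == token_endpoint
            and claims.get("exp", 0) > now)


def token_request_form(client_id, code, redirect_uri, auth_method, client_secret,
                       token_endpoint=TOKEN_ENDPOINT, now=None):
    """Token request body for the two secret-based client authentication methods."""
    form = {"grant_type": "authorization_code", "code": code, "redirect_uri": redirect_uri}
    if auth_method == "client_secret_post":
        form["client_id"] = client_id
        form["client_secret"] = client_secret
    elif auth_method == "client_secret_jwt":
        form["client_assertion_type"] = ASSERTION_TYPE
        form["client_assertion"] = client_secret_jwt(client_id, client_secret, token_endpoint, now)
    else:
        raise ValueError(f"unsupported auth method {auth_method!r}")
    return urlencode(form)


def describe_posted_request(form_body):
    """Summarise what the client actually sent: which auth method, and the assertion claims."""
    fields = {k: v[0] for k, v in parse_qs(form_body).items()}
    header, claims = decode_unverified(fields["client_assertion"])
    return {"has_client_secret": "client_secret" in fields,
            "assertion_type": fields.get("client_assertion_type"),
            "alg": header["alg"], "iss": claims["iss"], "sub": claims["sub"],
            "aud": claims["aud"], "lifetime": claims["exp"] - claims["iat"]}


if __name__ == "__main__":
    print(json.dumps(describe_posted_request(POSTED_FORM), indent=2))
    print(token_request_form("placeholder-client-id", "placeholder-code",
                             "https://rp.example/cb", "client_secret_post", "placeholder-secret"))
```

Running it shows that the posted request authenticates only with an assertion whose iss and sub are the client id, whose aud is the token endpoint and which lives for 60 seconds; whether an IdP accepts that form, rather than a client_secret field, is advertised in the token_endpoint_auth_methods_supported list of its openid-configuration document, which is worth comparing against the "Client authentication" setting chosen in Keycloak.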
stayen
April 22, 2021, 1:50pm
7
Fixed. I managed to establish the Keycloak to ClassLink integration.