I am having trouble configuring OpenShiftV4’s oauth server as an identity provider in Keycloak.
And after looking at the problem, it seems to be that it cannot actually work at all conceptually. Looking for insight on this.
(Just to be clear, I’m looking to use openshiftv4 as an IDP for Keycloak, not to use Keycloak as an IDP for openshift.)
I create an identity provider (in Keycloak 10) and select the preconfigured type “openshiftv4”. I fill in the base api url and all the details. Also made sure my Keycloak instance has the necessary certs to be able to talk to openshift.
When I try my SSO login sequence, I get redirected to the openshift login page as expected. I authenticate there successfully, but upon the redirect back to Keycloak, some error is displayed on the screen. The Keycloak logs show this:
2020-08-27 21:20:46,459 ERROR [org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider] (default task-46) Failed to make identity provider oauth callback: org.keycloak.broker.provider.IdentityBrokerException: Could not obtain user profile from Openshift. ... at firstname.lastname@example.org.Final//org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1377) at java.base/java.lang.Thread.run(Thread.java:834) Caused by: java.lang.RuntimeException: No identifier provider for identity. at email@example.com//org.keycloak.broker.provider.B...
Well… yes, it makes sense. The openshift api does not provide a fully compliant OIDC set of endpoints, only OAuth2, as is confirmed by looking at the /.well-known/oauth-configuration openshift discovery endpoint.
So there is no userinfo endpoint to talk to. I am assuming that is what the problem is here. I tried turning off the “userinfo” toggle in the Keycloak identity provider in the hope that it might skip that step and let me enter things manually, to no avail.
Seeing similarities with https://github.com/openshift/origin/issues/18013, I’m wondering what I’m missing: if openshiftv4 is NOT an oidc provider, then why is it in the list of available identity providers in Keycloak?
Was there an oversight (and it’s not supposed to be there), or am I missing something?
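A quick way to check, before wiring up a broker, whether an authorization server advertises any way to learn the user's identity (an id_token or a userinfo endpoint) is to classify its discovery document. This is an added example, not code from the original post or from Keycloak; the two discovery documents are constructed to resemble OpenShift's OAuth-only metadata and a full OIDC provider, and the hostnames are placeholders.

```python
import json

def classify_discovery(doc: dict) -> dict:
    """Report which identity sources an authorization server's metadata advertises.

    Accepts either an OIDC discovery document (/.well-known/openid-configuration)
    or plain OAuth 2.0 authorization-server metadata (RFC 8414 style), which is
    the shape OpenShift publishes. Assumption: a generic OIDC broker needs
    either an id_token (verifiable via jwks_uri) or a userinfo endpoint.
    """
    response_types = doc.get("response_types_supported", [])
    # "code id_token" is a space-separated combination, so split each entry
    has_id_token = any("id_token" in rt.split() for rt in response_types)
    has_userinfo = "userinfo_endpoint" in doc
    has_jwks = "jwks_uri" in doc
    return {
        "issuer": doc.get("issuer"),
        "identity_via_id_token": has_id_token and has_jwks,
        "identity_via_userinfo": has_userinfo,
        "oauth2_only": not (has_id_token or has_userinfo),
    }

def classify_discovery_json(text: str) -> dict:
    """Same check, starting from the raw JSON body of the discovery endpoint."""
    return classify_discovery(json.loads(text))

# Constructed sample: OAuth 2.0-only metadata in the style OpenShift returns
OPENSHIFT_LIKE = {
    "issuer": "https://oauth-openshift.apps.example.invalid",
    "authorization_endpoint": "https://oauth-openshift.apps.example.invalid/oauth/authorize",
    "token_endpoint": "https://oauth-openshift.apps.example.invalid/oauth/token",
    "scopes_supported": ["user:full", "user:info", "user:check-access"],
    "response_types_supported": ["code", "token"],
    "grant_types_supported": ["authorization_code", "implicit"],
    "code_challenge_methods_supported": ["plain", "S256"],
}

# Constructed sample: a full OIDC provider (userinfo, jwks, id_token flows)
OIDC_LIKE = {
    "issuer": "https://idp.example.invalid/realms/demo",
    "authorization_endpoint": "https://idp.example.invalid/realms/demo/protocol/openid-connect/auth",
    "token_endpoint": "https://idp.example.invalid/realms/demo/protocol/openid-connect/token",
    "userinfo_endpoint": "https://idp.example.invalid/realms/demo/protocol/openid-connect/userinfo",
    "jwks_uri": "https://idp.example.invalid/realms/demo/protocol/openid-connect/certs",
    "response_types_supported": ["code", "id_token", "code id_token"],
}

if __name__ == "__main__":
    for name, doc in (("openshift-like", OPENSHIFT_LIKE), ("oidc-like", OIDC_LIKE)):
        print(name, classify_discovery(doc))
```

Run against the real endpoint's JSON body with `classify_discovery_json`; an `oauth2_only` result means the broker has nothing to call after the token exchange, which matches the "Could not obtain user profile" failure above.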