Afternoon all...
I am trying to connect Keycloak IdM to OneLogin using the OpenID Connect protocol.
I managed to get both sides set up, but when I try to authenticate through Keycloak I get the following error:
Failed to make identity provider oauth callback: org.keycloak.broker.provider.IdentityBrokerException: No access_token from server.
at org.keycloak.broker.oidc.OIDCIdentityProvider.verifyAccessToken(OIDCIdentityProvider.java:297)
Running Keycloak with DEBUG logging, I can see the error returned from OneLogin is as follows:
2017-09-26 16:38:09,986 DEBUG [org.apache.http.wire] (default task-4) http-outgoing-2 >> "POST /oidc/token HTTP/1.1[\r][\n]"
2017-09-26 16:38:09,986 DEBUG [org.apache.http.wire] (default task-4) http-outgoing-2 >> "Content-Length: 677[\r][\n]"
2017-09-26 16:38:09,986 DEBUG [org.apache.http.wire] (default task-4) http-outgoing-2 >> "Content-Type: application/x-www-form-urlencoded[\r][\n]"
2017-09-26 16:38:09,986 DEBUG [org.apache.http.wire] (default task-4) http-outgoing-2 >> "Host: ***.onelogin.com[\r][\n]"
2017-09-26 16:38:09,986 DEBUG [org.apache.http.wire] (default task-4) http-outgoing-2 >> "Connection: Keep-Alive[\r][\n]"
2017-09-26 16:38:09,986 DEBUG [org.apache.http.wire] (default task-4) http-outgoing-2 >> "User-Agent: Apache-HttpClient/4.5 (Java/1.8.0_112)[\r][\n]"
2017-09-26 16:38:09,986 DEBUG [org.apache.http.wire] (default task-4) http-outgoing-2 >> "Accept-Encoding: gzip,deflate[\r][\n]"
2017-09-26 16:38:09,986 DEBUG [org.apache.http.wire] (default task-4) http-outgoing-2 >> "[\r][\n]"
2017-09-26 16:38:09,986 DEBUG [org.apache.http.wire] (default task-4) http-outgoing-2 >> "code=**redacted**&grant_type=authorization_code&client_secret=**redacted**&redirect_uri=https%3A%2F%2Fidm01.**redacted-url**%2Fendpoint&client_id=**redacted**"
2017-09-26 16:38:10,391 DEBUG [org.apache.http.wire] (default task-4) http-outgoing-2 << "HTTP/1.1 400 Bad Request[\r][\n]"
2017-09-26 16:38:10,391 DEBUG [org.apache.http.wire] (default task-4) http-outgoing-2 << "Cache-Control: no-cache, no-store[\r][\n]"
2017-09-26 16:38:10,391 DEBUG [org.apache.http.wire] (default task-4) http-outgoing-2 << "Content-Type: application/json; charset=utf-8[\r][\n]"
2017-09-26 16:38:10,391 DEBUG [org.apache.http.wire] (default task-4) http-outgoing-2 << "Date: Tue, 26 Sep 2017 15:38:10 GMT[\r][\n]"
2017-09-26 16:38:10,391 DEBUG [org.apache.http.wire] (default task-4) http-outgoing-2 << "Pragma: no-cache[\r][\n]"
2017-09-26 16:38:10,391 DEBUG [org.apache.http.wire] (default task-4) http-outgoing-2 << "X-Content-Type-Options: nosniff[\r][\n]"
2017-09-26 16:38:10,391 DEBUG [org.apache.http.wire] (default task-4) http-outgoing-2 << "X-Powered-By: Express[\r][\n]"
2017-09-26 16:38:10,391 DEBUG [org.apache.http.wire] (default task-4) http-outgoing-2 << "X-Xss-Protection: 1; mode=block[\r][\n]"
2017-09-26 16:38:10,391 DEBUG [org.apache.http.wire] (default task-4) http-outgoing-2 << "Content-Length: 108[\r][\n]"
2017-09-26 16:38:10,391 DEBUG [org.apache.http.wire] (default task-4) http-outgoing-2 << "Connection: keep-alive[\r][\n]"
2017-09-26 16:38:10,391 DEBUG [org.apache.http.wire] (default task-4) http-outgoing-2 << "[\r][\n]"
2017-09-26 16:38:10,391 DEBUG [org.apache.http.wire] (default task-4) http-outgoing-2 << "{"error":"invalid_request","error_description":"client_secret must be provided in the Authorization header"}"
Sounds fairly simple, but looking around I found conflicting information as to whether the "Authorization" header is required if the request already contains the client_id and client_secret.
e.g. Google Identity Platform docs and Auth0 docs
Is this a bug in Keycloak, or a bug in OneLogin?
Thanks in advance for any replies.
Regards
Gavin
Answer 0 (score: 0)
Not familiar with Keycloak, but we expect the client id/secret to be sent as a Basic auth header, rather than in the URL or the body of the request (which is what this looks like).
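The two client-authentication styles at issue in the question (secret in the form body, as in the Keycloak trace) and in the answer (secret in an HTTP Basic Authorization header, as OneLogin demands) are both defined in RFC 6749 section 2.3.1: an authorization server MUST support the Basic form and MAY support the body form, so a client that only sends the body form is the less interoperable side. The following is an added example, not code from the original post, from Keycloak or from OneLogin. It builds the token request both ways and runs them against a toy token endpoint that models the observed OneLogin behaviour (Basic only); the client id, secret, code and redirect URI are constructed placeholders, and everything runs offline.

```python
"""Added example (not from the original post, Keycloak or OneLogin):
the two ways an OAuth 2.0 client can authenticate to the token endpoint
(RFC 6749 section 2.3.1), plus a toy server that, like OneLogin in the
trace above, accepts only the HTTP Basic form. No network calls are made."""
from __future__ import annotations

import base64
import json
from urllib.parse import parse_qs, quote, unquote, urlencode

# Constructed placeholder values (assumptions, not real credentials).
CLIENT_ID = "keycloak-broker"
CLIENT_SECRET = "s3cr3t/with+special chars"
CODE = "SplxlOBeZQQYbYS6WxSbIA"
REDIRECT_URI = "https://idm01.example.com/endpoint"

BASIC_ONLY_ERROR = {
    "error": "invalid_request",
    "error_description": "client_secret must be provided in the Authorization header",
}


def basic_auth_header(client_id: str, client_secret: str) -> str:
    """RFC 6749 2.3.1: form-urlencode id and secret, join with ':', base64-encode."""
    creds = f"{quote(client_id, safe='')}:{quote(client_secret, safe='')}"
    return "Basic " + base64.b64encode(creds.encode("ascii")).decode("ascii")


def token_request_post(code: str) -> tuple[dict, str]:
    """client_secret_post: the shape in the Keycloak wire trace (secret in the body)."""
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    body = urlencode({
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,
        "client_id": CLIENT_ID,
        "client_secret": CLIENT_SECRET,
    })
    return headers, body


def token_request_basic(code: str) -> tuple[dict, str]:
    """client_secret_basic: the shape OneLogin's error message asks for."""
    headers = {
        "Content-Type": "application/x-www-form-urlencoded",
        "Authorization": basic_auth_header(CLIENT_ID, CLIENT_SECRET),
    }
    body = urlencode({
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,
    })
    return headers, body


def toy_token_endpoint(headers: dict, body: str) -> tuple[int, dict]:
    """Toy server modelling the observed OneLogin behaviour: Basic auth only.
    (RFC 6749: a server MUST support Basic and MAY support the body form.)"""
    form = {k: v[0] for k, v in parse_qs(body).items()}
    auth = headers.get("Authorization", "")
    if not auth.startswith("Basic "):
        return 400, dict(BASIC_ONLY_ERROR)
    try:
        decoded = base64.b64decode(auth[len("Basic "):], validate=True).decode("ascii")
        enc_id, enc_secret = decoded.split(":", 1)   # ValueError if no ':'
    except ValueError:                               # covers binascii.Error too
        return 401, {"error": "invalid_client"}
    if (unquote(enc_id), unquote(enc_secret)) != (CLIENT_ID, CLIENT_SECRET):
        return 401, {"error": "invalid_client"}
    if form.get("grant_type") != "authorization_code" or form.get("code") != CODE:
        return 400, {"error": "invalid_grant"}
    # Constructed token; a real server would mint and sign one.
    return 200, {"access_token": "constructed-access-token",
                 "token_type": "Bearer", "expires_in": 3600}


def exchange(code: str, use_basic: bool) -> tuple[int, dict]:
    """Send the code to the toy endpoint using one of the two client auth styles."""
    headers, body = token_request_basic(code) if use_basic else token_request_post(code)
    return toy_token_endpoint(headers, body)


if __name__ == "__main__":
    for use_basic in (False, True):
        status, resp = exchange(CODE, use_basic)
        print("basic" if use_basic else "post", status, json.dumps(resp))
```

Run as a script it reproduces the 400 from the trace for the body form and a 200 for the Basic form. Two practitioner notes: the header must be built from the form-urlencoded id and secret (a secret containing `:` or `/` would otherwise be mangled), and the `org.apache.http.wire` logger used above prints the full request body, including `client_secret` and the authorization code, so it should only be enabled briefly while debugging and the output treated as sensitive, as the poster's redactions already reflect.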