All afternoon...
I am trying to connect Keycloak IdM to OneLogin using the OpenID Connect protocol.
I have successfully completed the setup on both sides, but when I try to authenticate through Keycloak I get the following error:
Failed to make identity provider oauth callback: org.keycloak.broker.provider.IdentityBrokerException: No access_token from server.
at org.keycloak.broker.oidc.OIDCIdentityProvider.verifyAccessToken(OIDCIdentityProvider.java:297)
Running Keycloak with DEBUG logging, I can see that the error returned by OneLogin is as follows:
2017-09-26 16:38:09,986 DEBUG [org.apache.http.wire] (default task-4) http-outgoing-2 >> "POST /oidc/token HTTP/1.1[\r][\n]"
2017-09-26 16:38:09,986 DEBUG [org.apache.http.wire] (default task-4) http-outgoing-2 >> "Content-Length: 677[\r][\n]"
2017-09-26 16:38:09,986 DEBUG [org.apache.http.wire] (default task-4) http-outgoing-2 >> "Content-Type: application/x-www-form-urlencoded[\r][\n]"
2017-09-26 16:38:09,986 DEBUG [org.apache.http.wire] (default task-4) http-outgoing-2 >> "Host: ***.onelogin.com[\r][\n]"
2017-09-26 16:38:09,986 DEBUG [org.apache.http.wire] (default task-4) http-outgoing-2 >> "Connection: Keep-Alive[\r][\n]"
2017-09-26 16:38:09,986 DEBUG [org.apache.http.wire] (default task-4) http-outgoing-2 >> "User-Agent: Apache-HttpClient/4.5 (Java/1.8.0_112)[\r][\n]"
2017-09-26 16:38:09,986 DEBUG [org.apache.http.wire] (default task-4) http-outgoing-2 >> "Accept-Encoding: gzip,deflate[\r][\n]"
2017-09-26 16:38:09,986 DEBUG [org.apache.http.wire] (default task-4) http-outgoing-2 >> "[\r][\n]"
2017-09-26 16:38:09,986 DEBUG [org.apache.http.wire] (default task-4) http-outgoing-2 >> "code=**redacted**&grant_type=authorization_code&client_secret=**redacted**&redirect_uri=https%3A%2F%2Fidm01.**redacted-url**%2Fendpoint&client_id=**redacted**"
2017-09-26 16:38:10,391 DEBUG [org.apache.http.wire] (default task-4) http-outgoing-2 << "HTTP/1.1 400 Bad Request[\r][\n]"
2017-09-26 16:38:10,391 DEBUG [org.apache.http.wire] (default task-4) http-outgoing-2 << "Cache-Control: no-cache, no-store[\r][\n]"
2017-09-26 16:38:10,391 DEBUG [org.apache.http.wire] (default task-4) http-outgoing-2 << "Content-Type: application/json; charset=utf-8[\r][\n]"
2017-09-26 16:38:10,391 DEBUG [org.apache.http.wire] (default task-4) http-outgoing-2 << "Date: Tue, 26 Sep 2017 15:38:10 GMT[\r][\n]"
2017-09-26 16:38:10,391 DEBUG [org.apache.http.wire] (default task-4) http-outgoing-2 << "Pragma: no-cache[\r][\n]"
2017-09-26 16:38:10,391 DEBUG [org.apache.http.wire] (default task-4) http-outgoing-2 << "X-Content-Type-Options: nosniff[\r][\n]"
2017-09-26 16:38:10,391 DEBUG [org.apache.http.wire] (default task-4) http-outgoing-2 << "X-Powered-By: Express[\r][\n]"
2017-09-26 16:38:10,391 DEBUG [org.apache.http.wire] (default task-4) http-outgoing-2 << "X-Xss-Protection: 1; mode=block[\r][\n]"
2017-09-26 16:38:10,391 DEBUG [org.apache.http.wire] (default task-4) http-outgoing-2 << "Content-Length: 108[\r][\n]"
2017-09-26 16:38:10,391 DEBUG [org.apache.http.wire] (default task-4) http-outgoing-2 << "Connection: keep-alive[\r][\n]"
2017-09-26 16:38:10,391 DEBUG [org.apache.http.wire] (default task-4) http-outgoing-2 << "[\r][\n]"
2017-09-26 16:38:10,391 DEBUG [org.apache.http.wire] (default task-4) http-outgoing-2 << "{"error":"invalid_request","error_description":"client_secret must be provided in the Authorization header"}"
Sounds fairly simple, but when looking around I see conflicting information about whether the "Authorization" header is required if the request already includes client_id and client_secret.
For example the Google Identity Platform documentation and the Auth0 documentation.
So is this a bug in Keycloak, or a bug in OneLogin?
Thanks in advance for any replies.
Regards
Gavin
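The two ways a client may present its secret at the token endpoint (RFC 6749 section 2.3.1: HTTP Basic in the Authorization header, or client_id/client_secret in the form body), as an added example that is not part of the post above. Both the request builder and the server-side check are constructed for illustration; the client id, secret, code and redirect URI are made-up sample values, and the "accepted" tuple models a provider that, like the one in the log, only honours the header form.

```python
import base64
from urllib.parse import quote, unquote, urlencode, parse_qs

def basic_auth_header(client_id, client_secret):
    # RFC 6749 s2.3.1: percent-encode id and secret, join with ':', base64 the pair.
    raw = f"{quote(client_id, safe='')}:{quote(client_secret, safe='')}"
    return "Basic " + base64.b64encode(raw.encode("ascii")).decode("ascii")

def build_token_request(code, redirect_uri, client_id, client_secret, method):
    """Client side: (headers, body) for an authorization_code grant, authenticating
    with either 'client_secret_basic' (header) or 'client_secret_post' (form body)."""
    form = {"grant_type": "authorization_code", "code": code, "redirect_uri": redirect_uri}
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if method == "client_secret_basic":
        headers["Authorization"] = basic_auth_header(client_id, client_secret)
    elif method == "client_secret_post":
        form["client_id"] = client_id
        form["client_secret"] = client_secret
    else:
        raise ValueError(f"unsupported client auth method: {method}")
    return headers, urlencode(form)

def extract_client_credentials(headers, body, accepted=("client_secret_basic",)):
    """Token-endpoint side: recover (client_id, client_secret) from the request.
    Rejects a request that uses both mechanisms (forbidden by RFC 6749 s2.3) and
    one that uses a mechanism the server does not accept (the OneLogin-style 400)."""
    auth = headers.get("Authorization", "")
    form = parse_qs(body, keep_blank_values=True)  # percent-decodes values
    in_header = auth.startswith("Basic ")
    in_body = "client_secret" in form
    if in_header and in_body:
        raise ValueError("invalid_request: credentials sent via two mechanisms")
    if in_header:
        if "client_secret_basic" not in accepted:
            raise ValueError("invalid_request: Basic client auth not accepted")
        decoded = base64.b64decode(auth[len("Basic "):]).decode("ascii")
        cid, _, secret = decoded.partition(":")
        return unquote(cid), unquote(secret)
    if in_body:
        if "client_secret_post" not in accepted:
            raise ValueError("invalid_request: client_secret must be provided in the Authorization header")
        return form["client_id"][0], form["client_secret"][0]
    raise ValueError("invalid_client: no client credentials presented")
```

A Keycloak-side mismatch like the one in the log is therefore a configuration question (which client authentication method the broker uses versus which the provider accepts) rather than a defect in the grant itself.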