Liferay 7.3.1-ga2, Keycloak & OpenID Connect : Login not working
New Member, Posts: 4, Join Date: 1/18/22
I faced some issues when trying to connect Keycloak and Liferay via OpenID.
After redirecting from the Keycloak login screen to Liferay I get the following message:
Internal Server Error
An error occurred while accessing the requested resource.
http://localhost:8050/c/portal/login/openidconnect?state=mHG10v_x909fMvyyHvC_OH50YfBC54DCqA4lnxihOfY&session_state=bc88d432-d515-4bb6-b63b-c94581aad6ea&code=756ee9f6-2790-4482-b6a0-a7772a23ba21.bc88d432-d515-4bb6-b63b-c94581aad6ea.e54e192d-529a-47be-81d3-7c5c7b4168f5
In the Liferay log I can see the following trace:
2022-01-18 09:42:02.650 ERROR [http-nio-8080-exec-2][OpenIdConnectFilter:132] Unable to process OpenID Connect authentication response: Unable to get tokens from http://localhost:8051/auth/realms/liferay/protocol/openid-connect/token: Connection refused (Connection refused)
com.liferay.portal.security.sso.openid.connect.OpenIdConnectServiceException$TokenException: Unable to get tokens from http://localhost:8051/auth/realms/liferay/protocol/openid-connect/token: Connection refused (Connection refused)
I use the liferay/portal:7.3.1-ga2-202004031138 with keycloak:13.0.1.
BR
RE: Liferay 7.3.1-ga2, Keycloak & OpenID Connect : Login not working
Liferay Master, Posts: 728, Join Date: 1/5/10
Hi Marko,
It's hard to say anything useful with this information only. Are you sure the connection to the given URL should work? Have you checked whether the ports are correct, etc.?
If you could share your complete configuration (as a screenshot, for example), that may help us give some further help.
Zsigmond
RE: RE: Liferay 7.3.1-ga2, Keycloak & OpenID Connect : Login not working
New Member, Posts: 4, Join Date: 1/18/22
Hi Zsigmond, thank you for the response.
URLs look fine.
Liferay is running on port 8050 and Keycloak is running on 8051.
Client secret is correct.
Settings:
Liferay identity provider settings
authorizationEndPoint="http://localhost:8051/auth/realms/liferay/protocol/openid-connect/auth"
discoveryEndPoint=""
discoveryEndPointCacheInMillis="360000"
idTokenSigningAlgValues=[ \
"RS256", \
]
issuerURL="http://localhost:8051/auth/realms/liferay"
jwksURI="http://localhost:8051/auth/realms/liferay/protocol/openid-connect/certs"
openIdConnectClientId="keycloak-client"
openIdConnectClientSecret="4f76b627-5af0-4c3f-a366-e6d1851cb6b6"
providerName="keycloak-identity-provider"
scopes="openid\ email\ profile"
subjectTypes=[ \
"public", \
]
tokenEndPoint="http://localhost:8051/auth/realms/liferay/protocol/openid-connect/token"
userInfoEndPoint="http://localhost:8051/auth/realms/liferay/protocol/openid-connect/userinfo"
Keycloak client:
{
  "id": "e54e192d-529a-47be-81d3-7c5c7b4168f5",
  "clientId": "keycloak-client",
  "name": "Keycloak Client",
  "rootUrl": "",
  "adminUrl": "",
  "surrogateAuthRequired": false,
  "enabled": true,
  "alwaysDisplayInConsole": false,
  "clientAuthenticatorType": "client-secret",
  "secret": "**********",
  "redirectUris": [
    "http://localhost:8050/*"
  ],
  "webOrigins": [
    ""
  ],
  "notBefore": 0,
  "bearerOnly": false,
  "consentRequired": false,
  "standardFlowEnabled": true,
  "implicitFlowEnabled": false,
  "directAccessGrantsEnabled": true,
  "serviceAccountsEnabled": false,
  "publicClient": false,
  "frontchannelLogout": false,
  "protocol": "openid-connect",
  "attributes": {
    "saml.assertion.signature": "false",
    "saml.force.post.binding": "false",
    "saml.multivalued.roles": "false",
    "saml.encrypt": "false",
    "login_theme": "keycloak",
    "oauth2.device.authorization.grant.enabled": "false",
    "backchannel.logout.revoke.offline.tokens": "false",
    "saml.server.signature": "false",
    "saml.server.signature.keyinfo.ext": "false",
    "use.refresh.tokens": "true",
    "exclude.session.state.from.auth.response": "false",
    "oidc.ciba.grant.enabled": "false",
    "saml.artifact.binding": "false",
    "backchannel.logout.session.required": "true",
    "client_credentials.use_refresh_token": "false",
    "saml_force_name_id_format": "false",
    "saml.client.signature": "false",
    "tls.client.certificate.bound.access.tokens": "false",
    "saml.authnstatement": "false",
    "display.on.consent.screen": "false",
    "saml.onetimeuse.condition": "false"
  },
  "authenticationFlowBindingOverrides": {},
  "fullScopeAllowed": true,
  "nodeReRegistrationTimeout": -1,
  "defaultClientScopes": [
    "web-origins",
    "profile",
    "roles",
    "email"
  ],
  "optionalClientScopes": [
    "address",
    "phone",
    "offline_access",
    "microprofile-jwt"
  ]
}
Keycloak identity provider:
{
  "alias": "keycloak-identity-provider",
  "displayName": "keycloak identity provider",
  "internalId": "d5d64999-9a0a-49d3-b493-0c7dd8a97721",
  "providerId": "oidc",
  "enabled": true,
  "updateProfileFirstLoginMode": "on",
  "trustEmail": false,
  "storeToken": false,
  "addReadTokenRoleOnCreate": false,
  "authenticateByDefault": false,
  "linkOnly": false,
  "firstBrokerLoginFlowAlias": "first broker login",
  "config": {
    "clientId": "keycloak-client",
    "tokenUrl": "http://localhost:8051/auth/realms/liferay/protocol/openid-connect/token",
    "authorizationUrl": "http://localhost:8051/auth/realms/liferay/protocol/openid-connect/auth",
    "clientAuthMethod": "client_secret_post",
    "logoutUrl": "http://localhost:8051/auth/realms/liferay/protocol/openid-connect/logout",
    "syncMode": "IMPORT",
    "clientSecret": "**********",
    "useJwksUrl": "true"
  }
}
BR
RE: RE: Liferay 7.3.1-ga2, Keycloak & OpenID Connect : Login not working
New Member, Posts: 4, Join Date: 1/18/22
Hi,
Update:
I created a Liferay instance (7.4.2 CE GA3) with the IntelliJ plugin and it worked fine (I was using the same config).
After that I tried the newest Docker image (liferay/portal:7.4.3.7-ga7) and I faced the same issue.
BR
RE: RE: Liferay 7.3.1-ga2, Keycloak & OpenID Connect : Login not working
Liferay Master, Posts: 728, Join Date: 1/5/10
Hi Marko,
Have you seen my latest answer below? I may have replied in the wrong place.
Given your last experience as well, mightn't there still be some communication problem? It may happen that the Keycloak host is not open to Docker.
Zsigmond
RE: Liferay 7.3.1-ga2, Keycloak & OpenID Connect : Login not working
New Member, Posts: 4, Join Date: 1/18/22
Hi Zsigmond,
I have solved the issue. Liferay couldn't connect to the Keycloak container via the container name because I was mistakenly using the host port instead of the container port.
BR
RE: Liferay 7.3.1-ga2, Keycloak & OpenID Connect : Login not working
Liferay Master, Posts: 728, Join Date: 1/5/10
Hi Marko,
Checking your configuration with our team, we have some advice for changing the configuration, but basically we still think, and the error above also suggests, that there is some problem with the connection that should be investigated. The error doesn't relate to the Keycloak configuration; it's more like something wrong with the connection between the Keycloak console and the Liferay portal. Do you use a Docker image of the Liferay portal? Mightn't there be some communication problem? It may happen that the Keycloak host is not open to Docker.
Our further configuration change suggestions, to prevent other problems from happening:
- Replace localhost with another alias to reach Keycloak, to avoid cookie collisions when accessing Liferay with the same alias localhost2.
- Add rootUrl, adminUrl and webOrigins as http://localhost:8050
- In this scenario, we don't need to set useJwksUrl to true.
- Add an eventsListener to Keycloak to print more detailed Keycloak logs.
After the 4th step, open the standalone.xml file under Keycloak/standalone/configuration/ and add the following properties under the <subsystem xmlns="urn:jboss:domain:keycloak-server:1.1"> node:
<spi name="eventsListener">
    <default-provider>jboss-logging</default-provider>
    <provider name="jboss-logging" enabled="true">
        <properties>
            <property name="success-level" value="info"/>
            <property name="error-level" value="warn"/>
        </properties>
    </provider>
</spi>
After making these changes and restarting Keycloak, the log will print detailed info. If you can investigate that detailed log, it can help identify the problem. You can also share that info with us here. We may be able to find something.
Zsigmond
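The two things this thread turned on, Liferay reaching Keycloak via the container name and container port rather than localhost and the host port, and the configuration advice above (rootUrl/webOrigins set to the Liferay origin, clientId and redirect URIs agreeing on both sides), can be checked before the first login attempt. The following Python script is an added example, not code from the thread, from Liferay or from Keycloak. It embeds constructed copies of the configuration posted above, cross-checks the Liferay provider settings against the Keycloak client, flags endpoints that point at localhost when Liferay runs in a container, rewrites them to an assumed Keycloak container address (`keycloak:8080` is an assumption; use your own network name and container port), and finally does the same TCP connect that produced "Connection refused" in the Liferay log, so it is meant to be run from inside the Liferay container.

```python
import socket
from urllib.parse import urlparse

# Constructed sample values modelled on the thread's configuration (not tool output).
LIFERAY_PROVIDER = {
    "issuerURL": "http://localhost:8051/auth/realms/liferay",
    "authorizationEndPoint": "http://localhost:8051/auth/realms/liferay/protocol/openid-connect/auth",
    "tokenEndPoint": "http://localhost:8051/auth/realms/liferay/protocol/openid-connect/token",
    "jwksURI": "http://localhost:8051/auth/realms/liferay/protocol/openid-connect/certs",
    "userInfoEndPoint": "http://localhost:8051/auth/realms/liferay/protocol/openid-connect/userinfo",
    "openIdConnectClientId": "keycloak-client",
}
KEYCLOAK_CLIENT = {
    "clientId": "keycloak-client",
    "redirectUris": ["http://localhost:8050/*"],
    "webOrigins": [""],
    "rootUrl": "",
}
# Liferay's OIDC callback, as seen in the failing URL in the first post.
LIFERAY_CALLBACK = "http://localhost:8050/c/portal/login/openidconnect"

# Endpoints Liferay itself opens a connection to (issuerURL is only compared against the token).
ENDPOINT_KEYS = ("authorizationEndPoint", "tokenEndPoint", "jwksURI", "userInfoEndPoint")


def redirect_uri_allowed(pattern, uri):
    """Keycloak-style redirect matching: exact match, or prefix match for a trailing '*'."""
    if pattern.endswith("*"):
        return uri.startswith(pattern[:-1])
    return uri == pattern


def check_config(provider, client, callback_url, liferay_in_container=False):
    """Cross-check the Liferay provider settings against the Keycloak client; returns findings."""
    findings = []
    if provider["openIdConnectClientId"] != client["clientId"]:
        findings.append("clientId mismatch between Liferay and Keycloak")
    # Every endpoint must belong to the realm named in issuerURL, whatever host it uses.
    realm_path = urlparse(provider["issuerURL"]).path.rstrip("/") + "/"
    for key in ENDPOINT_KEYS:
        if not urlparse(provider[key]).path.startswith(realm_path):
            findings.append(f"{key} is not under the realm path {realm_path}")
    if not any(redirect_uri_allowed(p, callback_url) for p in client["redirectUris"]):
        findings.append(f"callback {callback_url} matches no redirectUris entry")
    if not any(o.strip() for o in client.get("webOrigins", [])):
        findings.append("webOrigins is empty; set it to the Liferay origin")
    if liferay_in_container:
        # Inside the Liferay container, localhost is Liferay itself: the 'Connection refused' case.
        for key in ENDPOINT_KEYS:
            host = urlparse(provider[key]).hostname
            if host in ("localhost", "127.0.0.1"):
                findings.append(f"{key} uses {host}, which inside the Liferay container is not Keycloak")
    return findings


def point_endpoints_at(provider, authority):
    """Copy of the provider whose network endpoints use `authority` (e.g. the Keycloak container
    name and container port) while issuerURL keeps the value Keycloak puts in the token's iss."""
    out = dict(provider)
    for key in ENDPOINT_KEYS:
        out[key] = urlparse(provider[key])._replace(netloc=authority).geturl()
    return out


def endpoint_reachable(url, timeout=2.0):
    """TCP-connect to the endpoint's host:port from wherever this runs (ideally the Liferay
    container); a refused connection here is the same failure the Liferay log reported."""
    p = urlparse(url)
    port = p.port or (443 if p.scheme == "https" else 80)
    try:
        with socket.create_connection((p.hostname, port), timeout=timeout):
            return True, f"{p.hostname}:{port} accepts connections"
    except OSError as exc:
        return False, f"{p.hostname}:{port}: {exc}"


if __name__ == "__main__":
    for finding in check_config(LIFERAY_PROVIDER, KEYCLOAK_CLIENT, LIFERAY_CALLBACK, liferay_in_container=True):
        print("finding:", finding)
    # Assumed container hostname and container port for Keycloak; adjust to your network names.
    fixed = point_endpoints_at(LIFERAY_PROVIDER, "keycloak:8080")
    print("token endpoint reachable:", endpoint_reachable(fixed["tokenEndPoint"]))
```

One caveat the rewrite helper is built around: Keycloak derives the token's `iss` claim from the URL it was reached at unless its frontend URL is pinned, so when Liferay talks to Keycloak over the container name while browsers use another hostname, the `issuerURL` Liferay validates has to equal whatever actually appears in the ID token, which is why the helper leaves `issuerURL` alone and only moves the endpoints Liferay connects to.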