Liferay 7.3.1-ga2, Keycloak & OpenID Connect : Login not working

Marko Glavan, modified 2 Years ago.

I faced some issues when trying to connect keycloak and liferay via OpenID.

After redirecting from keycloak login screen to liferay I get the following message:

Internal Server Error
An error occurred while accessing the requested resource.

http://localhost:8050/c/portal/login/openidconnect?state=mHG10v_x909fMvyyHvC_OH50YfBC54DCqA4lnxihOfY&session_state=bc88d432-d515-4bb6-b63b-c94581aad6ea&code=756ee9f6-2790-4482-b6a0-a7772a23ba21.bc88d432-d515-4bb6-b63b-c94581aad6ea.e54e192d-529a-47be-81d3-7c5c7b4168f5

In the liferay log I can see the following trace:

2022-01-18 09:42:02.650 ERROR [http-nio-8080-exec-2][OpenIdConnectFilter:132] Unable to process OpenID Connect authentication response: Unable to get tokens from http://localhost:8051/auth/realms/liferay/protocol/openid-connect/token: Connection refused (Connection refused)

com.liferay.portal.security.sso.openid.connect.OpenIdConnectServiceException$TokenException: Unable to get tokens from http://localhost:8051/auth/realms/liferay/protocol/openid-connect/token: Connection refused (Connection refused)

I use the liferay/portal:7.3.1-ga2-202004031138 with keycloak:13.0.1.

BR

Zsigmond Rab, modified 2 Years ago.

RE: Liferay 7.3.1-ga2, Keycloak & OpenID Connect : Login not working

Hi Marko,

It's hard to say anything useful having this information only. Are you sure the connection to the given URL should work? Have you checked if the ports are correct, etc.?

If you could share your complete configuration (as a screenshot, for example), that may help to be able to give some further help.

Zsigmond

Marko Glavan, modified 2 Years ago.

RE: RE: Liferay 7.3.1-ga2, Keycloak & OpenID Connect : Login not working

Hi Zsigmond, thank you for the response.

URLs look fine.
Liferay is running on port 8050 and Keycloak is running on 8051.

Client secret is correct.

Settings:

Liferay identity provider settings 

authorizationEndPoint="http://localhost:8051/auth/realms/liferay/protocol/openid-connect/auth"
discoveryEndPoint=""
discoveryEndPointCacheInMillis="360000"
idTokenSigningAlgValues=[ \
  "RS256", \
  ]
issuerURL="http://localhost:8051/auth/realms/liferay"
jwksURI="http://localhost:8051/auth/realms/liferay/protocol/openid-connect/certs"
openIdConnectClientId="keycloak-client"
openIdConnectClientSecret="4f76b627-5af0-4c3f-a366-e6d1851cb6b6"
providerName="keycloak-identity-provider"
scopes="openid\ email\ profile"
subjectTypes=[ \
  "public", \
  ]
tokenEndPoint="http://localhost:8051/auth/realms/liferay/protocol/openid-connect/token"
userInfoEndPoint="http://localhost:8051/auth/realms/liferay/protocol/openid-connect/userinfo"

Keycloak 

Client

  {
      "id": "e54e192d-529a-47be-81d3-7c5c7b4168f5",
      "clientId": "keycloak-client",
      "name": "Keycloak Client",
      "rootUrl": "",
      "adminUrl": "",
      "surrogateAuthRequired": false,
      "enabled": true,
      "alwaysDisplayInConsole": false,
      "clientAuthenticatorType": "client-secret",
      "secret": "**********",
      "redirectUris": [
        "http://localhost:8050/*"
      ],
      "webOrigins": [
        ""
      ],
      "notBefore": 0,
      "bearerOnly": false,
      "consentRequired": false,
      "standardFlowEnabled": true,
      "implicitFlowEnabled": false,
      "directAccessGrantsEnabled": true,
      "serviceAccountsEnabled": false,
      "publicClient": false,
      "frontchannelLogout": false,
      "protocol": "openid-connect",
      "attributes": {
        "saml.assertion.signature": "false",
        "saml.force.post.binding": "false",
        "saml.multivalued.roles": "false",
        "saml.encrypt": "false",
        "login_theme": "keycloak",
        "oauth2.device.authorization.grant.enabled": "false",
        "backchannel.logout.revoke.offline.tokens": "false",
        "saml.server.signature": "false",
        "saml.server.signature.keyinfo.ext": "false",
        "use.refresh.tokens": "true",
        "exclude.session.state.from.auth.response": "false",
        "oidc.ciba.grant.enabled": "false",
        "saml.artifact.binding": "false",
        "backchannel.logout.session.required": "true",
        "client_credentials.use_refresh_token": "false",
        "saml_force_name_id_format": "false",
        "saml.client.signature": "false",
        "tls.client.certificate.bound.access.tokens": "false",
        "saml.authnstatement": "false",
        "display.on.consent.screen": "false",
        "saml.onetimeuse.condition": "false"
      },
      "authenticationFlowBindingOverrides": {},
      "fullScopeAllowed": true,
      "nodeReRegistrationTimeout": -1,
      "defaultClientScopes": [
        "web-origins",
        "profile",
        "roles",
        "email"
      ],
      "optionalClientScopes": [
        "address",
        "phone",
        "offline_access",
        "microprofile-jwt"
      ]
  }

IdentityProvider
    {
      "alias": "keycloak-identity-provider",
      "displayName": "keycloak identity provider",
      "internalId": "d5d64999-9a0a-49d3-b493-0c7dd8a97721",
      "providerId": "oidc",
      "enabled": true,
      "updateProfileFirstLoginMode": "on",
      "trustEmail": false,
      "storeToken": false,
      "addReadTokenRoleOnCreate": false,
      "authenticateByDefault": false,
      "linkOnly": false,
      "firstBrokerLoginFlowAlias": "first broker login",
      "config": {
        "clientId": "keycloak-client",
        "tokenUrl": "http://localhost:8051/auth/realms/liferay/protocol/openid-connect/token",
        "authorizationUrl": "http://localhost:8051/auth/realms/liferay/protocol/openid-connect/auth",
        "clientAuthMethod": "client_secret_post",
        "logoutUrl": "http://localhost:8051/auth/realms/liferay/protocol/openid-connect/logout",
        "syncMode": "IMPORT",
        "clientSecret": "**********",
        "useJwksUrl": "true"
      }
    }

BR

Marko Glavan, modified 2 Years ago.

RE: RE: Liferay 7.3.1-ga2, Keycloak & OpenID Connect : Login not working

Hi, 

Update:

I created a Liferay instance (7.4.2 CE GA3) with the IntelliJ plugin and it worked fine (I was using the same config).

After that I tried the newest docker image (liferay/portal:7.4.3.7-ga7) and I faced the same issue.

BR

Zsigmond Rab, modified 2 Years ago.

RE: RE: Liferay 7.3.1-ga2, Keycloak & OpenID Connect : Login not working

Hi Marko,

Have you seen my latest answer below? I may have replied in the wrong place.

Given your last experience as well, might there still be some communication problem? It may happen that the Keycloak host is not opened to Docker.

Zsigmond

Marko Glavan, modified 2 Years ago.

RE: Liferay 7.3.1-ga2, Keycloak & OpenID Connect : Login not working

Hi Zsigmond,

I have solved the issue. Liferay couldn't connect to the keycloak container via the containerName because I was mistakenly using the host port instead of the container port.

BR
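The mistake in the resolution above (a back-channel URL that the Liferay JVM cannot reach from inside its container) can be caught before the first login attempt. The following is an added example, not code from the thread or from Liferay: it probes the back-channel endpoints of a Liferay OIDC provider config with the resolution's host/container values (localhost:8051 vs. the constructed container name keycloak:8080) and checks that the browser-facing authorization endpoint sits under issuerURL.

```python
"""Added example (not from the thread): check a Liferay OIDC provider config for the
Docker mistake the thread ends on. authorizationEndPoint is followed by the browser
and may use the host-mapped port; tokenEndPoint, jwksURI and userInfoEndPoint are
called by the Liferay JVM and must be reachable from inside its container. Values constructed."""
import socket
from urllib.parse import urlparse

BACK_CHANNEL = ("tokenEndPoint", "jwksURI", "userInfoEndPoint", "discoveryEndPoint")

def tcp_reachable(host, port, timeout=2.0):
    """Real probe: can this process open a TCP connection to host:port?"""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # covers the 'Connection refused' seen in the Liferay log
        return False

def liferay_oidc_config(front_base, back_base):
    """Build the thread's Liferay keys; front_base = Keycloak as the browser sees it, back_base = as the JVM sees it."""
    realm = "/auth/realms/liferay"
    oidc = realm + "/protocol/openid-connect"
    return {"issuerURL": front_base + realm,
            "authorizationEndPoint": front_base + oidc + "/auth",
            "tokenEndPoint": back_base + oidc + "/token",
            "jwksURI": back_base + oidc + "/certs",
            "userInfoEndPoint": back_base + oidc + "/userinfo"}

def check_oidc_config(config, reachable=tcp_reachable):
    """Return findings (empty list = nothing suspicious). `reachable(host, port)`
    is injectable so the check can run inside the Liferay container or offline."""
    findings = []
    for key in BACK_CHANNEL:
        url = config.get(key, "")
        if not url:
            continue
        u = urlparse(url)
        port = u.port or (443 if u.scheme == "https" else 80)
        if not reachable(u.hostname, port):
            findings.append(f"{key}: {u.hostname}:{port} not reachable from the Liferay "
                            "JVM; inside Docker use the Keycloak container name and port")
    # The ID token's iss claim must equal issuerURL exactly (OIDC Core 3.1.3.7), and Keycloak's
    # endpoints live under the realm URL, so the browser-facing auth endpoint shares its prefix.
    auth = config.get("authorizationEndPoint", "")
    issuer = config.get("issuerURL", "")
    if auth and issuer and not auth.startswith(issuer):
        findings.append(f"authorizationEndPoint is not under issuerURL ({issuer}); "
                        "the iss claim will not match and token validation will fail")
    return findings
```

Run it with the default probe from a shell inside the Liferay container (docker exec) so the connectivity test reflects the JVM's own network namespace, not the host's.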

Zsigmond Rab, modified 2 Years ago.

RE: Liferay 7.3.1-ga2, Keycloak & OpenID Connect : Login not working

Hi Marko,

Checking your configuration with our team we have some pieces of advice for changing the configuration, but basically we still think, and the error above also suggests, that there is some problem with the connection that should be investigated. The error doesn't relate to Keycloak configuration; it's more like something wrong with the connection between the keycloak console and the liferay portal. Do you use a Docker image of the Liferay portal? Might there be some communication problem? It may happen that the keycloak host is not opened to Docker.

Our further configuration change suggestion to prevent other problems happening:

  1. Replace localhost with another alias to hit Keycloak, to avoid cookie collisions when accessing liferay with the same alias localhost2.
  2. Add rootUrl, adminUrl and webOrigins as http://localhost:8050
  3. In this scenario, we don't need to set useJwksUrl as true.
  4. Add eventsListener to Keycloak for printing a more detailed keycloak log.

After the 4th step, open the standalone.xml file which is under Keycloak/standalone/configuration/ and add the following properties under <subsystem xmlns="urn:jboss:domain:keycloak-server:1.1"> node:

            <spi name="eventsListener">
                <default-provider>jboss-logging</default-provider>
                <provider name="jboss-logging" enabled="true">
                    <properties>
                        <property name="success-level" value="info"/>
                        <property name="error-level" value="warn"/>
                    </properties>
                </provider>
            </spi>

After making these changes and restarting Keycloak, the log will print out detailed info. If you can investigate that detailed doc, that can help identify the problem. You can also share that info with us here. We may be able to find something.

Zsigmond