benjaminfavre / keycloak-apple-social-identity-provider
Apple Social Identity Provider for Keycloak
License: Apache License 2.0
Compatibility problem between Keycloak and your plugin
Message after authentication:
"Unexpected error when authenticating with identity provider"
We use the Keycloak IAM solution (https://www.keycloak.org/), version 19.0.3, for account management
and have integrated the openid / AppAuth-iOS SDK (https://github.com/openid/AppAuth-iOS) into the application to connect it to Keycloak.
We would like to know how to integrate Apple Sign In with Keycloak.
Thank you for this project Benjamin, we've integrated it on our Keycloak server and it basically works really well. One thing we are struggling with is that it does not seem to provide any user attributes to Keycloak when signing in.
After signing in for the first time, Keycloak redirects to a form asking the user to fill out any attributes that are required but missing, which are email, first name and last name. I can see in your code that you are requesting the email and name scopes, and that you are also setting those in the context, so I would expect it to work.
Is this a known limitation of your provider, or are we missing something? Please advise.
When I try to deploy this jar file I get the following error:
Caused by: java.lang.NoClassDefFoundError: Failed to link co/ritual/keycloak/identityprovider/apple/AppleUsernameTemplateMapper (Module "deployment.keycloak-spi_deploy.jar" from Service Module Loader): org/keycloak/broker/oidc/mappers/UsernameTemplateMapper
Any idea why this might happen?
The admin console page does not display the teamId and keyId fields. To configure them, I had to update the identity provider using the REST API. I suspect this is a result of changes made to the Keycloak baseline. Other than this gotcha, this provider still seems to work.
Hi,
Is it possible to use the module with the 19.0.3 version of Keycloak built the legacy way (quay.io/keycloak/keycloak:legacy)?
That image does not have an /opt/keycloak/providers/ folder or an /opt/keycloak/bin/kc.sh script inside.
Thank you in advance!
Hi,
I am integrating Keycloak with my app. For some reason, I have to pass some custom parameters from query params to the register.ftl file. I have written a custom authenticator and added it at the start of the registration flow so that I can access it before the register page is rendered. I have successfully extracted the query param and now I want to use it in my register.ftl file.
I have added it as a session attribute in the authenticate method of my custom authenticator like this:
context.getSession().setAttribute("patient_code","54321"); //for testing
And then tried to access it in ftl file like this:
Patient Code: ${attribute.patient_code}
But it is not working and I get an error when the register.ftl page is being rendered. The user is not created yet, so I can't use user attributes. I tried using context.getAuthenticationSession().setAuthNote but it didn't work either.
Is there any way I can achieve this? I may need to add some custom logic in authenticator and based on that, pass params to ftl, so I want to achieve it by passing from authenticator to ftl.
Hi,
With this Apple social identity provider it is not possible to add the Identity Provider Mapper of type "Attribute Importer".
I spent a whole day trying to install this provider on my Keycloak Docker instance without any success.
Right now this is my Dockerfile:
FROM jboss/keycloak:12.0.2
WORKDIR '/opt/jboss/keycloak/themes'
RUN curl https://github.com/simon-feamzy/keycloak-apple-social-identity-provider/releases/download/v1.0.4/apple-social-identity-provider-1.0.4.jar -o apple-social-identity-provider-1.0.4.jar
RUN ${JBOSS_HOME}/bin/jboss-cli.sh --command="module add --name=fr.benjaminfavre.provider --resources=apple-social-identity-provider-1.0.4.jar --dependencies=org.keycloak.keycloak-core,org.keycloak.keycloak-services,org.keycloak.keycloak-server-spi,org.keycloak.keycloak-server-spi-private"
ADD ./standalone/configuration/standalone-ha.xml /opt/jboss/keycloak/standalone/configuration/standalone-ha.xml
RUN mkdir macondo
RUN cp -R ./keycloak/* macondo
COPY ./themes/login/. ./macondo/login
Notice I added the provider in the XML file:
<subsystem xmlns="urn:jboss:domain:keycloak-server:1.1">
<web-context>auth</web-context>
<providers>
<provider>
classpath:${jboss.home.dir}/providers/*
</provider>
<provider>module:fr.benjaminfavre.provider</provider>
</providers>
...
</subsystem>
But it gives me a lot of bugs, the last one:
15:18:14,866 INFO [org.keycloak.services] (ServerService Thread Pool -- 63) KC-SERVICES0001: Loading config from standalone.xml or domain.xml
15:18:14,920 FATAL [org.keycloak.services] (ServerService Thread Pool -- 63) Error during startup: java.lang.RuntimeException: org.jboss.modules.ModuleLoadException: Error loading module from /opt/jboss/keycloak/modules/fr/benjaminfavre/provider/main/module.xml
at [email protected]//org.keycloak.provider.wildfly.ModuleProviderLoaderFactory.create(ModuleProviderLoaderFactory.java:45)
at [email protected]//org.keycloak.provider.ProviderManager.<init>(ProviderManager.java:65)
at [email protected]//org.keycloak.services.DefaultKeycloakSessionFactory.init(DefaultKeycloakSessionFactory.java:90)
at [email protected]//org.keycloak.services.resources.KeycloakApplication.createSessionFactory(KeycloakApplication.java:260)
at [email protected]//org.keycloak.services.resources.KeycloakApplication.startup(KeycloakApplication.java:125)
at [email protected]//org.keycloak.provider.wildfly.WildflyPlatform.onStartup(WildflyPlatform.java:29)
at [email protected]//org.keycloak.services.resources.KeycloakApplication.<init>(KeycloakApplication.java:115)
at java.base/jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
at java.base/jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
at java.base/jdk.internal.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
at java.base/java.lang.reflect.Constructor.newInstance(Constructor.java:490)
at [email protected]//org.jboss.resteasy.core.ConstructorInjectorImpl.construct(ConstructorInjectorImpl.java:152)
at [email protected]//org.jboss.resteasy.spi.ResteasyProviderFactory.createProviderInstance(ResteasyProviderFactory.java:2815)
at [email protected]//org.jboss.resteasy.spi.ResteasyDeployment.createApplication(ResteasyDeployment.java:371)
at [email protected]//org.jboss.resteasy.spi.ResteasyDeployment.startInternal(ResteasyDeployment.java:283)
at [email protected]//org.jboss.resteasy.spi.ResteasyDeployment.start(ResteasyDeployment.java:93)
at [email protected]//org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.init(ServletContainerDispatcher.java:140)
at [email protected]//org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.init(HttpServletDispatcher.java:42)
at [email protected]//io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:117)
at [email protected]//org.wildfly.extension.undertow.security.RunAsLifecycleInterceptor.init(RunAsLifecycleInterceptor.java:78)
at [email protected]//io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:103)
at [email protected]//io.undertow.servlet.core.ManagedServlet$DefaultInstanceStrategy.start(ManagedServlet.java:305)
at [email protected]//io.undertow.servlet.core.ManagedServlet.createServlet(ManagedServlet.java:145)
at [email protected]//io.undertow.servlet.core.DeploymentManagerImpl$2.call(DeploymentManagerImpl.java:588)
at [email protected]//io.undertow.servlet.core.DeploymentManagerImpl$2.call(DeploymentManagerImpl.java:559)
at [email protected]//io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:42)
at [email protected]//io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)
at [email protected]//org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction.lambda$create$0(SecurityContextThreadSetupAction.java:105)
at [email protected]//org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1530)
at [email protected]//org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1530)
at [email protected]//org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1530)
at [email protected]//org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1530)
at [email protected]//io.undertow.servlet.core.DeploymentManagerImpl.start(DeploymentManagerImpl.java:601)
at [email protected]//org.wildfly.extension.undertow.deployment.UndertowDeploymentService.startContext(UndertowDeploymentService.java:97)
at [email protected]//org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1.run(UndertowDeploymentService.java:78)
at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:515)
at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
at [email protected]//org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35)
at [email protected]//org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1990)
at [email protected]//org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1486)
at [email protected]//org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1377)
at java.base/java.lang.Thread.run(Thread.java:834)
at [email protected]//org.jboss.threads.JBossThread.run(JBossThread.java:513)
Caused by: org.jboss.modules.ModuleLoadException: Error loading module from /opt/jboss/keycloak/modules/fr/benjaminfavre/provider/main/module.xml
at org.jboss.modules.xml.ModuleXmlParser.parseModuleXml(ModuleXmlParser.java:337)
at org.jboss.modules.xml.ModuleXmlParser.parseModuleXml(ModuleXmlParser.java:293)
at org.jboss.modules.xml.ModuleXmlParser.parseModuleXml(ModuleXmlParser.java:254)
at org.jboss.modules.LocalModuleFinder.parseModuleXmlFile(LocalModuleFinder.java:250)
at org.jboss.modules.LocalModuleFinder.lambda$findModule$1(LocalModuleFinder.java:195)
at java.base/java.security.AccessController.doPrivileged(Native Method)
at org.jboss.modules.LocalModuleFinder.findModule(LocalModuleFinder.java:195)
at org.jboss.modules.ModuleLoader.findModule0(ModuleLoader.java:696)
at org.jboss.modules.ModuleLoader.findModule(ModuleLoader.java:689)
at org.jboss.modules.ModuleLoader.loadModuleLocal(ModuleLoader.java:499)
at org.jboss.modules.DelegatingModuleLoader.preloadModule(DelegatingModuleLoader.java:57)
at org.jboss.modules.ModuleLoader.preloadExportedModule(ModuleLoader.java:414)
at org.jboss.modules.ModuleLoader.preloadModule(ModuleLoader.java:455)
at [email protected]//org.jboss.as.server.moduleservice.ServiceModuleLoader.preloadModule(ServiceModuleLoader.java:146)
at org.jboss.modules.ModuleLoader.preloadModule(ModuleLoader.java:400)
at org.jboss.modules.ModuleLoader.loadModule(ModuleLoader.java:295)
at org.jboss.modules.ModuleLoader.loadModule(ModuleLoader.java:283)
at [email protected]//org.keycloak.provider.wildfly.ModuleProviderLoaderFactory.create(ModuleProviderLoaderFactory.java:41)
... 42 more
Caused by: org.jboss.modules.xml.XmlPullParserException: Failed to add resource root 'apple-social-identity-provider-1.0.4.jar' at path 'apple-social-identity-provider-1.0.4.jar' (position: END_TAG seen ... <resource-root path="apple-social-identity-provider-1.0.4.jar"/>... @6:73) caused by: java.util.zip.ZipException: zip END header not found
at org.jboss.modules.xml.ModuleXmlParser.parseResourceRoot(ModuleXmlParser.java:1121)
at org.jboss.modules.xml.ModuleXmlParser.parseResources(ModuleXmlParser.java:932)
at org.jboss.modules.xml.ModuleXmlParser.parseModuleContents(ModuleXmlParser.java:697)
at org.jboss.modules.xml.ModuleXmlParser.parseDocument(ModuleXmlParser.java:469)
at org.jboss.modules.xml.ModuleXmlParser.parseModuleXml(ModuleXmlParser.java:335)
... 59 more
Caused by: java.util.zip.ZipException: zip END header not found
at java.base/java.util.zip.ZipFile$Source.zerror(ZipFile.java:1567)
at java.base/java.util.zip.ZipFile$Source.findEND(ZipFile.java:1462)
at java.base/java.util.zip.ZipFile$Source.initCEN(ZipFile.java:1469)
at java.base/java.util.zip.ZipFile$Source.<init>(ZipFile.java:1274)
at java.base/java.util.zip.ZipFile$Source.get(ZipFile.java:1237)
at java.base/java.util.zip.ZipFile$CleanableResource.<init>(ZipFile.java:727)
at java.base/java.util.zip.ZipFile$CleanableResource.get(ZipFile.java:844)
at java.base/java.util.zip.ZipFile.<init>(ZipFile.java:247)
at java.base/java.util.zip.ZipFile.<init>(ZipFile.java:177)
at java.base/java.util.jar.JarFile.<init>(JarFile.java:348)
at org.jboss.modules.xml.JDKSpecific.getJarFile(JDKSpecific.java:33)
at org.jboss.modules.xml.ModuleXmlParser$DefaultResourceRootFactory.createResourceLoader(ModuleXmlParser.java:1618)
at org.jboss.modules.LocalModuleFinder.lambda$new$0(LocalModuleFinder.java:103)
at org.jboss.modules.xml.ModuleXmlParser.parseResourceRoot(ModuleXmlParser.java:1119)
... 63 more
I tried also to put it on the deployment's folder, but no success.
It could be related to #10 and #8, because even when there is no problem "installing" the jar file and creating the module (first and second custom commands in the Dockerfile), I can't see the provider on the Keycloak dashboard. It could also be related to #7, because adding the provider to the configuration file (standalone) breaks the server. Could it be because of the Keycloak version we are using?
Is there any interest on continuing with this provider?
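A quick offline check of the jar before it is handed to `module add` or dropped into the providers directory, as an added example that is not part of the original issue or of the project. The module loader's "zip END header not found" means the file it was given is not a zip at all; the usual way to get one is a download that did not follow GitHub's release redirect (curl needs -L), which leaves an HTML page saved under the jar's name. The check also looks for the META-INF/services file through which Keycloak discovers a social identity provider. The factory class name in the constructed fixture is an assumption derived from the fr.benjaminfavre.provider package seen in the traces on this page, not taken from the project.

```python
"""Inspect a provider jar before handing it to `module add` or the providers dir.

Added example, not code from the keycloak-apple-social-identity-provider
project. The fixtures built by sample_jar() are constructed; the factory
class name used in them is an assumption derived from the
fr.benjaminfavre.provider package visible in the traces on this page.
"""
import io
import sys
import zipfile

# Keycloak discovers a social identity provider through this services file
# inside the jar; a jar without it loads but never shows up in the admin UI.
SOCIAL_SPI = ("META-INF/services/"
              "org.keycloak.broker.social.SocialIdentityProviderFactory")


def inspect_provider_jar(data: bytes) -> dict:
    """Report whether `data` is a zip, how many classes it holds and which
    social provider factories it registers."""
    buf = io.BytesIO(data)
    report = {"is_zip": zipfile.is_zipfile(buf), "classes": 0,
              "factories": [], "head": data[:40]}
    if not report["is_zip"]:
        # This is what the JBoss module loader turns into
        # "java.util.zip.ZipException: zip END header not found".
        return report
    with zipfile.ZipFile(buf) as jar:
        names = jar.namelist()
        report["classes"] = sum(n.endswith(".class") for n in names)
        if SOCIAL_SPI in names:
            lines = jar.read(SOCIAL_SPI).decode("utf-8").splitlines()
            report["factories"] = [ln.strip() for ln in lines
                                   if ln.strip() and not ln.lstrip().startswith("#")]
    return report


def ready_for_module_add(data: bytes) -> bool:
    """True only if the bytes are a real jar that registers at least one factory."""
    r = inspect_provider_jar(data)
    return r["is_zip"] and r["classes"] > 0 and bool(r["factories"])


def sample_jar(broken: bool = False) -> bytes:
    """Constructed fixtures: a minimal jar with one class and the SPI file,
    or the HTML page that a download which did not follow GitHub's release
    redirect (curl without -L) would have saved under the jar's name."""
    if broken:
        return b"<html><body>Redirecting to objects.githubusercontent.com</body></html>"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        # 0xCAFEBABE is the class-file magic; the body is a stand-in, not a real class.
        jar.writestr("fr/benjaminfavre/provider/AppleIdentityProviderFactory.class",
                     b"\xca\xfe\xba\xbe")
        jar.writestr(SOCIAL_SPI,
                     "# assumed factory class name\n"
                     "fr.benjaminfavre.provider.AppleIdentityProviderFactory\n")
    return buf.getvalue()


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else None
    data = open(path, "rb").read() if path else sample_jar()
    print(inspect_provider_jar(data))
    print("ready:", ready_for_module_add(data))
```

Run it as `python check_jar.py apple-social-identity-provider-1.0.4.jar` right after the curl step; a `head` starting with `<html>` and `is_zip: False` is the HTML redirect page, and an empty `factories` list means Keycloak will load the module but never list the provider.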
After adding .jar and necessary configuration to Keycloak, Apple provider appears on Identity Providers selector.
However, when I select this option, Keycloak redirects to a not found page.
What can I do?
Hi! Are you able to provide an example module.xml file? Currently I'm getting the following error:
16:08:35,049 ERROR [org.keycloak.services.error.KeycloakErrorHandler] (default task-2) Uncaught server error: java.lang.NoClassDefFoundError: javax/ws/rs/core/Response
My module.xml file:
<?xml version='1.0' encoding='UTF-8'?>
<module xmlns="urn:jboss:module:1.1" name="fr.benjaminfavre.provider">
<resources>
<resource-root path="provider.jar"/>
</resources>
<dependencies>
<module name="org.keycloak.keycloak-core"/>
<module name="org.keycloak.keycloak-server-spi"/>
<module name="org.keycloak.keycloak-services"/>
<module name="org.keycloak.keycloak-server-spi-private"/>
</dependencies>
</module>
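An example module.xml, added here and not taken from the project, for the WildFly-based Keycloak that the module add commands on this page target. Compared with the file quoted above it adds javax.ws.rs.api, the WildFly module that provides javax.ws.rs.core.Response, the class named in the NoClassDefFoundError; the resource name provider.jar and the module name are the ones from the posted file. The same list can be passed as --dependencies to jboss-cli's module add instead of being written by hand.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<module xmlns="urn:jboss:module:1.1" name="fr.benjaminfavre.provider">
    <resources>
        <!-- the provider jar placed next to this file under modules/fr/benjaminfavre/provider/main/ -->
        <resource-root path="provider.jar"/>
    </resources>
    <dependencies>
        <!-- JAX-RS API: needed because the provider's endpoint returns javax.ws.rs.core.Response -->
        <module name="javax.ws.rs.api"/>
        <module name="org.keycloak.keycloak-core"/>
        <module name="org.keycloak.keycloak-server-spi"/>
        <module name="org.keycloak.keycloak-server-spi-private"/>
        <module name="org.keycloak.keycloak-services"/>
    </dependencies>
</module>
```

The module name must match the `module:` entry in the keycloak-server subsystem's providers list, and the jar must be a valid zip, or the server fails at startup with the ModuleLoadException shown earlier on this page.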
According to this post, Apple requires very specific wording for its Sign-In buttons. That would be easily achievable using the "Display Name" property present in the generic OIDC provider you're inheriting from. However, your Admin UI snippet is lacking that field. Could you please add the following snippet to realm-identity-provider-apple-ext.html, as suggested by ebiscardi:
<div class="form-group clearfix">
<label class="col-md-2 control-label" for="displayName"> {{:: 'display-name' | translate}}</label>
<div class="col-md-6">
<input class="form-control" id="displayName" type="text" ng-model="identityProvider.displayName">
</div>
<kc-tooltip>{{:: 'identity-provider.display-name.tooltip' | translate}}</kc-tooltip>
</div>
Hello there,
I have a problem after a successful Apple auth. I checked a few times and all the credentials provided in the provider settings are correct, but the redirect after Apple sign-in produces the error "An internal server error has occurred" in Keycloak. My Keycloak version is 21.1.0. I checked the Keycloak logs and this is what they say:
ubuntu-keycloakv2-1 | 2023-05-19 13:11:05,695 ERROR [org.keycloak.services.error.KeycloakErrorHandler] (executor-thread-15) Uncaught server error: java.lang.NoSuchMethodError: 'void org.keycloak.broker.oidc.OIDCIdentityProvider$OIDCEndpoint.<init>(org.keycloak.broker.oidc.OIDCIdentityProvider, org.keycloak.broker.provider.IdentityProvider$AuthenticationCallback, org.keycloak.models.RealmModel, org.keycloak.events.EventBuilder)'
ubuntu-keycloakv2-1 | at fr.benjaminfavre.provider.AppleIdentityProvider$OIDCEndpoint.<init>(AppleIdentityProvider.java:108)
ubuntu-keycloakv2-1 | at fr.benjaminfavre.provider.AppleIdentityProvider.callback(AppleIdentityProvider.java:45)
ubuntu-keycloakv2-1 | at org.keycloak.services.resources.IdentityBrokerService.getEndpoint(IdentityBrokerService.java:420)
ubuntu-keycloakv2-1 | at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
ubuntu-keycloakv2-1 | at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77)
ubuntu-keycloakv2-1 | at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
ubuntu-keycloakv2-1 | at java.base/java.lang.reflect.Method.invoke(Method.java:568)
ubuntu-keycloakv2-1 | at org.jboss.resteasy.core.ResourceLocatorInvoker.constructLocator(ResourceLocatorInvoker.java:107)
ubuntu-keycloakv2-1 | at org.jboss.resteasy.core.ResourceLocatorInvoker.resolveTargetFromLocator(ResourceLocatorInvoker.java:87)
ubuntu-keycloakv2-1 | at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:148)
ubuntu-keycloakv2-1 | at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:183)
ubuntu-keycloakv2-1 | at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:141)
ubuntu-keycloakv2-1 | at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:32)
ubuntu-keycloakv2-1 | at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:492)
ubuntu-keycloakv2-1 | at org.jboss.resteasy.core.SynchronousDispatcher.lambda$invoke$4(SynchronousDispatcher.java:261)
ubuntu-keycloakv2-1 | at org.jboss.resteasy.core.SynchronousDispatcher.lambda$preprocess$0(SynchronousDispatcher.java:161)
ubuntu-keycloakv2-1 | at org.jboss.resteasy.core.interception.jaxrs.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:364)
ubuntu-keycloakv2-1 | at org.jboss.resteasy.core.SynchronousDispatcher.preprocess(SynchronousDispatcher.java:164)
ubuntu-keycloakv2-1 | at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:247)
ubuntu-keycloakv2-1 | at io.quarkus.resteasy.runtime.standalone.RequestDispatcher.service(RequestDispatcher.java:73)
ubuntu-keycloakv2-1 | at io.quarkus.resteasy.runtime.standalone.VertxRequestHandler.dispatch(VertxRequestHandler.java:151)
ubuntu-keycloakv2-1 | at io.quarkus.resteasy.runtime.standalone.VertxRequestHandler.handle(VertxRequestHandler.java:82)
ubuntu-keycloakv2-1 | at io.quarkus.resteasy.runtime.standalone.VertxRequestHandler.handle(VertxRequestHandler.java:42)
ubuntu-keycloakv2-1 | at io.vertx.ext.web.impl.RouteState.handleContext(RouteState.java:1284)
ubuntu-keycloakv2-1 | at io.vertx.ext.web.impl.RoutingContextImplBase.iterateNext(RoutingContextImplBase.java:173)
ubuntu-keycloakv2-1 | at io.vertx.ext.web.impl.RoutingContextWrapper.next(RoutingContextWrapper.java:200)
ubuntu-keycloakv2-1 | at io.quarkus.vertx.http.runtime.StaticResourcesRecorder$2.handle(StaticResourcesRecorder.java:84)
ubuntu-keycloakv2-1 | at io.quarkus.vertx.http.runtime.StaticResourcesRecorder$2.handle(StaticResourcesRecorder.java:71)
ubuntu-keycloakv2-1 | at io.vertx.ext.web.impl.RouteState.handleContext(RouteState.java:1284)
ubuntu-keycloakv2-1 | at io.vertx.ext.web.impl.RoutingContextImplBase.iterateNext(RoutingContextImplBase.java:173)
ubuntu-keycloakv2-1 | at io.vertx.ext.web.impl.RoutingContextWrapper.next(RoutingContextWrapper.java:200)
ubuntu-keycloakv2-1 | at io.quarkus.vertx.http.runtime.VertxHttpRecorder$6.handle(VertxHttpRecorder.java:430)
ubuntu-keycloakv2-1 | at io.quarkus.vertx.http.runtime.VertxHttpRecorder$6.handle(VertxHttpRecorder.java:408)
ubuntu-keycloakv2-1 | at io.vertx.ext.web.impl.RouteState.handleContext(RouteState.java:1284)
ubuntu-keycloakv2-1 | at io.vertx.ext.web.impl.RoutingContextImplBase.iterateNext(RoutingContextImplBase.java:173)
ubuntu-keycloakv2-1 | at io.vertx.ext.web.impl.RoutingContextWrapper.next(RoutingContextWrapper.java:200)
ubuntu-keycloakv2-1 | at org.keycloak.quarkus.runtime.integration.web.QuarkusRequestFilter.lambda$createBlockingHandler$0(QuarkusRequestFilter.java:82)
ubuntu-keycloakv2-1 | at io.quarkus.vertx.core.runtime.VertxCoreRecorder$14.runWith(VertxCoreRecorder.java:576)
ubuntu-keycloakv2-1 | at org.jboss.threads.EnhancedQueueExecutor$Task.run(EnhancedQueueExecutor.java:2449)
ubuntu-keycloakv2-1 | at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1478)
ubuntu-keycloakv2-1 | at org.jboss.threads.DelegatingRunnable.run(DelegatingRunnable.java:29)
ubuntu-keycloakv2-1 | at org.jboss.threads.ThreadLocalResettingRunnable.run(ThreadLocalResettingRunnable.java:29)
ubuntu-keycloakv2-1 | at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)
ubuntu-keycloakv2-1 | at java.base/java.lang.Thread.run(Thread.java:833)
What can I do to fix this?
The jboss-deployment-structure.xml did not include all the dependencies. The following had to be added.
<module name="javax.ws.rs.api" export="true"/>
Still it does not appear. What else should be done? Should any configuration files be updated?
Failed to make identity provider oauth callback: java.lang.IllegalArgumentException: Illegal base64 character 2e
at java.base/java.util.Base64$Decoder.decode0(Base64.java:743)
at java.base/java.util.Base64$Decoder.decode(Base64.java:535)
at java.base/java.util.Base64$Decoder.decode(Base64.java:558)
Apple reviewers cannot log in; we get the following error in the log: {"error":"invalid_grant","error_description":"The code has already been used."}. Every account we test with works. I have found others with the same problem: https://developer.apple.com/forums/thread/679534
In the thread some talk about caching and setting nonce, is this handled correctly by this extension?
Steps:
module add --name=apple-social-identity-provider --resources=apple-social-identity-provider-1.0.2.jar --dependencies=org.keycloak.keycloak-core,org.keycloak.keycloak-services,org.keycloak.keycloak-server-spi,org.keycloak.keycloak-server-spi-private
embed-server --server-config=standalone.xml --std-out=echo
batch
/subsystem=keycloak-server:list-add(name=providers,value=module:apple-social-identity-provider)
/subsystem=keycloak-server/spi=social/:add
/subsystem=keycloak-server/spi=social/provider=apple/:add(enabled=true)
run-batch
stop-embedded-server
embed-server --server-config=standalone-ha.xml --std-out=echo
batch
/subsystem=keycloak-server:list-add(name=providers,value=module:apple-social-identity-provider)
/subsystem=keycloak-server/spi=social/:add
/subsystem=keycloak-server/spi=social/provider=apple/:add(enabled=true)
run-batch
stop-embedded-server
Hi,
I got this to work but have no Apple logo. Is it possible to add one somehow?
The next release of Keycloak will use Quarkus as a replacement for WildFly.
Is there a plan to make this extension compatible with Quarkus ?
Thx.
Hi. Firstly, big thanks for your work! I tried this provider and it works fine for web auth. Now I want to add native iOS authorization and do an external token exchange from an Apple token to a Keycloak token. I can do this if I set up an OpenID Connect v1.0 provider and set these fields:
How can I add this option to this provider?
If there is interest in it, it would be great to see this extension listed on https://www.keycloak.org/extensions.html
A simple PR to https://github.com/keycloak/keycloak-web/tree/main/extensions is all that is needed to do that. I would prefer the PR comes from one of the maintainers of this repository though.
Hi, I updated the provider like in this PR #21 to use it in Keycloak 16.1.1.
My configuration looks correct according to the README.
After trying to log in, I get redirected to Apple and fill in my credentials, but when I get back to the Keycloak page I see "Unexpected error when authenticating with identity provider".
In keycloak logs there is this:
14:27:23,462 ERROR [org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider] (default task-12) Failed to make identity provider oauth callback: java.lang.NullPointerException
at [email protected]//org.keycloak.services.resources.IdentityBrokerService.lambda$authenticated$0(IdentityBrokerService.java:528)
at java.base/java.util.HashMap$KeySpliterator.forEachRemaining(HashMap.java:1621)
at java.base/java.util.stream.ReferencePipeline$Head.forEach(ReferencePipeline.java:658)
at [email protected]//org.keycloak.services.resources.IdentityBrokerService.authenticated(IdentityBrokerService.java:525)
at [email protected]//org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider$Endpoint.authResponse(AbstractOAuth2IdentityProvider.java:514)
at deployment.apple-social-identity-provider-1.0.3-SNAPSHOT.jar//fr.benjaminfavre.provider.AppleIdentityProvider$OIDCEndpoint.authResponse(AppleIdentityProvider.java:123)
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.base/java.lang.reflect.Method.invoke(Method.java:566)
at [email protected]//org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:170)
...
Any idea how to make it work?
When I try to log in using Apple OAuth by hitting the URL
http://my.example.app/api/auth/login/apple?client_id=webapp&state=ae6cfa04-2b97-443d-89d6-735ca87e1164&response_type=code&nonce=3bf581b7-59ec-4f91-9caf-bf02b9913a67&kc_idp_hint=apple&redirect_uri=https://my.example.app/api/auth/apple/callback/webapp&scope=openid email
Upon further inspection, it seems like it is due to the redirected authorization URL having indeed a bad URI (it uses HTTP instead of HTTPS) - https://appleid.apple.com/auth/authorize?response_mode=form_post&scope=openid+email+name&state=MHsd34r2J1DOdLgnx7G8qVbhZ7k-FGLxHM6E7qOqTDs.jKtRwBXmZUw.webapp&response_type=code&client_id=my.app.clientId&redirect_uri=http%3A%2F%2Fmy.example.app%2Fauth%2Frealms%2FAppleAuth%2Fbroker%2Fapple%2Fendpoint&nonce=GxRbWFg_lmpH3mZ_ZE2QOg
Now, if I change the redirect_uri query string parameter to ensure it is https instead of http, I am able to log in with my Apple ID. HOWEVER, the callback URL fails with the following error:
Failed to make identity provider oauth callback: org.keycloak.broker.provider.IdentityBrokerException: No access_token from server. error='invalid_grant', error_description='redirect_uri mismatch. The code was not issued to http://api.vid.app/auth/realms/AppleAuth/broker/apple/endpoint.', error_uri='null'
I suspect this is due to the initial redirect URL being HTTP instead of HTTPS. Is there a way around this? I'd like the redirected request's redirect_uri parameter to follow the HTTPS scheme instead, as Apple does not allow HTTP URLs as callbacks.
Or maybe I am doing something wrong... my Keycloak server is configured via a Helm chart using the following command: helm install auth-keycloak codecentric/keycloak --version 18.1.1
Hello,
I configured an OIDC identity provider on my realm ABC
In the mappers (of the identity provider) I configured 2 attribute importers and 1 hardcoded attribute
When I go to the login page and connect with my identity provider, the 2 attribute importers are present in the token (they successfully imported the attributes from the client account) but the hardcoded attribute is not present.
On the second connection, the hardcoded attribute is present!
Could you please help me ? I need the hardcoded attribute to be in the token from the first connection
Thanks in advance
I've imported the jar (version 1.4.1) into my Keycloak Docker installation (20.0.3).
The apple provider is enabled : authentication works.
I've set the scope to : name%20email
I've set the first login flow to : "first broker login".
On the first authentication, the email has the following format "[email protected]" (instead of the user's email, I suppose for privacy reasons) and the first and last name are empty.
How can the name information be filled in automatically?
In fact, I'm deploying a hybrid application (an app with a web browser pointing to my Keycloak instance) to the Apple App Store. It works, but Apple wants me to remove the step where you fill in email and names. They said it's a bad experience for their users to re-enter information.
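The reports above about empty name and email fields on first login, the earlier "Illegal base64 character 2e" callback failure, and the nonce question all come down to what Apple actually POSTs to the broker endpoint. The following is an added example, not code from the keycloak-apple-social-identity-provider project: it parses that form_post callback and assembles the fields a first-broker-login flow prompts for. Two facts it relies on: Apple sends the `user` JSON (name and email) only on the very first authorization of the app by that account, and the user's stable identifier is the id_token `sub` claim. The callbacks are constructed, and their id_tokens are unsigned (alg "none") so the block runs offline; a real broker must verify the ES256 signature against Apple's JWKS at https://appleid.apple.com/auth/keys before trusting any claim. The client_id, nonces and addresses are made up.

```python
"""Turn the form_post callback from Sign in with Apple into the profile
fields (username, email, first name, last name) that Keycloak's
first-broker-login flow prompts for when they are missing.

Added example, not code from the keycloak-apple-social-identity-provider
project. The two callbacks below are constructed, and their id_tokens are
unsigned (alg "none") so that the example runs offline; a real broker must
verify the ES256 signature against Apple's JWKS at
https://appleid.apple.com/auth/keys before trusting any claim.
"""
import base64
import json

APPLE_ISSUER = "https://appleid.apple.com"


def b64url_decode(segment: str) -> bytes:
    """Decode one base64url JWT segment, restoring the padding that JWTs omit.

    Handing a whole dot-separated token to a base64 decoder is a classic
    mistake: '.' is byte 0x2e, which java.util.Base64 reports as
    "Illegal base64 character 2e".
    """
    if "." in segment:
        raise ValueError("decode one JWT segment, not the whole token")
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def unverified_claims(id_token: str) -> dict:
    """Return the payload of a JWT WITHOUT checking its signature."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("a JWT has exactly three segments")
    return json.loads(b64url_decode(parts[1]))


def profile_from_callback(form: dict, client_id: str, expected_nonce: str) -> dict:
    """Build the broker profile from the fields Apple POSTs to the endpoint.

    Apple includes `user` (a JSON string with name and email) only on the
    very first authorization of the app by that account; every later login
    carries just the id_token, so the name has to be captured the first time.
    """
    claims = unverified_claims(form["id_token"])
    if claims.get("iss") != APPLE_ISSUER:
        raise ValueError("id_token issuer is not Apple")
    if claims.get("aud") != client_id:
        raise ValueError("id_token was not issued to this client_id")
    # The nonce ties the token to the authorization request that produced
    # it; a mismatch means a replayed or cross-session token.
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch")

    user = json.loads(form["user"]) if form.get("user") else {}
    name = user.get("name") or {}
    # Apple delivers some boolean claims as the strings "true"/"false".
    private_relay = str(claims.get("is_private_email", False)).lower() == "true"
    return {
        "username": claims["sub"],      # stable per developer team; use it as the broker user id
        "email": user.get("email") or claims.get("email"),
        "email_is_private_relay": private_relay,
        "first_name": name.get("firstName"),
        "last_name": name.get("lastName"),
        "first_authorization": bool(user),
    }


def _unsigned_id_token(claims: dict) -> str:
    """Constructed, unsigned id_token for the offline samples. Never accept
    alg=none from a real identity provider."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return enc({"alg": "none"}) + "." + enc(claims) + "."


# Constructed sample: the first authorization, where Apple adds `user`.
FIRST_LOGIN = {
    "state": "s-1", "code": "c-first",
    "id_token": _unsigned_id_token({
        "iss": APPLE_ISSUER, "aud": "com.example.web", "sub": "001234.abcd.5678",
        "nonce": "n-1", "email": "ada@example.com", "email_verified": "true"}),
    "user": json.dumps({"name": {"firstName": "Ada", "lastName": "Lovelace"},
                        "email": "ada@example.com"}),
}

# Constructed sample: a later login, with Hide My Email active and no `user`.
LATER_LOGIN = {
    "state": "s-2", "code": "c-later",
    "id_token": _unsigned_id_token({
        "iss": APPLE_ISSUER, "aud": "com.example.web", "sub": "001234.abcd.5678",
        "nonce": "n-2", "email": "x9y8z7@privaterelay.appleid.com",
        "is_private_email": "true"}),
}

if __name__ == "__main__":
    print(profile_from_callback(FIRST_LOGIN, "com.example.web", "n-1"))
    print(profile_from_callback(LATER_LOGIN, "com.example.web", "n-2"))
```

The second sample is the case the reports above describe: no `user` field, so first and last name come back None, and the email is a private-relay address that still has to be accepted as the user's address. Persisting the name from the first callback, and keying the broker link on `sub` rather than on the relay address, is what keeps the "fill in missing attributes" page from appearing. Apple authorization codes are single-use, so any second POST of the same callback (a retry, a duplicate submit, a prefetch) yields the "code has already been used" response quoted earlier.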