External Identity Provider Configuration - Fails at the call-back

Question asked by m.venkatraman885341 on Nov 28, 2017
Latest reply on Jun 1, 2018 by Sjaak Overgaauw

I'm trying to configure an external identity provider and associate it with an API defined through the API Manager.

I've deployed the Auth Broker and attached the right Auth Source. I'm using OpenID Connect. The right Auth URL, Token URL and Call Back URL are configured in the Auth Source. Boomi is registered properly in the external identity provider with the right call-back URL. The client id and secret generated at the external identity provider are correctly configured in the Auth Source.

When I hit the Boomi Auth Broker's Auth URL with the right query parameters, it successfully redirects to the External Identity Provider's login page. Once I successfully log in, the IDP redirects me to the Boomi Auth Broker's call-back URL. However, the page displays "WE'RE SORRY.. Unexpected error when authenticating with identity provider".

When I look at the redirects I can see that the IDP properly created the "code" and sent it as the query parameter to the call-back URL. That means the authentication was successful and the IDP is correctly returning the auth code.

When I look at the Boomi Auth Broker's logs, I can see an exception with these details.

Nov 28, 2017 11:04:48 AM +0000 ERROR [org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider$Endpoint authResponse] Failed to make identity provider oauth callback: org.keycloak.broker.provider.IdentityBrokerException: No access_token from server.
at org.keycloak.broker.oidc.OIDCIdentityProvider.verifyAccessToken(OIDCIdentityProvider.java:297)
at org.keycloak.broker.oidc.OIDCIdentityProvider.getFederatedIdentity(OIDCIdentityProvider.java:228)
at org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider$Endpoint.authResponse(AbstractOAuth2IdentityProvider.java:231)


So it looks like the Boomi Auth Broker is not able to process the auth code to create or exchange it for an access token. It may also be possible that the Boomi Auth Broker is wrongly expecting an access_token instead of an auth code. Looking at the HTTP redirects or the Broker logs, it is not clear where the Boomi Auth Broker is failing.

Has anybody faced this problem? Is there any wrong configuration that may be causing this?
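The step the log line points at is the back-channel exchange: after the call-back delivers the code, the broker POSTs it to the Token URL and expects a JSON token response containing access_token. The following is an added example, not Boomi's or Keycloak's code, that builds that request and classifies a few constructed token responses the way a broker would, so you can see which shapes of reply end up as "no access_token" rather than as a clean success. All URLs, credentials and response bodies are placeholders made up for this walk-through.

```python
"""Offline walk-through of the OIDC authorization-code token exchange.

Added example, not Boomi's or Keycloak's implementation. Endpoint URL,
client id/secret and every sample response are constructed placeholders.
"""
import json
from urllib.parse import parse_qs, urlencode

TOKEN_URL = "https://idp.example.invalid/oauth2/token"  # placeholder, assumption


def build_token_request(code, redirect_uri, client_id, client_secret):
    """Form body the broker POSTs to the Token URL (RFC 6749 section 4.1.3).

    redirect_uri must be byte-for-byte the call-back URL registered at the IdP;
    a mismatch is rejected by the IdP before any token is issued.
    """
    params = {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
        "client_id": client_id,
        "client_secret": client_secret,
    }
    return urlencode(params)


def _decode_body(content_type, body):
    """Decode a token response body; None if it is not a usable structure."""
    ct = (content_type or "").split(";")[0].strip().lower()
    try:
        if ct == "application/json":
            return json.loads(body)
        if ct == "application/x-www-form-urlencoded":
            # Some older OAuth servers answer form-encoded instead of JSON.
            return {k: v[0] for k, v in parse_qs(body, strict_parsing=True).items()}
        return json.loads(body)  # unknown type: last attempt as JSON
    except ValueError:
        return None


def classify_token_response(status, content_type, body):
    """Return (ok, reason, fields) for one token-endpoint reply."""
    data = _decode_body(content_type, body)
    if not isinstance(data, dict):
        return (False, f"unparseable token response (HTTP {status}, {content_type!r}): {body[:60]!r}", {})
    if "error" in data:  # RFC 6749 section 5.2 error reply, usually HTTP 400
        return (False, f"IdP rejected the exchange: {data['error']} {data.get('error_description', '')}".strip(), data)
    if status != 200:
        return (False, f"unexpected HTTP {status} with no error field", data)
    if "access_token" not in data:
        return (False, f"no access_token in token response; fields present: {sorted(data)}", data)
    if "id_token" not in data:
        return (True, "access_token present but no id_token (OIDC requires one; check that scope includes openid)", data)
    return (True, "ok", data)


# Constructed sample replies: (HTTP status, Content-Type, body)
SAMPLES = {
    "good_json": (200, "application/json",
                  '{"access_token":"tok123","token_type":"Bearer","id_token":"hdr.body.sig"}'),
    "form_encoded": (200, "application/x-www-form-urlencoded",
                     "access_token=tok123&token_type=bearer&id_token=hdr.body.sig"),
    "no_id_token": (200, "application/json", '{"access_token":"tok123","token_type":"Bearer"}'),
    "id_token_only": (200, "application/json", '{"id_token":"hdr.body.sig","token_type":"Bearer"}'),
    "invalid_grant": (400, "application/json",
                      '{"error":"invalid_grant","error_description":"redirect_uri mismatch"}'),
    "html_page": (200, "text/html", "<html><body>Please sign in</body></html>"),
}


def run_samples():
    """Classify every constructed sample; returns {name: (ok, reason)}."""
    return {name: classify_token_response(*resp)[:2] for name, resp in SAMPLES.items()}


if __name__ == "__main__":
    print("POST", TOKEN_URL)
    print(build_token_request("SplxlOBeZQQYbYS6WxSbIA", "https://broker.example.invalid/callback",
                              "client-id-placeholder", "client-secret-placeholder"))
    for name, (ok, reason) in run_samples().items():
        print(f"{name:14s} ok={ok!s:5s} {reason}")
```

Running it shows that only the first two samples pass cleanly; an HTML login page, an error object, or a reply carrying an id_token but no access_token all surface as the same kind of failure a broker logs, which is why capturing the actual Token URL reply (rather than only the browser redirects) is the useful next step when diagnosing this.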
