The "Non 200 status code (403 Forbidden) returned from https://id.xxxxxxx.com/realms/master/protocol/openid-connect/certs" portion of the error suggests to me that there is something wrong with the JWKS endpoint URL. It doesn't appear that the OpenID support is doing anything wrong, but rather that the IdP is returning a "403 Forbidden" response when Guacamole reaches out to the IdP's JWKS endpoint.
- Mike

On Mon, Jan 16, 2023 at 10:29 AM Ionel GARDAIS <[email protected]> wrote:

> Well, Keycloak 20.0.3 is working fine with auth-openid 1.4.0 for me.
>
> --
> Ionel GARDAIS
> Tech'Advantage CIO - IT Team manager
>
> ------------------------------
> From: "Ionel GARDAIS" <[email protected]>
> To: "user" <[email protected]>
> Sent: Monday 16 January 2023 19:15:03
> Subject: Re: [EXT] auth-openid (1.4.0) not working with latest Keycloak server
>
> Hi Timo,
>
> Can you give Keycloak 20.0.2 a try?
> auth-openid 1.4.0 is working fine for me with this release.
> This would point to whether it's a 20.0.3 issue or an issue with the auth-openid plugin.
>
> --
> Ionel GARDAIS
> Tech'Advantage CIO - IT Team manager
>
> ------------------------------
> From: "Timo Nisula" <[email protected]>
> To: "user" <[email protected]>
> Sent: Monday 16 January 2023 18:01:57
> Subject: [EXT] auth-openid (1.4.0) not working with latest Keycloak server
>
> Hi,
>
> I tried to change auth-openid to use the new Keycloak server but it doesn't work. The old Keycloak server is version 17.0.0 and it works, but when I try to use the new Keycloak server (latest 20.0.3 version) I get an authentication loop.
>
> The Guacamole server log shows the following:
>
> 16:28:13.882 [http-nio-8080-exec-10] INFO o.a.g.a.o.t.TokenValidationService - Rejected invalid OpenID token: JWT processing failed. Additional details: [[17] Unable to process JOSE object (cause: org.jose4j.lang.UnresolvableKeyException: Unable to find a suitable verification key for JWS w/ header {"alg":"RS256","typ" : "JWT","kid" : "LaAKcXQe35CMuemrPU3S3IrkTYh6DqKpF3fmx6kJJdE"} due to an unexpected exception (java.io.IOException: Non 200 status code (403 Forbidden) returned from https://id.xxxxxxx.com/realms/master/protocol/openid-connect/certs) while obtaining or using keys from JWKS endpoint at https://id.xxxxxx.com/realms/master/protocol/openid-connect/certs): JsonWebSignature{"alg":"RS256","typ" : "JWT","kid" : "LaAKcXQe35CMuemrPU3S3IrkTYh6DqKpF3fmx6kJJdE"}->eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJMYUFLY1hRZTM1Q011ZW1yUFUzUzNJcmtUWWg2RHFLcEYzZm14NmtKSmRFIn0.[...].FWmnWHfjxNuLH9aSv4W2oOHiqKYEmczIFA-qw8RioWoSHUZa1mMfMXAaA3VbbeyyXXHzjk-PiItO6V01_F4Y2zbpJCoOl5vN8Si0a80P8mtOPDCel5PoDpqEQU_loF89v4n-V8aoWtEnW6HygW_TePs9qLmMqhtzdt9v4Onytq2An6B6etfvnkGi37cD69z-6nnsPsRs7W9j-tinUKxRq8GZJh15LNmaCHgkZYB9OpDXARY2tbJnc9f3k8StHm6G33HJRv0bPAZGz5p-WbF1Z7Ep2Ts1DGVVVXvsrCT9ho8JTAsBN_7TRps3F5p3HntwA1psfktIHWQ8kGHWgkul5g]
>
> What could be the problem?
>
> -Timo
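The check Mike's diagnosis calls for, written out as an added example (not code from this thread, from Guacamole or from jose4j): fetch the JWKS URL named in the log, surface a non-200 status the way jose4j's UnresolvableKeyException does, and, once the fetch succeeds, confirm that the `kid` in the rejected token's header is actually advertised by the key set. The token, key set and script name below are constructed sample values, not the poster's real token.

```python
# Added diagnostic (not Guacamole/jose4j code): fetch the IdP JWKS and check
# that it advertises the kid Guacamole's token was signed with.
import base64
import json
import urllib.error
import urllib.request

def jwt_header(token: str) -> dict:
    """Decode the unverified JOSE header (first segment) of a compact JWT."""
    seg = token.split(".")[0]
    seg += "=" * (-len(seg) % 4)  # restore the base64url padding JWTs strip
    return json.loads(base64.urlsafe_b64decode(seg))

def keys_for_kid(jwks: dict, kid: str) -> list:
    """JWK entries whose kid matches; jose4j resolves the verifier from these."""
    return [k for k in jwks.get("keys", []) if k.get("kid") == kid]

def fetch_jwks(url: str, timeout: float = 10.0) -> dict:
    """GET the JWKS; a non-200 (the 403 in the log) is reported, not hidden."""
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return json.loads(resp.read())
    except urllib.error.HTTPError as e:
        raise RuntimeError(f"JWKS endpoint {url} answered {e.code} {e.reason}: "
                           "no keys obtained, so no token can be verified") from e

def diagnose(token: str, jwks: dict) -> str:
    """Report whether the signing key the token names is in the key set."""
    kid = jwt_header(token).get("kid")
    hits = keys_for_kid(jwks, kid)
    if not hits:
        return f"kid {kid!r} not advertised by JWKS (wrong realm or rotated key)"
    return f"kid {kid!r} found (kty={hits[0].get('kty')}, alg={hits[0].get('alg')})"

# Constructed sample input: the kid from the thread, a dummy payload and
# signature, and a JWKS that advertises that kid with fake key material.
KID = "LaAKcXQe35CMuemrPU3S3IrkTYh6DqKpF3fmx6kJJdE"
_hdr = json.dumps({"alg": "RS256", "typ": "JWT", "kid": KID}).encode()
SAMPLE_TOKEN = base64.urlsafe_b64encode(_hdr).rstrip(b"=").decode() + ".e30.c2ln"
SAMPLE_JWKS = {"keys": [{"kid": KID, "kty": "RSA", "alg": "RS256",
                         "use": "sig", "n": "AQAB", "e": "AQAB"}]}

if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:  # python jwks_check.py <jwks-url> <jwt>
        print(diagnose(sys.argv[2], fetch_jwks(sys.argv[1])))
    else:
        print(diagnose(SAMPLE_TOKEN, SAMPLE_JWKS))
```

Run against the real endpoint, the 403 from the log surfaces as the RuntimeError before any kid comparison happens, which separates an HTTP-layer refusal from a genuinely missing or rotated key.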
