1
votes

I have a fresh Liferay 7.2 and Keycloak 7 install. I created a Keycloak client for Liferay. I enabled OpenID Connect in Liferay. In Liferay I configured an OpenID Connect provider with the Keycloak OpenID Connect discovery endpoint.

In Liferay I click Login; the login is presented. I click OpenID Connect; the OpenID Connect login page is presented. I click Login with the Keycloak provider selected; the browser is redirected to the Keycloak login page. I enter my user and password and click Log in. My browser is redirected back to Liferay. In Liferay the console looks like this: https://gist.github.com/smitopher/ca8bcb2ccb564eff3a42a1944e8daed7

and the browser shows a Liferay Internal Server Error message

Any suggestions?

Some further debugging shows that when Liferay calls the Keycloak token endpoint, Keycloak returns a 400 HTTP status and an invalid grant message.

1
Unable to validate tokens -> Is Liferay able to reach the Keycloak OpenID Connect discovery endpoint? - Jan Garaj

Yes. Otherwise it would not redirect. - Christopher Smith

Do you have more detail on what the Keycloak token endpoint error shows? - Rob Oxspring

1 Answer

1
votes

I ran into the same problem but later stumbled across a blog post showing a successful configuration which I've reproduced with Liferay 7.2 + Keycloak 4.8.

The key difference between the failures and successes appears to be skipping auto-discovery and instead populating the individual settings directly. It would appear that Liferay doesn't like something in Keycloak's discovery endpoint.
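An added example, not part of the original answer: one way to pull the individual values out of a Keycloak discovery document so they can be entered by hand, with a few sanity checks on the metadata first. The host name, realm name, sample document and the `manual_settings` function are constructed for illustration.

```python
import json
from urllib.parse import urlsplit

# Constructed sample of a Keycloak discovery document (placeholder host and realm).
BASE = "https://keycloak.example.test/auth/realms/demo"
OIDC = BASE + "/protocol/openid-connect"
SAMPLE_DISCOVERY = json.dumps({
    "issuer": BASE,
    "authorization_endpoint": OIDC + "/auth",
    "token_endpoint": OIDC + "/token",
    "userinfo_endpoint": OIDC + "/userinfo",
    "jwks_uri": OIDC + "/certs",
    "subject_types_supported": ["public", "pairwise"],
    "id_token_signing_alg_values_supported": ["RS256", "ES256"],
})

ENDPOINT_KEYS = ("authorization_endpoint", "token_endpoint",
                 "userinfo_endpoint", "jwks_uri")


def manual_settings(discovery_json, expected_issuer):
    """Return (settings, problems) for manual entry of the provider values."""
    doc = json.loads(discovery_json)
    problems = []
    issuer = doc.get("issuer", "")
    # OpenID Connect Discovery requires the issuer in the document to match
    # exactly the issuer the document was retrieved for.
    if issuer != expected_issuer:
        problems.append(f"issuer mismatch: {issuer!r} != {expected_issuer!r}")
    expected_host = urlsplit(expected_issuer).netloc
    settings = {"issuer": issuer}
    for key in ENDPOINT_KEYS:
        value = doc.get(key)
        if not value:
            problems.append(f"missing {key}")
            continue
        url = urlsplit(value)
        if url.scheme != "https":
            problems.append(f"{key} is not https: {value}")
        # A different host is worth a look (e.g. an internal name behind a proxy).
        if url.netloc != expected_host:
            problems.append(f"{key} host {url.netloc!r} differs from issuer host")
        settings[key] = value
    settings["subject_types"] = doc.get("subject_types_supported", [])
    settings["id_token_signing_algs"] = doc.get(
        "id_token_signing_alg_values_supported", [])
    return settings, problems


if __name__ == "__main__":
    values, issues = manual_settings(SAMPLE_DISCOVERY, BASE)
    print(json.dumps(values, indent=2), issues)
```

Against a live server, the JSON would come from the realm's `.well-known/openid-configuration` URL instead of the embedded sample.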