keycloak openid-connect pingfederate

Failed to make identity provider oauth callback: javax.net.ssl.SSLHandshakeException:


I'm trying to use PingFed as an IDP in Keycloak for my application. Keycloak is a standalone server on localhost. Everything works fine when redirecting to PingFed for authentication. After the user is authenticated, it fails with the message in Keycloak "Unexpected error when authenticating with identity provider".

In the logs it's showing:

024-09-10 10:26:51,402 ERROR [org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider] (default task-12) Failed to make identity provider oauth callback: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:130)
    at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:378)
    at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:321)
    at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:316)
    at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.checkServerCerts(CertificateMessage.java:1326)
    at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.onConsumeCertificate(CertificateMessage.java:1203)
    at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.consume(CertificateMessage.java:1146)

I have done IDP integration with Azure AD, OKTA and Google and haven't faced this error. I'm connecting to PingFed using OIDC.


Solution

  • It seems as if your Keycloak application wants to retrieve the OIDC result from PingFed after the user has authenticated. Unfortunately, the TLS handshake between your Keycloak and PingFed fails. The most likely reason is that your Keycloak instance does not trust the TLS certificate of PingFed.

    Make sure that either you use