Unexpected error when authenticating with identity provider KC25

[vi-buuuk]

Describe the bug
After I completed with app credentials (user/pass). Then it redirect to my domain with that error.

Do I miss anything for configuration ?
I already enabled kc_features="preview" (already included token-exchange)

This is logs from keycloak server

2024-09-10 07:00:15,705 WARN [org.keycloak.events] (executor-thread-30) type="RESTART_AUTHENTICATION_ERROR", realmId="73d1d53f-3291-4571-a37f-8690b19fa3ea", realmName="dev", clientId="account-console", userId="null", ipAddress="127.0.0.1", error="invalid_code"

2024-09-10 06:43:55,965 WARN [at.klausbetz.provider.AppleIdentityProvider] (executor-thread-30) Error response from apple: status=400, body={"error":"invalid_client"}

2024-09-10 06:43:55,966 ERROR [at.klausbetz.provider.AppleIdentityProviderEndpoint] (executor-thread-30) Failed to complete apple identity provider oauth callback: java.lang.NullPointerException: Cannot invoke "org.keycloak.broker.provider.BrokeredIdentityContext.getIdpConfig()" because "context" is null

at org.keycloak.services.resources.IdentityBrokerService.authenticated(IdentityBrokerService.java:524)

[klausbetz]

Hi @vi-buuuk,
thx for creating this issue.

Which version of Keycloak and the extension do you use?

At a first glance the logs suggest a problem with the extension itself, as there's a NullPointerException.
However, before the exception occurred, there's a message that indicates a configuration issue:
2024-09-10 06:43:55,965 WARN [at.klausbetz.provider.AppleIdentityProvider] (executor-thread-30) Error response from apple: status=400, body={"error":"invalid_client"}

I know, that setting up Sign-In-With-Apple can get complicated. May I ask you to try to generate an access_token from Apple using this guide?
If that works, your configuration within your Apple Developer Account is valid. Then it's just about Keycloak configuration.

[vi-buuuk]

Hi @klausbetz

Thanks for replying to me.

My current keycloak version is 25.0.4
I already tried guide. But phase 2 already failed

{
"error": "invalid_client"
}

I did as guild from your document for setting apple acoount developer. But don't know what I am missing for that. Can you help me to check it ?

[klausbetz]

Now we know that Keycloak is not part of the equation finding the issue.
May I ask you to check your Apple Developer configuration or create a new configuration using this guide from okta?

[vi-buuuk]

Hi @klausbetz ,

yes I followed by guide from okta

[vi-buuuk]

Hi @klausbetz ,

any news for me. I'm still stuck on that.

[klausbetz]

I'm sorry. I was busy the last days. I still have your issue in mind.

invalid_client is a tricky error, since there's no hint what's wrong.
What we know so far, is, that Keycloak/this extension doesn't cause the issue.

Within the Apple-Developer configuration there can be some obstacles.
Let me think loud here.

You have a Team-ID. So, this one should be valid as this value is set in stone when you register an Apple-Developer account.
You have a Service-ID. The identifier of your app or a specific service, e.g. at.deckweiss.example.service
You have a Key which consists of a Key-ID and the raw p8 key.

When you configure a Service-ID and a Key you have to specify the Primary-App-ID. The Primary-App-ID has to be the same for both.

My guess is that the Primary-App-ID is not the same for both Service-ID and Key.
Can you confirm that the Primary-App-ID is the same?

[vi-buuuk]

Hi @klausbetz,

yes, certainly they're the same, cuz I have only one to select.

[klausbetz]

This issue makes me curious.
I created a new configuration within our company Apple Developer Account... and it works (using Keycloak 25.0.4 and 1.13.0).
Here's what I've done (SIWA = Sign In With Apple):

1. I created a new App ID that has SIWA enabled

2. Then I created a new Service ID with SIWA enabled and related to the App ID

Make sure to use the App ID created in the previous step.
Enter the redirect URI to your Keycloak instance.

3. Then I created a new Key with SIWA enabled and related to the App ID

With this configuration I got a Team ID, Service ID, Key ID and p8 Key.
I used this configuration in our Keycloak instance and I was able to login successfully using SIWA via the browser.

Hope this helps?

Let me know, if there's anything new to you.

[RobinBially]

I did the same but I am also getting this error:

"Error response from apple: status=400, body={\"error\":\"invalid_client\"}"

"Cannot invoke \"org.keycloak.broker.provider.BrokeredIdentityContext.getIdpConfig()\" because \"context\" is null"

edit: fixed it. There were two problems

• I used the newest version of the idp plugin with Keycloak 24 which is incompatible
• I used the Bundle Id (App Id) instead of the Service Id for generating the client secret.

[vi-buuuk]

Hi @RobinBially .

could you share your script to generate secret ?

[vi-buuuk]

Hi @klausbetz could you make a demo video for steps setup

#!/bin/bash

# Function to display usage instructions
function usage() {
    echo "Usage: $0 <key_file> <team_id> <client_id> <key_id>"
    echo
    echo "Arguments:"
    echo "  <key_file>    Path to the private key file (e.g., key.txt)"
    echo "  <team_id>     The team ID (issuer)"
    echo "  <client_id>   The client ID (subject)"
    echo "  <key_id>      The key ID"
    echo
    echo "Example:"
    echo "  $0 key.txt TEAM_ID CLIENT_ID KEY_ID"
    exit 1
}

# Check if exactly 4 arguments are provided
if [ "$#" -ne 4 ]; then
    usage
fi

# Assign command-line arguments to variables
key_file="$1"
team_id="$2"
client_id="$3"
key_id="$4"

# Check if the key file exists
if [ ! -f "$key_file" ]; then
    echo "Error: Key file '$key_file' not found!"
    exit 1
fi

# Read the private key from the key file
ecdsa_key=$(cat "$key_file")

# Create the JWT header
header=$(jq -n --arg kid "$key_id" '{"alg": "ES256", "kid": $kid}' | base64 | tr -d '=' | tr '/+' '_-' | tr -d '\n')

# Create the JWT claims
iat=$(date +%s)
exp=$(($iat + 86400 * 180))

claims=$(jq -n --arg iss "$team_id" --arg iat "$iat" --arg exp "$exp" --arg aud "https://appleid.apple.com" --arg sub "$client_id" \
    '{"iss": $iss, "iat": ($iat | tonumber), "exp": ($exp | tonumber), "aud": $aud, "sub": $sub}' | base64 | tr -d '=' | tr '/+' '_-' | tr -d '\n')

# Combine header and claims for signature
unsigned_token="${header}.${claims}"

# Sign the JWT using the private key (ES256)
signature=$(echo -n "$unsigned_token" | openssl dgst -sha256 -sign <(echo "$ecdsa_key") | openssl dgst -sha256 -binary | base64 | tr -d '=' | tr '/+' '_-' | tr -d '\n')

# Create the final JWT
jwt_token="${unsigned_token}.${signature}"

# Output the JWT
echo "$jwt_token"

This is my bash script to get client secret.
Can you help me try it?

[klausbetz]

Thx for providing the bash script you're using, @vi-buuuk.

Unfortunately, the script threw some errors on my machine and produced invalid tokens. I tried to make the script run on my Mac, but after one hour I gave up on it. Something related to generating the signature did not work as it should.

The ruby script from the troubleshooting guide produced valid tokens.

require 'jwt'

key_file = 'path/to/AuthKey_XYZ.p8'
team_id = ''
client_id = ''
key_id = ''

ecdsa_key = OpenSSL::PKey::EC.new IO.read key_file

headers = {
  'kid' => key_id
}

claims = {
	'iss' => team_id,
	'iat' => Time.now.to_i,
	'exp' => Time.now.to_i + 86400*180,
	'aud' => 'https://appleid.apple.com',
	'sub' => client_id,
}

token = JWT.encode claims, ecdsa_key, 'ES256', headers

puts token

May I ask you to try that instead? Do you need the script for bash specifically?

[vi-buuuk]

Hi @klausbetz ,

Thanks for supported me, actually I'm using mac, so I just wanna use available bash shell in system, it should sync for all scripts as bash shell. It'll break env if some for bash shell , some for different as ruby .

For that's if can you can provide me bash script for consistence.

And for overall , I guess the problem maybe in client secret.

I have just tried ruby script, my bash script generate invalid secret. Now it works with ruby.

Thank you so much!