Proxy setting for Twitter social login


Dheeraj Joshi

May 10, 2021, 8:41:14 AM
to Keycloak Dev
Hello

The Keycloak server is deployed in a lab and can access external IdP providers like Google, Facebook and Twitter using a proxy.

We are adding the proxy using the SPI:

/opt/keycloak/bin/jboss-cli.sh --commands='embed-server --server-config=standalone-ha.xml --remove-existing --std-out=echo, /subsystem=keycloak-server/spi=connectionsHttpClient/provider=default:write-attribute(name=properties.proxy-mappings,value=[".*\\.(google|googleapis|facebook|twitter)\\.com;http://PROXY_IP:PROXY_PORT"])'

With this configuration, social login with Google and Facebook works. However, Twitter fails with a timeout exception:

Caused by: connect timed out
Relevant discussions can be found on the Internet at:
TwitterException{exceptionCode=[8e063946-fe607b57 8e063946-fe607b2d], statusCode=-1, message=null, code=-1, retryAfter=-1, rateLimitStatus=null, version=4.0.7}
at org.tw...@4.0.7//twitter4j.HttpClientImpl.handleRequest(HttpClientImpl.java:185)
at org.tw...@4.0.7//twitter4j.HttpClientBase.request(HttpClientBase.java:57)
at org.tw...@4.0.7//twitter4j.HttpClientBase.post(HttpClientBase.java:86)
at org.tw...@4.0.7//twitter4j.auth.OAuthAuthorization.getOAuthRequestToken(OAuthAuthorization.java:115)
at org.tw...@4.0.7//twitter4j.auth.OAuthAuthorization.getOAuthRequestToken(OAuthAuthorization.java:92)
at org.tw...@4.0.7//twitter4j.TwitterBaseImpl.getOAuthRequestToken(TwitterBaseImpl.java:296)
at org.keycloak.ke...@12.0.4//org.keycloak.social.twitter.TwitterIdentityProvider.performLogin(TwitterIdentityProvider.java:93)
... 75 more
Caused by: java.net.SocketTimeoutException: connect timed out
at java.base/java.net.PlainSocketImpl.socketConnect(Native Method)
at java.base/java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:399)
at java.base/java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:242)

Clearly the proxy has no effect here. I was checking the Twitter doc https://twitter4j.org/en/configuration.html#HTTP%20proxy%20server and the base API looks like https://api.twitter.com/1.1/. Does it mean the proxy definition should add /1.1 to the SPI configuration?

Stian Thorgersen

May 10, 2021, 2:01:22 PM
to Dheeraj Joshi, Keycloak Dev
Not sure what HTTP library is used for Twitter, but it's not integrated in the same way as the others, as Twitter didn't have OAuth 2.0 support at the time we added it. One option would be to see if we can use the HTTP client configured properly from our SPIs, or a better option would be to drop twitter4j and use OAuth 2.0 / OIDC instead, as that would integrate better with Keycloak and remove the twitter4j dependency.


Dheeraj Joshi

May 10, 2021, 11:19:33 PM
to Keycloak Dev
Thanks for the reply. 
As per the Twitter doc https://twitter4j.org/en/configuration.html#HTTP%20proxy%20server the HTTP proxy server can be specified using the http.proxyHost and http.proxyPort parameters.
Does the SPI internally set the same properties (http.proxyHost and http.proxyPort)?

Stian Thorgersen

May 11, 2021, 5:41:25 AM
to Dheeraj Joshi, Keycloak Dev
Here's the code that sets proxy for everything that uses Apache HttpClient:

I do think the more proper solution is to drop Twitter4j though.


Dheeraj Joshi

May 11, 2021, 6:07:04 AM
to Keycloak Dev
Hi
I was able to get it to work by passing the proxy as JAVA_OPTS:

-Dhttp.proxyHost=87.254.212.120 -Dhttp.proxyPort=8080

Now authentication is working as expected. 
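
An added example, not part of the thread and not Keycloak's own code: a small model of how the `proxy-mappings` entry from the first post selects a proxy. It assumes, following Keycloak's documented behaviour, that each `hostnamePattern;proxyUri` entry is matched as a full regex against the target hostname only and that the first match wins; Python's `re` stands in for Java's regex engine, and the sample URLs other than `https://api.twitter.com/1.1/` are constructed. It shows that the `/1.1` path plays no part in the match and that `api.twitter.com` is already covered by the pattern, which is consistent with the thread's conclusion that twitter4j does not use the SPI-configured client.

```python
import re
from urllib.parse import urlsplit

# Mapping from the jboss-cli command in the thread, after the CLI's "\\." is
# unescaped to "\.". PROXY_IP:PROXY_PORT is the thread's own placeholder.
PROXY_MAPPINGS = [r".*\.(google|googleapis|facebook|twitter)\.com;http://PROXY_IP:PROXY_PORT"]

def parse_mappings(entries):
    """Split each 'hostnamePattern;proxyUri' entry and compile the hostname regex."""
    parsed = []
    for entry in entries:
        pattern, sep, proxy = entry.partition(";")
        if not sep or not proxy:
            raise ValueError(f"malformed proxy mapping: {entry!r}")
        parsed.append((re.compile(pattern), proxy))
    return parsed

def proxy_for(url, mappings):
    """Return the proxy of the first pattern that fully matches the URL's
    hostname, or None for a direct connection. The path is never consulted
    (assumed behaviour, see lead-in)."""
    host = urlsplit(url).hostname or ""
    for pattern, proxy in mappings:
        if pattern.fullmatch(host):
            return proxy
    return None

# Constructed sample endpoints, except the Twitter base API URL quoted in the thread.
SAMPLE_URLS = [
    "https://api.twitter.com/1.1/",
    "https://accounts.google.com/o/oauth2/v2/auth",
    "https://www.googleapis.com/oauth2/v3/userinfo",
    "https://graph.facebook.com/me",
    "https://twitter.com/",                  # bare domain: nothing before ".twitter.com"
    "https://api.twitter.com.example.net/",  # look-alike host: must not be proxied
]

def report(urls=SAMPLE_URLS, entries=PROXY_MAPPINGS):
    """Map each URL to the proxy the mapping list would select (None = direct)."""
    mappings = parse_mappings(entries)
    return {url: proxy_for(url, mappings) for url in urls}

if __name__ == "__main__":
    for url, proxy in report().items():
        print(f"{url:48} -> {proxy or 'DIRECT'}")
```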
