Reputation: 391
I have set up Keycloak on Kubernetes with a new realm created with Google and GitHub as external identity providers. I created a simple Spring Security app configuring the authorization with Keycloak. I could authenticate with internal users and the flow is working as expected. But when using the external identity providers Google or GitHub, it fails with a similar exception. In the log, it shows
ERROR [org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider] (default task-33) Failed to make identity provider oauth callback: java.net.UnknownHostException: oauth2.googleapis.com: Name or service not known
at java.base/java.net.Inet4AddressImpl.lookupAllHostAddr(Native Method)
at java.base/java.net.InetAddress$PlatformNameService.lookupAllHostAddr(InetAddress.java:929)
at java.base/java.net.InetAddress.getAddressesFromNameService(InetAddress.java:1515)
at java.base/java.net.InetAddress$NameServiceAddresses.get(InetAddress.java:848)
at java.base/java.net.InetAddress.getAllByName0(InetAddress.java:1505)
at java.base/java.net.InetAddress.getAllByName(InetAddress.java:1364)
at java.base/java.net.InetAddress.getAllByName(InetAddress.java:1298)
at org.apache.httpcomponents.core//org.apache.http.impl.conn.SystemDefaultDnsResolver.resolve(SystemDefaultDnsResolver.java:45)
at org.apache.httpcomponents.core//org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:112)
at org.apache.httpcomponents.core//org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:376)
at org.apache.httpcomponents.core//org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:393)
at org.apache.httpcomponents.core//org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:236)
at org.apache.httpcomponents.core//org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:186)
at org.apache.httpcomponents.core//org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:89)
at org.apache.httpcomponents.core//org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:110)
at org.apache.httpcomponents.core//org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:185)
at org.apache.httpcomponents.core//org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:83)
at org.apache.httpcomponents.core//org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:108)
at org.apache.httpcomponents.core//org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:56)
at [email protected]//org.keycloak.broker.provider.util.SimpleHttp.makeRequest(SimpleHttp.java:222)
at [email protected]//org.keycloak.broker.provider.util.SimpleHttp.asResponse(SimpleHttp.java:180)
at [email protected]//org.keycloak.broker.provider.util.SimpleHttp.asString(SimpleHttp.java:172)
at [email protected]//org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider$Endpoint.authResponse(AbstractOAuth2IdentityProvider.java:470)
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.base/java.lang.reflect.Method.invoke(Method.java:566)
at [email protected]//org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:138)
at [email protected]//org.jboss.resteasy.core.ResourceMethodInvoker.internalInvokeOnTarget(ResourceMethodInvoker.java:526)
Is that because Keycloak is running in a Kubernetes cluster? The stack trace shows java.net.UnknownHostException: oauth2.googleapis.com and I am not sure how to overcome this error. Please let me know.
Upvotes: 1
Views: 1787
Reputation: 391
A little background on this issue. Environment: Minikube started with driver=none, Kubernetes, Keycloak with Helm cluster using existing postgres-ha 11 running on Ubuntu 19.04
To test ping: I deployed Kubernetes dnsutils and followed the debugging steps. I could not ping google.com from inside the pod. Also the command
kubectl get pods --namespace=kube-system -l k8s-app=kube-dns
showed that CoreDNS was not ready or running. This was the cause of this issue. After digging through a few other posts, especially this one, I fixed CoreDNS to start and the rest of the things worked. HTH.
Upvotes: 2
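The check described in the answer above, as an added example that is not part of the original posts: it flags kube-dns pods that are not fully ready, using the `kubectl get pods` command from the answer, and then resolves the token endpoint host from the stack trace inside the cluster. The function names, the constructed sample output with made-up pod names, and the pod name `dnsutils` are assumptions.

```shell
#!/bin/sh
# Added example: triage for the UnknownHostException raised during the
# identity provider callback. Names below are illustrative assumptions.

# Constructed sample of the output of
#   kubectl get pods --namespace=kube-system -l k8s-app=kube-dns
# for a cluster in the broken state (pod names are made up).
SAMPLE_OUTPUT='NAME                       READY   STATUS             RESTARTS   AGE
coredns-aaaaaaaaaa-bbbbb   0/1     CrashLoopBackOff   12         40m
coredns-aaaaaaaaaa-ccccc   1/1     Running            0          40m
coredns-aaaaaaaaaa-ddddd   0/1     Running            0          40m'

# Reads a `kubectl get pods` table on stdin and prints "name ready status"
# for every pod whose containers are not all ready or whose status is not
# Running. Exit status is 1 if at least one such pod was found, else 0.
unhealthy_dns_pods() {
    awk 'NR > 1 && NF >= 3 {
        split($2, r, "/")
        if (r[1] != r[2] || $3 != "Running") { print $1, $2, $3; bad = 1 }
    }
    END { exit (bad ? 1 : 0) }'
}

# Live variant. Assumes kubectl access and a running pod named "dnsutils"
# (the DNS debugging pod mentioned in the answer).
live_check() {
    kubectl get pods --namespace=kube-system -l k8s-app=kube-dns \
        | unhealthy_dns_pods \
        || echo "CoreDNS is not healthy: fix cluster DNS before Keycloak" >&2
    # The host Keycloak failed to resolve in the stack trace.
    kubectl exec dnsutils -- nslookup oauth2.googleapis.com
}

if [ "${1:-}" = "live" ]; then
    live_check
else
    # Offline demonstration on the constructed sample.
    printf '%s\n' "$SAMPLE_OUTPUT" | unhealthy_dns_pods || true
fi
```

Run with the argument `live` against a real cluster; with no argument it only evaluates the constructed sample.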