I have keycloak 9.0.0 installed on ubuntu 18, and have set up ORCiD as an identity provider.
When a user tries to log in using ORCiD, they get the message: "We are sorry... Unexpected error when authenticating with identity provider"
When I look at the logs, there is an error: "Numeric value (2225265999) out of range of int". It seems like "exp" is being returned as a large integer, but keycloak isn't accepting it**.
The log is below (partly anonymized for security):
Caused by: org.keycloak.jose.jws.JWSInputException: com.fasterxml.jackson.databind.JsonMappingException: Numeric value (2225265999) out of range of int
at [Source: (byte[])"{"at_hash":"c_ZGpdmc4SRhqu_HuKraMg","aud":"CLIENT-ID","sub":"0000-0000-0000-0000","auth_time":1594127478,"iss":"https:\/\/orcid.org","exp":2225265999,"given_name":"Name","iat":1594127480,"nonce":"xiYL_3IyrnkbPel78RtPgQ","family_name":"Lastname","jti":"25414b35-39a0-44c2-8333-d69378d878f9"}"; line: 1, column: 151] (through reference chain: org.keycloak.representations.JsonWebToken["exp"])
at org.keycloak.jose.jws.JWSInput.readJsonContent(JWSInput.java:104)
at org.keycloak.broker.oidc.OIDCIdentityProvider.validateToken(OIDCIdentityProvider.java:530)
... 75 more
Caused by: com.fasterxml.jackson.databind.JsonMappingException: Numeric value (2225265999) out of range of int
at [Source: (byte[])"{"at_hash":"c_ZGpdmc4SRhqu_HuKraMg","aud":"CLIENT-ID","sub":"0000-0000-0000-0000","auth_time":1594127478,"iss":"https:\/\/orcid.org","exp":2225265999,"given_name":"Name","iat":1594127480,"nonce":"xiYL_3IyrnkbPel78RtPgQ","family_name":"Lastname","jti":"25414b35-39a0-44c2-8333-d69378d878f9"}"; line: 1, column: 151] (through reference chain: org.keycloak.representations.JsonWebToken["exp"])
at com.fasterxml.jackson.databind.JsonMappingException.wrapWithPath(JsonMappingException.java:394)
at com.fasterxml.jackson.databind.JsonMappingException.wrapWithPath(JsonMappingException.java:353)
at com.fasterxml.jackson.databind.deser.BeanDeserializerBase.wrapAndThrow(BeanDeserializerBase.java:1711)
at com.fasterxml.jackson.databind.deser.BeanDeserializer.vanillaDeserialize(BeanDeserializer.java:290)
at com.fasterxml.jackson.databind.deser.BeanDeserializer.deserialize(BeanDeserializer.java:151)
at com.fasterxml.jackson.databind.ObjectMapper._readMapAndClose(ObjectMapper.java:4014)
at com.fasterxml.jackson.databind.ObjectMapper.readValue(ObjectMapper.java:3092)
at org.keycloak.util.JsonSerialization.readValue(JsonSerialization.java:71)
at org.keycloak.jose.jws.JWSInput.readJsonContent(JWSInput.java:102)
... 76 more
Caused by: com.fasterxml.jackson.core.JsonParseException: Numeric value (2225265999) out of range of int
at [Source: (byte[])"{"at_hash":"c_ZGpdmc4SRhqu_HuKraMg","aud":"CLIENT-ID","sub":"0000-0000-0000-0000","auth_time":1594127478,"iss":"https:\/\/orcid.org","exp":2225265999,"given_name":"Name","iat":1594127480,"nonce":"xiYL_3IyrnkbPel78RtPgQ","family_name":"Lastname","jti":"25414b35-39a0-44c2-8333-d69378d878f9"}"; line: 1, column: 161]
at com.fasterxml.jackson.core.JsonParser._constructError(JsonParser.java:1804)
at com.fasterxml.jackson.core.base.ParserMinimalBase._reportError(ParserMinimalBase.java:693)
at com.fasterxml.jackson.core.base.ParserBase.convertNumberToInt(ParserBase.java:886)
at com.fasterxml.jackson.core.base.ParserBase._parseIntValue(ParserBase.java:801)
at com.fasterxml.jackson.core.base.ParserBase.getIntValue(ParserBase.java:645)
at com.fasterxml.jackson.databind.deser.std.NumberDeserializers$IntegerDeserializer.deserialize(NumberDeserializers.java:472)
at com.fasterxml.jackson.databind.deser.std.NumberDeserializers$IntegerDeserializer.deserialize(NumberDeserializers.java:452)
at com.fasterxml.jackson.databind.deser.impl.FieldProperty.deserializeAndSet(FieldProperty.java:138)
at com.fasterxml.jackson.databind.deser.BeanDeserializer.vanillaDeserialize(BeanDeserializer.java:288)
... 81 more
** I realize this question is similar to the one asked here, but since ORCiD is a major identity provider, I want to know if anyone else has had success using it with keycloak and how they set it up.
** EDIT (2020-10-06): This issue has been resolved by an update in the ORCiD code.
This concern is currently being addressed on the ORCID product roadmap. It is being actively worked on, but there isn't a timeline on when this will happen. You can follow the progress at that link.
There is also a discussion thread about this on the ORCID API User Group.
This information was given to me by an ORCiD representative.
** EDIT (2020-10-06): This issue has been resolved by an update in the ORCiD code.
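A quick way to check an identity provider's ID token for the failure in the log above, as an added example that is not part of the original question or answer and is not Keycloak's code: it decodes the token payload and reports time claims that do not fit a signed 32-bit integer, the type the stack trace shows `exp` being read as. The sample token is constructed from the claim values in the log, the function names are hypothetical, and the signature is not verified.

```python
import base64
import json

INT32_MAX = 2**31 - 1  # largest value a Java int can hold
INT32_MIN = -2**31
# Standard JWT/OIDC time claims (seconds since the epoch).
NUMERIC_DATE_CLAIMS = ("exp", "iat", "nbf", "auth_time")


def b64url_decode(segment: str) -> bytes:
    """Decode an unpadded base64url JWT segment."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def int32_overflow_claims(jwt: str) -> dict:
    """Return the time claims whose value does not fit a signed 32-bit int.

    Inspects the payload only; it does not verify the signature.
    """
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWS with three segments")
    claims = json.loads(b64url_decode(parts[1]))
    flagged = {}
    for name in NUMERIC_DATE_CLAIMS:
        value = claims.get(name)
        if isinstance(value, bool) or not isinstance(value, (int, float)):
            continue  # claim absent or not numeric
        if value > INT32_MAX or value < INT32_MIN:
            flagged[name] = value
    return flagged


def make_sample_token(claims: dict) -> str:
    """Build a constructed token with a dummy signature for the demonstration."""
    def enc(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([enc({"alg": "RS256"}), enc(claims), "c2lnbmF0dXJl"])


# Constructed sample using the numeric claim values shown in the log.
SAMPLE = make_sample_token({
    "iss": "https://orcid.org", "aud": "CLIENT-ID",
    "auth_time": 1594127478, "iat": 1594127480, "exp": 2225265999,
})

if __name__ == "__main__":
    for claim, value in int32_overflow_claims(SAMPLE).items():
        print(f"{claim}={value} exceeds int32 max {INT32_MAX}")
```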