Keycloak OIDC and AWS ALBs - keycloak

Is there a way to get Keycloak to work as an OIDC Provider for AWS ALBs?
I have tried and tried and I am just getting stuck with 500 Internal Server.
I created a new confidential client and provided the ALB with the clientID and secret as well as the OIDC Urls. I read a few years back about an issue with Bearer vs bearer in the headers, but I couldn't validate that this was the issue, or that it is still an issue with ALBs.
Any help is appreciated.
EDIT: This is my configuration. I have adjusted the URLs to be generic.
AWS -
Issuer: https://login.example.com/auth/realms/example
Auth Endpoint: https://login.example.com/auth/realms/example/protocol/openid-connect/auth
Token Endpoint: https://login.example.com/auth/realms/example/protocol/openid-connect/token
User info Endpoint: https://login.example.com/auth/realms/example/protocol/openid-connect/userinfo
Client ID: ExampleApp
Client secret: supersecret
aws_oidc_settings
Keycloak -
Client ID: ExampleApp
Root URL: https://li.stagingweb.example.com
Valid Redirect URIs: https://li.stagingweb.example.com/*
Admin URL: https://li.stagingweb.example.com
Web Origins: https://li.stagingweb.example.com/*
keycloak_client_settings
keycloak_cred_settings
The response I get back from this configuration is just a 500 error. The Load Balancer logs report:
5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.122 Safari/537.36" ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 -"li.stagingweb.example.com" -1 2020-04-27T18:11:34.497000Z "authenticate" "-" "AuthTokenEpRequestFailed" "-" "-"
This is the request that gets the 500 error:
https://li.stagingweb.example.com/oauth2/idpresponse?state=PWISnbHmRCVpxmqyn%2FrKsHdJzbKFnfz5GxhnlCyVdnxRVV%2F9kvj7O0JCjQOuf1DNL08h821PorJGGa3%2F4fzFymulG8sS%2FxhLFQS5gNrpuQyCf9DCzrwFxkIbG3I2sHywK7%2FeDmfYUH6Rej%2FEJ4RQwdjpjm76Z1wycw%2FGjQIRxehaTqNtCS%2FdXhm2oag%2FBnY%2FkuMiB8Q%3D&session_state=3a94a1d6-5e75-491b-a231-e4a1a469e5cb&code=23364bac-92e9-4094-9dc3-19c15eb42e7c.3a94a1d6-5e75-491b-a231-e4a1a469e5cb.9723ee49-5bca-4ff6-8a13-f7539b0bc28c
Hopefully I didn't post any info I shouldn't have :)

Related

Rocket Chat SAML - ADFS Logout issue

I’m trying to use SAML with ADFS as identity provider but I got an issue during log-out that is blocking it. When I click on log-out I’m redirect to the ADFS webpage but I get stucked on error MSIS7054. As far as I understand it seems to be an issue with the certification during the log-out procedure.
Anyone could help me?
Here the details and logs…
Error from the log-out ADFS webpage:
Activity ID: 02d14948-b72a-4ae4-720d-0080010000d5
Error details: MSIS7054: The SAML logout did not complete properly.
Node name: 07f6ffc9-3f3b-4eed-96ab-2d56388c1d68
Error time: Wed, 09 Nov 2022 16:19:16 GMT
Cookie: enabled
User agent string: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:106.0) Gecko/20100101 Firefox/106.0
ADFS logs:
The verification of the SAML message signature failed.
Message issuer: https://**********/rocket-chat/_saml/metadata/adfs-*****-com
Exception details:
MSIS7084: SAML logout request and logout response messages must be signed when using SAML HTTP Redirect or HTTP POST binding.
This request failed.
User Action
Verify that the message issuer configuration in the AD FS configuration database is up to date.
Configure the signing certificate for the specified issuer.
Verify that the issuer’s certificate is up to date.
Verify the issuer and server message signing requirements.
Rocket Chat logs:
I20221110-16:26:30.571(1) [2022-11-10T15:26:30.570Z] USERLVL (Meteor/31310 on ip-172-31-31-65): method: “samlLogout” userId: “iBDrzNcQ6B2W8DWgd” userAgent: “Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36” referer: “” remoteIP: “*******” instanceId: “S7hZq3dHP8DMjA6EJ” I20221110-16:26:30.577(1) [2022-11-10T15:26:30.577Z] USERLVL (API/31310 on ip-172-31-31-65): status: 200 responseTime: 7 method: “POST” url: “/api/v1/method.call/samlLogout” userId: “iBDrzNcQ6B2W8DWgd” userAgent: “Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36” length: “111” host: “**" referer: “” remoteIP: "”
Server Setup Information
Version of Rocket.Chat Server: 4.1.0-17.7
Operating System: Debian 9
Deployment Method: tar
Number of Running Instances: 1
DB Replicaset Oplog:
NodeJS Version: 12.22.1
MongoDB Version: 5.0.2
Proxy: nginx
Firewalls involved: yes
I've tried multiple configurations on either side but nothing worked.

Trying to get user credentials to pass through a ProxyPass

We have a site using Windows authentication sitting behind a firewall that we are accessing through ProxyPass. We then need to access an API application on the same server, but are receiving a 401 unauthorized error when using rewrite_proxy rules when we try to access it. How can we pass the credentials for authentication?
To perform the initial redirect from the secure serve to the internal application server:
In the https.conf file
ProxyPass /blastdev/ http://10.0.212.198/blastdev/
This seems to be working correctly and is loading the content on the page until we reach the api calls:
in the .htaccess file
RewriteCond %{REQUEST_URI} ^/blastdev/blast(.*)
RewriteHeader X-Remote-User: .* %{REMOTE_USER}
RewriteHeader X-Logon-User: .* %{LOGON_USER}
RewriteHeader AUTH_TYPE: .* %{AUTH_TYPE}
RewriteProxy ^/blast/(.*)$ http://10.0.212.198/blast/$1 [NC, A, CR]
simply to try to show any user information. All fields are showing blank though.
Here are the headers we are currently sending:
Headers:
'Cache-Control'='no-cache'
'Pragma'='no-cache'
'Expires'='Sat, 01 Jan 2000 00:00:00 GMT'
'Accept'='application/json, text/plain, */*'
'Accept-Encoding'='gzip, deflate'
'Accept-Language'='en-US,en;q=0.9'
'Referer'='http://dev.*******.com/blastdev/'
'User-Agent'='Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.121 Safari/537.36'
'X-REQUEST-URI'='/blastdev/blast/api/usermanager/'
'X-Rewrite-Url'='/blastdev/blast/api/usermanager/'
'X-Original-Url'='/blastdev/blast/api/usermanager/'
'X-logio_http_input_size'='0'
'X-logio_request_headers_size'='746'
'X-Remote-User'=''
'X-Logon-User'=''
'AUTH_TYPE'=''
'Max-Forwards'='10'
'X-Forwarded-Host'='dev.*******.com'
'X-Forwarded-For'='10.1.13.42'
'X-Forwarded-Server'='10.0.90.54'
We need to be able to access the current user if they are AD authenticated and see that they are anonymous if not.
Any additional assistance in tests we can run for further troubleshooting would also be appreciated.

Why cannot my app create fitness.runs for test users?

My web app can successfully create fitness.runs for myself and friends, but not for test users (created in the Test Users view of the Roles tab of the App's Dashboard). So I have a problem getting the app approved in the review, required for explicit sharing.
The app makes the following HTTP request to create (line breaks in content for readability):
POST /me/fitness.runs HTTP/1.1
Content-Type: application/x-www-form-urlencoded
course=https%3A%2F%2Fbroker-web.appspot.com%2Fpub%2Fcourse%2FagxzfmJyb2tlci13ZWJyLAsSDERQYXJ0aWNpcGFudBiAgICA_fCfCgwLEgZEU3BsaXQYgICAgICAgAoM
&start_time=2014-04-30T13%3A43%3A46
&expires_in=86400
&object=%7B%22app_id%22%3A%22255653361131262%22%2C%22title%22%3A%22Demo+410m%22%7D
&access_token=ACCESS_TOKEN
The successful response contains the action id (for myself and friends), and for test users the following error message is returned:
HTTP 500 OK
{error={message=An unexpected error has occurred. Please retry your request later., type=OAuthException, code=2}}
The crawler was successful visiting the object:
89.236.16.14 - - [30/Apr/2014:06:45:13 -0700] "GET /pub/course/agxzfmJyb2tlci13ZWJyLAsSDERQYXJ0aWNpcGFudBiAgICA_fCfCgwLEgZEU3BsaXQYgICAgICAgAoM HTTP/1.1" 200 6211 -
"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.116 Safari/537.36"
"broker-web.appspot.com" ms=135 cpu_ms=41 cpm_usd=0.000694 app_engine_release=1.9.4 instance=00c61b117ce48a0349d573d3cd16b02587ffe00b
My app was using the wrong FB app ID when creating the action. That is an issue only for Test Users, as they exist for the correct FB App only.

Google Chrome doesn't perform POST in a Facebook Canvas Tab application

I believe this is a difficult question to answer.
I've configured my facebook application with the following options:
Page Tab URL: https://www.myapp.com.br/
Secure Page Tab URL: https://www.myapp.com.br/
(both are secure urls and use HTTPS protocol)
Browsers like Firefox and Safari are working fine, sending a POST request to the server when I open the Page Tab with http or https protocol.
However, Google Chrome performs a GET request when using facebook with http. This request doesn't contain the signed_request.
I've spent a lot of time trying to fix this and I still don't understand why this is happening. Can anyone explain and provide a solution?
Update (more info)
The application was written with Ruby on Rails. It was deployed with Nginx + Passenger. The following is the configuration of the application with nginx:
server {
listen 80;
listen 443 default ssl;
server_name www.myapp.com.br;
passenger_enabled on;
root /my/app/rails/folder/public;
# workaround to get rid of infinite loops while using ssl
passenger_set_cgi_param HTTP_X_FORWARDED_PROTO https;
}
Rails configuration is to force ssl.
Nginx access log with a Firefox request to the facebook page tab:
201.87.25.128 - - [25/Nov/2011:19:16:47 -0200] "POST / HTTP/1.1" 200 9693 "http://static.ak.facebook.com/platform/page_proxy.php?v=4"
"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:6.0.2) Gecko/20100101
Firefox/6.0.2"
Nginx access log with a Google Chrome request to the facebook page tab:
201.87.25.128 - - [25/Nov/2011:19:19:07 -0200] "GET / HTTP/1.1" 200 9678 "http://static.ak.facebook.com/platform/page_proxy.php?v=4"
"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_2) AppleWebKit/535.2
(KHTML, like Gecko) Chrome/15.0.874.121 Safari/535.2"
Nginx access log with a Google Chrome request to the facebook SECURE page tab:
201.87.25.128 - - [25/Nov/2011:19:18:43 -0200] "POST / HTTP/1.1" 200 9678 "https://s-static.ak.facebook.com/platform/page_proxy.php?v=4"
"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_2) AppleWebKit/535.2
(KHTML, like Gecko) Chrome/15.0.874.121 Safari/535.2"

How to access url that requires http authenticate in c/c++/command line?

http://admin:123456#192.168.1.178/videostream.cgi
To access a url that doesn't require http authenticate it's quite easy:
telnet 192.168.1.178 80
Get /videostream.cgi HTTP/1.1
Accept: text/html;text/plain
User-agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.13) Gecko/20100914 Firefox/3.5.13
Connection: close
But how to specify admin:123456?
See the RFC or This Wikipedia article.
It can be educational to use Wireshark, or some other LAN sniffer, to watch what a browser and server do when you access a URL with embedded credentials such as your http://admin:123456#192.168.1.178/videostream.cgi
For basic authentication, you specify the username and password as username:password, then Base64-encode it and use it as an argument to the Authentication header:
Authorization: Basic YXNkZjoxMjM0
YXNkZjoxMjM0 decodes to asdf:1234; I used curl -u adsf:1234 (specifying the username "asdf" and password "1234") to produce this result.