Keycloak "there was no code" after authentication with a custom OpenID Provider - keycloak

I followed a quickstart called "app-profile-jee-vanilla" to add an application to a Keycloak server. After that, I enabled login with Google. So far, so good.
Now I wanted to add a custom OpenID provider. I developed the OpenID provider (still a work in progress; I need to add all the error responses), however, when the flow finishes successfully, the user is redirected to Keycloak's login page instead of going to Vanilla authenticated. "Vanilla" logs say:
10:48:18,845 DEBUG [io.undertow.request] (default I/O-1) Matched prefix path /vanilla for path /vanilla/profile.jsp
10:48:18,847 DEBUG [org.keycloak.adapters.PreAuthActionsHandler] (default task-57) adminRequest https://localhost:8443/vanilla/profile.jsp
10:48:18,848 DEBUG [io.undertow.request.security] (default task-57) Security constraints for request /vanilla/profile.jsp are [SingleConstraintMatch{emptyRoleSemantic=AUTHENTICATE, requiredRoles=[]}]
10:48:18,848 DEBUG [io.undertow.request.security] (default task-57) Authenticating required for request HttpServerExchange{ GET /vanilla/profile.jsp request {accept=[text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8], accept-language=[en-GB,en-US;q=0.9,en;q=0.8], cache-control=[max-age=0], accept-encoding=[gzip, deflate, br], dnt=[1], user-agent=[Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.132 Safari/537.36], cookie=[JSESSIONID=Cqd-3jIqTC4Mpszlilw-0HxgAEFyKLZ6i49X7irA.id3698, JSESSIONID=6B32E6C903620A3ACCB305C764A239AE], referer=[https://localhost:8444/Login.jsp?scope=openid&state=wjLUKD-74VoKSIxMNrGgxfsfk2iT7PkELy3RWoB9tg4.0dafd6d9-6253-4356-88fa-29d565dcbc49&response_type=code&client_id=this-is-a-client-id&redirect_uri=https%3A%2F%2Flocalhost%3A8543%2Fauth%2Frealms%2Fdemo%2Fbroker%2Fcustom-oidc%2Fendpoint], upgrade-insecure-requests=[1], Host=[localhost:8443]} response {X-Powered-By=[Undertow/1], Server=[WildFly/10]}}
10:48:18,849 DEBUG [io.undertow.request.security] (default task-57) Setting authentication required for exchange HttpServerExchange{ GET /vanilla/profile.jsp request {accept=[text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8], accept-language=[en-GB,en-US;q=0.9,en;q=0.8], cache-control=[max-age=0], accept-encoding=[gzip, deflate, br], dnt=[1], user-agent=[Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.132 Safari/537.36], cookie=[JSESSIONID=Cqd-3jIqTC4Mpszlilw-0HxgAEFyKLZ6i49X7irA.id3698, JSESSIONID=6B32E6C903620A3ACCB305C764A239AE], referer=[https://localhost:8444/Login.jsp?scope=openid&state=wjLUKD-74VoKSIxMNrGgxfsfk2iT7PkELy3RWoB9tg4.0dafd6d9-6253-4356-88fa-29d565dcbc49&response_type=code&client_id=this-is-a-client-id&redirect_uri=https%3A%2F%2Flocalhost%3A8543%2Fauth%2Frealms%2Fdemo%2Fbroker%2Fcustom-oidc%2Fendpoint], upgrade-insecure-requests=[1], Host=[localhost:8443]} response {X-Powered-By=[Undertow/1], Server=[WildFly/10]}}
10:48:18,851 DEBUG [org.keycloak.adapters.elytron.KeycloakHttpServerAuthenticationMechanismFactory] (default task-57) Evaluating request for path [https://localhost:8443/vanilla/profile.jsp]
10:48:18,852 DEBUG [org.keycloak.adapters.PreAuthActionsHandler] (default task-57) adminRequest https://localhost:8443/vanilla/profile.jsp
10:48:18,861 DEBUG [org.keycloak.adapters.elytron.ElytronSessionTokenStore] (default task-57) Account was not in session, returning null
10:48:18,861 DEBUG [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-57) there was no code
10:48:18,861 DEBUG [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-57) redirecting to auth server
10:48:18,862 DEBUG [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-57) callback uri: https://localhost:8443/vanilla/profile.jsp
10:48:18,863 DEBUG [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-57) Sending redirect to login page: https://localhost:8543/auth/realms/demo/protocol/openid-connect/auth?response_type=code&client_id=vanilla&redirect_uri=https%3A%2F%2Flocalhost%3A8443%2Fvanilla%2Fprofile.jsp&state=65f979c1-e062-4e71-9c14-f350c5189b16&login=true&scope=openid
Keycloak logs say:
10:48:14,533 DEBUG [org.keycloak.services.resources.IdentityBrokerService] (default task-19) Got authorization code from client [vanilla].
10:48:14,549 DEBUG [org.keycloak.services.resources.IdentityBrokerService] (default task-19) Authorization code is valid.
...
10:48:14,750 DEBUG [org.keycloak.events] (default task-21) type=LOGIN, realmId=demo, clientId=vanilla, userId=b87b0a03-2418-4274-af4a-34dec666d376, ipAddress=127.0.0.1, auth_method=broker, identity_provider=custom-oidc, response_type=code, redirect_uri=https://localhost:8443/vanilla/profile.jsp, consent=persistent_consent, identity_provider_identity=tentativa123oiu123oiu, code_id=0dafd6d9-6253-4356-88fa-29d565dcbc49, username=tentativa123oiu123oiu, response_mode=query
10:48:14,751 DEBUG [org.keycloak.services.managers.AuthenticationManager] (default task-21) Removing old user session: session: 553c5ae6-c713-4009-96c3-d7cd5798f702
10:48:14,761 DEBUG [org.keycloak.services.managers.AuthenticationManager] (default task-21) Create login cookie - name: KEYCLOAK_IDENTITY, path: /auth/realms/demo, max-age: -1
...
10:48:15,505 DEBUG [org.keycloak.authentication.AuthenticationProcessor] (default task-18) AUTHENTICATE CLIENT
10:48:15,512 DEBUG [org.keycloak.authentication.ClientAuthenticationFlow] (default task-18) client authenticator: client-secret
10:48:15,513 DEBUG [org.keycloak.authentication.ClientAuthenticationFlow] (default task-18) client authenticator SUCCESS: client-secret
10:48:15,513 DEBUG [org.keycloak.authentication.ClientAuthenticationFlow] (default task-18) Client vanilla authenticated by client-secret
10:48:15,514 DEBUG [org.keycloak.protocol.oidc.endpoints.TokenEndpoint] (default task-18) Adapter Session 'Cqd-3jIqTC4Mpszlilw-0HxgAEFyKLZ6i49X7irA' saved in ClientSession for client 'vanilla'. Host is 'id3698'
10:48:15,650 DEBUG [org.keycloak.events] (default task-18) type=CODE_TO_TOKEN, realmId=demo, clientId=vanilla, userId=b87b0a03-2418-4274-af4a-34dec666d376, ipAddress=127.0.0.1, client_session_host=id3698, token_id=834c1b6f-9692-453b-94ee-604db2a1ffc4, grant_type=authorization_code, refresh_token_type=Refresh, client_session_state=Cqd-3jIqTC4Mpszlilw-0HxgAEFyKLZ6i49X7irA, refresh_token_id=b8d8ba7c-3a0c-4012-9cdb-ab99d6ccaa11, code_id=0dafd6d9-6253-4356-88fa-29d565dcbc49, client_auth_method=client-secret
In Keycloak, I tried to turn on the Cookie authentication flow. When I do this, after logging in, the browser just enters a redirect loop.
Does anyone have any idea of what might be wrong here? What am I missing?
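A check worth running on the adapter log above, as an added example (my code, not Keycloak's and not the quickstart's): the Undertow request dump shows the browser sending two JSESSIONID cookies, one carrying the vanilla app's instance suffix .id3698 and one without it. Cookies are scoped by host and path, never by port (RFC 6265 section 8.5), so a custom OpenID Provider on localhost:8444 and the vanilla app on localhost:8443 share a single JSESSIONID slot in the browser and whichever server set it last wins. That is one mechanism by which a session the adapter has just populated can come back as "Account was not in session". The script pulls the cookie and referer fields out of the log line (a constructed copy of the one in the post with the state value shortened), reports duplicated cookie names, and says which leg of the authorization-code flow each URL belongs to.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample: the cookie, referer and Host fields of the Undertow request
# dump from the post, with the long state value shortened. Undertow prints each
# header as name=[value, value, ...].
UNDERTOW_LINE = (
    "10:48:18,848 DEBUG [io.undertow.request.security] (default task-57) "
    "Authenticating required for request HttpServerExchange{ GET /vanilla/profile.jsp "
    "request {cookie=[JSESSIONID=Cqd-3jIqTC4Mpszlilw-0HxgAEFyKLZ6i49X7irA.id3698, "
    "JSESSIONID=6B32E6C903620A3ACCB305C764A239AE], "
    "referer=[https://localhost:8444/Login.jsp?scope=openid&state=wjLUKD.0dafd6d9"
    "&response_type=code&client_id=this-is-a-client-id"
    "&redirect_uri=https%3A%2F%2Flocalhost%3A8543%2Fauth%2Frealms%2Fdemo%2Fbroker"
    "%2Fcustom-oidc%2Fendpoint], Host=[localhost:8443]}"
)

# The redirect the adapter issued (from the post) and the callback URL it was hit on.
ADAPTER_REDIRECT = (
    "https://localhost:8543/auth/realms/demo/protocol/openid-connect/auth?response_type=code"
    "&client_id=vanilla&redirect_uri=https%3A%2F%2Flocalhost%3A8443%2Fvanilla%2Fprofile.jsp"
    "&state=65f979c1-e062-4e71-9c14-f350c5189b16&login=true&scope=openid"
)
CALLBACK_HIT = "https://localhost:8443/vanilla/profile.jsp"


def header_field(line, name):
    """Value inside `name=[...]` of an Undertow header dump, or None if absent."""
    match = re.search(re.escape(name) + r"=\[(.*?)\]", line)
    return match.group(1) if match else None


def cookie_pairs(cookie_field):
    """Split a Cookie header value (or Undertow's ', '-joined list) into (name, value)."""
    pairs = []
    for item in re.split(r"[;,]\s*", cookie_field):
        name, sep, value = item.partition("=")
        if sep:
            pairs.append((name.strip(), value.strip()))
    return pairs


def duplicate_cookie_names(cookie_field):
    """Cookie names that arrive more than once. RFC 6265 scopes cookies by host and
    path, not by port, so servers on localhost:8443 and localhost:8444 that both set
    JSESSIONID fight over one entry in the browser's cookie jar."""
    by_name = {}
    for name, value in cookie_pairs(cookie_field):
        by_name.setdefault(name, []).append(value)
    return {name: values for name, values in by_name.items() if len(values) > 1}


def oidc_params(url):
    """Flatten the query string of an OIDC authorization request or callback URL."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return {key: values[0] for key, values in query.items()}


def describe_leg(url):
    """Say which step of the authorization-code flow a URL belongs to."""
    params = oidc_params(url)
    if "code" in params:
        return "callback carrying an authorization code"
    if "error" in params:
        return "callback carrying an error: " + params["error"]
    if params.get("response_type") == "code":
        return "authorization request from client {!r}, to be answered at {!r}".format(
            params.get("client_id"), params.get("redirect_uri"))
    return "plain request without OIDC parameters"


def triage(line):
    """Summarise what one adapter log line says about the session and the flow."""
    referer = header_field(line, "referer") or ""
    return {
        "duplicate_cookies": duplicate_cookie_names(header_field(line, "cookie") or ""),
        "referer_leg": describe_leg(referer),
        "referer_redirect_uri": oidc_params(referer).get("redirect_uri"),
    }


if __name__ == "__main__":
    print(triage(UNDERTOW_LINE))
    print(describe_leg(ADAPTER_REDIRECT))
    print(describe_leg(CALLBACK_HIT))
```

Run against the post's line, the triage reports JSESSIONID twice and shows that the referer is the custom provider's own authorization request (redirect_uri pointing at the Keycloak broker endpoint on port 8543), while the request the adapter is handling carries no code at all. Giving each container a distinct session cookie name, or putting them on different hostnames, removes the collision from the list of suspects.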

Related

Kerberos is not set up. You cannot login - Keycloak

I had configured Keycloak under the User Federation settings as Kerberos.
I had also entered the realm, service principal and the keytab file directory as stated.
But I get the issue: Kerberos is not set up. You cannot login
In Firefox I have enabled SPNEGO as per the docs below:
http://www.microhowto.info/howto/configure_firefox_to_authenticate_using_spnego_and_kerberos.html
I am attaching a log snippet:
2021-06-30 11:43:31,234 DEBUG [org.keycloak.authentication.AuthenticationSelectionResolver] (default task-1) Selections when trying execution 'auth-spnego' : [ authSelection - auth-spnego]
2021-06-30 11:43:31,234 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-1) invoke authenticator.authenticate: auth-spnego
2021-06-30 11:43:31,235 TRACE [org.keycloak.authentication.authenticators.browser.SpnegoAuthenticator] (default task-1) Sending back WWW-Authenticate: Negotiate
Reference to the same issue:
https://marc.info/?l=keycloak-user&m=154803677131797&w=2
Do consider helping us with the concrete solution.
Thanks in advance!

Handling Keycloak error "Could not process response from SAML identity provider"

I am trying to set up ADFS (Windows Server 2012 R2) SSO using Keycloak (12.0.2). On the ADFS side all looks fine, but when I run a test (using IdP-initiated logon on ADFS and trying to proceed to Keycloak), I see an "internal error" web page and the below in the Keycloak logs:
ERROR [org.keycloak.services.error.KeycloakErrorHandler] (default task-1) Uncaught server error: org.keycloak.broker.provider.IdentityBrokerException: Could not process response from SAML identity provider.
at org.keycloak.broker.saml.SAMLEndpoint$Binding.handleLoginResponse(SAMLEndpoint.java:512)
at org.keycloak.broker.saml.SAMLEndpoint$Binding.handleSamlResponse(SAMLEndpoint.java:559)
at org.keycloak.broker.saml.SAMLEndpoint$Binding.execute(SAMLEndpoint.java:259)
at org.keycloak.broker.saml.SAMLEndpoint.postBinding(SAMLEndpoint.java:174)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [...]
Are there any typical hints on how to study that? ("could not process" isn't awfully informative)
Thanks.
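The first thing a practitioner does with "Could not process response from SAML identity provider" is look at the response itself. On the POST binding the browser posts it base64-encoded in the SAMLResponse form field to the broker endpoint, so it can be captured from the browser's network tab or a SAML tracer extension and decoded offline. The added example below (my code, not Keycloak's) decodes a constructed, unsigned ADFS-shaped response and reports the fields that usually explain a rejection: the status code, Destination versus the broker endpoint, a missing InResponseTo on IdP-initiated logon, an encrypted assertion the broker has no key for, missing signatures, and the audience. The broker endpoint, entity ID and ADFS issuer values are assumptions made for the sample.

```python
import base64
import xml.etree.ElementTree as ET  # parse untrusted XML with defusedxml in real tooling

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Assumed values for the sample: where the broker listens and what it calls itself.
EXPECTED_DESTINATION = "https://keycloak.example.com/auth/realms/demo/broker/adfs/endpoint"
EXPECTED_AUDIENCE = "https://keycloak.example.com/auth/realms/demo"

# Constructed, unsigned response in the shape ADFS emits (a real one carries ds:Signature
# on the response and/or the assertion, and often an EncryptedAssertion instead).
SAMPLE_RESPONSE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_r1" Version="2.0" IssueInstant="2021-02-01T10:00:00Z"
    Destination="https://keycloak.example.com/auth/realms/demo/broker/adfs/endpoint">
  <saml:Issuer>http://adfs.example.com/adfs/services/trust</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2021-02-01T10:00:00Z">
    <saml:Issuer>http://adfs.example.com/adfs/services/trust</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
    </saml:Subject>
    <saml:Conditions NotBefore="2021-02-01T09:55:00Z" NotOnOrAfter="2021-02-01T10:05:00Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://keycloak.example.com/auth/realms/demo</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""

# What the SAMLResponse form field carries on the POST binding.
SAML_RESPONSE_B64 = base64.b64encode(SAMPLE_RESPONSE_XML.encode()).decode()


def inspect_saml_response(saml_response_b64, expected_destination, expected_audience):
    """Decode a POST-binding SAMLResponse and list the things a broker checks first."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    assertion = root.find("saml:Assertion", NS)
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    report = {
        "issuer": root.findtext("saml:Issuer", namespaces=NS),
        "status": status.get("Value") if status is not None else None,
        "destination": root.get("Destination"),
        "in_response_to": root.get("InResponseTo"),  # absent on IdP-initiated logon
        "encrypted_assertion": root.find("saml:EncryptedAssertion", NS) is not None,
        "response_signed": root.find("ds:Signature", NS) is not None,
        "assertion_signed": assertion is not None and assertion.find("ds:Signature", NS) is not None,
        "name_id": assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)
        if assertion is not None else None,
        "audiences": [a.text for a in assertion.findall(
            "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
        if assertion is not None else [],
    }
    findings = []
    if report["status"] != SUCCESS:
        findings.append("status is not Success: {}".format(report["status"]))
    if report["destination"] != expected_destination:
        findings.append("Destination {!r} is not the broker endpoint {!r}".format(
            report["destination"], expected_destination))
    if report["in_response_to"] is None:
        findings.append("no InResponseTo: unsolicited (IdP-initiated) response, "
                        "nothing to match against a prior AuthnRequest")
    if report["encrypted_assertion"]:
        findings.append("assertion is encrypted: the broker needs the matching private key")
    elif assertion is None:
        findings.append("no Assertion element at all")
    if not (report["response_signed"] or report["assertion_signed"]):
        findings.append("neither response nor assertion is signed: a broker that "
                        "validates signatures will reject this")
    if expected_audience not in report["audiences"]:
        findings.append("AudienceRestriction {} does not name the broker entity ID {!r}".format(
            report["audiences"], expected_audience))
    report["findings"] = findings
    return report


if __name__ == "__main__":
    for line in inspect_saml_response(SAML_RESPONSE_B64, EXPECTED_DESTINATION,
                                      EXPECTED_AUDIENCE)["findings"]:
        print("-", line)
```

Each finding maps to a setting on the Keycloak SAML identity provider (signature validation and the IdP certificate, encryption key, the NameID policy) or on the ADFS relying-party trust (endpoint URL, identifier, claim rules), which narrows "could not process" down to one side and one field before turning on TRACE logging for org.keycloak.saml.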

Keycloak OIDC and AWS ALBs

Is there a way to get Keycloak to work as an OIDC Provider for AWS ALBs?
I have tried and tried and I am just getting stuck with a 500 Internal Server Error.
I created a new confidential client and provided the ALB with the client ID and secret as well as the OIDC URLs. I read a few years back about an issue with Bearer vs bearer in the headers, but I couldn't validate that this was the issue, or that it is still an issue with ALBs.
Any help is appreciated.
EDIT: This is my configuration. I have adjusted the URLs to be generic.
AWS -
Issuer: https://login.example.com/auth/realms/example
Auth Endpoint: https://login.example.com/auth/realms/example/protocol/openid-connect/auth
Token Endpoint: https://login.example.com/auth/realms/example/protocol/openid-connect/token
User info Endpoint: https://login.example.com/auth/realms/example/protocol/openid-connect/userinfo
Client ID: ExampleApp
Client secret: supersecret
Keycloak -
Client ID: ExampleApp
Root URL: https://li.stagingweb.example.com
Valid Redirect URIs: https://li.stagingweb.example.com/*
Admin URL: https://li.stagingweb.example.com
Web Origins: https://li.stagingweb.example.com/*
The response I get back from this configuration is just a 500 error. The Load Balancer logs report:
5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.122 Safari/537.36" ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 -"li.stagingweb.example.com" -1 2020-04-27T18:11:34.497000Z "authenticate" "-" "AuthTokenEpRequestFailed" "-" "-"
This is the request that gets the 500 error:
https://li.stagingweb.example.com/oauth2/idpresponse?state=PWISnbHmRCVpxmqyn%2FrKsHdJzbKFnfz5GxhnlCyVdnxRVV%2F9kvj7O0JCjQOuf1DNL08h821PorJGGa3%2F4fzFymulG8sS%2FxhLFQS5gNrpuQyCf9DCzrwFxkIbG3I2sHywK7%2FeDmfYUH6Rej%2FEJ4RQwdjpjm76Z1wycw%2FGjQIRxehaTqNtCS%2FdXhm2oag%2FBnY%2FkuMiB8Q%3D&session_state=3a94a1d6-5e75-491b-a231-e4a1a469e5cb&code=23364bac-92e9-4094-9dc3-19c15eb42e7c.3a94a1d6-5e75-491b-a231-e4a1a469e5cb.9723ee49-5bca-4ff6-8a13-f7539b0bc28c
Hopefully I didn't post any info I shouldn't have :)
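The ALB log's AuthTokenEpRequestFailed says the load balancer's own request to the token endpoint failed, and the ALB never shows Keycloak's error body. The added example below (my code, not AWS's or Keycloak's) rebuilds that request from the /oauth2/idpresponse callback and the client settings in the post so it can be replayed with curl and the JSON error read, and checks the callback's redirect_uri against the client's Valid Redirect URIs using a simplified model of Keycloak's matching (exact match, trailing-asterisk prefix, relative patterns resolved against the Root URL). It assumes the ALB authenticates with client_secret_basic; the state and code values are shortened, constructed copies of the ones in the post.

```python
import base64
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

# Values from the post (the secret is the placeholder the poster used).
ISSUER = "https://login.example.com/auth/realms/example"
TOKEN_ENDPOINT = ISSUER + "/protocol/openid-connect/token"
CLIENT_ID = "ExampleApp"
CLIENT_SECRET = "supersecret"
ROOT_URL = "https://li.stagingweb.example.com"
VALID_REDIRECT_URIS = ["https://li.stagingweb.example.com/*"]

# The ALB callback that returned 500 in the post; state and code shortened (constructed).
IDP_RESPONSE_URL = (
    "https://li.stagingweb.example.com/oauth2/idpresponse?state=PWISnbHm"
    "&session_state=3a94a1d6-5e75-491b-a231-e4a1a469e5cb"
    "&code=23364bac.3a94a1d6.9723ee49"
)


def callback_redirect_uri(idp_response_url):
    """The redirect_uri the RP registered and must echo in the token request: the
    callback without its query string (RFC 6749 section 4.1.3 requires the same value
    that went into the authorization request)."""
    parts = urlsplit(idp_response_url)
    return urlunsplit((parts.scheme, parts.netloc, parts.path, "", ""))


def redirect_uri_allowed(uri, patterns, root_url=None):
    """Simplified model of Keycloak's Valid Redirect URIs: an exact match, or a pattern
    ending in '*' matched as a prefix; a pattern without a scheme is resolved against
    the client's Root URL."""
    for pattern in patterns:
        if "://" not in pattern and root_url:
            pattern = root_url.rstrip("/") + "/" + pattern.lstrip("/")
        if pattern.endswith("*"):
            if uri.startswith(pattern[:-1]):
                return True
        elif uri == pattern:
            return True
    return False


def build_token_request(idp_response_url, client_id=CLIENT_ID, client_secret=CLIENT_SECRET):
    """Rebuild the code-for-token exchange the ALB sends (client_secret_basic assumed)."""
    params = {k: v[0] for k, v in parse_qs(urlsplit(idp_response_url).query).items()}
    if "code" not in params:
        raise ValueError("callback carries no code; error=" + params.get("error", "<none>"))
    redirect_uri = callback_redirect_uri(idp_response_url)
    if not redirect_uri_allowed(redirect_uri, VALID_REDIRECT_URIS, ROOT_URL):
        raise ValueError("redirect_uri is not registered on the client: " + redirect_uri)
    creds = base64.b64encode("{}:{}".format(client_id, client_secret).encode()).decode()
    body = {"grant_type": "authorization_code", "code": params["code"],
            "redirect_uri": redirect_uri}
    return {
        "method": "POST",
        "url": TOKEN_ENDPOINT,
        "headers": {"Authorization": "Basic " + creds,
                    "Content-Type": "application/x-www-form-urlencoded"},
        "body": urlencode(body),
    }


def basic_credentials(request):
    """Decode the Basic header back to 'client_id:secret' as a sanity check."""
    scheme, _, token = request["headers"]["Authorization"].partition(" ")
    return base64.b64decode(token).decode() if scheme == "Basic" else None


def as_curl(request):
    """Render the request as a curl command line for manual replay."""
    headers = " ".join("-H '{}: {}'".format(k, v) for k, v in request["headers"].items())
    return "curl -sS -X {} {} --data '{}' '{}'".format(
        request["method"], headers, request["body"], request["url"])


if __name__ == "__main__":
    print(as_curl(build_token_request(IDP_RESPONSE_URL)))
```

Authorization codes are single-use and expire within a minute or so, so the replay has to use a fresh callback (copy the /oauth2/idpresponse URL from the browser before the ALB consumes it, or take the code from a failed attempt right away). The value of the exercise is Keycloak's error and error_description, which the ALB log hides; the matching CODE_TO_TOKEN_ERROR entry in Keycloak's event log (Realm settings, Events) tells the same story from the server side.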

invalid_token error when exchanging google id_token for a set of keycloak tokens

I'm creating an auth flow between a mobile application and Keycloak using Google as the identity provider. I have run into problems when trying to exchange a Google id_token for a Keycloak set of JWT tokens.
For the client (app side) I've set up the native GoogleSignin (called with the "userinfo.profile" and "userinfo.email" scopes) and created an OAuth2 Android client in the Google Developer Console.
I've also created a web client in the Google console to obtain the client_id and client_secret credentials (for use with Keycloak), and added the redirect_url.
In the Keycloak dashboard I've set up Google as identity provider using the web-client credentials, with a token-exchange policy for the my-app client within my-realm.
At this point, after signing in in the app, I get a JWT id_token from Google:
{:scopes #js ["https://www.googleapis.com/auth/userinfo.profile" "https://www.googleapis.com/auth/userinfo.email"], :serverAuthCode nil, :idToken "eyJhb...", :user #js {:photo "http://photo.jpg", :email "fubar#fu.bar", :familyName "Bar", :givenName "Fu", :name "Fu Bar", :id "1234"}}
I then ask Keycloak to exchange it for its own tokens within the realm, so that the app can go back to a "normal" auth flow:
curl -X POST \
  -d "client_id=my-app" \
  -d "client_secret=mkU..." \
  --data-urlencode "grant_type=urn:ietf:params:oauth:grant-type:token-exchange" \
  --data-urlencode "subject_token_type=urn:ietf:params:oauth:token-type:access_token" \
  -d "subject_issuer=google" \
  -d "audience=my-app" \
  -d "subject_token=${idToken}" \
  http://localhost:8080/auth/realms/my-realm/protocol/openid-connect/token
but it fails, with Keycloak logging a "call failure":
keycloak_1 | 12:17:39,810 DEBUG [org.keycloak.authentication.AuthenticationProcessor] (default task-1) AUTHENTICATE CLIENT
keycloak_1 | 12:17:39,810 DEBUG [org.keycloak.authentication.ClientAuthenticationFlow] (default task-1) client authenticator: client-secret
keycloak_1 | 12:17:39,811 DEBUG [org.keycloak.authentication.ClientAuthenticationFlow] (default task-1) client authenticator SUCCESS: client-secret
keycloak_1 | 12:17:39,811 DEBUG [org.keycloak.authentication.ClientAuthenticationFlow] (default task-1) Client authenticated by client-secret
keycloak_1 | 12:17:39,839 DEBUG [org.keycloak.broker.oidc.OIDCIdentityProvider] (default task-1) GOOGLE userInfoUrl: https://openidconnect.googleapis.com/v1/userinfo
keycloak_1 | 12:17:39,892 DEBUG [org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider] (default task-1) Failed to invoke user info status: 401
keycloak_1 | 10:49:10,055 WARN [org.keycloak.events] (default task-9) type=TOKEN_EXCHANGE_ERROR, realmId=my-realm, clientId=my-app, userId=null, ipAddress=172.18.0.1, error=invalid_token, reason='user info call failure', auth_method=token_exchange, grant_type=urn:ietf:params:oauth:grant-type:token-exchange, subject_issuer=google, validation_method='user info', client_auth_method=client-secret
To answer my own question: the solution is to obtain an access_token (not an identity_token) from Google, which can then be exchanged without problems.
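The log above shows why the first attempt fails: with subject_token_type set to access_token, Keycloak validates the external token by calling Google's userinfo endpoint (validation_method='user info'), and userinfo answers 401 because an id_token is not a bearer token it accepts. The added example below (my code, not Keycloak's) tells a JWT-shaped subject token apart from an opaque Google access token before building the token-exchange form, and flags the mismatch the poster hit. The id_token is a constructed, unsigned sample whose claims are decoded without any verification, and the access token value is made up as well.

```python
import base64
import json
import time
from urllib.parse import urlencode

TOKEN_EXCHANGE_GRANT = "urn:ietf:params:oauth:grant-type:token-exchange"
ACCESS_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:access_token"


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_unsigned_jwt(claims):
    """Constructed sample only: a JWT-shaped string with a junk signature segment."""
    header = _b64url(json.dumps({"alg": "RS256", "typ": "JWT", "kid": "sample"}).encode())
    return ".".join([header, _b64url(json.dumps(claims).encode()), _b64url(b"not-a-signature")])


# Shape of what GoogleSignin handed the app in the post (claim values constructed).
SAMPLE_ID_TOKEN = make_unsigned_jwt({
    "iss": "https://accounts.google.com", "aud": "1234.apps.googleusercontent.com",
    "sub": "1234", "email": "fubar@fu.bar", "iat": 1600000000, "exp": 1600003600,
})
# Google access tokens are opaque strings, not JWTs (constructed value).
SAMPLE_ACCESS_TOKEN = "ya29.a0AfH6SMB-constructed-opaque-token"


def classify_subject_token(token):
    """('jwt', claims) if the token parses as a JWT (claims decoded, NOT verified),
    otherwise ('opaque', None)."""
    parts = token.split(".")
    if len(parts) != 3:
        return ("opaque", None)
    try:
        header = json.loads(_b64url_decode(parts[0]))
        claims = json.loads(_b64url_decode(parts[1]))
    except (ValueError, UnicodeDecodeError):
        return ("opaque", None)
    if not (isinstance(header, dict) and isinstance(claims, dict)):
        return ("opaque", None)
    return ("jwt", claims)


def token_exchange_form(client_id, client_secret, subject_token, subject_issuer="google",
                        audience=None, now=None):
    """Build the form Keycloak's token endpoint expects for an external token exchange,
    plus the reasons it is likely to fail before it is sent."""
    now = time.time() if now is None else now
    kind, claims = classify_subject_token(subject_token)
    problems = []
    if kind == "jwt":
        if str(claims.get("iss", "")).endswith("accounts.google.com"):
            problems.append("subject_token is a Google id_token (a JWT); Keycloak validates an "
                            "access_token subject through Google's userinfo endpoint, which "
                            "answers 401 for an id_token; send the OAuth2 access token instead")
        if "exp" in claims and claims["exp"] < now:
            problems.append("subject_token expired at {}".format(claims["exp"]))
    form = {
        "grant_type": TOKEN_EXCHANGE_GRANT,
        "client_id": client_id,
        "client_secret": client_secret,
        "subject_token_type": ACCESS_TOKEN_TYPE,
        "subject_issuer": subject_issuer,
        "subject_token": subject_token,
    }
    if audience:
        form["audience"] = audience
    return form, problems


def as_form_body(form):
    """The application/x-www-form-urlencoded body for the POST to the token endpoint."""
    return urlencode(form)


if __name__ == "__main__":
    for token in (SAMPLE_ID_TOKEN, SAMPLE_ACCESS_TOKEN):
        form, problems = token_exchange_form("my-app", "mkU...", token, audience="my-app")
        print(classify_subject_token(token)[0], problems or "ok")
```

On the app side the access token is what the Google sign-in library returns alongside the id token once the client asks for it (the serverAuthCode/access token rather than the idToken field shown in the post); the id_token still has its use for showing the user's identity locally, but it is not the thing to hand to a userinfo-validating exchange.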

Client secret not provided in request error with Keycloak

I am facing the following issue after changing the Access Type to confidential for the server-side client. It was working fine with the public type.
Here is my adapter setting:
<subsystem xmlns="urn:jboss:domain:keycloak:1.1">
    <secure-deployment name="appWEB.war">
        <realm>demo</realm>
        <resource>app</resource>
        <public-client>true</public-client>
        <auth-server-url>http://localhost:8180/auth</auth-server-url>
        <ssl-required>EXTERNAL</ssl-required>
        <principal-attribute>preferred_username</principal-attribute>
        <use-resource-role-mappings>true</use-resource-role-mappings>
        <credential name="secret">b35f1121-93a4-4483-a70a-0048b95fd250</credential>
    </secure-deployment>
</subsystem>
Here is the error found in the log during login:
[Server:node-00] 17:29:06,924 ERROR [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-6) failed to turn code into token
[Server:node-00] 17:29:06,924 ERROR [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-6) status from server: 400
[Server:node-00] 17:29:06,924 ERROR [org.keycloak.adapters.OAuthRequestAuthenticator] {"error":"unauthorized_client","error_description":"Client secret not provided in request"}
Any thoughts?
Error:
Client secret not provided in request
I guess you didn't configure the client secret in your app, which is required for confidential clients.