BenjaminFavre / keycloak-apple-social-identity-provider

Apple Social Identity Provider for Keycloak
Apache License 2.0

Invalid redirect URI/Oauth callback failure after attaining authorization code #28

Closed Vidxyz closed 1 year ago

Vidxyz commented 1 year ago

When I try to log in using Apple OAuth by hitting the URL http://my.example.app/api/auth/login/apple?client_id=webapp&state=ae6cfa04-2b97-443d-89d6-735ca87e1164&response_type=code&nonce=3bf581b7-59ec-4f91-9caf-bf02b9913a67&kc_idp_hint=apple&redirect_uri=https://my.example.app/api/auth/apple/callback/webapp&scope=openid email

I get the following error: [screenshot]

Upon further inspection, it seems like it is due to the redirected authorization URL having indeed a bad URI (it uses HTTP instead of HTTPS) - https://appleid.apple.com/auth/authorize?response_mode=form_post&scope=openid+email+name&state=MHsd34r2J1DOdLgnx7G8qVbhZ7k-FGLxHM6E7qOqTDs.jKtRwBXmZUw.webapp&response_type=code&client_id=my.app.clientId&redirect_uri=http%3A%2F%2Fmy.example.app%2Fauth%2Frealms%2FAppleAuth%2Fbroker%2Fapple%2Fendpoint&nonce=GxRbWFg_lmpH3mZ_ZE2QOg

Now, if I change the redirect_uri query string parameter to ensure it is https instead of http, I am able to log in with my Apple ID. HOWEVER, the callback URL fails with the following error:

Failed to make identity provider oauth callback: org.keycloak.broker.provider.IdentityBrokerException: No access_token from server. error='invalid_grant', error_description='redirect_uri mismatch. The code was not issued to http://api.vid.app/auth/realms/AppleAuth/broker/apple/endpoint.', error_uri='null'

I suspect this is due to the initial redirect URL being HTTP instead of HTTPS - is there a way around this? I'd like the redirected request to have the redirect_uri parameter follow the HTTPS scheme instead, as Apple does not allow HTTP URLs as callbacks.

Or maybe I am doing something wrong... my Keycloak server is configured via a helm chart using the following command - `helm install auth-keycloak codecentric/keycloak --version 18.1.1`

Vidxyz commented 1 year ago

Responding to my own issue as I found the solution...

The problem was a lack of an env variable for the Keycloak container: PROXY_ADDRESS_FORWARDING=true. The Keycloak docs make note of this over here - https://github.com/codecentric/helm-charts/tree/master/charts/keycloak#running-keycloak-behind-a-reverse-proxy

Since I installed my Keycloak server using a helm chart, I had to do the following:

1. Create a file extra-config.yaml with the following contents:

   ```yaml
   extraEnv: |
     - name: PROXY_ADDRESS_FORWARDING
       value: "true"
   ```

2. `helm upgrade --reuse-values -f extra-config.yaml auth-keycloak codecentric/keycloak`

The redirect URLs are now in https as expected.
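The two failures in this thread (Apple rejecting an http redirect_uri, then `invalid_grant` after the authorize URL was hand-edited to https) both come from Keycloak building its broker endpoint URL from the scheme of the hop it actually received. The following added example (not code from this project or from Keycloak) models that behaviour with constructed headers: the proxy terminates TLS and forwards `X-Forwarded-Proto`, which is only trusted when PROXY_ADDRESS_FORWARDING is enabled. The `effective_scheme` function is a simplified assumption about Keycloak's logic, not its real implementation.

```python
from urllib.parse import parse_qs, urlsplit, urlunsplit

# Constructed sample request as the Keycloak pod sees it behind a
# TLS-terminating proxy: plain HTTP on the wire, original scheme in a header.
SAMPLE_HEADERS = {"Host": "my.example.app", "X-Forwarded-Proto": "https"}
BROKER_PATH = "/auth/realms/AppleAuth/broker/apple/endpoint"

# Authorize URL from the issue (shortened), already edited to an https redirect_uri.
EDITED_AUTHORIZE_URL = (
    "https://appleid.apple.com/auth/authorize?response_mode=form_post"
    "&scope=openid+email+name&response_type=code&client_id=my.app.clientId"
    "&redirect_uri=https%3A%2F%2Fmy.example.app%2Fauth%2Frealms%2FAppleAuth"
    "%2Fbroker%2Fapple%2Fendpoint&nonce=GxRbWFg_lmpH3mZ_ZE2QOg"
)


def effective_scheme(connection_scheme, headers, proxy_address_forwarding):
    """Scheme used for self-referencing URLs (simplified model, an assumption).

    With proxy address forwarding on, the X-Forwarded-Proto header is trusted;
    otherwise the scheme of the proxy-to-Keycloak hop (here http) wins.
    """
    if proxy_address_forwarding:
        return headers.get("X-Forwarded-Proto", connection_scheme).lower()
    return connection_scheme


def broker_redirect_uri(connection_scheme, headers, proxy_address_forwarding):
    """The redirect_uri Keycloak puts in the authorize URL and token request."""
    scheme = effective_scheme(connection_scheme, headers, proxy_address_forwarding)
    return urlunsplit((scheme, headers["Host"], BROKER_PATH, "", ""))


def redirect_uri_from_authorize_url(authorize_url):
    """The (percent-decoded) redirect_uri Apple binds the authorization code to."""
    return parse_qs(urlsplit(authorize_url).query)["redirect_uri"][0]


def apple_accepts_redirect_uri(authorize_url):
    """Apple only allows https callback URLs."""
    return urlsplit(redirect_uri_from_authorize_url(authorize_url)).scheme == "https"


def code_exchange_ok(authorize_url, token_request_redirect_uri):
    """Apple's redirect_uri mismatch check on the code exchange: the token
    request must carry exactly the redirect_uri the code was issued to."""
    return redirect_uri_from_authorize_url(authorize_url) == token_request_redirect_uri
```

Without forwarding, `broker_redirect_uri` yields the http URL Apple rejects, and a hand-edited https authorize URL then fails `code_exchange_ok` because the token request still uses http; with forwarding enabled both checks pass.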