FraunhoferIOSB / FROST-Server

A Complete Server implementation of the OGC SensorThings API
https://fraunhoferiosb.github.io/FROST-Server/
GNU Lesser General Public License v3.0

/DatabaseStatus wrong redirect_uri when using Keycloak? #898

Open StefanSchuhart opened 2 years ago

StefanSchuhart commented 2 years ago

Hi,

Using Keycloak as auth provider, it seems that the redirect_uri parameter for the redirection from the Keycloak login page back to https://{myDomain}/DatabaseStatus is incorrect.

When clicking on DatabaseStatus the Login-URL (_auth/realms/frostrealm/protocol/openid-connect/auth?response_type=code&client_id={myClientID}&redirect_uri=http%3A%2F%2F{myDomain}%2FFROST-Server%2FDatabaseStatus&state=123&login=true&scope=openid) contains a parameter redirect_uri with value {myDomain}%2FFROST-Server%2FDatabaseStatus.

This leads to a 404-Message: The requested resource [/FROST-Server/FROST-Server/DatabaseStatus] is not available

Changing redirect_uri to http%3A%2F%2F{myDomain}%2FDatabaseStatus leads to 403 Forbidden.

I think the redirect_uri interferes with our rewrite from / to /FROST-Server in our Ingress. Could it be that the "redirect-rewrite-rules" parameter has to be adjusted accordingly (see https://www.keycloak.org/docs/latest/securing_apps/#_java_adapter_config)?

hylkevds commented 2 years ago

You could try doing the auth procedure with the browser debugger open, so you can see what Keycloak actually redirects to. Then you can see if the problem is in Keycloak, or in the ingress configuration.
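
The check suggested above can also be done offline on a login URL copied from the browser's network tab. The following is an added example, not part of the thread or of FROST-Server: it decodes redirect_uri and models the ingress rewrite from / to /FROST-Server as a plain prefix prepend, which is an assumption taken from the report. The host `frost.example`, the client id `frost-client` and the `/auth/...` path are constructed stand-ins for the placeholders in the report.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed sample: the login URL from the report with made-up values
# (frost.example, frost-client) in place of {myDomain} and {myClientID}.
LOGIN_URL = (
    "https://frost.example/auth/realms/frostrealm/protocol/openid-connect/auth"
    "?response_type=code&client_id=frost-client"
    "&redirect_uri=http%3A%2F%2Ffrost.example%2FFROST-Server%2FDatabaseStatus"
    "&state=123&login=true&scope=openid"
)


def backend_path(external_path, prefix="/FROST-Server"):
    """Assumed ingress behaviour: external /x is forwarded as /FROST-Server/x."""
    return prefix.rstrip("/") + "/" + external_path.lstrip("/")


def check_redirect_uri(login_url, external_base, prefix="/FROST-Server"):
    """Return findings about the redirect_uri carried in an OIDC auth URL."""
    values = parse_qs(urlsplit(login_url).query).get("redirect_uri")
    if not values:
        return ["no redirect_uri parameter in login URL"]
    redirect = urlsplit(values[0])  # parse_qs has already percent-decoded it
    external = urlsplit(external_base)
    findings = []
    if redirect.scheme != external.scheme:
        findings.append(
            f"scheme is {redirect.scheme}, public site uses {external.scheme}")
    if redirect.netloc != external.netloc:
        findings.append(
            f"host is {redirect.netloc}, public site uses {external.netloc}")
    if redirect.path == prefix or redirect.path.startswith(prefix + "/"):
        # The browser requests this path on the public host, so the ingress
        # prepends the prefix a second time before it reaches the backend.
        findings.append(
            f"path already contains {prefix}; after the rewrite the backend "
            f"sees {backend_path(redirect.path, prefix)}")
    return findings


if __name__ == "__main__":
    for finding in check_redirect_uri(LOGIN_URL, "https://frost.example"):
        print(finding)
```

An empty result means the redirect_uri matches the public scheme and host and does not carry the internal context path.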