Hello!
I'm writing this since you are one of the active developers for a keycloak "gateway" to be used with traefik.
Using the plugin has been great so far for me, and I've been able to secure my web apps with a simple "traefik" client in Keycloak.
To further increase the security, I've also tried to implement 2FA/MFA through DUO Security, with a plugin(!) for Keycloak - https://github.com/instipod/DuoUniversalKeycloakAuthenticator
This plugin I have tested against https://www.keycloak.org/app/ - and it is working as intended.
But when I use it with my own production environment, I get a "too many redirects" error in my browser after completing the DUO 2FA process.
Here is my traefik dynamic.yml configuration:
After successfully logging in with my keycloak credentials, my authentication flow passes me to the DUO 2FA checks. After completing them, I spot this warning in my keycloak logs:
In the browser window, all I see is this error: received bad response from Keycloak:
{"error":"invalid_grant","error_description":"Code not valid"}
I think the problem lies in that when I complete the DUO 2FA, it sends me back to the URL that traefik uses for the keycloakopenid middleware:
https://auth.example.org/realms/traefik/protocol/openid-connect/auth?client_id=traefik&redirect_uri=https%3A%2F%2Fgiza.example.org%2F&response_type=code&state=eyJyZWRpcmVjdF91cmwiOiJodHRwczovL3RydWVuYXMubWFyZ2lkby5vcmcvIn0%3D
Or does it try to exchange an authorized session for a token again?
The funny part is, if I just type the URL in my browser for the web app I'm trying to log into, in this case giza.example.org, I'm authenticated. It's just the part where I get sent back from DUO to keycloak, and from keycloak to my web app, that is not working.
Thanks for taking the time to look at this. And thank you for an otherwise great plugin!
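The `invalid_grant` / "Code not valid" response in the post is what an OIDC authorization server returns when a code is presented that it no longer holds, and an authorization code is single-use by design: a middleware that submits the same code to the token endpoint twice (for example because the browser replays the callback URL after a redirect round-trip) gets rejected on the second attempt. The following is an added example, not code from the issue author, Keycloak, or the traefik keycloakopenid plugin. It models a toy authorization server and a toy proxy middleware in Python so the failure can be reproduced offline. The client id, URLs, state key and session cookie values are constructed for the demonstration; signing the `state` parameter is an added hardening choice here and is not something the plugin is described as doing.

```python
"""Toy model of the OIDC authorization-code exchange discussed in the issue.

Added example; not code from the issue, Keycloak or the traefik plugin.
All client ids, URLs, keys and cookie values are constructed.
"""
import base64
import hmac
import json
import secrets
import time
from dataclasses import dataclass, field


@dataclass
class AuthServer:
    """Stand-in for the authorization server's /auth and /token endpoints."""
    client_id: str
    redirect_uri: str
    code_ttl: float = 60.0
    # code -> (redirect_uri, issued_at); an entry is removed when the code is exchanged
    _codes: dict = field(default_factory=dict)

    def authorize(self, client_id, redirect_uri, state):
        """Step 1: user has passed password + 2FA; issue a one-time code."""
        if client_id != self.client_id or redirect_uri != self.redirect_uri:
            raise ValueError("unknown client or redirect_uri")
        code = secrets.token_urlsafe(24)
        self._codes[code] = (redirect_uri, time.monotonic())
        return {"code": code, "state": state}

    def token(self, client_id, code, redirect_uri):
        """Step 2: exchange the code.  pop() is what makes the code single-use."""
        entry = self._codes.pop(code, None)
        if entry is None:
            # unknown or already-exchanged code: same shape as the error in the post
            return {"error": "invalid_grant", "error_description": "Code not valid"}
        stored_uri, issued = entry
        if client_id != self.client_id or stored_uri != redirect_uri \
                or time.monotonic() - issued > self.code_ttl:
            return {"error": "invalid_grant", "error_description": "Code not valid"}
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer"}


class Middleware:
    """Stand-in for the reverse-proxy OIDC middleware's callback handling."""

    def __init__(self, server, client_id, redirect_uri, state_key):
        self.server, self.client_id, self.redirect_uri = server, client_id, redirect_uri
        self.state_key = state_key          # constructed HMAC key for the state parameter
        self.sessions = {}                  # session cookie -> access token

    def make_state(self, original_url):
        """Encode the original URL as base64 JSON (as the plugin's state looks) and sign it."""
        payload = base64.urlsafe_b64encode(
            json.dumps({"redirect_url": original_url}).encode()).decode()
        sig = hmac.new(self.state_key, payload.encode(), "sha256").hexdigest()
        return f"{payload}.{sig}"

    def parse_state(self, state):
        """Verify the signature before trusting redirect_url (open-redirect guard)."""
        payload, _, sig = state.rpartition(".")
        expected = hmac.new(self.state_key, payload.encode(), "sha256").hexdigest()
        if not hmac.compare_digest(sig, expected):
            raise ValueError("state signature mismatch")
        return json.loads(base64.urlsafe_b64decode(payload))["redirect_url"]

    def callback(self, code, state, session_cookie):
        """Handle GET <redirect_uri>?code=...&state=...; returns (status, location_or_error)."""
        target = self.parse_state(state)
        if session_cookie in self.sessions:
            # already logged in: do not re-submit the code, just send the user on
            return 302, target
        resp = self.server.token(self.client_id, code, self.redirect_uri)
        if "error" in resp:
            return 502, "received bad response from Keycloak: " + json.dumps(resp)
        self.sessions[session_cookie] = resp["access_token"]
        return 302, target


def run_flow():
    """Login, then two replays of the same callback URL: one with a recognised session, one without."""
    app = "https://giza.example.org/"
    server = AuthServer("traefik", app)
    mw = Middleware(server, "traefik", app, b"constructed-state-key")
    state = mw.make_state(app)
    cb = server.authorize("traefik", app, state)          # redirect back after 2FA
    first = mw.callback(cb["code"], cb["state"], "sess-1")      # code exchanged once
    replay_ok = mw.callback(cb["code"], cb["state"], "sess-1")  # session seen, no re-exchange
    replay_bad = mw.callback(cb["code"], cb["state"], "sess-2") # no session, second exchange fails
    return first, replay_ok, replay_bad


if __name__ == "__main__":
    for label, result in zip(("first", "replay_ok", "replay_bad"), run_flow()):
        print(label, result)
```

The third call is the situation the post describes: the callback URL is hit again, the middleware has no session it recognises, so it exchanges the already-consumed code and gets `invalid_grant`. The second call shows the behaviour a middleware needs in order to survive a replayed callback: if the session cookie it set is presented, it redirects to the decoded `redirect_url` without touching the token endpoint again.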