HCL-TECH-SOFTWARE / hclds-keycloak

The HCL Digital Solutions (DS) Keycloak service is based on Keycloak and adds configuration, an HCL branded login UI and more. It serves as a reference for OIDC based authentication across DS products.
Apache License 2.0

Reload Loop in Homepage and Community Highlights #4

Closed stoeps13 closed 7 months ago

stoeps13 commented 11 months ago

Hi, when I configure this like described in: https://github.com/HCL-TECH-SOFTWARE/hclds-keycloak/blob/8b7d76407079caef10c96a165b7973ed550c1e9e/docs/integration/ds-integration/cnx-integration.md?plain=1#L104-L106 I get a loading loop for Highlights and Homepage.

Doing the opposite, deleting com.ibm.websphere.security.InvokeTAIbeforeSSO and setting com.ibm.websphere.security.DeferTAItoSSO=com.ibm.ws.security.oidc.client.RelyingParty, everything works, except for the RTE widget.

So not sure about this setting.

The Ansible project does the same (deleting InvokeTAIbeforeSSO) in their script: https://github.com/HCL-TECH-SOFTWARE/connections-automation/blob/f23269a34de6c3233941cc1d76b3e395fcfeb899/roles/third_party/ibm/wasnd/was-dmgr-oidc/templates/config_oidc.py.j2#L296-L297

Can you please clarify this?

Regards Christoph

VinayakPatilHcl commented 7 months ago

Hi @stoeps13 ,

We tried the approach you suggested. We followed the steps below and it is working fine at our end, including RTE. Can you please follow and verify the steps below:

  1. Delete custom property com.ibm.websphere.security.InvokeTAIbeforeSSO and set com.ibm.websphere.security.DeferTAItoSSO=com.ibm.ws.security.oidc.client.RelyingParty
  2. In the administrative console, go to Security -> Global security -> Web and SIP security -> Trust association -> Interceptors. Select com.ibm.ws.security.oauth20.tai.OAuthTAI and set the provider_1.filter name to some dummy value to disable intercepting requests. For example provider_1.filter_Dummy
  3. Delete provider_1.mapIdentityToRegistryUser TAI property from com.ibm.ws.security.oidc.client.RelyingParty interceptor
  4. Verify that the following three properties are enabled in lcc.xml: `true true true`

  5. Restart server and Test

Please let us know if this fixes the issue for you, so we can update the doc accordingly. @caiaga FYI
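A way to verify steps 1 to 3 before the restart in step 5, as an added example that is not code from hclds-keycloak or from the connections-automation project: it parses the cell's security.xml and reports every deviation from the described state. Assumptions: cell-wide security custom properties appear as `<properties name="" value=""/>` children of the root element, and each TAI interceptor is an `<interceptors interceptorClassName=""/>` element whose `<trustProperties name="" value=""/>` children carry the provider_N.* settings; the two sample documents are constructed for the demo, and the `provider_1.filter` value in them is made up.

```python
"""Static check of a WebSphere cell's security.xml against TAI/OIDC steps 1-3.

Added example; not code from hclds-keycloak or connections-automation.
Assumption: security custom properties are <properties name= value=> children
of the root; TAI interceptors are <interceptors interceptorClassName=> with
<trustProperties name= value=> children. Sample documents are constructed.
"""
import xml.etree.ElementTree as ET

RELYING_PARTY = "com.ibm.ws.security.oidc.client.RelyingParty"
OAUTH_TAI = "com.ibm.ws.security.oauth20.tai.OAuthTAI"
INVOKE_TAI_BEFORE_SSO = "com.ibm.websphere.security.InvokeTAIbeforeSSO"
DEFER_TAI_TO_SSO = "com.ibm.websphere.security.DeferTAItoSSO"


def _local(tag):
    """Strip an XML namespace prefix ('{uri}tag' -> 'tag')."""
    return tag.rsplit("}", 1)[-1]


def _named_values(parent, child_tag):
    """name -> value for direct children whose local tag name matches."""
    return {c.get("name"): c.get("value") for c in parent if _local(c.tag) == child_tag}


def parse_security_xml(text):
    """Return (custom_properties, {interceptor_class: {prop_name: value}})."""
    root = ET.fromstring(text)
    custom = _named_values(root, "properties")
    interceptors = {}
    for el in root.iter():
        if _local(el.tag) == "interceptors":
            interceptors[el.get("interceptorClassName")] = _named_values(el, "trustProperties")
    return custom, interceptors


def check_tai_config(text):
    """List deviations from steps 1-3; an empty list means the cell matches."""
    custom, tais = parse_security_xml(text)
    findings = []
    # Step 1: InvokeTAIbeforeSSO removed, DeferTAItoSSO pointing at the OIDC RP TAI.
    if INVOKE_TAI_BEFORE_SSO in custom:
        findings.append("step 1: %s still set to %r" % (INVOKE_TAI_BEFORE_SSO, custom[INVOKE_TAI_BEFORE_SSO]))
    if custom.get(DEFER_TAI_TO_SSO) != RELYING_PARTY:
        findings.append("step 1: %s is %r, expected %s" % (DEFER_TAI_TO_SSO, custom.get(DEFER_TAI_TO_SSO), RELYING_PARTY))
    # Step 2: OAuthTAI must have no real provider_1.filter, so it intercepts nothing.
    oauth = tais.get(OAUTH_TAI, {})
    if "provider_1.filter" in oauth:
        findings.append("step 2: OAuthTAI still has provider_1.filter=%r" % oauth["provider_1.filter"])
    # Step 3: no provider_1.mapIdentityToRegistryUser on the RelyingParty interceptor.
    rp = tais.get(RELYING_PARTY)
    if rp is None:
        findings.append("step 3: %s interceptor not configured" % RELYING_PARTY)
    elif "provider_1.mapIdentityToRegistryUser" in rp:
        findings.append("step 3: provider_1.mapIdentityToRegistryUser still present on RelyingParty")
    return findings


def _cell_xml(custom, oauth_props, rp_props):
    """Build a constructed security.xml document with the given settings."""
    def props(tag, d):
        return "".join('<%s name="%s" value="%s"/>' % (tag, k, v) for k, v in d.items())
    return (
        '<security:Security xmlns:xmi="http://www.omg.org/XMI" '
        'xmlns:security="http://www.ibm.com/websphere/appserver/schemas/5.0/security.xmi">'
        + props("properties", custom)
        + '<authMechanisms xmi:type="security:LTPA"><trustAssociation enabled="true">'
        + '<interceptors interceptorClassName="%s">%s</interceptors>' % (OAUTH_TAI, props("trustProperties", oauth_props))
        + '<interceptors interceptorClassName="%s">%s</interceptors>' % (RELYING_PARTY, props("trustProperties", rp_props))
        + "</trustAssociation></authMechanisms></security:Security>"
    )


# Constructed "before": InvokeTAIbeforeSSO layout with identity mapping still on.
BEFORE = _cell_xml(
    {INVOKE_TAI_BEFORE_SSO: RELYING_PARTY},
    {"provider_1.filter": "request-url%=/oauth2"},
    {"provider_1.identifier": "keycloak", "provider_1.mapIdentityToRegistryUser": "true"},
)
# Constructed "after": steps 1-3 applied.
AFTER = _cell_xml(
    {DEFER_TAI_TO_SSO: RELYING_PARTY},
    {"provider_1.filter_Dummy": "request-url%=/oauth2"},
    {"provider_1.identifier": "keycloak"},
)

if __name__ == "__main__":
    for label, doc in (("before", BEFORE), ("after", AFTER)):
        print(label, check_tai_config(doc) or "OK")
```

Point `check_tai_config` at the dmgr's `config/cells/<cell>/security.xml` after a full synchronization; it only reads the file, so it is safe to run on a live cell, and it does not cover step 4 (lcc.xml) or the J2EE role mappings the next comment raises.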

stoeps13 commented 7 months ago

Hi,

Meanwhile, I tried all possible combinations and gave up (with mapIdentityToRegistryUser and some tweaks, everything worked). I don't think your steps are enough. In my research, it was dependent on the J2EE access roles of Anonymous and Everyone, but in none of my tested combinations did RTE and /social both work; one of these apps always showed an error (without mapIdentityToRegistryUser).

There is too much black magic involved, for me, to make this configuration acceptable for production environments for now.

Maybe you should document the steps in more detail (with all access rights) and add an explanation of how profile mapping works. Since in plenty of deployments access rights are configured with LDAP groups, I'm curious how these mappings work in the end.

But thanks for your update.

stoeps13 commented 7 months ago

Hi,

I gave up on this and will not do further tests. I wasted tons of time on this.

Thanks for your update.