Open solsson opened 7 years ago
It looks like this is an unintended side effect but I'm not sure it is wrong yet.
What does your .conf file look like? Are you using a public client in a multi-provider setup?
Setting OIDCClientSecret should not affect OIDCOAuthIntrospectionEndpoint, but perhaps you meant to say OIDCProviderTokenEndpoint?
The conf is here: https://github.com/Reposoft/openidc-keycloak-test/blob/master/build-contracts/openidc/000-default.conf. It's a public client but is it multi-provider?
I need to get back to you on the directives because I can't test again right now. This was something I guessed based on the error message with OIDCClientSecret, but I might be mistaken.
I'm sorry, the comment I made about directives is irrelevant. We changed from confidential to public in https://github.com/Reposoft/openidc-keycloak-test/pull/18/files#diff-b3a249a260ce1f8ad7085fdc2697dd43L14. This is to support 3rd party integrations. The problem persists at re-test.
With info level, this is the success log, from 2.3.0.
openidc_1 | 172.18.0.4 - - [19/Aug/2017:18:53:10 +0000] "GET /auth/realms/Testrealm/.well-known/openid-configuration HTTP/1.1" 200 1785 "-" "mod_auth_openidc"
openidc_1 | 172.18.0.1 - - [19/Aug/2017:18:53:10 +0000] "GET /protected/ HTTP/1.1" 302 464 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/60.0.3112.78 Chrome/60.0.3112.78 Safari/537.36"
openidc_1 | 172.18.0.1 - - [19/Aug/2017:18:53:10 +0000] "GET /auth/realms/Testrealm/protocol/openid-connect/auth?response_type=code&scope=openid&client_id=openid1&state=n45LGhhZ4e8jEZjZ0pBtPRO095I&redirect_uri=http%3A%2F%2Fopenidc%2Fprotected%2Fredirect_uri&nonce=kLkZt466DWoR1IOGJ4gWwnFnT-RNeHbd83Qvgpq8Lhs HTTP/1.1" 200 3597 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/60.0.3112.78 Chrome/60.0.3112.78 Safari/537.36"
openidc_1 | 172.18.0.1 - - [19/Aug/2017:18:53:14 +0000] "POST /auth/realms/Testrealm/login-actions/authenticate?code=fZbDgV96wt3ZiIqAEMbqkMc0ByY4gdDYXIYoGDDOBGM.0cd133f7-319d-43b9-97f7-e1e6909d6203&execution=6c605ee1-ede5-44b9-965e-2417a7d625c2 HTTP/1.1" 302 - "http://openidc/auth/realms/Testrealm/protocol/openid-connect/auth?response_type=code&scope=openid&client_id=openid1&state=n45LGhhZ4e8jEZjZ0pBtPRO095I&redirect_uri=http%3A%2F%2Fopenidc%2Fprotected%2Fredirect_uri&nonce=kLkZt466DWoR1IOGJ4gWwnFnT-RNeHbd83Qvgpq8Lhs" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/60.0.3112.78 Chrome/60.0.3112.78 Safari/537.36"
openidc_1 | 172.18.0.4 - - [19/Aug/2017:18:53:14 +0000] "POST /auth/realms/Testrealm/protocol/openid-connect/token HTTP/1.1" 200 3907 "-" "mod_auth_openidc"
openidc_1 | 172.18.0.4 - - [19/Aug/2017:18:53:14 +0000] "GET /auth/realms/Testrealm/protocol/openid-connect/certs HTTP/1.1" 200 462 "-" "mod_auth_openidc"
openidc_1 | 172.18.0.4 - - [19/Aug/2017:18:53:14 +0000] "GET /auth/realms/Testrealm/protocol/openid-connect/userinfo HTTP/1.1" 200 169 "-" "mod_auth_openidc"
openidc_1 | [Sat Aug 19 18:53:14.564140 2017] [auth_openidc:warn] [pid 11:tid 140237585999616] [client 172.18.0.1:48516] oidc_save_in_session: session management disabled: no "session_state" value is provided in the authentication response even though "check_session_iframe" (http://openidc/auth/realms/Testrealm/protocol/openid-connect/login-status-iframe.html) is set in the provider configuration, referer: http://openidc/auth/realms/Testrealm/protocol/openid-connect/auth?response_type=code&scope=openid&client_id=openid1&state=n45LGhhZ4e8jEZjZ0pBtPRO095I&redirect_uri=http%3A%2F%2Fopenidc%2Fprotected%2Fredirect_uri&nonce=kLkZt466DWoR1IOGJ4gWwnFnT-RNeHbd83Qvgpq8Lhs
openidc_1 | 172.18.0.1 - fc4aa9a3-9154-430d-86c9-eb4a32793a15 [19/Aug/2017:18:53:14 +0000] "GET /protected/redirect_uri?state=n45LGhhZ4e8jEZjZ0pBtPRO095I&code=fOkWhgAS4i6ir3lbEaBLS545fY2oeYy7UcxcpyrEl7Q.0cd133f7-319d-43b9-97f7-e1e6909d6203 HTTP/1.1" 302 209 "http://openidc/auth/realms/Testrealm/protocol/openid-connect/auth?response_type=code&scope=openid&client_id=openid1&state=n45LGhhZ4e8jEZjZ0pBtPRO095I&redirect_uri=http%3A%2F%2Fopenidc%2Fprotected%2Fredirect_uri&nonce=kLkZt466DWoR1IOGJ4gWwnFnT-RNeHbd83Qvgpq8Lhs" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/60.0.3112.78 Chrome/60.0.3112.78 Safari/537.36"
openidc_1 | 172.18.0.1 - fc4aa9a3-9154-430d-86c9-eb4a32793a15 [19/Aug/2017:18:53:14 +0000] "GET /protected/ HTTP/1.1" 200 607 "http://openidc/auth/realms/Testrealm/protocol/openid-connect/auth?response_type=code&scope=openid&client_id=openid1&state=n45LGhhZ4e8jEZjZ0pBtPRO095I&redirect_uri=http%3A%2F%2Fopenidc%2Fprotected%2Fredirect_uri&nonce=kLkZt466DWoR1IOGJ4gWwnFnT-RNeHbd83Qvgpq8Lhs" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/60.0.3112.78 Chrome/60.0.3112.78 Safari/537.36"
openidc_1 | 172.18.0.1 - - [19/Aug/2017:18:53:14 +0000] "GET /style.css HTTP/1.1" 304 - "http://openidc/protected/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/60.0.3112.78 Chrome/60.0.3112.78 Safari/537.36"
openidc_1 | 172.18.0.1 - fc4aa9a3-9154-430d-86c9-eb4a32793a15 [19/Aug/2017:18:53:14 +0000] "GET /protected/script.js HTTP/1.1" 304 - "http://openidc/protected/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/60.0.3112.78 Chrome/60.0.3112.78 Safari/537.36"
openidc_1 | 172.18.0.1 - fc4aa9a3-9154-430d-86c9-eb4a32793a15 [19/Aug/2017:18:53:14 +0000] "HEAD /protected/ HTTP/1.1" 304 - "http://openidc/protected/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/60.0.3112.78 Chrome/60.0.3112.78 Safari/537.36"
openidc_1 | 172.18.0.1 - fc4aa9a3-9154-430d-86c9-eb4a32793a15 [19/Aug/2017:18:53:14 +0000] "GET /protected/ HTTP/1.1" 304 - "http://openidc/protected/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/60.0.3112.78 Chrome/60.0.3112.78 Safari/537.36"
This is the log with identical conf but 2.3.1:
openidc_1 | 172.18.0.4 - - [19/Aug/2017:18:55:17 +0000] "GET /auth/realms/Testrealm/.well-known/openid-configuration HTTP/1.1" 200 1785 "-" "mod_auth_openidc"
openidc_1 | 172.18.0.1 - - [19/Aug/2017:18:55:17 +0000] "GET /protected/ HTTP/1.1" 302 464 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/60.0.3112.78 Chrome/60.0.3112.78 Safari/537.36"
openidc_1 | 172.18.0.1 - - [19/Aug/2017:18:55:17 +0000] "GET /auth/realms/Testrealm/protocol/openid-connect/auth?response_type=code&scope=openid&client_id=openid1&state=Dy8545hMI6aUcIQXWNB-CpZD85Y&redirect_uri=http%3A%2F%2Fopenidc%2Fprotected%2Fredirect_uri&nonce=3twHstQbLoQi1dEO3_bqcQb1udLkBW6RMoIcMuwG1DA HTTP/1.1" 200 3597 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/60.0.3112.78 Chrome/60.0.3112.78 Safari/537.36"
openidc_1 | 172.18.0.1 - - [19/Aug/2017:18:55:21 +0000] "POST /auth/realms/Testrealm/login-actions/authenticate?code=ctFbvCIclpgz3PlV08ir3FMPhbOuHnPrzjhuL3vEt5I.98dfe6c1-0721-4e5c-8e1f-0ed440c23589&execution=6c605ee1-ede5-44b9-965e-2417a7d625c2 HTTP/1.1" 302 - "http://openidc/auth/realms/Testrealm/protocol/openid-connect/auth?response_type=code&scope=openid&client_id=openid1&state=Dy8545hMI6aUcIQXWNB-CpZD85Y&redirect_uri=http%3A%2F%2Fopenidc%2Fprotected%2Fredirect_uri&nonce=3twHstQbLoQi1dEO3_bqcQb1udLkBW6RMoIcMuwG1DA" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/60.0.3112.78 Chrome/60.0.3112.78 Safari/537.36"
openidc_1 | [Sat Aug 19 18:55:21.713533 2017] [auth_openidc:error] [pid 10:tid 140217503696640] [client 172.18.0.1:48664] oidc_proto_endpoint_auth_basic: no client secret is configured, referer: http://openidc/auth/realms/Testrealm/protocol/openid-connect/auth?response_type=code&scope=openid&client_id=openid1&state=Dy8545hMI6aUcIQXWNB-CpZD85Y&redirect_uri=http%3A%2F%2Fopenidc%2Fprotected%2Fredirect_uri&nonce=3twHstQbLoQi1dEO3_bqcQb1udLkBW6RMoIcMuwG1DA
openidc_1 | [Sat Aug 19 18:55:21.713558 2017] [auth_openidc:error] [pid 10:tid 140217503696640] [client 172.18.0.1:48664] oidc_proto_resolve_code_and_validate_response: failed to resolve the code, referer: http://openidc/auth/realms/Testrealm/protocol/openid-connect/auth?response_type=code&scope=openid&client_id=openid1&state=Dy8545hMI6aUcIQXWNB-CpZD85Y&redirect_uri=http%3A%2F%2Fopenidc%2Fprotected%2Fredirect_uri&nonce=3twHstQbLoQi1dEO3_bqcQb1udLkBW6RMoIcMuwG1DA
openidc_1 | 172.18.0.1 - - [19/Aug/2017:18:55:21 +0000] "GET /protected/redirect_uri?state=Dy8545hMI6aUcIQXWNB-CpZD85Y&code=DjkDeMbk0UAjhgwkLu9lv20hUjjXKeOoFJUK4A-HJv4.98dfe6c1-0721-4e5c-8e1f-0ed440c23589 HTTP/1.1" 200 335 "http://openidc/auth/realms/Testrealm/protocol/openid-connect/auth?response_type=code&scope=openid&client_id=openid1&state=Dy8545hMI6aUcIQXWNB-CpZD85Y&redirect_uri=http%3A%2F%2Fopenidc%2Fprotected%2Fredirect_uri&nonce=3twHstQbLoQi1dEO3_bqcQb1udLkBW6RMoIcMuwG1DA" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/60.0.3112.78 Chrome/60.0.3112.78 Safari/537.36"
openidc_1 | 172.18.0.1 - - [19/Aug/2017:18:55:21 +0000] "GET /favicon.ico HTTP/1.1" 404 209 "http://openidc/protected/redirect_uri?state=Dy8545hMI6aUcIQXWNB-CpZD85Y&code=DjkDeMbk0UAjhgwkLu9lv20hUjjXKeOoFJUK4A-HJv4.98dfe6c1-0721-4e5c-8e1f-0ed440c23589" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/60.0.3112.78 Chrome/60.0.3112.78 Safari/537.36"
Are we doing something wrong after the switch from confidential to public? Everything works with 2.3.1 if I switch the client in Keycloak to confidential and re-introduce OIDCClientSecret. With a confidential client and no OIDCClientSecret I get an identical error as with public.
By definition a public client is a client without a secret (or any other credential) and a confidential client does have one.
I believe I broke using public clients in 2.3.1 when using configuration metadata: mod_auth_openidc will (always) pick an authentication method for the token endpoint that the Provider publishes in its Discovery metadata.
Yet I would like to emphasize that using mod_auth_openidc as a public client is needlessly insecure. You should use mod_auth_openidc as a confidential client since public clients were only introduced for mobile and in-browser use cases and a so-called web client (which is what mod_auth_openidc is) is perfectly capable of keeping client secrets.
These are the options going forward:
OIDCMetadataURL but configure OIDCProvider* settings individually and manually; I believe that's a workaround that does allow for public clients
My advice is 3.
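To make the failure mode described in this comment concrete, here is an added example (not mod_auth_openidc's own code) that models how a relying party picks the token-endpoint authentication method from discovery metadata and then builds the authorization-code exchange; the discovery fragment, the method list, the client id openid1, the secret value and the two selection strategies are constructed assumptions that mirror the behaviour described above.

```python
import base64
from urllib.parse import quote, urlencode

# Constructed discovery fragment modelled on what a Keycloak realm publishes;
# only the fields this example needs, and the method list is an assumption.
DISCOVERY = {
    "token_endpoint": "http://openidc/auth/realms/Testrealm/protocol/openid-connect/token",
    "token_endpoint_auth_methods_supported": ["client_secret_basic", "client_secret_post"],
}
SECRET_METHODS = ("client_secret_basic", "client_secret_post")
REDIRECT_URI = "http://openidc/protected/redirect_uri"  # assumed, as in the logs above


def pick_auth_method_naive(metadata):
    """Provider-only selection: first secret-based method it advertises (the 2.3.1 problem)."""
    for method in metadata.get("token_endpoint_auth_methods_supported", SECRET_METHODS):
        if method in SECRET_METHODS:
            return method
    return "none"


def pick_auth_method_fixed(metadata, client_secret):
    """Also consult the RP's own config: no secret means a public client, so use "none"."""
    if not client_secret:
        return "none"
    return pick_auth_method_naive(metadata)


def build_token_request(method, client_id, client_secret, code):
    """Return (headers, form_body) for the authorization-code exchange."""
    form = {"grant_type": "authorization_code", "code": code, "redirect_uri": REDIRECT_URI}
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if method in SECRET_METHODS and not client_secret:
        raise ValueError("no client secret is configured")  # same condition as the log error
    if method == "client_secret_basic":
        cred = f"{quote(client_id, safe='')}:{quote(client_secret, safe='')}"
        headers["Authorization"] = "Basic " + base64.b64encode(cred.encode()).decode()
    elif method == "client_secret_post":
        form.update(client_id=client_id, client_secret=client_secret)
    elif method == "none":
        form["client_id"] = client_id  # a public client only identifies itself
    return headers, urlencode(form)


def can_exchange(method, client_secret):
    """True when a token request can be built for this method and secret."""
    try:
        build_token_request(method, "openid1", client_secret, "constructed-code")
        return True
    except ValueError:
        return False
```

Running the naive selection with no secret configured yields client_secret_basic and the exchange fails exactly as in the 2.3.1 log; the fixed selection yields "none" and the code exchange carries only client_id.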
Thanks for your advice, I appreciate it. Let me know if I can help with testing the patch, we've been building from source before. We're actually using mod_auth_openidc 1.x in production still, with confidential clients.
Our reason to mess with this is to support mobile applications that retrieve a token and use that for API requests. My research that led to the decision is summarized in https://github.com/Reposoft/openidc-keycloak-test/pull/17#issuecomment-304363138. In short we're validating redirect URIs.
Are there better ways to do that than switching to public? Is there a pattern for authenticating with mod_auth_openidc as confidential client and retrieve something like an API token?
Mobile users do expect to authenticate on first use, and after that very rarely. We've been testing with code along the lines of https://github.com/Reposoft/openidc-keycloak-test/blob/171bb6e99d0fd160785f27c9548faf96a2ca91ce/build-contracts/keycloak-setup/spec.js#L41 and use that as a Bearer token to gain access through mod_auth_openidc.
The recommendation for mobile clients is for the app itself to be an OIDC client. It may create some credential after registering with an OpenID Connect provider using Dynamic Client Registration to increase security.
The pattern you describe is also possible, see: https://hanszandbelt.wordpress.com/2017/02/24/openid-connect-for-single-page-applications/ where you can replace "SPA" with "Mobile Client".
I have uploaded 2.3.2rc4 with an untested patch (attached) for public clients here: http://mod-auth-openidc.org/download/?C=M;O=D
I've confirmed that the patch works with the config that previously failed (9801d65). I also noticed that an arbitrary OIDCClientSecret will have no effect with a public client; possibly a security gotcha.
Thanks for all your advice. I'd be happy to ask more questions but you've actually solved the issue already, so I'll read up on the resources and quite possibly get back through the mailing list.
Will close this issue once 2.3.2 is released.
What would be the security gotcha? In the end it is up to the configuration on the OP side to determine what is a public client or a confidential client no matter what the client thinks or sends. I'm not sure there's anything that can be done wrt. that.
I guess that was just a note to self. Keycloak's openid-connect clients default to public. It would be better if they default to confidential, now that we're leaning towards public being needlessly insecure. When we set up new realms we tend to copy configuration from some existing vhost and modify. There's a risk that some realm is misconfigured while appearing confidential in apache conf.
Upon successful login the page shows "Error: OpenID Connect Provider error: Error in handling response type."
Logs:
Endpoint:
Now if I downgrade to 2.3.0, i.e. revert ed44401, auth works again. Endpoint json is identical. Log:
@zandbelt Might this be an effect of https://github.com/pingidentity/mod_auth_openidc/commit/0039c54253e970706a52f61a62869a1dd3d0eade?
I've tried to set OIDCClientSecret but then startup fails unless I have an OIDCOAuthIntrospectionEndpoint, which is http in this test setup, so I got stuck there.