Reposoft / openidc-keycloak-test

zmartzone/mod_auth_openidc and keycloak combined - self hosted cloud auth

Session management is disabled: no "session_state" value #23

Open solsson opened 6 years ago

solsson commented 6 years ago
[auth_openidc:warn] [pid 15:tid 139947583420160] [client 172.19.0.1:43096] oidc_save_in_session: session management disabled: no "session_state" value is provided in the authentication response even though "check_session_iframe" (http://openidc/auth/realms/Testrealm/protocol/openid-connect/login-status-iframe.html) is set in the provider configuration, referer: http://openidc/auth/realms/Testrealm/protocol/openid-connect/auth?response_type=code&scope=openid&client_id=testclient&state=coSkGo-UDklQ3GdazdcomW2X9k8&redirect_uri=http%3A%2F%2Fopenidc%2Fprotected%2Fredirect_uri&nonce=shCh1KsyHNVZ74siMW8XXYfDWKaG-1IPlsVqdXcHOzc
solsson commented 6 years ago

Keycloak 3.4.0 + curl -s http://openidc/auth/realms/Testrealm/.well-known/openid-configuration | jq '.'

{
  "issuer": "http://openidc/auth/realms/Testrealm",
  "authorization_endpoint": "http://openidc/auth/realms/Testrealm/protocol/openid-connect/auth",
  "token_endpoint": "http://openidc/auth/realms/Testrealm/protocol/openid-connect/token",
  "token_introspection_endpoint": "http://openidc/auth/realms/Testrealm/protocol/openid-connect/token/introspect",
  "userinfo_endpoint": "http://openidc/auth/realms/Testrealm/protocol/openid-connect/userinfo",
  "end_session_endpoint": "http://openidc/auth/realms/Testrealm/protocol/openid-connect/logout",
  "jwks_uri": "http://openidc/auth/realms/Testrealm/protocol/openid-connect/certs",
  "check_session_iframe": "http://openidc/auth/realms/Testrealm/protocol/openid-connect/login-status-iframe.html",
  "grant_types_supported": [
    "authorization_code",
    "implicit",
    "refresh_token",
    "password",
    "client_credentials"
  ],
  "response_types_supported": [
    "code",
    "none",
    "id_token",
    "token",
    "id_token token",
    "code id_token",
    "code token",
    "code id_token token"
  ],
  "subject_types_supported": [
    "public",
    "pairwise"
  ],
  "id_token_signing_alg_values_supported": [
    "RS256"
  ],
  "userinfo_signing_alg_values_supported": [
    "RS256"
  ],
  "request_object_signing_alg_values_supported": [
    "none",
    "RS256"
  ],
  "response_modes_supported": [
    "query",
    "fragment",
    "form_post"
  ],
  "registration_endpoint": "http://openidc/auth/realms/Testrealm/clients-registrations/openid-connect",
  "token_endpoint_auth_methods_supported": [
    "private_key_jwt",
    "client_secret_basic",
    "client_secret_post"
  ],
  "token_endpoint_auth_signing_alg_values_supported": [
    "RS256"
  ],
  "claims_supported": [
    "sub",
    "iss",
    "auth_time",
    "name",
    "given_name",
    "family_name",
    "preferred_username",
    "email"
  ],
  "claim_types_supported": [
    "normal"
  ],
  "claims_parameter_supported": false,
  "scopes_supported": [
    "openid",
    "offline_access"
  ],
  "request_parameter_supported": true,
  "request_uri_parameter_supported": true
}
solsson commented 6 years ago

https://github.com/zmartzone/mod_auth_openidc/issues/276, with https://issues.jboss.org/browse/KEYCLOAK-4478 still open.

solsson commented 6 years ago

Debug logging suggests that Keycloak does include a session_state UUID (in both oidc_util_json_merge entries). Maybe I fail to grasp the expected behavior.

openidc_1         | [Thu Nov 23 13:12:51.339880 2017] [auth_openidc:debug] [pid 17:tid 140203989636864] src/util.c(1937): [client 172.19.0.1:42466] oidc_util_json_merge: src={"jti":"f3ba4802-e597-4eeb-8409-958367d52c6b","exp":1511443071,"nbf":0,"iat":1511442771,"iss":"http://openidc/auth/realms/Testrealm","aud":"testclient","sub":"e7ebf587-7fb6-4103-82df-2bea3274f855","typ":"ID","azp":"testclient","nonce":"NZg5l-EFjaiJ6XKYTEt-it3LdGU2v2TFk0uWYWsv6YY","auth_time":1511442204,"session_state":"4accf2a6-4d67-4fc6-8c87-01ec30782bec","acr":"0","name":"Test Openidc","preferred_username":"test1","given_name":"Test","family_name":"Openidc","email":"test1@example.net"}, dst={"sub":"e7ebf587-7fb6-4103-82df-2bea3274f855","name":"Test Openidc","preferred_username":"test1","given_name":"Test","family_name":"Openidc","email":"test1@example.net"}, referer: http://openidc/
openidc_1         | [Thu Nov 23 13:12:51.339932 2017] [auth_openidc:debug] [pid 17:tid 140203989636864] src/util.c(1948): [client 172.19.0.1:42466] oidc_util_json_merge: result dst={"sub":"e7ebf587-7fb6-4103-82df-2bea3274f855","name":"Test Openidc","preferred_username":"test1","given_name":"Test","family_name":"Openidc","email":"test1@example.net","jti":"f3ba4802-e597-4eeb-8409-958367d52c6b","exp":1511443071,"nbf":0,"iat":1511442771,"iss":"http://openidc/auth/realms/Testrealm","aud":"testclient","typ":"ID","azp":"testclient","nonce":"NZg5l-EFjaiJ6XKYTEt-it3LdGU2v2TFk0uWYWsv6YY","auth_time":1511442204,"session_state":"4accf2a6-4d67-4fc6-8c87-01ec30782bec","acr":"0"}, referer: http://openidc/
openidc_1         | [Thu Nov 23 13:12:51.339956 2017] [auth_openidc:debug] [pid 17:tid 140203989636864] src/mod_auth_openidc.c(1623): [client 172.19.0.1:42466] oidc_set_request_user: set remote_user to "e7ebf587-7fb6-4103-82df-2bea3274f855" based on claim: "sub", referer: http://openidc/
openidc_1         | [Thu Nov 23 13:12:51.340022 2017] [auth_openidc:warn] [pid 17:tid 140203989636864] [client 172.19.0.1:42466] oidc_save_in_session: session management disabled: no "session_state" value is provided in the authentication response even though "check_session_iframe" (http://openidc/auth/realms/Testrealm/protocol/openid-connect/login-status-iframe.html) is set in the provider configuration, referer: http://openidc/
solsson commented 6 years ago

I get "unsupported_response_type" for any OIDCResponseType except the default. Maybe this isn't the same as https://github.com/zmartzone/mod_auth_openidc/issues/276 after all.

Actually there is session_state in the response= there too. I might just wait for next Keycloak release, as https://issues.jboss.org/browse/KEYCLOAK-4478 is scheduled to be fixed by then.
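Added worked example (not part of the thread above and not code from mod_auth_openidc or Keycloak) illustrating the distinction the warning in this issue turns on: the check_session_iframe mechanism of OpenID Connect Session Management 1.0 is keyed on a `session_state` parameter in the authentication response delivered to the redirect_uri, which is separate from the `session_state` claim inside the ID token. The script models a relying party that inspects both places. The claim values are copied from the debug log in this issue; the authorization code, the signature segment, and the exact shape of the check are constructed assumptions for illustration (the real module also verifies the ID token signature, which this example deliberately does not do).

```python
import base64
import json
from urllib.parse import urlparse, parse_qs

# Constructed sample data. Claim values are taken from the debug log in this
# issue; the code value and the signature segment are placeholders.
CHECK_SESSION_IFRAME = (
    "http://openidc/auth/realms/Testrealm/protocol/openid-connect/login-status-iframe.html"
)
_ID_TOKEN_PAYLOAD = {
    "iss": "http://openidc/auth/realms/Testrealm",
    "aud": "testclient",
    "sub": "e7ebf587-7fb6-4103-82df-2bea3274f855",
    "typ": "ID",
    "nonce": "NZg5l-EFjaiJ6XKYTEt-it3LdGU2v2TFk0uWYWsv6YY",
    "session_state": "4accf2a6-4d67-4fc6-8c87-01ec30782bec",
}


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


# Stand-in for the ID token (header.payload.signature). The signature segment
# is a placeholder: this example only decodes claims, it never verifies them.
SAMPLE_ID_TOKEN = ".".join([
    _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode()),
    _b64url_encode(json.dumps(_ID_TOKEN_PAYLOAD).encode()),
    "PLACEHOLDER-SIGNATURE",
])

# Callback URL when the OP carries session_state only inside the ID token
# (the behaviour reported in this issue) ...
KEYCLOAK_STYLE_REDIRECT = (
    "http://openidc/protected/redirect_uri"
    "?state=coSkGo-UDklQ3GdazdcomW2X9k8&code=CONSTRUCTED-AUTH-CODE"
)
# ... and when it also returns session_state as a response parameter, which is
# what the session management spec describes.
SPEC_STYLE_REDIRECT = (
    KEYCLOAK_STYLE_REDIRECT + "&session_state=4accf2a6-4d67-4fc6-8c87-01ec30782bec"
)


def id_token_claims(id_token: str) -> dict:
    """Decode the payload of a compact JWT. No signature verification happens
    here; a real RP must verify the token before trusting any claim in it."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(_b64url_decode(parts[1]))


def authorization_response_params(redirect_url: str) -> dict:
    """Parameters of the authentication response as delivered to the
    redirect_uri: the query string for response_mode=query, the fragment for
    response_mode=fragment."""
    parsed = urlparse(redirect_url)
    raw = parsed.query or parsed.fragment
    return {k: v[0] for k, v in parse_qs(raw).items()}


def session_management_status(redirect_url: str, id_token: str,
                              check_session_iframe) -> dict:
    """Modelled on the warning text in this issue (an assumption, not the
    module's code): session management is keyed on the session_state
    *response parameter*, so a claim in the ID token alone is not enough."""
    params = authorization_response_params(redirect_url)
    claims = id_token_claims(id_token)
    in_response = params.get("session_state")
    in_id_token = claims.get("session_state")
    enabled = in_response is not None
    return {
        "session_state_in_response": in_response,
        "session_state_in_id_token": in_id_token,
        "session_management_enabled": enabled,
        # Warn only when the provider advertises check_session_iframe but the
        # response carried no session_state, as the page's log shows.
        "warning": (not enabled) and check_session_iframe is not None,
    }


if __name__ == "__main__":
    for label, url in (("keycloak-style", KEYCLOAK_STYLE_REDIRECT),
                       ("spec-style", SPEC_STYLE_REDIRECT)):
        print(label, session_management_status(url, SAMPLE_ID_TOKEN, CHECK_SESSION_IFRAME))
```

Running it shows the Keycloak-style callback yielding `session_state_in_id_token` set but `session_management_enabled` false with the warning raised, while the spec-style callback (same ID token, extra response parameter) enables session management and raises no warning: the difference is entirely in the redirect URL, not in the token.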