Sunbird-RC / community

Repo to enable discussions, issue tracking & documentation for the Sunbird-RC projects
MIT License

Registry server does not send `client_id` and `client_secret` to keycloak server #76

Open gamemaker1 opened 2 years ago

gamemaker1 commented 2 years ago

To Reproduce

  1. Run the setup script:
     ```sh
     curl https://gist.githubusercontent.com/gamemaker1/055875c27d3af1bb27c408223b390767/raw/cb9da7d886d6fef54383567ffff363e72e8bbd75/setup.sh | bash
     ```
  2. Go to http://localhost:8080/auth/admin.
  3. Log in using user `admin` and password `admin`.
  4. On the top left, click 'CREATE REALM'.
  5. Import this file while creating a new realm.
  6. Go to http://localhost:8081/sso/login and log in using user `test` and password `test`.
  7. You will see the following:

image

Expected behavior

Registry server should have gotten an auth token from keycloak and authenticated me.

Logs

https://gist.github.com/gamemaker1/48132a2e2c69ff3de13fd3b0a27f09fa

Versions

Additional context

Looking at the logs, specifically this part, the registry does not send the client_id and client_secret to keycloak, resulting in a 400 response with the error unauthorized_client. If I do a POST request via httpie with the client_id and client_secret, it works and keycloak returns a bearer token:

```
~ > http --form post :8080/auth/realms/sunbird/protocol/openid-connect/token grant_type=authorization_code code=... redirect_uri=http://localhost:8081/sso/login client_session_state=.... client_session_host=mycomputer client_id=sunbird client_secret=f2d72d52-8aac-4b90-856c-1ab8fb45c974

HTTP/1.1 200 OK
Cache-Control: no-store
Connection: keep-alive
Content-Length: 3139
Content-Type: application/json
Date: Sat, 02 Oct 2021 11:35:00 GMT
Pragma: no-cache
Referrer-Policy: no-referrer
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block

{
    "access_token": "...",
    "expires_in": 300,
    "id_token": "...",
    "not-before-policy": 0,
    "refresh_expires_in": 1800,
    "refresh_token": "...",
    "scope": "openid email profile",
    "session_state": "e3981283-d290-429b-b236-41edd943f0aa",
    "token_type": "bearer"
}
```

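The difference between the failing request and the working httpie call above comes down to client authentication at the token endpoint. The following is an added example, not code from the Sunbird-RC registry or from Keycloak: it builds the authorization-code exchange the three ways a confidential client can (no client auth, which is what the registry's wire log shows; `client_secret_post`, which is what the httpie command does; and `client_secret_basic`), adds a pre-flight check a client can run before sending, and models the server-side decision so the two outcomes in this issue (400 `unauthorized_client` versus 200 with a token) can be reproduced offline. The client id and token path are taken from the issue; the secret, the code and the toy endpoint logic are constructed placeholders and assumptions.

```python
"""Added example for this issue (not Sunbird-RC or Keycloak code).

For a *confidential* OpenID Connect client such as the registry, the
authorization-code exchange at the token endpoint must authenticate the client,
either by putting client_id/client_secret in the form body (client_secret_post)
or in an Authorization: Basic header (client_secret_basic).  A request that
carries only grant_type/code/redirect_uri, as in the registry wire log, is what
Keycloak answers with 400 unauthorized_client / invalid client credentials.
The secret and the code below are constructed placeholders.
"""
import base64
import hmac
from typing import Dict, Tuple
from urllib.parse import parse_qsl, urlencode

TOKEN_URL = "http://kc:8080/auth/realms/sunbird/protocol/openid-connect/token"  # path from the issue
CLIENT_ID = "sunbird"                 # client id from the issue's config
CLIENT_SECRET = "SECRET-PLACEHOLDER"  # constructed; never the real secret
REDIRECT_URI = "http://localhost:8081/sso/login"


def build_token_request(code: str, method: str = "client_secret_post") -> Tuple[Dict[str, str], str]:
    """Return (headers, url-encoded body) for a code-to-token POST.

    method: "client_secret_post"  -> credentials in the form body
            "client_secret_basic" -> credentials in an Authorization: Basic header
            "none"                -> no client authentication (what the registry sent)
    """
    form = {"grant_type": "authorization_code", "code": code, "redirect_uri": REDIRECT_URI}
    headers = {"Content-Type": "application/x-www-form-urlencoded; charset=UTF-8"}
    if method == "client_secret_post":
        form["client_id"] = CLIENT_ID
        form["client_secret"] = CLIENT_SECRET
    elif method == "client_secret_basic":
        creds = base64.b64encode(f"{CLIENT_ID}:{CLIENT_SECRET}".encode()).decode()
        headers["Authorization"] = f"Basic {creds}"
    elif method != "none":
        raise ValueError(f"unknown client authentication method: {method}")
    return headers, urlencode(form)


def client_auth_present(headers: Dict[str, str], body: str) -> bool:
    """Client-side pre-flight check: refuse to send a token request with no client auth."""
    if headers.get("Authorization", "").startswith("Basic "):
        return True
    fields = dict(parse_qsl(body))
    return bool(fields.get("client_id")) and bool(fields.get("client_secret"))


def simulate_token_endpoint(headers: Dict[str, str], body: str) -> Tuple[int, Dict[str, object]]:
    """Toy model of the server-side check, written to mirror the two outcomes seen in
    the issue (400 unauthorized_client vs. 200 with a token). Not Keycloak's logic."""
    client_id, client_secret = None, None
    auth = headers.get("Authorization", "")
    if auth.startswith("Basic "):
        try:
            client_id, _, client_secret = base64.b64decode(auth[6:]).decode().partition(":")
        except (ValueError, UnicodeDecodeError):
            pass  # malformed header: treated as unauthenticated below
    fields = dict(parse_qsl(body))
    client_id = client_id or fields.get("client_id")
    client_secret = client_secret or fields.get("client_secret")
    # Unknown client or bad/missing secret -> the error the registry received.
    # compare_digest keeps the secret comparison constant-time.
    if (client_id != CLIENT_ID or not client_secret
            or not hmac.compare_digest(client_secret, CLIENT_SECRET)):
        return 400, {"error": "unauthorized_client",
                     "error_description": "INVALID_CREDENTIALS: Invalid client credentials"}
    if fields.get("grant_type") != "authorization_code" or not fields.get("code"):
        return 400, {"error": "invalid_request"}
    return 200, {"access_token": "...", "token_type": "bearer", "expires_in": 300}


if __name__ == "__main__":
    for method in ("none", "client_secret_post", "client_secret_basic"):
        hdrs, body = build_token_request("CODE-PLACEHOLDER", method)
        status, payload = simulate_token_endpoint(hdrs, body)
        print(f"{method:20s} auth_present={client_auth_present(hdrs, body)!s:5s} "
              f"-> {status} {payload.get('error', 'ok')}")
```

Running the block prints one line per method; only the `none` variant is refused, which matches the `clientId=null` event Keycloak logs when the token request identifies no client. The pre-flight check is the kind of guard worth having in an adapter, since a missing secret (empty environment variable, wrong property name) otherwise surfaces only as a 400 on the other side.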
gamemaker1 commented 2 years ago

@dileepbapat @ChakshuGautam I noticed that issue #37 was similar to what I am reporting. Is there any fix or known workaround for this issue? Or anything I should do differently?

Thanks in advance

rahul101001000 commented 2 years ago

@dileepbapat could you please point out what @gamemaker1 has done wrong in the script or the config used? The specific error is called out above.

I think all the config elements of the keycloak file you pointed to in issue #37 have been incorporated but will check again.

gamemaker1 commented 2 years ago

@rahul101001000 @dileepbapat @parthlawate I tried incorporating the keycloak config mentioned in https://github.com/Sunbird-RC/community/issues/48#issuecomment-934050428, but I still get the same error.

The problem seems to be that the registry does not send the client_id and client_secret back to keycloak once the user authenticates with keycloak.

This is the relevant portion of the logs that shows the error:

```
rg          | 07:12:03.788 [http-nio-8081-exec-6] DEBUG org.apache.http.headers:278 - >> POST /auth/realms/sunbird/protocol/openid-connect/token HTTP/1.1
rg          | 07:12:03.789 [http-nio-8081-exec-6] DEBUG org.apache.http.headers:281 - >> Content-Length: 289
rg          | 07:12:03.789 [http-nio-8081-exec-6] DEBUG org.apache.http.headers:281 - >> Content-Type: application/x-www-form-urlencoded; charset=UTF-8
rg          | 07:12:03.789 [http-nio-8081-exec-6] DEBUG org.apache.http.headers:281 - >> Host: kc:8080
rg          | 07:12:03.789 [http-nio-8081-exec-6] DEBUG org.apache.http.headers:281 - >> Connection: Keep-Alive
rg          | 07:12:03.789 [http-nio-8081-exec-6] DEBUG org.apache.http.wire:87 -  >> "grant_type=authorization_code&code=d3794c64-0a1f-41f5-a809-d96bd36b6941.c6243c78-555a-491e-98e5-f1ec09016933.ab6c7d34-386c-4de3-83ab-bde492bc0a38&redirect_uri=http%3A%2F%2Flocalhost%3A8081%2Fsso%2Flogin&client_session_state=66759BB29628EAFAD0D329677C9586C4&client_session_host=ecc26f7d92cf"
kc          | 07:12:03,791 WARN  [org.keycloak.events] (default task-3) type=CODE_TO_TOKEN_ERROR, realmId=sunbird, clientId=null, userId=null, ipAddress=172.22.0.5, error=invalid_client_credentials, grant_type=authorization_code
rg          | 07:12:03.792 [http-nio-8081-exec-6] DEBUG org.apache.http.wire:73 -  << "HTTP/1.1 400 Bad Request[\r][\n]"
rg          | 07:12:03.797 [http-nio-8081-exec-6] DEBUG org.apache.http.wire:87 -  << "{"error":"unauthorized_client","error_description":"INVALID_CREDENTIALS: Invalid client credentials"}"
```

This is the docker-compose file I am using:

```yaml
version: '3.9'
services:
  es:
    container_name: es
    image: docker.elastic.co/elasticsearch/elasticsearch:7.10.1
    environment:
      - discovery.type=single-node
      - 'ES_JAVA_OPTS=-Xms512m -Xmx512m'
    ports:
      - '9200:9200'
      - '9300:9300'
  db:
    container_name: db
    image: postgres
    ports:
      - '5432:5432'
    environment:
      - POSTGRES_DB=registry
      - POSTGRES_USER=postgres
      - POSTGRES_PASSWORD=postgres
  keycloak:
    container_name: kc
    image: dockerhub/keycloak:1.23.3-generic
    environment:
      - DB_VENDOR=postgres
      - DB_ADDR=db
      - DB_PORT=5432
      - DB_DATABASE=registry
      - DB_USER=postgres
      - DB_PASSWORD=postgres
      - KEYCLOAK_USER=admin
      - KEYCLOAK_PASSWORD=admin
    ports:
      - '8080:8080'
      - '9990:9990'
  registry:
    container_name: rg
    image: openjdk:8
    ports:
      - '8081:8081'
    volumes:
      - ./sources/core/java/registry/target/registry.jar:/registry.jar
    command:
      java -jar -Xms1024m -Xmx2048m -XX:+UseG1GC -XX:+UseGCLogFileRotation
      -XX:NumberOfGCLogFiles=5 -XX:GCLogFileSize=50M
      -Xloggc:logs/opensaber_gc.log /registry.jar
    environment:
      - sunbird_sso_url=http://kc:8080/auth
      - sunbird_sso_realm=sunbird
      - sunbird_sso_client_id=sunbird
      - sunbird_sso_client_secret=ede412c7-08e3-4916-9aa4-28cc406ee112
      - connectionInfo_uri=jdbc:postgresql://db:5432/registry
      - connectionInfo_username=postgres
      - connectionInfo_password=postgres
```
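The log excerpt in this comment is the kind of thing that is easier to read when the registry's HttpClient wire lines and Keycloak's event lines are correlated by a script rather than by eye. The following is an added example, not Sunbird-RC or Keycloak code: it walks a log in the format quoted above, pairs each thread's `>> POST .../protocol/openid-connect/token` line with the form body that follows it, reports whether that body (or an `Authorization: Basic` header on the same thread) authenticates the client, and collects Keycloak `CODE_TO_TOKEN_ERROR` events. The sample log is constructed to mirror the lines above; the authorization codes, secret, session state and IP address in it are placeholders, and the assumption that a Basic header would appear as a `>> Authorization: Basic` headers line is mine.

```python
"""Added example for this issue (not Sunbird-RC or Keycloak code): a small
triage script for the registry ("rg") HttpClient wire/headers log lines and the
Keycloak ("kc") event lines in the format quoted in the issue. It flags
code-to-token requests that carry no client_id/client_secret (and no
Authorization: Basic header) and collects Keycloak's CODE_TO_TOKEN_ERROR events,
so both sides of the failure can be read together. SAMPLE_LOG is constructed;
the codes, secret, state and IP address in it are placeholders.
"""
import re
from typing import Dict, List, Set
from urllib.parse import parse_qsl

TOKEN_PATH_SUFFIX = "/protocol/openid-connect/token"

# Common "service | timestamp [thread]" prefix of the registry container's lines.
PREFIX = r"^(?P<svc>\S+)\s+\|\s+(?P<ts>\S+)\s+\[(?P<thread>[^\]]+)\]"
REQ_LINE = re.compile(PREFIX + r".*org\.apache\.http\.headers:\d+ - >> (?P<method>[A-Z]+) (?P<path>\S+) HTTP/1\.1$")
BASIC_HDR = re.compile(PREFIX + r".*org\.apache\.http\.headers:\d+ - >> Authorization: Basic \S+$")
WIRE_OUT = re.compile(PREFIX + r".*org\.apache\.http\.wire:\d+ -\s+>> \"(?P<body>.*)\"$")
KC_EVENT = re.compile(r"^kc\s+\|\s+(?P<ts>\S+)\s+WARN\s+\[org\.keycloak\.events\].*?\) (?P<kv>type=.*)$")

# Constructed sample: a failing exchange (no client credentials) followed by a good one.
SAMPLE_LOG = r"""
rg          | 07:12:03.788 [http-nio-8081-exec-6] DEBUG org.apache.http.headers:278 - >> POST /auth/realms/sunbird/protocol/openid-connect/token HTTP/1.1
rg          | 07:12:03.789 [http-nio-8081-exec-6] DEBUG org.apache.http.headers:281 - >> Host: kc:8080
rg          | 07:12:03.789 [http-nio-8081-exec-6] DEBUG org.apache.http.wire:87 -  >> "grant_type=authorization_code&code=CODE-PLACEHOLDER-1&redirect_uri=http%3A%2F%2Flocalhost%3A8081%2Fsso%2Flogin&client_session_state=STATE-PLACEHOLDER&client_session_host=rg"
kc          | 07:12:03,791 WARN  [org.keycloak.events] (default task-3) type=CODE_TO_TOKEN_ERROR, realmId=sunbird, clientId=null, userId=null, ipAddress=10.0.0.5, error=invalid_client_credentials, grant_type=authorization_code
rg          | 07:12:03.792 [http-nio-8081-exec-6] DEBUG org.apache.http.wire:73 -  << "HTTP/1.1 400 Bad Request[\r][\n]"
rg          | 07:12:05.100 [http-nio-8081-exec-7] DEBUG org.apache.http.headers:278 - >> POST /auth/realms/sunbird/protocol/openid-connect/token HTTP/1.1
rg          | 07:12:05.101 [http-nio-8081-exec-7] DEBUG org.apache.http.wire:87 -  >> "grant_type=authorization_code&code=CODE-PLACEHOLDER-2&redirect_uri=http%3A%2F%2Flocalhost%3A8081%2Fsso%2Flogin&client_id=sunbird&client_secret=SECRET-PLACEHOLDER"
rg          | 07:12:05.110 [http-nio-8081-exec-7] DEBUG org.apache.http.wire:73 -  << "HTTP/1.1 200 OK[\r][\n]"
"""


def audit_token_exchanges(log_text: str) -> List[Dict[str, object]]:
    """Walk the log once, correlating each thread's request line with its body."""
    findings: List[Dict[str, object]] = []
    pending: Dict[str, str] = {}   # thread -> token-endpoint path being written
    basic_auth: Set[str] = set()   # threads that sent an Authorization: Basic header
    for line in log_text.splitlines():
        m = REQ_LINE.match(line)
        if m:
            if m["path"].endswith(TOKEN_PATH_SUFFIX):
                pending[m["thread"]] = m["path"]
            else:
                pending.pop(m["thread"], None)
            basic_auth.discard(m["thread"])
            continue
        m = BASIC_HDR.match(line)
        if m and m["thread"] in pending:
            basic_auth.add(m["thread"])
            continue
        m = WIRE_OUT.match(line)
        if m and m["thread"] in pending:
            fields = dict(parse_qsl(m["body"]))
            has_id = bool(fields.get("client_id"))
            has_secret = bool(fields.get("client_secret"))
            # Only booleans are recorded: the body holds the authorization code and
            # possibly the secret, neither of which belongs in triage output.
            findings.append({
                "kind": "token_request",
                "ts": m["ts"],
                "thread": m["thread"],
                "path": pending.pop(m["thread"]),
                "grant_type": fields.get("grant_type"),
                "client_id_present": has_id,
                "client_secret_present": has_secret,
                "client_authenticated": (has_id and has_secret) or m["thread"] in basic_auth,
            })
            continue
        m = KC_EVENT.match(line)
        if m:
            kv = dict(item.partition("=")[::2] for item in m["kv"].split(", "))
            if kv.get("type") == "CODE_TO_TOKEN_ERROR":
                findings.append({"kind": "keycloak_event", "ts": m["ts"], **kv})
    return findings


def report(findings: List[Dict[str, object]]) -> List[str]:
    """One human-readable line per finding, in log order."""
    lines = []
    for f in findings:
        if f["kind"] == "token_request":
            verdict = "ok" if f["client_authenticated"] else "NO CLIENT AUTHENTICATION"
            lines.append(f"{f['ts']} {f['thread']}: token request ({f['grant_type']}) -> {verdict}")
        else:
            lines.append(f"{f['ts']} keycloak: {f['type']} clientId={f['clientId']} error={f['error']}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(audit_token_exchanges(SAMPLE_LOG))))
```

On the constructed sample the first request is reported as having no client authentication, immediately followed by Keycloak's `clientId=null` / `invalid_client_credentials` event, while the second request is reported as ok. Run against the full registry and Keycloak logs, the same pairing tells you whether every failing exchange is the same missing-credentials case or whether some other token-endpoint error is mixed in.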