byo-software / steam-openid-connect-provider

Steam OpenID Connect Identity Provider (IdP)
MIT License

The authentication response was rejected because the anti-forgery token was invalid #5

Closed Siljesc closed 4 years ago

Siljesc commented 4 years ago

Hello, I'm pretty new to keycloak so this might be a misconfiguration error on my part. After clicking sign-in in the steam openid page, I'm redirected to /signin-steam?state=... where I'm getting HTTP Error 500. The console shows this:

[00:54:49 Information] AspNet.Security.OpenId.Steam.SteamAuthenticationHandler
steam_1     | AuthenticationScheme: Steam was challenged.
steam_1     | 
steam_1     | [00:54:52 Warning] AspNet.Security.OpenId.Steam.SteamAuthenticationHandler
steam_1     | '.AspNetCore.Correlation.Steam.pLhGj9via3PPAI9BdOHCYAqivQc3FD8dd0jES3lYOEY' cookie not found.
steam_1     | 
steam_1     | [00:54:52 Information] AspNet.Security.OpenId.Steam.SteamAuthenticationHandler
steam_1     | Error from RemoteAuthentication: The authentication response was rejected because the anti-forgery token was invalid..
steam_1     | 
steam_1     | [00:54:52 Error] Microsoft.AspNetCore.Server.Kestrel
steam_1     | Connection id "0HM3047JETCD1", Request id "0HM3047JETCD1:00000003": An unhandled exception was thrown by the application.
steam_1     | System.Exception: An error was encountered while handling the remote login.
steam_1     |  ---> System.Exception: The authentication response was rejected because the anti-forgery token was invalid.
steam_1     |    --- End of inner exception stack trace ---
steam_1     |    at Microsoft.AspNetCore.Authentication.RemoteAuthenticationHandler`1.HandleRequestAsync()
steam_1     |    at IdentityServer4.Hosting.FederatedSignOut.AuthenticationRequestHandlerWrapper.HandleRequestAsync()
steam_1     |    at Microsoft.AspNetCore.Authentication.AuthenticationMiddleware.Invoke(HttpContext context)
steam_1     |    at IdentityServer4.Hosting.BaseUrlMiddleware.Invoke(HttpContext context)
steam_1     |    at Microsoft.AspNetCore.Server.Kestrel.Core.Internal.Http.HttpProtocol.ProcessRequests[TContext](IHttpApplication`1 application)

This is my config in keycloak: https://i.imgur.com/UmFLLXd.png

Trojaner commented 4 years ago

I believe this is a cookie issue. Does it work when using a different browser? Are you using https?

If it only happens on Chrome https://www.chromestatus.com/feature/5633521622188032 might be the reason.

Siljesc commented 4 years ago

I believe this is a cookie issue. Does it work when using a different browser? Are you using https?

If it only happens on Chrome chromestatus.com/feature/5633521622188032 might be the reason.

Yeah, that looks to be the issue. Any ideas how to fix it?

Also, now in Firefox I'm getting this error

keycloak_1  | 14:23:13,074 ERROR [org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider] (default task-1) Failed to make identity provider oauth callback: org.apache.http.conn.HttpHostConnectException: Connect to localhost:3000 [localhost/127.0.0.1] failed: Connection refused (Connection refused)

It works fine when I use localhost:3000/ExternalLogin.

Trojaner commented 4 years ago

Yeah, that looks to be the issue. Any ideas how to fix it?

Use a reverse proxy like nginx to provide https connections or edit the code so it uses https (you will need to handle certificates in either case). If you really want to use http, edit the code so it sets a proper SameSite policy.

It works fine when I use localhost:3000/ExternalLogin

Connection refused cannot be based on path, e.g. it won't make a difference if you use localhost:3000 or localhost:3000/ExternalLogin. It just means Keycloak was not able to connect to that IP or port.
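The two fixes Trojaner describes above, as an added example in ASP.NET Core startup code (this is not code from the thread or from the steam-openid-connect-provider project, and the class, method and proxy-network values are assumptions). The cookie the log reports as missing (`.AspNetCore.Correlation.Steam...`) is the correlation cookie that `RemoteAuthenticationHandler` writes before redirecting to Steam and reads back on `/signin-steam` as the anti-forgery check; ASP.NET Core emits it with `SameSite=None`, and Chrome's SameSite changes drop a `SameSite=None` cookie that is not also `Secure`, which is exactly what happens over plain http. Behind an HTTPS-terminating nginx the app must additionally honour `X-Forwarded-Proto`, or it still believes the request is http and builds the cookie and the Steam return URL accordingly.

```csharp
// Added example, not the project's own code. Shows how the Steam handler's
// correlation cookie can be configured for the two deployments discussed above:
//   (a) HTTPS via a reverse proxy such as nginx (recommended), or
//   (b) plain HTTP, where SameSite=None must not be emitted at all.
using System.Net;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.HttpOverrides;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    // Assumption: the deployment decides this via configuration; hard-coded here.
    private const bool ServedOverHttps = true;

    public void ConfigureServices(IServiceCollection services)
    {
        if (ServedOverHttps)
        {
            // (a) nginx terminates TLS and talks plain HTTP to this container.
            // Trust X-Forwarded-Proto only from the proxy's network, so that
            // Request.Scheme becomes "https" and the Secure flag is set.
            services.Configure<ForwardedHeadersOptions>(options =>
            {
                options.ForwardedHeaders = ForwardedHeaders.XForwardedFor
                                         | ForwardedHeaders.XForwardedProto;
                options.KnownNetworks.Clear();
                options.KnownProxies.Clear();
                // Assumption: the proxy lives on the default docker bridge range.
                options.KnownNetworks.Add(new IPNetwork(IPAddress.Parse("172.16.0.0"), 12));
            });
        }

        services.AddAuthentication()
            .AddSteam(options => ConfigureCorrelationCookie(options.CorrelationCookie, ServedOverHttps));
    }

    public void Configure(IApplicationBuilder app)
    {
        if (ServedOverHttps)
        {
            // Must run before anything that inspects Request.Scheme.
            app.UseForwardedHeaders();
        }

        app.UseAuthentication();
        // ... IdentityServer / endpoint wiring as in the project ...
    }

    // Picks a SameSite policy the browser will actually keep across the
    // redirect to steamcommunity.com and back.
    public static void ConfigureCorrelationCookie(CookieBuilder cookie, bool https)
    {
        if (https)
        {
            // Cross-site cookie: allowed by Chrome only when it is also Secure.
            cookie.SameSite = SameSiteMode.None;
            cookie.SecurePolicy = CookieSecurePolicy.Always;
        }
        else
        {
            // Steam returns the user with a top-level GET to /signin-steam,
            // and Lax cookies are sent on top-level GET navigations, so Lax
            // is sufficient and avoids the rejected "None without Secure" case.
            cookie.SameSite = SameSiteMode.Lax;
            cookie.SecurePolicy = CookieSecurePolicy.SameAsRequest;
        }
    }
}
```

Option (b) keeps the anti-forgery check working over http, but the state value and the Steam response still travel in the clear between browser and server; it is only appropriate for local development, which is why the reverse-proxy route is the one to prefer.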

Siljesc commented 4 years ago

Use a reverse proxy like nginx to provide https connections or edit the code so it uses https (you will need to handle certificates in either case). If you really want to use http, edit the code so it sets a proper SameSite policy.

Thank you, I will try that.

It just means Keycloak was not able to connect to that IP or port.

What could be the cause of this? Doesn't keycloak need to connect to localhost:3000 to get the steam authentication url?

I don't know if it's relevant but I'm running keycloak, postgres and this service with docker-compose

Trojaner commented 4 years ago

What could be the cause of this? Doesn't keycloak need to connect to localhost:3000 to get the steam authentication url?

I don't know if it's relevant but I'm running keycloak, postgres and this service with docker-compose

You need to use the DNS hostname of the container instead of localhost.

e.g. if it's like this:

services:
  keycloak: 
     ...
  steamconnect:
    ...

you will need to use "http://steamconnect:3000"

Use a reverse proxy like nginx to provide https connections or edit the code so it uses https (you will need to handle certificates in either case). If you really want to use http, edit the code so it sets a proper SameSite policy.

Thank you, I will try that.

I have added this now. Pull latest container again (might take about 30 minutes until it is built).

Siljesc commented 4 years ago

Yeah, using the DNS hostname of the container worked. Thank you for answering so fast