c0c0n3 / kitt4sme.live

On a mission to bring AI to the shop floor: https://kitt4sme.eu/
MIT License

[Adaptive Questionnaire] Faulty SSO redirect #310

Open c0c0n3 opened 1 year ago

c0c0n3 commented 1 year ago

Describe the bug

307 configured AQ for SSO with RAMP. It seems to work fine in some cases but in others we get a nasty redirect to a dead-end URL after login.

To Reproduce

Steps to reproduce the behavior:

  1. Start a browser in incognito mode.
  2. Browse to AQ: https://kitt4sme.collab-cloud.eu/aq
  3. You should get redirected to RAMP (https://ramp.eu/) where a login form should display
  4. Login with the RAMP test user man@test.com and password the RAMP guys gave you
  5. After successfully logging in, your browser should be redirected to a nonsensical URL similar to this (notice the port of 0): https://kitt4sme.collab-cloud.eu:0/aq/sso/login?state=1f42469e-67ad-4b85-9025-8356ff089d16&session_state=447c1893-ce2a-4951-9b85-b42c130155f7&code=96caf1ac-d256-4e12-8ebf-9743cca1a94a.447c1893-ce2a-4951-9b85-b42c130155f7.750cae43-f2b4-4082-8119-bdcf8cccc427
  6. But now if you browse again to AQ (https://kitt4sme.collab-cloud.eu/aq), you should be able to get in and see the start page.

Expected behavior

If you aren't logged into RAMP and browse to AQ, you should get redirected to the RAMP login form. After successfully logging into RAMP, you should get redirected back to AQ's start page.

Additional context

At the moment KITT4SME's Keycloak has a kitt4sme realm, RAMP as an identity provider for that realm, and an OIDC client for AQ still in the same realm.

The identity provider got configured as follows.

  1. Download RAMP OIDC https://ramp.eu/auth/realms/ramp/.well-known/openid-configuration
  2. Go to keycloak admin interface and log in as admin
  3. Select 'Identity providers' -> 'Add provider' -> 'Keycloak OpenID connect'
  4. Change the display name to 'RAMP account'
  5. Import RAMP OIDC config (1)
  6. 'OpenID Connect Config' -> 'Client authentication', select 'Client secret sent as post'
  7. Enter client ID: kitt4sme_testing , Client Secret: <what the RAMP guys gave you>
  8. Save and note down the Alias field at the top of the page.

The auth flow was configured as follows.

  1. At the keycloak admin UI, go to 'Authentication'
  2. Go to 'Flows' tab and select the 'Browser' flow
  3. In the 'Identity Provider Redirector' row, click 'Actions' -> 'Config'
  4. Add the RAMP identity provider you created earlier as a 'Default Identity provider' by using its alias
  5. Save

AQ's OIDC client was configured with the following fields:

c0c0n3 commented 1 year ago

As a side note, Datasheets works flawlessly with a similar setup, except I think the OIDC client is defined in RAMP.

RyanKelvinFord commented 1 year ago

I have just retested this and the problem is still there, I will start investigating it.

RyanKelvinFord commented 1 year ago

I will look into how the authentication is managed; however, a first assumption would be some issue with the Keycloak integration.

RyanKelvinFord commented 1 year ago

Have not had time to continue with this, as there is some extraction work required for the datasheets tool.

RyanKelvinFord commented 1 year ago

Could someone from RAMP not confirm the configuration of this?

vcutrona commented 10 months ago

While trying to reproduce this issue, I got the following error:

ERR_TOO_MANY_REDIRECTS

I've been redirected to https://kitt4sme.collab-cloud.eu/aq/sso/login?state=a2c2c6ed-0932-4b54-8fbd-bdfa83693cb1&session_state=74335a47-a4ae-4346-be53-d806ac6fa6eb&code=96abe796-915b-4e80-b5d6-f0f59e75bc04.74335a47-a4ae-4346-be53-d806ac6fa6eb.750cae43-f2b4-4082-8119-bdcf8cccc427 after the RAMP login.

Here is my configuration:

OS: Ubuntu 22.04
Browser: Chrome, version 117.0.5938.88 (Official Build) (64-bit)
Browser mode: Incognito
User: janedoe@supsi.ch
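Both callback URLs quoted in this thread (the one with port 0 in the opening report and the one that ends in ERR_TOO_MANY_REDIRECTS above) are authorization-code callbacks to AQ's `/aq/sso/login` endpoint. A relying party should accept such a callback only when it exactly matches a registered redirect URI and carries the `code` and `state` parameters, with `state` bound to the login request it started. The following check is an added example written for this issue; it is not code from the AQ project or from Keycloak, and the registered redirect URI it assumes is a guess based on the callback path seen here.

```python
"""Constructed example: strict validation of an OIDC authorization-code
callback URL against a relying party's registered redirect URIs.
Not code from the AQ project or Keycloak; the registered URI is assumed."""
from urllib.parse import urlsplit, parse_qs

# Assumption: the redirect URI registered for the "aq" OIDC client in Keycloak.
REGISTERED_REDIRECT_URIS = {"https://kitt4sme.collab-cloud.eu/aq/sso/login"}

DEFAULT_PORTS = {"https": 443, "http": 80}


def _origin_key(url):
    """Reduce a URL to (scheme, host, effective port, path) for exact matching.

    Default ports are made explicit so 'https://h/p' and 'https://h:443/p'
    compare equal. Raises ValueError for an unusable authority such as port 0,
    which is what the redirect in this issue shows.
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    if scheme not in DEFAULT_PORTS or not host:
        raise ValueError(f"unsupported scheme or missing host in {url!r}")
    port = parts.port  # None when absent; ValueError if non-numeric or > 65535
    if port is None:
        port = DEFAULT_PORTS[scheme]
    if port == 0:
        raise ValueError(f"port 0 is not a routable port in {url!r}")
    return scheme, host, port, parts.path


def validate_callback(callback_url, registered=REGISTERED_REDIRECT_URIS,
                      expected_state=None):
    """Check an authorization-code callback the way a relying party should.

    Returns (ok, reason, params). ok is True only when the callback's
    scheme/host/port/path exactly equal a registered redirect URI, the
    'code' and 'state' parameters are present, and, when expected_state is
    given, 'state' equals it (the CSRF binding of the login request).
    The query string is not part of the match because the identity provider
    appends code/state/session_state to it.
    """
    try:
        key = _origin_key(callback_url)
    except ValueError as exc:
        return False, str(exc), {}
    allowed = {_origin_key(u) for u in registered}
    if key not in allowed:
        return False, "callback does not match a registered redirect URI", {}
    params = {k: v[0] for k, v in parse_qs(urlsplit(callback_url).query).items()}
    for required in ("code", "state"):
        if required not in params:
            return False, f"missing '{required}' parameter", params
    if expected_state is not None and params["state"] != expected_state:
        return False, "state does not match the login request", params
    return True, "ok", params


if __name__ == "__main__":
    # The two callback URLs quoted in this issue.
    bad = ("https://kitt4sme.collab-cloud.eu:0/aq/sso/login?state=1f42469e-67ad-4b85-9025-8356ff089d16"
           "&session_state=447c1893-ce2a-4951-9b85-b42c130155f7&code=96caf1ac-d256-4e12-8ebf-9743cca1a94a"
           ".447c1893-ce2a-4951-9b85-b42c130155f7.750cae43-f2b4-4082-8119-bdcf8cccc427")
    good = ("https://kitt4sme.collab-cloud.eu/aq/sso/login?state=a2c2c6ed-0932-4b54-8fbd-bdfa83693cb1"
            "&session_state=74335a47-a4ae-4346-be53-d806ac6fa6eb&code=96abe796-915b-4e80-b5d6-f0f59e75bc04"
            ".74335a47-a4ae-4346-be53-d806ac6fa6eb.750cae43-f2b4-4082-8119-bdcf8cccc427")
    for url in (bad, good):
        ok, reason, params = validate_callback(url)
        print(ok, reason, params.get("state"))
```

Run against the two URLs from this thread, the port-0 callback is rejected before any parameter is read, while the second URL passes the origin match and yields its `code` and `state`; whether the second one then loops is a question of what the application does after the callback, which this check does not cover. Matching on normalized scheme, host, effective port and path (never on a prefix) is the behaviour that both Keycloak's "Valid Redirect URIs" and the relying party should enforce.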

pmpoukli commented 10 months ago

Just tested SSO with digital datasheets and works fine. The redirection happens within the collab-cloud server. Have you set up the SSO with Keycloak client?

vcutrona commented 10 months ago

This is the current configuration we use for AQ:

        - name: KEYCLOAK_REALM
          value: "kitt4sme"
        - name: KEYCLOAK_AUTH_SERVER_URL
          value: "https://kitt4sme.collab-cloud.eu/auth"
        - name: KEYCLOAK_RESOURCE
          value: "aq"
        - name: KEYCLOAK_CREDENTIALS_SECRET
          valueFrom:
            secretKeyRef:
              name: oidc-clients
              key: aq.oidc.client.secret

RAMP is registered as an Identity Provider in Keycloak

pmpoukli commented 10 months ago

The SSO between the Keycloaks looks fine; this looks like an issue in the integration of the app with your local Keycloak.

karikolehmainen commented 9 months ago

Please verify periodically whether the problem still exists, to see if it reappears.