Closed yennor closed 6 months ago
This error is thrown by Keycloak.
Have you changed one of:
oauth2Login
)The last two points lead to a new authorization-code callback that could possibly not be allowed in Keycloak.
But according to the little log you join, it seems that you have an issue with the authorization-code itself.
Please attach more Keycloak logs.
Please also add your security conf (SecurityFilterChain
if you defined one and any other @Bean
injected into it or into spring-addons one).
What is the version of Keycloak you are using?
Can you setup a minimal reproducer? I don't have this kind of error with my OAuth2 clients authenticating users on Keycloak 23.0.1
2024-01-10T14:04:21.337-05:00 DEBUG 59833 --- [nio-8080-exec-1] mo.s.security.web.FilterChainProxy : Securing GET /
2024-01-10T14:04:21.340-05:00 DEBUG 59833 --- [nio-8080-exec-1] mo.s.s.w.a.AnonymousAuthenticationFilter : Set SecurityContextHolder to anonymous SecurityContext
2024-01-10T14:04:21.346-05:00 DEBUG 59833 --- [nio-8080-exec-1] mo.s.s.w.s.HttpSessionRequestCache : Saved request http://localhost:8080/?continue to session
2024-01-10T14:04:21.351-05:00 DEBUG 59833 --- [nio-8080-exec-1] ms.w.a.DelegatingAuthenticationEntryPoint : Trying to match using And [Not [RequestHeaderRequestMatcher [expectedHeaderName=X-Requested-With, expectedHeaderValue=XMLHttpRequest]], Not [And [Or [Ant [pattern='/login'], Ant [pattern='/favicon.ico']], And [Not [RequestHeaderRequestMatcher [expectedHeaderName=X-Requested-With, expectedHeaderValue=XMLHttpRequest]], MediaTypeRequestMatcher [contentNegotiationStrategy=org.springframework.web.accept.ContentNegotiationManager@5e221658, matchingMediaTypes=[application/xhtml+xml, image/*, text/html, text/plain], useEquals=false, ignoredMediaTypes=[*/*]]]]], org.springframework.security.config.annotation.web.configurers.oauth2.client.OAuth2LoginConfigurer$$Lambda$1986/0x00007f38e0bb4f88@fd98f04]
2024-01-10T14:04:21.352-05:00 DEBUG 59833 --- [nio-8080-exec-1] ms.w.a.DelegatingAuthenticationEntryPoint : Match found! Executing org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint@34188df5
2024-01-10T14:04:21.352-05:00 DEBUG 59833 --- [nio-8080-exec-1] mo.s.s.web.DefaultRedirectStrategy : Redirecting to http://localhost:8080/oauth2/authorization/keycloak-user
2024-01-10T14:04:21.367-05:00 DEBUG 59833 --- [nio-8080-exec-2] mo.s.security.web.FilterChainProxy : Securing GET /oauth2/authorization/keycloak-user
2024-01-10T14:04:23.203-05:00 DEBUG 59833 --- [nio-8080-exec-3] mo.s.security.web.FilterChainProxy : Securing GET /login/oauth2/code/keycloak-user?state=QI86x4nj74M0bgYe_IGhinOiipNDuJTRyO3cfg_MkXQ%3D&session_state=f866f353-749c-4861-8e31-416f18763a1c&code=05eb52a0-9f44-4b09-8699-efba074b9b2b.f866f353-749c-4861-8e31-416f18763a1c.d0d36e71-da18-474d-95d6-a58a3af492fd
2024-01-10T14:04:23.669-05:00 DEBUG 59833 --- [nio-8080-exec-3] m.s.a.DefaultAuthenticationEventPublisher : No event was found for the exception org.springframework.security.oauth2.core.OAuth2AuthenticationException
2024-01-10T14:04:23.685-05:00 DEBUG 59833 --- [nio-8080-exec-4] mo.s.security.web.FilterChainProxy : Securing GET /
2024-01-10T14:04:23.686-05:00 DEBUG 59833 --- [nio-8080-exec-4] mo.s.s.w.a.AnonymousAuthenticationFilter : Set SecurityContextHolder to anonymous SecurityContext
2024-01-10T14:04:23.688-05:00 DEBUG 59833 --- [nio-8080-exec-4] mo.s.s.w.s.HttpSessionRequestCache : Saved request http://localhost:8080/?continue to session
2024-01-10T14:04:23.688-05:00 DEBUG 59833 --- [nio-8080-exec-4] ms.w.a.DelegatingAuthenticationEntryPoint : Trying to match using And [Not [RequestHeaderRequestMatcher [expectedHeaderName=X-Requested-With, expectedHeaderValue=XMLHttpRequest]], Not [And [Or [Ant [pattern='/login'], Ant [pattern='/favicon.ico']], And [Not [RequestHeaderRequestMatcher [expectedHeaderName=X-Requested-With, expectedHeaderValue=XMLHttpRequest]], MediaTypeRequestMatcher [contentNegotiationStrategy=org.springframework.web.accept.ContentNegotiationManager@5e221658, matchingMediaTypes=[application/xhtml+xml, image/*, text/html, text/plain], useEquals=false, ignoredMediaTypes=[*/*]]]]], org.springframework.security.config.annotation.web.configurers.oauth2.client.OAuth2LoginConfigurer$$Lambda$1986/0x00007f38e0bb4f88@fd98f04]
2024-01-10T14:04:23.689-05:00 DEBUG 59833 --- [nio-8080-exec-4] ms.w.a.DelegatingAuthenticationEntryPoint : Match found! Executing org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint@34188df5
2024-01-10T14:04:23.689-05:00 DEBUG 59833 --- [nio-8080-exec-4] mo.s.s.web.DefaultRedirectStrategy : Redirecting to http://localhost:8080/oauth2/authorization/keycloak-user
2024-01-10T14:04:23.699-05:00 DEBUG 59833 --- [nio-8080-exec-5] mo.s.security.web.FilterChainProxy : Securing GET /oauth2/authorization/keycloak-user
2024-01-10T14:04:23.958-05:00 DEBUG 59833 --- [nio-8080-exec-6] mo.s.security.web.FilterChainProxy : Securing GET /login/oauth2/code/keycloak-user?state=49MqUTPNet-NDmHXDLH3xeTEXB_74b5yEgkX14NEX1k%3D&session_state=f866f353-749c-4861-8e31-416f18763a1c&code=48a870d8-ed20-4334-b2db-f976a2bc9b55.f866f353-749c-4861-8e31-416f18763a1c.d0d36e71-da18-474d-95d6-a58a3af492fd
2024-01-10T14:04:24.674-05:00 DEBUG 59833 --- [nio-8080-exec-6] m.s.a.DefaultAuthenticationEventPublisher : No event was found for the exception org.springframework.security.oauth2.core.OAuth2AuthenticationException
2024-01-10T14:04:24.687-05:00 DEBUG 59833 --- [nio-8080-exec-7] mo.s.security.web.FilterChainProxy : Securing GET /
2024-01-10T14:04:24.688-05:00 DEBUG 59833 --- [nio-8080-exec-7] mo.s.s.w.a.AnonymousAuthenticationFilter : Set SecurityContextHolder to anonymous SecurityContext
2024-01-10T14:04:24.690-05:00 DEBUG 59833 --- [nio-8080-exec-7] mo.s.s.w.s.HttpSessionRequestCache : Saved request http://localhost:8080/?continue to session
2024-01-10T14:04:24.690-05:00 DEBUG 59833 --- [nio-8080-exec-7] ms.w.a.DelegatingAuthenticationEntryPoint : Trying to match using And [Not [RequestHeaderRequestMatcher [expectedHeaderName=X-Requested-With, expectedHeaderValue=XMLHttpRequest]], Not [And [Or [Ant [pattern='/login'], Ant [pattern='/favicon.ico']], And [Not [RequestHeaderRequestMatcher [expectedHeaderName=X-Requested-With, expectedHeaderValue=XMLHttpRequest]], MediaTypeRequestMatcher [contentNegotiationStrategy=org.springframework.web.accept.ContentNegotiationManager@5e221658, matchingMediaTypes=[application/xhtml+xml, image/*, text/html, text/plain], useEquals=false, ignoredMediaTypes=[*/*]]]]], org.springframework.security.config.annotation.web.configurers.oauth2.client.OAuth2LoginConfigurer$$Lambda$1986/0x00007f38e0bb4f88@fd98f04]
2024-01-10T14:04:24.690-05:00 DEBUG 59833 --- [nio-8080-exec-7] ms.w.a.DelegatingAuthenticationEntryPoint : Match found! Executing org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint@34188df5
2024-01-10T14:04:24.690-05:00 DEBUG 59833 --- [nio-8080-exec-7] mo.s.s.web.DefaultRedirectStrategy : Redirecting to http://localhost:8080/oauth2/authorization/keycloak-user
2024-01-10T14:04:24.701-05:00 DEBUG 59833 --- [nio-8080-exec-8] mo.s.security.web.FilterChainProxy : Securing GET /oauth2/authorization/keycloak-user
Could you please join the complete URI for the authorization-code flow (with scheme, authority and params). Something like:
Location
https://oidc.c4-soft.com/auth/realms/quiz/protocol/openid-connect/auth?response_type=code&client_id=quiz-bff&scope=openid%20profile%20email%20offline_access&state=HdZJNOz_cbm0wI3Q0X_l9SmjTnFgeqgJWNQwmfaRDbQ%3D&redirect_uri=https://quiz.c4-soft.com/login/oauth2/code/quiz-bff&nonce=kgtnPtYXv92-FLNQxHaTKcuR5Dn3m2Yu-O3xEvzOn9gLocation
https://quiz.c4-soft.com/login/oauth2/code/quiz-bff?state=HdZJNOz_cbm0wI3Q0X_l9SmjTnFgeqgJWNQwmfaRDbQ%3D&session_state=507e2f63-9476-40b8-b3aa-9760c82acde4&code=08457d66-58b0-42d7-8b23-17f4db0b8de4.507e2f63-9476-40b8-b3aa-9760c82acde4.44777276-7b4e-4678-b892-6a7631ec69b2Location
https://quiz.c4-soft.com/ui/here we go. I'll prepare a minimal setup and provide the link here in a moment..
GET http://localhost:8080/ => 302 http://localhost:8080/oauth2/authorization/keycloak-user
GET http://localhost:8080/oauth2/authorization/keycloak-user => 302 Location: https://auth.intranet.example.com/realms/example.com/protocol/openid-connect/auth?response_type=code&client_id=hotline-thurgau-dev&scope=openid%20profile%20email%20offline_access&state=2GoZQboLNYpOvEuyJE4WUgs8HMhM1ajJmEIZeyHMraY%3D&redirect_uri=http://localhost:8080/login/oauth2/code/keycloak-user&nonce=6dQBt6IKShPGPgBYKJHLk1j3vmBTXoV_732RCFaw5UM
POST https://auth.intranet.example.com/realms/example.com/login-actions/authenticate?session_code=ezx_VSj1RRrmYqnbS6D95XZVO1NxHNxfVhL0D4Q3xeQ&execution=d89c4380-50ef-4a97-a4cc-1a76df1d11a9&client_id=hotline-thurgau-dev&tab_id=WbntdJBVkh0 => 302 http://localhost:8080/login/oauth2/code/keycloak-user?state=2GoZQboLNYpOvEuyJE4WUgs8HMhM1ajJmEIZeyHMraY%3D&session_state=393fd19d-2163-40d6-880f-c9f94b6ca567&code=138186ac-15de-49c1-9977-4f75b493086a.393fd19d-2163-40d6-880f-c9f94b6ca567.d0d36e71-da18-474d-95d6-a58a3af492fd
GET http://localhost:8080/login/oauth2/code/keycloak-user?state=2GoZQboLNYpOvEuyJE4WUgs8HMhM1ajJmEIZeyHMraY%3D&session_state=393fd19d-2163-40d6-880f-c9f94b6ca567&code=138186ac-15de-49c1-9977-4f75b493086a.393fd19d-2163-40d6-880f-c9f94b6ca567.d0d36e71-da18-474d-95d6-a58a3af492fd => 302 http://localhost:8080/
GET http://localhost:8080/ => 302 http://localhost:8080/oauth2/authorization/keycloak-user
GET http://localhost:8080/oauth2/authorization/keycloak-user => 302 https://auth.intranet.example.com/realms/example.com/protocol/openid-connect/auth?response_type=code&client_id=hotline-thurgau-dev&scope=openid%20profile%20email%20offline_access&state=fHDCCU8sji8AHZkkw8HWanZfWVVoxoJA18ImNhwcFa8%3D&redirect_uri=http://localhost:8080/login/oauth2/code/keycloak-user&nonce=8xIWLJckGPv2oEFg8ssoISG3nmexWqCks5bo0_kkLDg
GET https://auth.intranet.example.com/realms/example.com/protocol/openid-connect/auth?response_type=code&client_id=hotline-thurgau-dev&scope=openid%20profile%20email%20offline_access&state=fHDCCU8sji8AHZkkw8HWanZfWVVoxoJA18ImNhwcFa8%3D&redirect_uri=http://localhost:8080/login/oauth2/code/keycloak-user&nonce=8xIWLJckGPv2oEFg8ssoISG3nmexWqCks5bo0_kkLDg => 302 http://localhost:8080/login/oauth2/code/keycloak-user?state=fHDCCU8sji8AHZkkw8HWanZfWVVoxoJA18ImNhwcFa8%3D&session_state=393fd19d-2163-40d6-880f-c9f94b6ca567&code=ddeb1751-5710-455d-b986-cd7811ceeda9.393fd19d-2163-40d6-880f-c9f94b6ca567.d0d36e71-da18-474d-95d6-a58a3af492fd
GET http://localhost:8080/login/oauth2/code/keycloak-user?state=fHDCCU8sji8AHZkkw8HWanZfWVVoxoJA18ImNhwcFa8%3D&session_state=393fd19d-2163-40d6-880f-c9f94b6ca567&code=ddeb1751-5710-455d-b986-cd7811ceeda9.393fd19d-2163-40d6-880f-c9f94b6ca567.d0d36e71-da18-474d-95d6-a58a3af492fd => 302 http://localhost:8080/
etc...
here i've added a minimal projekt https://github.com/yennor/springaddonsmin
@yennor thank you for the reproducer, it is of great help for investigations.
What I spotted so far is that inside DefaultAuthorizationCodeTokenResponseClient::getTokenResponse
, when inspecting the body
of the request
, the value of the redirect_uri
has changed from https://localhost:7080/login/oauth2/code/keycloak-user
to https://localhost:7080/oauth2/authorization/keycloak-user
(which is wrong as we gave https://localhost:7080/login/oauth2/code/keycloak-user
to Keycloak as redirect_uri
in the authorization request).
This is a regression I'll fix (haven't found why yet and have limited time today, but will do soon).
@yennor I published a 7.3.2
which should fix this issue. Please confirm and close.
This issue was specific to synchronized apps (servlets).
works like a charm. thanks a lot :-)
Describe the bug I use a webmvc client authenticating against keycloak. It works perfectly up to and with version
7.2.0
. From7.3.0
on it doesn't work anymore. The client always throws aKeycloak shows me a
I think I had a similar error in the past once. As far as I remember the problem was using different redirect_uri for the code and the token or something like that (long time ago). I've tried to look through the changes from
7.2.0
to7.3.0
but I don't understand them 100%. But something changed with the redirect_uri, as far as i can see.But the whole thing ends in an endless redirect from keycloak, to localhost, back to keycloak, ...
config looks like: