instipod / DuoUniversalKeycloakAuthenticator

Keycloak Authenticator for Duo's new Universal Prompt
GNU General Public License v3.0

Invalid redirect URI #16

Closed richhoude closed 11 months ago

richhoude commented 1 year ago

I am getting an "error": "invalid_grant", "error_description": "Invalid redirect URI https://{My IP and Port}/realms/{My realm}/login-actions/authenticate?client_id=security-admin-console&tab_id=XGWgZba-EpI"

Have you seen this before?

Thank you

instipod commented 1 year ago

Is this error appearing after the Duo redirect back to Keycloak or before? Does it happen for clients other than the built-in Keycloak ones?

richhoude commented 1 year ago

After the redirect it happens, I believe. This is happening for both built-in Keycloak and external clients. But the URL it is showing is the Duo URL, so it might be before.

instipod commented 1 year ago

Sorry for the extended delay in my response. I just tested this morning with a fresh install of Keycloak 22.0.1 (docker quarkus) and release 1.0.6 of the authenticator and was able to log in fine with the built-in "account console" client.

Based on the error in your initial report, do you have your redirect URLs set correctly under the client in Keycloak (mainly hostname and port)?

Nihal987 commented 1 year ago

Hi @instipod, I am getting the same error, and I believe it's because we are missing some steps in the configuration. What I'm unclear on is:

  1. What do you mean when you said you were able to log in fine with the built-in "account console" client, since the default client for the browser login is the "security admin console"?

  2. Are you specifying something in the Redirect URL for this client? I assumed that because the default value for the redirect URL was *, anything would work.

richhoude commented 1 year ago

I do have the redirect URI set. Sorry for the late response. And please share more of your configuration.

instipod commented 1 year ago

I didn't change any settings outside of the authenticator settings and the settings required by Keycloak to have a custom flow. Here is my testing workflow: