jhipster / generator-jhipster

JHipster is a development platform to quickly generate, develop, & deploy modern web applications & microservice architectures.
https://www.jhipster.tech
Apache License 2.0

Content Security Policy issue with Oauth2 Keycloak for Anonymous users #24278

Open blivonnen opened 9 months ago

blivonnen commented 9 months ago
Overview of the issue

When a user is not logged in, the following message appears:

Refused to connect to 'http://localhost:9080/realms/jhipster/protocol/openid-connect/auth?response…0/login/oauth2/code/oidc&nonce=QYUQTN10TFddVkukq1KEFczMdyWSFLDun7iGMAerFas' because it violates the following Content Security Policy directive: "default-src 'self'". Note that 'connect-src' was not explicitly set, so 'default-src' is used as a fallback.

Motivation for or Use Case

I assume this call shouldn't fail, or shouldn't be made at all.

Reproduce the error

Fresh generation: gateway, OAuth2 with Keycloak, React. Services launched in Docker with: docker-compose -f src/main/docker/services.yml up -d

JHipster v8.0.0, tested on Safari, Chrome and Postman (macOS).

JHipster configuration
JDL definitions
    application {
      config {
        applicationType gateway
        authenticationType oauth2
        baseName tmp
        buildTool maven
        cacheProvider no
        clientFramework react
        clientTheme cosmo
        clientThemeVariant light
        creationTimestamp 1700402191659
        databaseType mongodb
        devDatabaseType mongodb
        enableHibernateCache false
        enableSwaggerCodegen false
        enableTranslation true
        jhipsterVersion "8.0.0"
        jwtSecretKey "XXX"
        languages [fr, en]
        messageBroker false
        microfrontend false
        microfrontends []
        nativeLanguage fr
        packageName com.example.tmp
        prodDatabaseType mongodb
        reactive true
        searchEngine false
        serverPort 8080
        serviceDiscoveryType consul
        skipUserManagement true
        testFrameworks []
        websocket false
        withAdminUi false
      }
    }

divukman commented 5 months ago

I am having the same issue, but on Spring session timeout. Can we modify Keycloak's security defenses to allow this?

mraible commented 5 months ago

@divukman You should be able to modify your local Keycloak instance to test a solution. If you figure out what works, please let us know how you fixed it.

divukman commented 5 months ago

Locally I am unable to get the CSP error, not sure why. But I am getting different behavior. After Spring session timeout, if any request is made from the app, it goes to the OIDC login page, which returns a 302 to the Keycloak login. Since it's an AJAX request, Keycloak just says CORS error and we are stuck on the UI until we refresh the whole web page (which shows the Keycloak login). Is this something that is expected, or some misconfiguration on my part? (I thought there would be an axios interceptor for 302s or something.)
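Both reports above describe the same mechanism: an unauthenticated fetch/axios call to the gateway gets a 302 to the Keycloak authorization endpoint, and the browser, which treats the redirect target as a connection made by the page's script, refuses it under `default-src 'self'` (the CSP error in the issue) or, where CSP allows it, fails on CORS because Keycloak's login page is not a CORS resource (the behaviour divukman describes). Widening `connect-src` to include the Keycloak origin therefore only trades one error for the other. The usual fix is server-side: answer XHR/API requests with 401 and keep the 302-to-login only for top-level navigations, then have the client perform a full-page navigation on 401. The following Spring Security WebFlux configuration is an added example written for this thread; it is not JHipster's generated `SecurityConfiguration`, and the package name, the `/api/**` and `/services/**` path prefixes used to recognise API calls, the OIDC registration id `oidc`, and the Keycloak origin `http://localhost:9080` are assumptions taken from the JDL and the error message in the issue.

```java
package com.example.tmp.config; // package name assumed from the JDL above

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpStatus;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.web.server.SecurityWebFilterChain;
import org.springframework.security.web.server.ServerAuthenticationEntryPoint;
import org.springframework.security.web.server.authentication.DelegatingServerAuthenticationEntryPoint;
import org.springframework.security.web.server.authentication.DelegatingServerAuthenticationEntryPoint.DelegateEntry;
import org.springframework.security.web.server.authentication.HttpStatusServerEntryPoint;
import org.springframework.security.web.server.authentication.RedirectServerAuthenticationEntryPoint;
import org.springframework.security.web.server.util.matcher.ServerWebExchangeMatchers;

/**
 * Example only (not JHipster's generated configuration): split the
 * authentication entry point so that API calls made from JavaScript get a
 * 401 instead of a 302 to the identity provider.
 */
@Configuration
@EnableWebFluxSecurity
public class ApiAwareSecurityConfiguration {

    // Assumed: the OIDC client registration id used by the gateway.
    private static final String LOGIN_PATH = "/oauth2/authorization/oidc";

    @Bean
    public SecurityWebFilterChain securityWebFilterChain(ServerHttpSecurity http) {
        // 1. Requests from fetch/axios: a 401 the client can react to. A script
        //    cannot usefully follow a cross-origin redirect to Keycloak; the browser
        //    blocks it under CSP connect-src or fails it on CORS.
        ServerAuthenticationEntryPoint apiEntryPoint =
            new HttpStatusServerEntryPoint(HttpStatus.UNAUTHORIZED);

        // 2. Top-level navigations (address bar, page refresh): redirect to the
        //    OIDC login as before. Navigations are not governed by connect-src.
        ServerAuthenticationEntryPoint loginEntryPoint =
            new RedirectServerAuthenticationEntryPoint(LOGIN_PATH);

        // Assumed convention: everything under /api/** and /services/** is called
        // from JavaScript. Matching on an "X-Requested-With: XMLHttpRequest" or
        // "Accept: application/json" header is an alternative if paths vary.
        DelegatingServerAuthenticationEntryPoint entryPoint =
            new DelegatingServerAuthenticationEntryPoint(
                new DelegateEntry(
                    ServerWebExchangeMatchers.pathMatchers("/api/**", "/services/**"),
                    apiEntryPoint));
        entryPoint.setDefaultEntryPoint(loginEntryPoint);

        http
            .authorizeExchange(exchanges -> exchanges
                // Static assets of the SPA stay public so the shell can load
                // and show a login button while the user is anonymous.
                .pathMatchers("/", "/index.html", "/*.js", "/*.css", "/content/**").permitAll()
                .pathMatchers("/api/**", "/services/**").authenticated()
                .anyExchange().authenticated())
            .exceptionHandling(handling -> handling.authenticationEntryPoint(entryPoint))
            .oauth2Login(Customizer.withDefaults())
            // CSP stays tight: no Keycloak origin in connect-src is needed, because
            // the only requests that reach Keycloak are now top-level navigations.
            // Adding "connect-src 'self' http://localhost:9080" would silence the
            // CSP error but leave the CORS failure on the redirected XHR.
            .headers(headers -> headers.contentSecurityPolicy(csp -> csp.policyDirectives(
                "default-src 'self'; "
                + "frame-src 'self' data:; "
                + "script-src 'self'; "
                + "style-src 'self'; "
                + "img-src 'self' data:; "
                + "font-src 'self' data:")));

        return http.build();
    }
}
```

With this in place the client side needs no redirect interceptor, only a 401 handler: on a 401 from an API call, set `window.location.href` to the same `/oauth2/authorization/oidc` path (or to the current page, which the default entry point will redirect) so the login happens as a top-level navigation that CSP and CORS do not restrict. Whether to also treat a 401 as a "session expired" notice rather than an immediate redirect is a UX decision; the security-relevant part is that script-initiated requests never try to follow the IdP redirect themselves.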