jhipster / jhipster-registry

JHipster Registry, based on Spring Cloud Netflix Eureka and Spring Cloud Config
Apache License 2.0

Authorization using AWS Cognito caused infinite loop #473

Closed vrijmetse closed 3 years ago

vrijmetse commented 4 years ago
Overview of the issue

I can't seem to make this work with AWS Cognito.

Motivation for or Use Case

It would be great to make this work with Cognito since this service works well with other AWS services.

Reproduce the error
  1. I changed a portion of jhipster-registry.yml to
       - SPRING_SECURITY_OAUTH2_CLIENT_PROVIDER_OIDC_ISSUER_URI=https://cognito-idp.ap-southeast-1.amazonaws.com/ap-southeast-1_xxxx
       - SPRING_SECURITY_OAUTH2_CLIENT_REGISTRATION_OIDC_CLIENT_ID=22222
       - SPRING_SECURITY_OAUTH2_CLIENT_REGISTRATION_OIDC_CLIENT_SECRET=33333
  2. I tried to log in to jhipster-registry. I can see it hits http://localhost:8761/oauth2/authorization/oidc

I can see the following calls in the network tab

  1. https://www.example.com/oauth2/authorize?response_type=code&client_id=2q6l26cpiv62apg5iev05pb7nc&scope=openid%20email%20phone%20profile&state=OWNPVBzsIvYROAUh2ReAkuK8QlSwmwpwxGYbBphPbNM%3D&redirect_uri=http://localhost:8761/login/oauth2/code/oidc&nonce=UxN531_-oQWjF4qpzGgUF-IhQgxBdUEl5vCUkj8bfXQ (which returns 302)

  2. http://localhost:8761/management/info (200)

  3. http://localhost:8761/api/account (403)

  4. Lastly it goes back to the first URL, and all the calls are repeated endlessly...

Related issues
Suggest a Fix
JHipster Registry Version(s)

6.9

Browsers and Operating System

I tried this in Chrome on Ubuntu but I doubt this is related to the issue I am facing.

cplaetzinger commented 3 years ago

I'm facing the same issue using Keycloak as identity provider. My configuration works with jhipster-registry version 5.0.2 and 6.0.2, but using 6.1.2 or higher it fails.

pascalgrimaud commented 3 years ago

I applied this fix: https://github.com/jhipster/jhipster-registry/pull/493. It should be in v6.6.0; can you try this version please?

vishal423 commented 3 years ago

I also noticed a similar issue on the registry while testing out the Keycloak upgrade. However, mine was only reproducible when I authenticate with a user.

cplaetzinger commented 3 years ago

v6.6.0 does not fix the issue for me.

zzl221000 commented 3 years ago

v6.7.1, same issue. All requests have no authorization header and the page says "You are not authenticated. Please sign in. The user role field must be named roles and to have the role of ROLE_ADMIN".

Zernov-A commented 3 years ago

We have the same issue. This is a big problem. We can't properly work with JHipster Registry using oauth2 authentication and Keycloak. This is a problem with checking user permissions, and #501 might fix it.
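For the 403 on /api/account and the "role field must be named roles" message above, here is an added example (not the registry's, JHipster's or Spring's own code) of a Spring Security GrantedAuthoritiesMapper that reads the identity provider's role claim and produces the ROLE_* authorities the registry checks; the class name and the order in which claims are tried are assumptions, while "cognito:groups" and "realm_access" are the default claim names Cognito and Keycloak use for groups and realm roles.

```java
import java.util.Collection;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.authority.mapper.GrantedAuthoritiesMapper;
import org.springframework.security.oauth2.core.oidc.user.OidcUserAuthority;

// Hypothetical mapper (not the registry's own code): maps the IdP's role/group claim to the ROLE_* authorities checked on /api/account.
public class ClaimRolesMapper implements GrantedAuthoritiesMapper {
    // Claims tried in order: "roles" (what the registry expects), Cognito's
    // "cognito:groups", and Keycloak's default "realm_access": {"roles": [...]}.
    private static final String[] ROLE_CLAIMS = {"roles", "cognito:groups", "realm_access"};

    @Override
    public Collection<? extends GrantedAuthority> mapAuthorities(
            Collection<? extends GrantedAuthority> authorities) {
        Set<GrantedAuthority> mapped = new HashSet<>();
        for (GrantedAuthority authority : authorities) {
            if (authority instanceof OidcUserAuthority) {
                OidcUserAuthority oidc = (OidcUserAuthority) authority;
                // Prefer the userinfo response; fall back to the ID token claims.
                Map<String, Object> claims = oidc.getUserInfo() != null ? oidc.getUserInfo().getClaims() : oidc.getIdToken().getClaims();
                mapped.addAll(rolesFromClaims(claims));
            }
        }
        return mapped;
    }

    static Set<GrantedAuthority> rolesFromClaims(Map<String, Object> claims) {
        Set<GrantedAuthority> roles = new HashSet<>();
        for (String claimName : ROLE_CLAIMS) {
            Object value = claims.get(claimName);
            if (value instanceof Map) { // Keycloak nests the list under "roles"
                value = ((Map<?, ?>) value).get("roles");
            }
            if (value instanceof Collection) {
                for (Object role : (Collection<?>) value) {
                    String name = String.valueOf(role);
                    // Least privilege: only explicitly prefixed roles become authorities, so an unrelated IdP group never turns into ROLE_ADMIN by accident.
                    if (name.startsWith("ROLE_")) {
                        roles.add(new SimpleGrantedAuthority(name));
                    }
                }
            }
        }
        return roles;
    }
}
```

The mapper is registered on HttpSecurity with oauth2Login().userInfoEndpoint().userAuthoritiesMapper(new ClaimRolesMapper()); a user whose token carries no ROLE_ authority still gets 403 on /api/account after login, which is the condition to check for before the redirect loop starts.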