openid / AppAuth-Android

Android client SDK for communicating with OAuth 2.0 and OpenID Connect providers.
https://openid.github.io/AppAuth-Android
Apache License 2.0

Authorization Code Exchange Failure #698

Closed giannischou closed 3 years ago

giannischou commented 3 years ago

Configuration

Description

Hello there,

I am running Keycloak Server on HTTPS/SSL in order to get the AppAuth Demo running. I am confronting two problems.

(1) if I fill the discovery_uri (in the auth_config.json), I get the message from the demo's ui "Network error when retrieving discovery document" and naturally nothing happens.

(2) if I fill all the other uris except the discovery_uri (in the auth_config.json), the demo is running and asking me the needed information. Then I get the message from the demo's ui "Authorization Code Exchange failed null" and the button "Reauthorize" appears.

Can anyone help me with this one? Thanks in advance!

agologan commented 3 years ago

Here's an example config for the demo app against Keycloak

{
  "client_id": "myappid",
  "redirect_uri": "myappid://auth",
  "end_session_redirect_uri":"myappid://auth",
  "authorization_scope": "openid email profile",
  "discovery_uri": "https://mydomain/realms/myrealm/.well-known/openid-configuration",
  "authorization_endpoint_uri": "",
  "token_endpoint_uri": "",
  "registration_endpoint_uri": "",
  "user_info_endpoint_uri": "",
  "https_required": true
}

Note: /realms/myrealm in the discovery_uri assumes the Keycloak instance is hosted at https://mydomain/. The default realm is master. This also assumes you have created a client with ID myappid and myappid://auth in Valid Redirect URIs.

giannischou commented 3 years ago

Here's an example config for the demo app against Keycloak

{
  "client_id": "myappid",
  "redirect_uri": "myappid://auth",
  "end_session_redirect_uri":"myappid://auth",
  "authorization_scope": "openid email profile",
  "discovery_uri": "https://mydomain/realms/myrealm/.well-known/openid-configuration",
  "authorization_endpoint_uri": "",
  "token_endpoint_uri": "",
  "registration_endpoint_uri": "",
  "user_info_endpoint_uri": "",
  "https_required": true
}

Note: /realms/myrealm in the discovery_uri assumes the Keycloak instance is hosted at https://mydomain/. The default realm is master. This also assumes you have created a client with ID myappid and myappid://auth in Valid Redirect URIs.

Thank you for your response.

Still getting the same errors, as I mentioned above. I think an example of a Keycloak realm and client setup (which are used in the auth_config.json) would be very helpful, if it was not much of a trouble for you. Also, I would like to mention that mydomain is the localhost or the IP of the machine I use. Is that a problem, and how should I deal with it?

Thank you once again!

agologan commented 3 years ago

I now realise you're the same person in #692. Given the two issues I'm no longer sure what problem you're encountering exactly.

As for an example client setup, as explained in #692 you just do 3 steps: go to the Keycloak config, in the clients section create a new one, name it and add your redirect URI. That's it.

Elderic commented 3 years ago

No conclusion for this matter, I presume?

I'm trying to authenticate using the sample app against LemonLDAP (configured as OP), which is protecting an Apache Httpd resource with the mod_auth_oidc module. "Authorization Code Exchange failed null" appears though. Still added the setSkipIssuerHttpsCheck(true) in LoginActivity at the createAuthorizationService() function.

Accessing the resource after redirection is working on computer-based browser though.

I tried authenticating against the LemonLDAP OP sample online (https://oidctest.wsweet.org) and it's working well.

Something might be wrong with the OP I configured.

But since this thread had the same problem, I wondered if it was resolved in any way?

Elderic commented 3 years ago

Hi again,

Seems that having SSL activated on OpenID Connect Provider side did the trick.

agologan commented 3 years ago

@Elderic glad to hear you got this resolved.

Closing this issue as there haven't been any further replies from the OP in some time. Feel free to open a new issue and reference this if you think it's related.

ayoubAnbara commented 2 years ago

I have the same problem with Keycloak 15.0.2. I resolved it by allowing HTTP connections:

import net.openid.appauth.AppAuthConfiguration;

// Relaxes the requirement that the issuer URL use HTTPS
AppAuthConfiguration appAuthConfig = new AppAuthConfiguration.Builder()
    .setSkipIssuerHttpsCheck(true)
    .build();

Credit: #657
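As an added example (not code from this thread or from the AppAuth-Android project), the helper below keeps the setSkipIssuerHttpsCheck relaxation from the comment above to debug builds only, so a release build still refuses a plain-HTTP issuer, and fetches the discovery document with the same configuration so a failure is logged with its exception rather than only as "Network error when retrieving discovery document". The class name, the isDebugBuild flag and the discovery URI (copied from the auth_config.json above) are assumptions.

```java
import android.content.Context;
import android.net.Uri;
import android.util.Log;
import net.openid.appauth.AppAuthConfiguration;
import net.openid.appauth.AuthorizationService;
import net.openid.appauth.AuthorizationServiceConfiguration;
import net.openid.appauth.connectivity.DefaultConnectionBuilder;

/** Added example; hypothetical helper, not part of AppAuth-Android or the demo app. */
public final class DemoAuthSetup {
    // Constructed to match the discovery_uri in the auth_config.json above.
    private static final Uri DISCOVERY_URI = Uri.parse(
            "https://mydomain/realms/myrealm/.well-known/openid-configuration");

    private DemoAuthSetup() {}

    /**
     * Weak setting from the thread: setSkipIssuerHttpsCheck(true) unconditionally.
     * Hardened form: skip the HTTPS requirement on the issuer only for debug builds
     * (isDebugBuild is assumed to come from BuildConfig.DEBUG or similar).
     */
    public static AppAuthConfiguration buildConfig(boolean isDebugBuild) {
        return new AppAuthConfiguration.Builder()
                .setConnectionBuilder(DefaultConnectionBuilder.INSTANCE)
                .setSkipIssuerHttpsCheck(isDebugBuild)
                .build();
    }

    /** The service that performs the authorization code exchange, using the config above. */
    public static AuthorizationService createService(Context ctx, boolean isDebugBuild) {
        return new AuthorizationService(ctx, buildConfig(isDebugBuild));
    }

    /** Resolves the OP endpoints and logs the cause when discovery fails. */
    public static void fetchDiscovery(boolean isDebugBuild) {
        AuthorizationServiceConfiguration.fetchFromUrl(
                DISCOVERY_URI,
                (serviceConfig, ex) -> {
                    if (serviceConfig == null) {
                        // Typical causes: certificate not trusted by the device, wrong realm path
                        Log.e("AppAuthDemo", "discovery document could not be retrieved", ex);
                        return;
                    }
                    Log.i("AppAuthDemo", "token endpoint: " + serviceConfig.tokenEndpoint);
                },
                buildConfig(isDebugBuild).getConnectionBuilder());
    }
}
```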