p2-inc / keycloak-events

Useful Keycloak event listener implementations and utilities.
https://phasetwo.io
Other
195 stars 36 forks source link

Invalid Keycloak Signature #37

Closed MarcinBondaruk closed 1 year ago

MarcinBondaruk commented 1 year ago

Hey, We have set up 3 keycloak instances on k8s. We are using keycloak events for webhooks on multiple user actions. Our backend processes these webhooks but from time to time we cannot validate signature resulting in invalid keycloak signature. Can you please try to turn me in right direction in debugging this issue? We are using keycloak 20 and events plugin v 0.12 database is shared across instances.

Best regards!

xgp commented 1 year ago

@MarcinBondaruk thanks for the message. Is your issue that the signature is wrong? Or that it is missing?

The HMAC gets computed here https://github.com/p2-inc/keycloak-events/blob/main/src/main/java/io/phasetwo/keycloak/events/HttpSenderEventListenerProvider.java#L95 based on a String that is created by the same code that the SimpleHttp client uses https://github.com/keycloak/keycloak/blob/main/server-spi-private/src/main/java/org/keycloak/broker/provider/util/SimpleHttp.java#L319

For debugging, I would recommend taking a String of an event that you know fails and running it through your client/receiver code and the Java code. Should be possible to write a main method to run this https://github.com/p2-inc/keycloak-events/blob/main/src/main/java/io/phasetwo/keycloak/events/HttpSenderEventListenerProvider.java#L108

If you find that the exact String is producing two different HMAC values, please post the String and client code here. Otherwise, my guess is that the input in slightly different for the Java and client code.