p2-inc / keycloak-magic-link

Magic Link Authentication for Keycloak
https://phasetwo.io

Magic Link + NextAuth with Keycloak as a Provider - nonce mismatch #33

Closed egdelwonk closed 1 year ago

egdelwonk commented 1 year ago

Hello, first, thanks for the extensions for orgs and magic links. Great stuff.

I'm using NextAuth with Keycloak Provider. I'm also using the p2 containers, with the 0.13 extension installed for keycloak-magic-link.

When I log in with username/password, the OAuth callbacks all work correctly and the user can log in correctly.

However, when using the magic link flow, the OAuthCallback error is received once the magic link is clicked in the inbox.

Upon clicking sign in with the Keycloak provider, I see NextAuth creating the authorization URL.

State

[next-auth][debug][CREATE_STATE] { value: 'x95OOMOeUbC3dSosVPafp2nzaq8ft2FJvieHMTjrlYA', maxAge: 900 }

Nonce

[next-auth][debug][CREATE_NONCE] { value: '8uMO9nPU9OSEaACq0RvrA5W9nelqNyX06U3I4uP9Qvk', maxAge: 900 }

Generated Authorization Url

[next-auth][debug][GET_AUTHORIZATION_URL] {
  url: 'http://localhost:8080/realms/myrealm/protocol/openid-connect/auth?client_id=nextjs-frontend&scope=openid%20email%20profile&response_type=code&redirect_uri=http%3A%2F%2Flocalhost%3A3001%2Fapi%2Fauth%2Fcallback%2Fkeycloak&state=x95OOMOeUbC3dSosVPafp2nzaq8ft2FJvieHMTjrlYA&code_challenge=ZUP5pKRC5GHjjfQsxGj3D33xooUbyxtiFZQ8DXrHCZs&code_challenge_method=S256&nonce=8uMO9nPU9OSEaACq0RvrA5W9nelqNyX06U3I4uP9Qvk'}

The generated nonce from NextAuth is passed as a parameter to openid-connect/auth endpoint.

Upon clicking the magic link, I see the following OAuthCallback error:

[next-auth][error][OAUTH_CALLBACK_ERROR]
https://next-auth.js.org/errors#oauth_callback_error nonce mismatch, expected 8uMO9nPU9OSEaACq0RvrA5W9nelqNyX06U3I4uP9Qvk, got: 0f179f93-dd7a-4b63-8cc2-a79c3248317e {
  error: RPError: nonce mismatch, expected 8uMO9nPU9OSEaACq0RvrA5W9nelqNyX06U3I4uP9Qvk, got: 0f179f93-dd7a-4b63-8cc2-a79c3248317e
...
  providerId: 'keycloak',
  message: 'nonce mismatch, expected 8uMO9nPU9OSEaACq0RvrA5W9nelqNyX06U3I4uP9Qvk, got: 0f179f93-dd7a-4b63-8cc2-a79c3248317e'
}

Any ideas @xgp ?

xgp commented 1 year ago

Hi @egdelwonk thanks for the thorough report. Is it possible to capture a HAR of what is going on? Either that or some sample code that reproduces? The test that I have works for both state and nonce, but maybe NextAuth is doing something different.

egdelwonk commented 1 year ago

@xgp Happy to capture an HAR, but not sure what that is or how to do it. Any insight?

xgp commented 1 year ago

In chrome dev tools:

  1. open it to the network pane
  2. clear any previously recorded requests
  3. do the login you described above (you will have to paste the magic link into the same tab to get it to record there)
  4. once you are done, click the download button, which will prompt you to save the HAR file.

[Screenshot from 2023-05-25 22-43-53]

egdelwonk commented 1 year ago

Great, I've generated the HAR. What's the best way to send it to you? GitHub comments don't allow it to be attached.

xgp commented 1 year ago

[image]

egdelwonk commented 1 year ago

@xgp it appears that the nonce being sent from NextAuth is a string but keycloak-magic-link is casting it to a uuid with uuid.fromString(nonce).

xgp commented 1 year ago

Good catch. That's because the Keycloak superclass DefaultActionTokenKey uses a java.util.UUID for the nonce. Given that the nonce value doesn't need to be a UUID, I think we can override that and store it as a String.

https://github.com/keycloak/keycloak/blob/main/server-spi/src/main/java/org/keycloak/models/DefaultActionTokenKey.java#L40
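The root cause described in this thread, as an added model rather than the extension's own code: an OIDC nonce is an opaque string that the relying party must get back byte-for-byte in the ID token, so an action-token key that can only hold a `java.util.UUID` cannot carry a base64url nonce such as the one NextAuth sent. The two key functions below are assumptions that model the old and fixed behaviour; the nonce values are the ones quoted in the issue.

```python
import hmac
import uuid
from typing import Callable, Optional

# Nonce values quoted in the issue above: the NextAuth one is base64url,
# the one that came back in the ID token is a UUID.
NEXTAUTH_NONCE = "8uMO9nPU9OSEaACq0RvrA5W9nelqNyX06U3I4uP9Qvk"
UUID_NONCE = "0f179f93-dd7a-4b63-8cc2-a79c3248317e"


def uuid_action_key(nonce: str) -> str:
    """Assumed model of an action-token key that stores the nonce as a
    java.util.UUID. uuid.UUID(...) plays the role of UUID.fromString(...):
    it rejects anything that is not a 128-bit UUID, so an opaque OIDC nonce
    cannot be carried through this key at all."""
    return str(uuid.UUID(nonce))


def string_action_key(nonce: str) -> str:
    """Assumed model of the fixed key: the nonce is an opaque string and is
    echoed back unchanged."""
    return nonce


def roundtrip(nonce: str, key_fn: Callable[[str], str]) -> Optional[str]:
    """Carry the relying party's nonce through the action token and return
    what would land in the ID token's `nonce` claim, or None when the key
    type cannot hold the value."""
    try:
        return key_fn(nonce)
    except ValueError:
        return None


def verify_nonce(expected: str, claim: Optional[str]) -> bool:
    """Relying-party check (what NextAuth does on callback): the `nonce`
    claim must equal the value sent on the authorization request. Compared
    in constant time; a missing claim is a failure, never a pass."""
    if claim is None:
        return False
    return hmac.compare_digest(expected.encode(), claim.encode())
```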

xgp commented 1 year ago

FYI @egdelwonk still working on this. I'm trying to understand why Keycloak used a UUID, and if I should override their nonce or create a separate one for the magic link.

egdelwonk commented 1 year ago

Great, thank you!

xgp commented 1 year ago

@egdelwonk Sorry this took forever. Been out with a new baby in the house. If this is still a problem for you, please test the xgp/nonce branch. Should fix the problem with non-UUID nonces.

https://github.com/p2-inc/keycloak-magic-link/pull/45

egdelwonk commented 1 year ago

No worries! Thank you for looking into this and a big congratulations to you for the new baby! ❤️

I'll give the branch a try and report back. Thank you again!

xgp commented 1 year ago

@egdelwonk Checking to see if you've had time to try this. I've been using it with no problems, but wanted to check with you before merging.

egdelwonk commented 1 year ago

@xgp looks good on my end, thank you!

xgp commented 1 year ago

closed by #45