Closed: habsim closed this issue 7 months ago
This should be possible with this extension. The issue is how you do the authorization code flow when you are using a confidential client. You will get a code parameter to your callback endpoint. You need to use that, the client_id and the client_secret to exchange for a token. I don't know how mod_auth_openidc works, but I would suggest getting it working with a normal keycloak login first.
Thank you for the fast response! With normal keycloak login I got it working right away. When I look at the network traffic for normal login I get:
However, with passwordless I get:
So, with normal login it's a redirect response and with passwordless it's a normal 200 OK, and additionally there's a session cookie set with normal login.
Also, what I noticed in general (e.g. with Angular and angular-oauth2-oidc): when redirected back to the app after login with the magic link, there are session_state, state and code query parameters in the URL. Here (on apache) the same
vs.
In the Angular app, I have to remove the query parameters so that upon reload there's no error (otherwise it tries to log in again, which fails as the user is already logged in). Maybe you can shed some light on this? Is this a misconfiguration on my side?
Thank you so much for your help!
Thanks for the detail. I'll look into why it's returning 200 instead of 302.
I can confirm that integration between magic_link and apache mod_auth_oidc does not work, but using normal keycloak login works (and Email OTP also works). In my case I see the following error in the apache logs (when it returns 200 with an error page):
the nonce value (88a6eee9-c68c-480d-8762-4b4fbc6f1d09) in the id_token did not match the one stored in the browser session (TLZC5tFac3OqOQKOUk5QldFxSEPsqCSnbfoMMUDp1m4)
and
id_token payload could not be validated, aborting
Relevant logs below.
First, the log from initially going to apache, showing how apache sets nonce=TLZC5tFac3OqOQKOUk5QldFxSEPsqCSnbfoMMUDp1m4:
[Sun Dec 10 09:35:07.088994 2023] [auth_openidc:debug] [pid 8:tid 140129860794048] src/util.c(2621): [client 192.168.65.1:41158] oidc_util_hdr_table_set: Location: http://localhost:8443/realms/mytestrealm/protocol/openid-connect/auth?response_type=code&scope=openid%20email&client_id=graph&state=31cVPgjJZTIoj-qAXl_GIYIC-k0&redirect_uri=http%3A%2F%2Flocalhost%3A8041%2Foauth2callback&nonce=TLZC5tFac3OqOQKOUk5QldFxSEPsqCSnbfoMMUDp1m4
Then the log from magic_link in keycloak, showing that it embeds this nonce into the action token:
2023-12-10 09:36:18,995 DEBUG [io.phasetwo.keycloak.magic.auth.MagicLinkAuthenticator] (executor-thread-8) MagicLinkAuthenticator.authenticate
2023-12-10 09:36:25,598 DEBUG [io.phasetwo.keycloak.magic.auth.MagicLinkAuthenticator] (executor-thread-14) MagicLinkAuthenticator.action
2023-12-10 09:36:25,607 DEBUG [io.phasetwo.keycloak.magic.MagicLink] (executor-thread-14) Attempting MagicLinkAuthenticator for ddd@gmail.com, graph, http://localhost:8041/oauth2callback
2023-12-10 09:36:25,608 DEBUG [io.phasetwo.keycloak.magic.MagicLink] (executor-thread-14) MagicLinkAuthenticator extra vars openid email 31cVPgjJZTIoj-qAXl_GIYIC-k0 TLZC5tFac3OqOQKOUk5QldFxSEPsqCSnbfoMMUDp1m4 false
2023-12-10 09:36:25,608 DEBUG [io.phasetwo.keycloak.magic.MagicLink] (executor-thread-14) realm mytestrealm session.context.realm mytestrealm
2023-12-10 09:36:25,609 DEBUG [io.phasetwo.keycloak.magic.MagicLink] (executor-thread-14) baseUri: http://localhost:8443, tokenString: eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJhMzNlNjhhOC1iNGNjLTRjNTUtYTFmNy02YTRmNTgyNTAyYzEifQ.….kMkAKY-0mmZzNOmZmgyJBgj_rO1nFMYKvcCPtyaU5yA, clientId: graph
Finally, after clicking on the magic link, login to keycloak happens, then the redirect to apache, then apache queries keycloak for the user's token. This time apache sees a different NONCE, not the one it set when it initially redirected to keycloak. The exact error related to the nonce on apache's side (and which leads to the web page showing "Error: OpenID Connect Provider error: Error in handling response type.") is the following:
[Sun Dec 10 09:38:36.844448 2023] [auth_openidc:debug] [pid 8:tid 140129861002944] src/proto.c(1348): [client 192.168.65.1:41945] oidc_proto_validate_idtoken: enter, jwt.header="{"alg":"RS256","typ":"JWT","kid":"5OmVN41EsgtS7hETE-HnJrsv_wkiwUOnVHoUi_Ft_gY"}", jwt.payload="{"exp":1702201416,"iat":1702201116,"auth_time":1702201062,"jti":"8de8e871-fe88-4a5d-9ef1-18a053f5b8e3","iss":"http://localhost:8443/realms/mytestrealm","aud":"graph","sub":"c10c8bc0-0723-4619-82ff-c877de617a71","typ":"ID","azp":"graph","nonce":"88a6eee9-c68c-480d-8762-4b4fbc6f1d09","session_state":"9f839683-f336-48da-a464-48d4e9e307c1","at_hash":"Lzd1bfMi7DPODfEyUIjoSQ","acr":"1","sid":"9f839683-f336-48da-a464-48d4e9e307c1","email_verified":true,"preferred_username":"ddd@gmail.com","email":"ddd@gmail.com"}", nonce="TLZC5tFac3OqOQKOUk5QldFxSEPsqCSnbfoMMUDp1m4"
[Sun Dec 10 09:38:36.844789 2023] [auth_openidc:error] [pid 8:tid 140129861002944] [client 192.168.65.1:41945] oidc_proto_validate_nonce: the nonce value (88a6eee9-c68c-480d-8762-4b4fbc6f1d09) in the id_token did not match the one stored in the browser session (TLZC5tFac3OqOQKOUk5QldFxSEPsqCSnbfoMMUDp1m4)
[Sun Dec 10 09:38:36.844795 2023] [auth_openidc:error] [pid 8:tid 140129861002944] [client 192.168.65.1:41945] oidc_proto_parse_idtoken: id_token payload could not be validated, aborting
In my opinion the issue is that when apache's mod redirects to keycloak it sets the NONCE and expects to receive that NONCE in the JWT token for the user. However, after apache sets the nonce in the beginning, it gets embedded into the action token URL. When the URL is clicked from the email, the user gets logged in correctly, but the NONCE is now expired. Then the user is redirected to the client (that is, apache), which sends a request to keycloak expecting to get the original NONCE that it set in the very beginning. But it gets a new NONCE that was generated by keycloak. They don't match up and login fails. If the page is requested anew then the login goes well (because keycloak reads the cookie and auths the user, hence skipping the email step and returning apache's NONCE to it as expected).
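As an added illustration (not code from this issue, from mod_auth_openidc or from keycloak-magic-link), here is a minimal Python model of the relying-party side of the flow discussed in this thread: the confidential client redirects with a fresh state and nonce kept in the browser session, later exchanges the code with its client_id and client_secret, and accepts the id_token only if the nonce it carries equals the stored one, so a token with a different nonce fails exactly as in the apache log above. The function names, `make_unsigned_id_token` (used only to construct sample tokens) and the omission of signature and expiry checks are assumptions of the example.

```python
# Added example (not code from the issue, mod_auth_openidc or keycloak-magic-link):
# minimal relying-party model of the authorization code flow with state/nonce binding.
import base64, json, secrets
from urllib.parse import urlencode

ISSUER = "http://localhost:8443/realms/mytestrealm"  # realm from the logs
CLIENT_ID = "graph"                                  # client_id from the logs

def build_auth_redirect(session, redirect_uri):
    """Step 1: store fresh state and nonce in the browser session, then redirect."""
    session["state"] = secrets.token_urlsafe(32)
    session["nonce"] = secrets.token_urlsafe(32)
    params = {"response_type": "code", "scope": "openid email",
              "client_id": CLIENT_ID, "state": session["state"],
              "redirect_uri": redirect_uri, "nonce": session["nonce"]}
    return f"{ISSUER}/protocol/openid-connect/auth?{urlencode(params)}"

def token_request(code, redirect_uri, client_secret):
    """Step 2: a confidential client exchanges code + client_id + client_secret."""
    return {"grant_type": "authorization_code", "code": code,
            "redirect_uri": redirect_uri, "client_id": CLIENT_ID,
            "client_secret": client_secret}

def _b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def make_unsigned_id_token(claims):
    """Builds a sample id_token for the demo only (alg=none, empty signature)."""
    return _b64url(b'{"alg":"none"}') + "." + _b64url(json.dumps(claims).encode()) + "."

def id_token_claims(jwt):
    """Decode the payload segment; signature and expiry checks are omitted here."""
    payload = jwt.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))

def validate_callback(session, query, id_token):
    """Step 3: checks the RP makes on the callback; returns None when accepted."""
    if query.get("state") != session.get("state"):
        return "state mismatch"
    claims = id_token_claims(id_token)
    if claims.get("iss") != ISSUER:
        return "issuer mismatch"
    if claims.get("aud") != CLIENT_ID:
        return "audience mismatch"
    if claims.get("nonce") != session.get("nonce"):
        return (f"the nonce value ({claims.get('nonce')}) in the id_token did not "
                f"match the one stored in the browser session ({session.get('nonce')})")
    return None
```

A real deployment must also verify the id_token signature against the provider's JWKS and its exp/iat claims before trusting any of the payload values compared here.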
Turns out I was using magic link version 0.15 with keycloak 22. Updating to magic link version 0.22 with keycloak version 23.0.1 solved the problem for me. Sorry for the noise!
Hello,
Thanks for looking into it! We switched to OTP, which works and we feel serves our use case pretty well anyway. If we wanna try magic link in the future, we'll try with the newer versions.
Best, Simon
From: temach. Sent: Sunday, December 10, 2023 6:46:46 PM. To: p2-inc/keycloak-magic-link. Subject: Re: [p2-inc/keycloak-magic-link] Apache Server Authentication and Authorization (Issue #51)
Turns out I was using magic link version 0.15 with keycloak 22. Updating to magic link version 0.23 with keycloak version 23.0.1 solved the problem for me. Sorry for the noise!
I would like to try the plugin for authentication of old websites running on Apache.
For this purpose there exists an apache module called mod_auth_openidc.so which is configured with a client secret.
So, it uses client credential instead of authentication code flow. When clicking on the magic link, a session is created in keycloak; however, upon redirect there's the following error:
Error:
OpenID Connect Provider error: Error in handling response type.
I'm wondering if the action token has to be created differently for this type of flow or whether the problem lies in the configuration of the Apache module?
Really appreciate your help!