p2-inc / keycloak-magic-link

Magic Link Authentication for Keycloak

Apache Server Authentication and Authorization #51

Closed habsim closed 7 months ago

habsim commented 10 months ago

I would like to try the plugin for authentication of old websites running on Apache.

For this purpose there exists an apache module called mod_auth_openidc.so which is configured with a client secret.

So, it uses a client credential instead of the authentication code flow. When clicking on the magic link, a session is created in keycloak, however upon redirect there's the following error:

Error:

OpenID Connect Provider error: Error in handling response type.

I'm wondering if the action token has to be created differently for this type of flow or whether the problem lies in the configuration of the Apache module?

Really appreciate your help!

xgp commented 10 months ago

This should be possible with this extension. The issue is how you do the authorization code flow, when you are using a confidential client. You will get a code parameter to your callback endpoint. You need to use that, the client_id and the client_secret to exchange for a token. I don't know how mod_auth_openidc works, but I would suggest getting it working with a normal keycloak login first.

habsim commented 10 months ago

Thank you for the fast response! With normal keycloak login I got it working right away. When I look at the network traffic for normal login I get:

[Screenshot 2023-08-31 at 10:08:42: network traffic for the normal login]

However, with passwordless I get:

[Screenshot 2023-08-31 at 10:21:01: network traffic for the passwordless login]

So, with normal login it's a redirect response and with passwordless it's a normal 200 OK, and additionally there's a session cookie set with normal login.

Also what I noticed in general (e.g. with Angular and angular-oauth2-oidc), when redirected back to the app after login with the magic link, there are session_state, state and code query parameters in the URL. Here (on apache) the same:

http://localhost:8888/

vs.

http://localhost:8888/redirect_url?state=h7ici2oYtRKdS3xHR0-eJi2GxqY&session_state=0e8793a3-f100-4f48-a4b9-b978d8443f0d&code=4cad53b9-4cb4-4f93-aeec-9e7a437de41f.0e8793a3-f100-4f48-a4b9-b978d8443f0d.18d05907-2ad2-489e-b602-1a93dde14003

In the Angular app, I have to remove the query parameters, so that upon reload there's no error (otherwise it tries to log in again, which fails as the user is already logged in). Maybe you can shed some light on this? Is this a misconfiguration on my side?

Thank you so much for your help!

xgp commented 10 months ago

Thanks for the detail. I'll look into why it's returning 200 instead of 302.

temach commented 7 months ago

I can confirm that integration between magic_link and apache mod_auth_openidc does not work, but using normal keycloak login works (and Email OTP also works). In my case I see the following error in the apache logs (when it returns 200 with an error page):

the nonce value (88a6eee9-c68c-480d-8762-4b4fbc6f1d09) in the id_token did not match the one stored in the browser session (TLZC5tFac3OqOQKOUk5QldFxSEPsqCSnbfoMMUDp1m4)

and

id_token payload could not be validated, aborting

Relevant logs below

First log from first going to apache showing how apache sets nonce=TLZC5tFac3OqOQKOUk5QldFxSEPsqCSnbfoMMUDp1m4:

[Sun Dec 10 09:35:07.088994 2023] [auth_openidc:debug] [pid 8:tid 140129860794048] src/util.c(2621): [client 192.168.65.1:41158] oidc_util_hdr_table_set: Location: http://localhost:8443/realms/mytestrealm/protocol/openid-connect/auth?response_type=code&scope=openid%20email&client_id=graph&state=31cVPgjJZTIoj-qAXl_GIYIC-k0&redirect_uri=http%3A%2F%2Flocalhost%3A8041%2Foauth2callback&nonce=TLZC5tFac3OqOQKOUk5QldFxSEPsqCSnbfoMMUDp1m4

Then log from magic_link in keycloak, showing that it embeds this nonce into action token:

2023-12-10 09:36:18,995 DEBUG [io.phasetwo.keycloak.magic.auth.MagicLinkAuthenticator] (executor-thread-8) MagicLinkAuthenticator.authenticate
2023-12-10 09:36:25,598 DEBUG [io.phasetwo.keycloak.magic.auth.MagicLinkAuthenticator] (executor-thread-14) MagicLinkAuthenticator.action
2023-12-10 09:36:25,607 DEBUG [io.phasetwo.keycloak.magic.MagicLink] (executor-thread-14) Attempting MagicLinkAuthenticator for ddd@gmail.com, graph, http://localhost:8041/oauth2callback
2023-12-10 09:36:25,608 DEBUG [io.phasetwo.keycloak.magic.MagicLink] (executor-thread-14) MagicLinkAuthenticator extra vars openid email 31cVPgjJZTIoj-qAXl_GIYIC-k0 TLZC5tFac3OqOQKOUk5QldFxSEPsqCSnbfoMMUDp1m4 false
2023-12-10 09:36:25,608 DEBUG [io.phasetwo.keycloak.magic.MagicLink] (executor-thread-14) realm mytestrealm session.context.realm mytestrealm
2023-12-10 09:36:25,609 DEBUG [io.phasetwo.keycloak.magic.MagicLink] (executor-thread-14) baseUri: http://localhost:8443, tokenString: eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJhMzNlNjhhOC1iNGNjLTRjNTUtYTFmNy02YTRmNTgyNTAyYzEifQ.[...].kMkAKY-0mmZzNOmZmgyJBgj_rO1nFMYKvcCPtyaU5yA, clientId: graph

Finally, after clicking on the magic link, login to keycloak happens, then redirect to apache, then apache queries keycloak for the user's token. This time apache sees a different NONCE, not the one it set when it initially redirected to keycloak. The exact error related to the nonce on apache's side (and which leads to the web page showing "Error: OpenID Connect Provider error: Error in handling response type.") is the following:

[Sun Dec 10 09:38:36.844448 2023] [auth_openidc:debug] [pid 8:tid 140129861002944] src/proto.c(1348): [client 192.168.65.1:41945] oidc_proto_validate_idtoken: enter, jwt.header="{"alg":"RS256","typ":"JWT","kid":"5OmVN41EsgtS7hETE-HnJrsv_wkiwUOnVHoUi_Ft_gY"}", jwt.payload="{"exp":1702201416,"iat":1702201116,"auth_time":1702201062,"jti":"8de8e871-fe88-4a5d-9ef1-18a053f5b8e3","iss":"http://localhost:8443/realms/mytestrealm","aud":"graph","sub":"c10c8bc0-0723-4619-82ff-c877de617a71","typ":"ID","azp":"graph","nonce":"88a6eee9-c68c-480d-8762-4b4fbc6f1d09","session_state":"9f839683-f336-48da-a464-48d4e9e307c1","at_hash":"Lzd1bfMi7DPODfEyUIjoSQ","acr":"1","sid":"9f839683-f336-48da-a464-48d4e9e307c1","email_verified":true,"preferred_username":"ddd@gmail.com","email":"ddd@gmail.com"}", nonce="TLZC5tFac3OqOQKOUk5QldFxSEPsqCSnbfoMMUDp1m4"
[Sun Dec 10 09:38:36.844789 2023] [auth_openidc:error] [pid 8:tid 140129861002944] [client 192.168.65.1:41945] oidc_proto_validate_nonce: the nonce value (88a6eee9-c68c-480d-8762-4b4fbc6f1d09) in the id_token did not match the one stored in the browser session (TLZC5tFac3OqOQKOUk5QldFxSEPsqCSnbfoMMUDp1m4)
[Sun Dec 10 09:38:36.844795 2023] [auth_openidc:error] [pid 8:tid 140129861002944] [client 192.168.65.1:41945] oidc_proto_parse_idtoken: id_token payload could not be validated, aborting

In my opinion the issue is that when apache's mod redirects to keycloak it sets the NONCE, and expects to receive that NONCE in the JWT token for the user. However, after apache sets the nonce in the beginning, it gets embedded into the action token URL. When the URL is clicked from the email, the user gets logged in correctly but the NONCE is now expired. Then the user is redirected to the client (that is apache) which sends a request to keycloak expecting to get the original NONCE that it set in the very beginning. But it gets a new NONCE that was generated by keycloak. They don't match up and login fails. If the page is requested anew then the login goes well (because keycloak reads the cookie, auths the user, hence skipping the email step and returning apache's NONCE to it as expected).
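The relying-party side that xgp's comment (code + client_id + client_secret exchanged at the token endpoint) and the log analysis above (id_token nonce compared against the nonce kept in the browser session) describe, as an added self-contained Python sketch. This is example code written for this page, not code from the keycloak-magic-link project or from mod_auth_openidc. ISSUER, CLIENT_ID, REDIRECT_URI, the `sub` value and the mismatching nonce literal are taken from the logs in this thread; CLIENT_SECRET, SIGNING_KEY, the `constructed-code` value, the HS256 stand-in for Keycloak's RS256 id_token signature, and all function names are constructed for the example, and no HTTP request is actually sent.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlparse

# Values taken from the mod_auth_openidc and Keycloak logs in this thread.
ISSUER = "http://localhost:8443/realms/mytestrealm"
CLIENT_ID = "graph"
REDIRECT_URI = "http://localhost:8041/oauth2callback"
# Constructed placeholders: the thread never shows the secret, and Keycloak signs
# id_tokens with RS256; a shared HS256 key is used here only so the example runs offline.
CLIENT_SECRET = "constructed-client-secret"
SIGNING_KEY = b"constructed-hs256-key-not-from-the-thread"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def build_auth_request(session: dict) -> str:
    """Step 1: the RP mints state and nonce, keeps them in the browser session, then redirects."""
    session["state"] = b64url(secrets.token_bytes(20))
    session["nonce"] = b64url(secrets.token_bytes(32))
    params = {"response_type": "code", "scope": "openid email", "client_id": CLIENT_ID,
              "state": session["state"], "redirect_uri": REDIRECT_URI, "nonce": session["nonce"]}
    return f"{ISSUER}/protocol/openid-connect/auth?{urlencode(params)}"


def token_request(code: str) -> dict:
    """Step 2: what a confidential client POSTs to the token endpoint (Basic auth + form body)."""
    basic = base64.b64encode(f"{CLIENT_ID}:{CLIENT_SECRET}".encode()).decode()
    return {"url": f"{ISSUER}/protocol/openid-connect/token",
            "headers": {"Authorization": f"Basic {basic}",
                        "Content-Type": "application/x-www-form-urlencoded"},
            "body": {"grant_type": "authorization_code", "code": code, "redirect_uri": REDIRECT_URI}}


def mint_id_token(claims: dict, key: bytes) -> str:
    """Stand-in for the provider's id_token (HS256 with the constructed key)."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"


def validate_id_token(id_token: str, key: bytes, session: dict, now: Optional[float] = None) -> dict:
    """Step 3: signature, iss, aud, exp, and the nonce check that fails in the thread's apache log."""
    header_b64, payload_b64, sig_b64 = id_token.split(".")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("id_token signature could not be verified")
    claims = json.loads(b64url_decode(payload_b64))
    now = time.time() if now is None else now
    if claims.get("iss") != ISSUER:
        raise ValueError("unexpected issuer")
    aud = claims.get("aud")
    if aud != CLIENT_ID and not (isinstance(aud, list) and CLIENT_ID in aud):
        raise ValueError("id_token not issued for this client")
    if float(claims.get("exp", 0)) <= now:
        raise ValueError("id_token expired")
    # Same wording as oidc_proto_validate_nonce in the log above, constant-time compare.
    if not hmac.compare_digest(str(claims.get("nonce", "")), str(session.get("nonce", ""))):
        raise ValueError(f"the nonce value ({claims.get('nonce')}) in the id_token did not match "
                         f"the one stored in the browser session ({session.get('nonce')})")
    return claims


def handle_callback(callback_url: str, session: dict, id_token: str) -> dict:
    """The RP callback: check state, build the code exchange, validate the returned id_token."""
    query = parse_qs(urlparse(callback_url).query)
    if query.get("state", [None])[0] != session.get("state"):
        raise ValueError("state mismatch")
    exchange = token_request(query["code"][0])  # would be POSTed to Keycloak; not sent here
    assert exchange["body"]["grant_type"] == "authorization_code"
    return validate_id_token(id_token, SIGNING_KEY, session)


def run_scenarios() -> dict:
    """Outcome of a login whose nonce round-trips, and of the mismatch shown in the thread."""
    results = {}
    for label, token_nonce in (("matching", None), ("mismatched", "88a6eee9-c68c-480d-8762-4b4fbc6f1d09")):
        session = {}
        build_auth_request(session)
        claims = {"iss": ISSUER, "aud": CLIENT_ID, "sub": "c10c8bc0-0723-4619-82ff-c877de617a71",
                  "exp": int(time.time()) + 300, "nonce": token_nonce or session["nonce"]}
        callback = f"{REDIRECT_URI}?{urlencode({'state': session['state'], 'code': 'constructed-code'})}"
        try:
            results[label] = handle_callback(callback, session, mint_id_token(claims, SIGNING_KEY))
        except ValueError as err:
            results[label] = str(err)
    return results


if __name__ == "__main__":
    for label, outcome in run_scenarios().items():
        print(label, "->", outcome)
```

`run_scenarios()` plays the two cases from the thread: in the first the id_token carries the nonce the session stored and validation returns the claims; in the second the token carries a different nonce and `validate_id_token` rejects it with the same message mod_auth_openidc logged. The point for a deployer is that the nonce is bound to the browser session that started the redirect, so any flow that completes authentication in a different context (or after that session's nonce has been replaced) will be refused by a correctly implemented relying party, and the fix has to come from the provider side returning the original nonce, as the newer magic-link version does.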

temach commented 7 months ago

Turns out I was using magic link version 0.15 with keycloak 22. Updating to magic link version 0.22 with keycloak version 23.0.1 solved the problem for me. Sorry for the noise!

habsim commented 7 months ago

Hello,

Thanks for looking into it! We switched to OTP, which works and we feel serves our use case pretty well anyway. If we wanna try magic link in the future, we'll try with the newer versions.

Best, Simon

— Reply to this email directly, view it on GitHubhttps://github.com/p2-inc/keycloak-magic-link/issues/51#issuecomment-1849032186, or unsubscribehttps://github.com/notifications/unsubscribe-auth/AWAE5PDK6JAHG5SIB5JFFN3YIXYQNAVCNFSM6AAAAAA4EQZ6C2VHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMYTQNBZGAZTEMJYGY. You are receiving this because you authored the thread.Message ID: @.***>