search

p2-inc / keycloak-magic-link

Magic Link Authentication for Keycloak
https://phasetwo.io
Other
222 stars 44 forks source link

Issues when configuring provider plugin #6

Closed tstec-polypoly closed 1 year ago

tstec-polypoly commented 1 year ago

Hey, hoping to get some help configuring the provider. Sorry in advance for my ignorance of Java and Keycloak...

My environment:

I made the following steps to configure:

Screen Shot 2022-08-29 at 14 13 11 Screen Shot 2022-08-29 at 14 13 50 Screen Shot 2022-08-29 at 14 26 16 Screen Shot 2022-08-29 at 14 16 02 Screen Shot 2022-08-29 at 14 20 09 Screen Shot 2022-08-29 at 14 20 15 Screen Shot 2022-08-29 at 14 20 22 Screen Shot 2022-08-29 at 14 25 17

I then tested by navigating a private window to https://localhost:8037/realms/test/account/#/ as seen here:

Screen Shot 2022-08-29 at 16 05 53

Then I clicked "Sign in" which resulted in:

Screen Shot 2022-08-29 at 16 05 58

The previous action triggered the following message in the Keycloak logs:

keycloak | 2022-08-29 14:09:03,245 WARN  [org.keycloak.services] (executor-thread-50) KC-SERVICES0013: Failed authentication: org.keycloak.authentication.AuthenticationFlowException
keycloak |  at org.keycloak.authentication.AuthenticationProcessor.authenticateOnly(AuthenticationProcessor.java:1038)
keycloak |  at org.keycloak.authentication.AuthenticationProcessor.authenticate(AuthenticationProcessor.java:892)
keycloak |  at org.keycloak.protocol.AuthorizationEndpointBase.handleBrowserAuthenticationRequest(AuthorizationEndpointBase.java:151)
keycloak |  at org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint.buildAuthorizationCodeAuthorizationResponse(AuthorizationEndpoint.java:338)
keycloak |  at org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint.process(AuthorizationEndpoint.java:194)
keycloak |  at org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint.buildGet(AuthorizationEndpoint.java:112)
keycloak |  at jdk.internal.reflect.GeneratedMethodAccessor644.invoke(Unknown Source)
keycloak |  at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
keycloak |  at java.base/java.lang.reflect.Method.invoke(Method.java:566)
keycloak |  at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:170)
keycloak |  at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:130)
keycloak |  at org.jboss.resteasy.core.ResourceMethodInvoker.internalInvokeOnTarget(ResourceMethodInvoker.java:660)
keycloak |  at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTargetAfterFilter(ResourceMethodInvoker.java:524)
keycloak |  at org.jboss.resteasy.core.ResourceMethodInvoker.lambda$invokeOnTarget$2(ResourceMethodInvoker.java:474)
keycloak |  at org.jboss.resteasy.core.interception.jaxrs.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:364)
keycloak |  at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:476)
keycloak |  at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:434)
keycloak |  at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:192)
keycloak |  at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:152)
keycloak |  at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:183)
keycloak |  at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:141)
keycloak |  at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:32)
keycloak |  at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:492)
keycloak |  at org.jboss.resteasy.core.SynchronousDispatcher.lambda$invoke$4(SynchronousDispatcher.java:261)
keycloak |  at org.jboss.resteasy.core.SynchronousDispatcher.lambda$preprocess$0(SynchronousDispatcher.java:161)
keycloak |  at org.jboss.resteasy.core.interception.jaxrs.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:364)
keycloak |  at org.jboss.resteasy.core.SynchronousDispatcher.preprocess(SynchronousDispatcher.java:164)
keycloak |  at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:247)
keycloak |  at io.quarkus.resteasy.runtime.standalone.RequestDispatcher.service(RequestDispatcher.java:73)
keycloak |  at io.quarkus.resteasy.runtime.standalone.VertxRequestHandler.dispatch(VertxRequestHandler.java:151)
keycloak |  at io.quarkus.resteasy.runtime.standalone.VertxRequestHandler.handle(VertxRequestHandler.java:82)
keycloak |  at io.quarkus.resteasy.runtime.standalone.VertxRequestHandler.handle(VertxRequestHandler.java:42)
keycloak |  at io.vertx.ext.web.impl.RouteState.handleContext(RouteState.java:1212)
keycloak |  at io.vertx.ext.web.impl.RoutingContextImplBase.iterateNext(RoutingContextImplBase.java:163)
keycloak |  at io.vertx.ext.web.impl.RoutingContextImpl.next(RoutingContextImpl.java:141)
keycloak |  at io.quarkus.vertx.http.runtime.StaticResourcesRecorder$2.handle(StaticResourcesRecorder.java:67)
keycloak |  at io.quarkus.vertx.http.runtime.StaticResourcesRecorder$2.handle(StaticResourcesRecorder.java:55)
keycloak |  at io.vertx.ext.web.impl.RouteState.handleContext(RouteState.java:1212)
keycloak |  at io.vertx.ext.web.impl.RoutingContextImplBase.iterateNext(RoutingContextImplBase.java:163)
keycloak |  at io.vertx.ext.web.impl.RoutingContextImpl.next(RoutingContextImpl.java:141)
keycloak |  at io.quarkus.vertx.http.runtime.VertxHttpRecorder$5.handle(VertxHttpRecorder.java:380)
keycloak |  at io.quarkus.vertx.http.runtime.VertxHttpRecorder$5.handle(VertxHttpRecorder.java:358)
keycloak |  at io.vertx.ext.web.impl.RouteState.handleContext(RouteState.java:1212)
keycloak |  at io.vertx.ext.web.impl.RoutingContextImplBase.iterateNext(RoutingContextImplBase.java:163)
keycloak |  at io.vertx.ext.web.impl.RoutingContextImpl.next(RoutingContextImpl.java:141)
keycloak |  at org.keycloak.quarkus.runtime.integration.web.QuarkusRequestFilter.lambda$createBlockingHandler$1(QuarkusRequestFilter.java:71)
keycloak |  at io.vertx.core.impl.ContextImpl.lambda$null$0(ContextImpl.java:159)
keycloak |  at io.vertx.core.impl.AbstractContext.dispatch(AbstractContext.java:100)
keycloak |  at io.vertx.core.impl.ContextImpl.lambda$executeBlocking$1(ContextImpl.java:157)
keycloak |  at io.quarkus.vertx.core.runtime.VertxCoreRecorder$13.runWith(VertxCoreRecorder.java:543)
keycloak |  at org.jboss.threads.EnhancedQueueExecutor$Task.run(EnhancedQueueExecutor.java:2449)
keycloak |  at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1478)
keycloak |  at org.jboss.threads.DelegatingRunnable.run(DelegatingRunnable.java:29)
keycloak |  at org.jboss.threads.ThreadLocalResettingRunnable.run(ThreadLocalResettingRunnable.java:29)
keycloak |  at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)
keycloak |  at java.base/java.lang.Thread.run(Thread.java:829)
keycloak |
keycloak | 2022-08-29 14:09:03,249 WARN  [org.keycloak.events] (executor-thread-50) type=LOGIN_ERROR, realmId=test, clientId=account-console, userId=null, ipAddress=172.25.0.1, error=invalid_user_credentials, auth_method=openid-connect, auth_type=code, response_type=code, redirect_uri=https://localhost:8037/realms/test/account/#/, code_id=6e39432e-93a0-4eeb-bc9f-e09babb21a82, response_mode=fragment, authSessionParentId=6e39432e-93a0-4eeb-bc9f-e09babb21a82, authSessionTabId=SK8QgVyzKeI

I also tried a few permutations of the request mentioned in the README.md with the following results:

As suggested in README.md

curl --insecure --request POST https://localhost:8037/auth/realms/test/magic-link \
 --header "Accept: application/json" \
 --header "Content-Type: application/json" \
 --header "Authorization: Bearer" \
 --data '{"email":"foo@foo.com","client_id":"account-console","redirect_uri":"https://localhost:8037/auth/realms/test/account/","expiration_seconds":3600,"force_create":true,"update_profile":true,"send_email":true}'

# Result
{"error":"RESTEASY003210: Could not find resource for full path: https://localhost:8037/auth/realms/test/magic-link"}%

Fixes redirect URI to what I assume is correct. Tries /realms/test/magic-link as POST path. Guessing this one is closest?

curl --insecure --request POST https://localhost:8037/realms/test/magic-link \
 --header "Accept: application/json" \
 --header "Content-Type: application/json" \
 --header "Authorization: Bearer" \
 --data '{"email":"foo@foo.com","client_id":"account-console","redirect_uri":"https://localhost:8037/realms/test/account/","expiration_seconds":3600,"force_create":true,"update_profile":true,"send_email":true}'

# Result
{"error":"HTTP 401 Unauthorized"}%

Fixes redirect URI to what I assume is correct. Tries /realms/test/protocol/openid-connect/auth as POST path.

curl --insecure --request POST https://localhost:8037/realms/test/protocol/openid-connect/auth \
 --header "Accept: application/json" \
 --header "Content-Type: application/json" \
 --header "Authorization: Bearer" \
 --data '{"email":"foo@foo.com","client_id":"account-console","redirect_uri":"https://localhost:8037/realms/test/account/","expiration_seconds":3600,"force_create":true,"update_profile":true,"send_email":true}'

# Result
{"error":"RESTEASY003065: Cannot consume content type"}

Fixes redirect URI to what I assume is correct. Tries /realms/test/protocol/openid-connect/auth/magic-link as POST path.

curl --insecure --request POST https://localhost:8037/realms/test/protocol/openid-connect/auth/magic-link \
 --header "Accept: application/json" \
 --header "Content-Type: application/json" \
 --header "Authorization: Bearer" \
 --data '{"email":"foo@foo.com","client_id":"account-console","redirect_uri":"https://localhost:8037/realms/test/account/","expiration_seconds":3600,"force_create":true,"update_profile":true,"send_email":true}'

# Result
{"error":"RESTEASY003210: Could not find resource for full path: https://localhost:8037/realms/test/protocol/openid-connect/auth/magic-link"}%

Fixes redirect URI to what I assume is correct. Tries /realms/test/protocol/openid-connect/magic-link as POST path.

curl --insecure --request POST https://localhost:8037/realms/test/protocol/openid-connect/magic-link \
 --header "Accept: application/json" \
 --header "Content-Type: application/json" \
 --header "Authorization: Bearer" \
 --data '{"email":"foo@foo.com","client_id":"account-console","redirect_uri":"https://localhost:8037/realms/test/account/","expiration_seconds":3600,"force_create":true,"update_profile":true,"send_email":true}'

# Result
{"error":"RESTEASY003210: Could not find resource for full path: https://localhost:8037/realms/test/protocol/openid-connect/magic-link"}%
tstec-polypoly commented 1 year ago

FYI, I also tried toggling the authentication "Condition - User Configured" to "Required" and got the same results.

tstec-polypoly commented 1 year ago

I also tried messing with the Authentication "Required Actions." The following don't seem to have any effect:

Screen Shot 2022-08-29 at 16 41 49 Screen Shot 2022-08-29 at 16 41 44
tstec-polypoly commented 1 year ago

I got this working. Here are screenshots of the exact steps (excluding email configuration). Please feel free to re-use them.

01 02 03 04 05 06 07 08 09 10 11 12 13
xgp commented 1 year ago

@tstec-polypoly This is great. I'm going to add this to the docs.

dsputnikk commented 3 months ago

@tstec-polypoly any chance you could post an example of using MagicLink as a second alternative?