Closed by pnzrr 2 months ago
Hi @pnzrr. Could you please confirm that the bug is reproduced in KC 25.0.1?
I've managed to reproduce it using the following curl:
curl --location 'http://localhost:8080/auth/realms/master/orgs/78372ef9-e5b7-41ee-b7d3-05b4b1035a43/idps/import-config' \
  --header 'Content-Type: application/json' \
  --header 'Authorization: Bearer <ACCESS_TOKEN>' \
  --data '{ "providerId": "oidc" }'
If I add the "fromUrl" I get a different result:
curl --location 'http://localhost:8080/auth/realms/master/orgs/78372ef9-e5b7-41ee-b7d3-05b4b1035a43/idps/import-config' \
  --header 'Content-Type: application/json' \
  --header 'Authorization: Bearer <ACCESS_TOKEN>' \
  --data '{ "providerId": "oidc", "fromUrl": "https://nexus.microsoftonline-p.com/federationmetadata/saml20/federationmetadata.xml" }'
Seems if you are not providing both providerId and fromUrl in the request body this will throw a 400 error.
@xgp I see the issue. For a manual config, we're trying to do an import-config but in this case, we shouldn't. We just need to validate that the required values are present in the form then submit them in one go.
The KC admin UI does this by validating the URL provided when using that method but doing no validation otherwise.
I'll update this particular case to not submit an API call check, but to only check form validity.
Fixed in PR
For manual, it does look like all values are being passed correctly to the import-config endpoint but getting a 400 back from the server when trying to validate manually.
Related: https://github.com/p2-inc/idp-wizard/issues/178