skooner-k8s / skooner

Simple Kubernetes real-time dashboard and management.
http://skooner.io/
Apache License 2.0

Open ID Manifests with `authorization_response_iss_parameter_supported=true` 500's on authorization flows with `iss missing from the response` #441

Open yacman opened 9 months ago

yacman commented 9 months ago

Utilizing Keycloak version 23.0.4, which contains a realm with multiple clients where one or more contain `authorization_response_iss_parameter_supported=true`, this value will always be true for the /.well-known/openid-configuration.

https://github.com/keycloak/keycloak/issues/25419

Given this, when the node-openid-client is hydrated by this endpoint, the following validation takes place and throws:

    if ('iss' in params) {
      assertIssuerConfiguration(this.issuer, 'issuer');
      if (params.iss !== this.issuer.issuer) {
        throw new RPError({
          printf: ['iss mismatch, expected %s, got: %s', this.issuer.issuer, params.iss],
          params,
        });
      }
    } else if (
      this.issuer.authorization_response_iss_parameter_supported &&
      !('id_token' in params) &&
      !('response' in parameters)
    ) {
      throw new RPError({
        message: 'iss missing from the response',
        params,
      });
    }

https://github.com/panva/node-openid-client/blob/main/lib/client.js#L437

Fri, 26 Jan 2024 19:53:59 GMT express:router trim prefix (/oidc) from url /oidc
Fri, 26 Jan 2024 19:53:59 GMT express:router <anonymous> /oidc : /oidc
Fri, 26 Jan 2024 19:53:59 GMT express:router handleErrors  : /oidc
An error occurred during the request RPError: iss missing from the response
    at Client.callback (/usr/src/app/node_modules/openid-client/lib/client.js:419:13)
    at oidcAuthenticate (/usr/src/app/index.js:211:37)
    at processTicksAndRejections (node:internal/process/task_queues:96:5)
    at async postOidc (/usr/src/app/index.js:146:23) {
  params: {
    code: '<some code here>'
  }
} POST /oidc
2024-01-26T19:53:59.695Z POST /oidc 500

Reviewing the auth flow for Skooner, it is declaring specific keys to proxy when submitting /oidc requests, where the issuer is also required.

https://github.com/skooner-k8s/skooner/blob/master/client/src/services/api.ts#L122 https://github.com/skooner-k8s/skooner/blob/master/server/index.js#L145

These endpoints should, when supplied, also proxy the iss parameter. When the iss parameter is provided and valid, the 500 is corrected.
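As an added illustration (not Skooner's or node-openid-client's code), the following shows a callback-parameter picker that forwards `iss` alongside `code` and `state`, together with the same issuer check the library snippet above performs (the RFC 9207 `iss` check that protects a relying party against a mixed-up authorization server). The `FORWARDED_KEYS`, `pickCallbackParams` and `checkIssuer` names, and the sample issuer and redirect query, are constructed for this example.

```javascript
// Added example; hypothetical names, not Skooner's own proxy code.
// A proxy that drops `iss` reproduces the issue: the library sees
// authorization_response_iss_parameter_supported=true and no iss, and throws.
const FORWARDED_KEYS = ['code', 'state', 'iss', 'error', 'error_description'];

// Keep only the redirect parameters the token exchange needs, `iss` included.
function pickCallbackParams(query) {
  const out = {};
  for (const key of FORWARDED_KEYS) {
    if (typeof query[key] === 'string' && query[key] !== '') out[key] = query[key];
  }
  return out;
}

// Same logic as the quoted library check, returned as a result instead of thrown:
// a present iss must equal the configured issuer; when discovery advertises iss
// support, a plain `code` response without iss (and without an id_token or a JARM
// `response` to validate instead) is rejected.
function checkIssuer(issuer, params) {
  if ('iss' in params) {
    if (params.iss !== issuer.issuer) {
      return { ok: false, reason: `iss mismatch, expected ${issuer.issuer}, got: ${params.iss}` };
    }
    return { ok: true };
  }
  if (issuer.authorization_response_iss_parameter_supported &&
      !('id_token' in params) && !('response' in params)) {
    return { ok: false, reason: 'iss missing from the response' };
  }
  return { ok: true };
}

// Constructed sample: a Keycloak-style realm issuer that advertises iss support.
const sampleIssuer = {
  issuer: 'https://keycloak.example.test/realms/demo',
  authorization_response_iss_parameter_supported: true,
};

// Constructed redirect query as the browser would receive it on the callback URL.
const sampleQuery = {
  code: 'constructed-code',
  state: 'constructed-state',
  iss: 'https://keycloak.example.test/realms/demo',
  session_state: 'not-forwarded',
};

// Forwarding the picked parameters keeps the issuer check satisfied.
const forwarded = pickCallbackParams(sampleQuery);
console.log(forwarded, checkIssuer(sampleIssuer, forwarded));
```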

stefankubis commented 8 months ago

Same issue here - any fixes?

mhkarimi1383 commented 8 months ago

Facing the same problem with Keycloak + K8s 1.28. I have not found any workaround to this.

alexmarkowitsch commented 5 months ago

same problem here, is there any solution to this?

mhkarimi1383 commented 5 months ago

> same problem here, is there any solution to this?

I have just switched to Headlamp :)

bmgeek commented 2 months ago

I tried to switch to Headlamp, but my developers said: "It's a nuisance."

I have the same problem, need help.

mhkarimi1383 commented 2 months ago

@bmgeek

It was easy to use for us :)

mhkarimi1383 commented 2 months ago

But you can fork and fix the PR if you are interested, then use your port.

SFQEP commented 1 month ago

Encountered the same issue! Any solution?