sventorben / keycloak-restrict-client-auth

A Keycloak authenticator to restrict authorization on clients
MIT License
314 stars, 21 forks

[BUG] Redirects do not perform this validation #336

Closed wtj1206 closed 2 weeks ago

wtj1206 commented 3 weeks ago

Is there an existing issue for this?

Current Behavior

Two clients. Logging in to the second client via the Identity Provider Redirector's direct redirection does not perform this plug-in's permission verification.

Expected Behavior

Open the second application; the redirect should also start this plug-in.

Steps To Reproduce

No response

Version

- Keycloak: 26.0.1
- This extension: 26.0.1

Anything else?

No response

sventorben commented 3 weeks ago

Hey @wtj1206

Can you please provide the correct version that you are using? There is no version 26.0.1 of this extension. Please also add a screenshot or export of your flow configuration in use.

Thanks, Sven-Torben

wtj1206 commented 3 weeks ago

I am sorry, I used 26.0.0 to start the Cookie and Identity Provider Redirector. When I log in to the second client, I am logged in automatically. If I log out, I cannot log in to the second client by manually entering the account and password. This means that the login redirect does not execute this plugin; what should I do to ensure that the plugin executes at any time? @sventorben

sventorben commented 3 weeks ago

It's highly likely that your flow has not been set up correctly and/or you forgot to configure a post broker login flow.

I would need to see your flows to give better advice.

wtj1206 commented 3 weeks ago

I made a copy of the built-in browser flow, adding Restrict user authentication on clients and configuring the aliases at the end. The restricted-access roles are added to the respective clients, and the restricted-access policies are configured according to the instructions. When I use my account and password to log in to client B, the interception succeeds. After I successfully log in to client A and then access client B, the user account and password are not entered at this point, and the switch is performed automatically without interception. @sventorben

wtj1206 commented 3 weeks ago

{
  "allowRemoteResourceManagement": true,
  "policyEnforcementMode": "ENFORCING",
  "resources": [
    {
      "name": "Default Resource",
      "type": "urn:gitlab:resources:default",
      "ownerManagedAccess": false,
      "attributes": {},
      "uris": [ "/*" ]
    }
  ],
  "policies": [
    {
      "name": "test",
      "description": "",
      "type": "role",
      "logic": "POSITIVE",
      "decisionStrategy": "UNANIMOUS",
      "config": {
        "fetchRoles": "false",
        "roles": "[{\"id\":\"gitlab/restricted-access\",\"required\":true}]"
      }
    },
    {
      "name": "test2",
      "description": "",
      "type": "resource",
      "logic": "POSITIVE",
      "decisionStrategy": "AFFIRMATIVE",
      "config": {
        "resources": "[\"Default Resource\"]",
        "applyPolicies": "[\"test\"]"
      }
    }
  ],
  "scopes": [],
  "decisionStrategy": "UNANIMOUS"
}

wtj1206 commented 3 weeks ago

[Attached screenshots of the flow configuration: 11, 22, 33, 44, 55, 66, 77]

wtj1206 commented 3 weeks ago

Please help check and thank you @sventorben

sventorben commented 3 weeks ago

You cannot simply copy the browser flow and add the authenticator at the end. Please check this picture for a correct implementation:

https://github.com/sventorben/keycloak-restrict-client-auth/blob/main/docs/images/flow_explained.jpg
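The maintainer's point above is that appending the authenticator to a copied browser flow leaves the Cookie and Identity Provider Redirector steps on the same level as the check, so a silent login (cookie or IdP redirect) can complete on that level without passing through it. The script below is an added example, not code from the issue or from the project: it lints a Keycloak realm export for exactly that shape. The provider id `restrict-client-auth-authenticator` is an assumed placeholder for the extension's authenticator, the two realm fragments are constructed, and the "wrapped" layout (all login alternatives grouped in a sub-flow, followed by the authenticator as a REQUIRED step) is this example's own assumption about a flow that funnels every path through the check.

```python
# Added example: lint a Keycloak realm export for the misconfiguration
# described in the issue (restrict authenticator appended to a copied
# browser flow). Not code from the issue or from the project.

# ASSUMED placeholder for the extension's authenticator provider id.
RESTRICT_AUTHENTICATOR = "restrict-client-auth-authenticator"

# Built-in Keycloak executions that can finish a login without a credential prompt.
SILENT_LOGIN_EXECUTIONS = {"auth-cookie", "identity-provider-redirector"}


def find_flow(realm, alias):
    """Look up a flow by alias in a realm export's authenticationFlows list."""
    for flow in realm.get("authenticationFlows", []):
        if flow["alias"] == alias:
            return flow
    raise KeyError(f"flow not found: {alias}")


def all_authenticators(realm, alias):
    """Set of authenticator provider ids used anywhere in a flow, sub-flows included."""
    found = set()
    for exe in find_flow(realm, alias)["authenticationExecutions"]:
        if exe.get("authenticatorFlow"):
            found |= all_authenticators(realm, exe["flowAlias"])
        else:
            found.add(exe["authenticator"])
    return found


def lint_flow(realm, alias, top_level=True):
    """Return human-readable findings for flow `alias` (recursing into sub-flows).

    Flags the restrict authenticator when it shares a level with an ALTERNATIVE
    Cookie / IdP Redirector execution, when it is not REQUIRED, or when it is
    missing from the top-level flow entirely.
    """
    flow = find_flow(realm, alias)
    execs = sorted(flow["authenticationExecutions"], key=lambda e: e["priority"])
    findings = []

    if top_level and RESTRICT_AUTHENTICATOR not in all_authenticators(realm, alias):
        findings.append(f"{alias}: restrict authenticator is not part of this flow")

    restrict = [e for e in execs if e.get("authenticator") == RESTRICT_AUTHENTICATOR]
    silent = [e for e in execs
              if e.get("authenticator") in SILENT_LOGIN_EXECUTIONS
              and e["requirement"] == "ALTERNATIVE"]

    for e in restrict:
        if e["requirement"] != "REQUIRED":
            findings.append(f"{alias}: restrict authenticator is {e['requirement']}, expected REQUIRED")
    if restrict and silent:
        names = ", ".join(e["authenticator"] for e in silent)
        findings.append(f"{alias}: restrict authenticator shares a level with ALTERNATIVE {names}; "
                        "group the alternatives in a sub-flow that precedes it")

    for e in execs:
        if e.get("authenticatorFlow"):
            findings.extend(lint_flow(realm, e["flowAlias"], top_level=False))
    return findings


def execution(authenticator=None, flow_alias=None, requirement="REQUIRED", priority=10):
    """Build one authenticationExecutions entry in realm-export shape."""
    if flow_alias is not None:
        return {"flowAlias": flow_alias, "requirement": requirement,
                "priority": priority, "authenticatorFlow": True}
    return {"authenticator": authenticator, "requirement": requirement,
            "priority": priority, "authenticatorFlow": False}


# Constructed: a copied browser flow with the authenticator appended at the end.
COPIED_FLOW_REALM = {"authenticationFlows": [
    {"alias": "Copy of browser", "topLevel": True, "authenticationExecutions": [
        execution("auth-cookie", requirement="ALTERNATIVE", priority=10),
        execution("identity-provider-redirector", requirement="ALTERNATIVE", priority=25),
        execution(flow_alias="Copy of browser forms", requirement="ALTERNATIVE", priority=30),
        execution(RESTRICT_AUTHENTICATOR, requirement="REQUIRED", priority=40)]},
    {"alias": "Copy of browser forms", "topLevel": False, "authenticationExecutions": [
        execution("auth-username-password-form", requirement="REQUIRED", priority=10)]}]}

# Constructed: assumed corrected layout, alternatives grouped before the REQUIRED check.
WRAPPED_FLOW_REALM = {"authenticationFlows": [
    {"alias": "Restricted browser", "topLevel": True, "authenticationExecutions": [
        execution(flow_alias="Restricted browser login", requirement="REQUIRED", priority=10),
        execution(RESTRICT_AUTHENTICATOR, requirement="REQUIRED", priority=20)]},
    {"alias": "Restricted browser login", "topLevel": False, "authenticationExecutions": [
        execution("auth-cookie", requirement="ALTERNATIVE", priority=10),
        execution("identity-provider-redirector", requirement="ALTERNATIVE", priority=20),
        execution(flow_alias="Restricted browser forms", requirement="ALTERNATIVE", priority=30)]},
    {"alias": "Restricted browser forms", "topLevel": False, "authenticationExecutions": [
        execution("auth-username-password-form", requirement="REQUIRED", priority=10)]}]}


if __name__ == "__main__":
    for realm, alias in ((COPIED_FLOW_REALM, "Copy of browser"),
                         (WRAPPED_FLOW_REALM, "Restricted browser")):
        print(alias, "->", lint_flow(realm, alias) or "no findings")
```

To run it against a real export, load the realm JSON with `json.load` and pass the alias bound as the realm's browser flow; the Cookie and IdP Redirector provider ids are Keycloak's built-in ones, while the restrict authenticator id must be replaced with the value from the extension's own documentation.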

wtj1206 commented 3 weeks ago

Thank you very much for your feedback; the preliminary test has passed. Sorry, I am not familiar with the Keycloak process.