travisghansen / external-auth-server

easy auth for reverse proxies
MIT License

EAS + Keycloak - Logout #191

Open dnikoloski opened 1 month ago

dnikoloski commented 1 month ago

Hi

I am using EAS + Keycloak

EAS Config:

    ****-com-eas:
      aud: ****-com-eas
      eas:
        plugins:
          - type: oidc
            issuer:
              discover_url: "https://iam****.com/realms/Portal/.well-known/openid-configuration"

              issuer: "https://iam.****.com/realms/Portal"
              authorization_endpoint: "https://iam.****.com/realms/Portal/protocol/openid-connect/auth"

              token_endpoint: "https://iam.****.com/realms/Portal/protocol/openid-connect/token"
              userinfo_endpoint: "https://iam.****.com/realms/Portal/protocol/openid-connect/userinfo"
              jwks_uri: "https://iam.****.com/realms/Portal/protocol/openid-connect/certs"

            client:
              client_id: ****-com-eas
              client_secret: j********************B

              registration_client_uri: "https://iam.****.com/realms/Portal/clients-registrations/openid-connect/portal-eas"
              registration_access_token: "eyJ*********************************************************************************************************************************************************************************************************************************************H2s"

            scopes:
              - openid
              - email
              - profile

            custom_authorization_parameters: { }
            custom_authorization_code_parameters: { }
            custom_refresh_parameters: { }
            custom_revoke_parameters: { }

            redirect_uri: "https://auth.****.com/oauth/callback"

            features:
              cookie_expiry: false
              userinfo_expiry: true
              session_expiry: true
              session_expiry_refresh_window: 86400
              session_retain_id: true
              refresh_access_token: true
              fetch_userinfo: true
              introspect_access_token: false
              introspect_expiry: 0

              authorization_token: access_token

              filtered_service_headers: [ ]

              logout:
                revoke_tokens_on_logout: ["refresh_token", "access_token", "id_token"]
                end_provider_session:
                  enabled: false
                  post_logout_redirect_uri: "https://auth.****.com/oauth/end-session-redirect"

                backchannel:
                  enabled: false

            assertions:
              exp: true
              nbf: true
              iss: true
              userinfo: [ ]
              id_token: [ ]
              access_token: [ ]

            xhr:
              redirect_http_code: 401
              use_referer_as_redirect_uri: true

            csrf_cookie:
              enabled: true
              domain: "****.com"
              path: /
              httpOnly: true
              secure: true
              sameSite: none

            cookie:
              name: corex-iam-session
              domain: "****.com"
              path: /
              httpOnly: true
              secure: true
              sameSite: none

            custom_error_headers:
              Access-Control-Allow-Origin:
                source: req
                query_opts:
                  single_value: true
                query_engine: jp
                query: "$.headers.origin"

              Access-Control-Allow-Credentials:
                source: static
                query_engine: static
                query: true

              Access-Control-Allow-Headers:
                source: static
                query_engine: static
                query: "location, x-pagination"

              Access-Control-Expose-Headers:
                source: static
                query_engine: static
                query: "location, x-pagination"

            custom_service_headers: { }

My front-end has a Logout button that calls: https://{{ .Values.web.domain }}/api?__eas_oauth_handler__=logout&redirect_uri=https://{{ .Values.web.domain }}. While the call itself works, I am not redirected immediately to the Keycloak login page but am getting a 302 error (I still stay on the front-end) in the console. I have to refresh the front-end page to be redirected to Keycloak...

I am assuming that there should be an await somewhere?

travisghansen commented 1 month ago

Welcome! That’s a pretty great config you have! I love to see folks using the advanced features :)

Is the logout button executing an xhr/ajax request? Or is it sending the browser to the logout URL directly?

dnikoloski commented 1 month ago

Thanks, we are trying to squeeze out the best stuff of it.

We are currently sending the browser to the logout URL directly...

travisghansen commented 1 month ago

Then my guess is you need to URL-encode the redirect URI. The logs of EAS and/or the HAR from the browser (make sure to cleanse anything sensitive, and you may email it vs. attaching it on GitHub) would be helpful to see what the browser is doing and what EAS is doing.

Alternatively a screenshare/call would be fine as well. Again just email me and we can sort out details if you wish.
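Added example (not code from external-auth-server or from either commenter): it builds the `__eas_oauth_handler__=logout` URL with a percent-encoded `redirect_uri`, shows how a query-string parser sees the unencoded form from the report, and triggers the logout as a top-level navigation rather than an XHR. The API origin and app URL are constructed placeholder values.

```javascript
// Constructed sample values (not from the issue). The app URL deliberately
// carries its own query string so the encoding problem becomes visible.
const API_ORIGIN = "https://api.example.com";
const APP_URL = "https://app.example.com/?tab=home&x=1";

// Build the EAS logout URL; URLSearchParams percent-encodes ':' '/' '?' '&' '='
// inside redirect_uri, so it survives as one parameter on the EAS side.
function buildLogoutUrl(apiOrigin, redirectUri) {
  const url = new URL("/api", apiOrigin);
  url.searchParams.set("__eas_oauth_handler__", "logout");
  url.searchParams.set("redirect_uri", redirectUri);
  return url.toString();
}

// What a standards-compliant query parser (such as the one in front of EAS's
// handler) extracts as redirect_uri from a given logout URL.
function parsedRedirectUri(logoutUrl) {
  return new URL(logoutUrl).searchParams.get("redirect_uri");
}

// Naive string concatenation, as in the original report: the '&x=1' part of
// the app URL is split off into a separate parameter and redirect_uri is cut
// short, so the post-logout redirect goes to the wrong place.
const NAIVE_LOGOUT_URL =
  `${API_ORIGIN}/api?__eas_oauth_handler__=logout&redirect_uri=${APP_URL}`;

// Logout must be a top-level navigation: the browser then follows the 302
// chain (EAS -> Keycloak) and the session cookie is cleared for the page
// itself. A fetch()/XHR follows the 302s in the background and the visible
// page never moves. `win` is injected so the function can be tested without
// a real browser window.
function logout(win, apiOrigin, redirectUri) {
  const target = buildLogoutUrl(apiOrigin, redirectUri);
  win.location.assign(target);
  return target;
}
```

In a browser, call `logout(window, API_ORIGIN, APP_URL)` from the button's click handler.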