Invalid redirect uri

[Prashanth Bachu]

Hello Team,

I am running cbioportal using docker deployment and authenticating its users with keycloak. I was able to successfully run the cbioportal with keycloak authentication when I was not configured SSL. Now I am configured them to use secure port 443 (cbioportal) and 444 (keycloak) and the portal is not running and it gives error invalid redirect uri. I have tried all possible ways but it did not workout.  Please find the details below and help to resolve the issue.


Keycloak Logs:
21:10:35,467 WARN  [org.apache.jcp.xml.dsig.internal.dom.DOMReference] (default task-1) The input bytes to the digest operation are null. This may be due to a problem with the Reference URI or its Transforms.
21:10:35,663 WARN  [org.keycloak.events] (default task-1) type=LOGIN_ERROR, realmId=cbioportal, clientId=null, userId=null, ipAddress=172.19.20.55, error=invalid_redirect_uri
root@cras-dev:/home/cbio/cbioportal-staging#

Docker-compose.yml:
version: '3'

networks:
  default:
    external: true
    name: cbio-net


services:

  # Keycloak and PostgreSQL start

  postgres-latest:
    image: postgres:latest
    container_name: postgres_latest
    restart: unless-stopped
    volumes:
      - ./keycloak_postgres_data:/var/lib/postgresql/data
    environment:
      POSTGRES_DB: keycloak
      POSTGRES_USER: ${KEYCLOAK_DB_USER}
      POSTGRES_PASSWORD: ${KEYCLOAK_DB_PASSWORD} # same as keycloak:environment:db_password
      PGUSER: keycloak
    ports:
      - "5432:5432"
    healthcheck:
      test: ["CMD-SHELL", "pg_isready"]
      interval: 10s
      timeout: 5s
      retries: 5
  keycloak-latest:
    image: keycloak:latest
    container_name: keycloak_latest
    volumes:
     - ./keycloak/kcr_theme/:/opt/jboss/keycloak/themes/kcr_theme/:rw
     - ./keycloak-duo-spi.jar:/opt/jboss/keycloak/standalone/deployments/keycloak-duo-spi.jar
    restart: unless-stopped
    depends_on:
      postgres-latest:
        condition: service_healthy
    ports:
      - "8180:8080" #set up fpr testing
        #   command: ["-Dkeycloak.profile.feature.upload_scripts=enabled"]
    environment:
      DB_VENDOR: POSTGRES
      DB_ADDR: postgres-latest
      DB_DATABASE: keycloak
      DB_USER: ${KEYCLOAK_DB_USER}
      DB_SCHEMA: public
      DB_PASSWORD: ${KEYCLOAK_DB_PASSWORD}
      #KEYCLOAK_USER: ${KEYCLOAK_USER}
      #KEYCLOAK_PASSWORD: ${KEYCLOAK_PASSWORD}
      PROXY_ADDRESS_FORWARDING: "true"
      REDIRECT_SOCKET: "proxy-https"


   # Keycloak and PostgreSQL end


  apache:
          #image: httpd:2.4.47
    image: httpd:latest1
    container_name: cbio-apache
    restart: unless-stopped
    ports:
      - "80:80"
      - "443:443" # cBioPortal
      - "444:444" # Keycloak
    volumes:
      - ./apache/httpd.conf:/usr/local/apache2/conf/httpd.conf:rw
      - /etc/ssl/certs/kcr_wildcard.kcr.uky.edu_internal.cer:/usr/local/apache2/conf/server.crt:rw
      - /etc/ssl/private/kcr_wildcard.kcr.uky.edu_internal.key:/usr/local/apache2/conf/server.key:rw
      - ./apache/extra/httpd-vhosts.conf:/usr/local/apache2/conf/extra/httpd-vhosts.conf:rw
      - ./apache/extra/httpd-ssl.conf:/usr/local/apache2/conf/extra/httpd-ssl.conf:rw

  cbioportal-latest:
    restart: unless-stopped
    image: cbioportal/cbioportal:latest
    container_name: cbioportal_container_latest
    environment:
      SHOW_DEBUG_INFO: "true"
      PORTAL_HOME: "/cbioportal-webapp"
      #entrypoint: "/bin/sh"
      # ports:
      # - "8080:8080"
    volumes:
     - ./study:/study/
     - ./config/application.properties:/cbioportal-webapp/application.properties:ro
     - ./saml/client-tailored-saml-idp-metadata.xml:/cbioportal-webapp/client-tailored-saml-idp-metadata.xml:ro
     - ./saml/local.crt:/cbioportal-webapp/local.crt:ro
     - ./saml/local.key:/cbioportal-webapp/local.key:ro
       #- ./config/samlKeystore.jks:/cbioportal-webapp/samlKeystore.jks:ro

    depends_on:
     - cbioportal-database-latest
     - cbioportal-session-latest
    # TODO: servlet-api should be excluded from deps in mvn, the removal below is just a quick fix
    # This might be helpful: https://stackoverflow.com/questions/36233626

    # command: /bin/sh -c "rm -rf /cbioportal-webapp/lib/servlet-api-2.5.jar && java -Xms2g -Xmx4g -cp '/cbioportal-webapp:/cbioportal-webapp/lib/*' org.cbioportal.PortalApplication --spring.config.location=cbioportal-webapp/application.properties --authenticate=saml --session.service.url=http://cbioportal-session-latest:5001/api/sessions/my_portal/"

    command: /bin/sh -c "rm -rf /cbioportal-webapp/lib/servlet-api-2.5.jar && java -Xms2g -Xmx4g -cp '/cbioportal-webapp:/cbioportal-webapp/lib/*' org.cbioportal.PortalApplication --spring.config.location=cbioportal-webapp/application.properties --authenticate=saml --session.service.url=http://cbioportal-session-latest:5001/api/sessions/my_portal/"

  cbioportal-database-latest:
    restart: unless-stopped
    image: mysql:latest
    container_name: cbioportal_database_container_latest
    environment:
      MYSQL_DATABASE: cbioportal
      MYSQL_USER: ${DB_MYSQL_USERNAME}
      MYSQL_PASSWORD: ${DB_MYSQL_USERNAME}
      MYSQL_ROOT_PASSWORD: ${DB_MYSQL_USERNAME}
    volumes:
     - ./data/cgds.sql:/docker-entrypoint-initdb.d/cgds.sql:ro
     - ./data/seed.sql.gz:/docker-entrypoint-initdb.d/seed.sql.gz:ro
     - ./cbioportal_mysql_data:/var/lib/mysql
    command: --local-infile=1
  cbioportal-session-latest:
    restart: unless-stopped
    image: cbioportal/session-service:latest
     # ${DOCKER_IMAGE_SESSION_SERVICE}
    container_name: cbioportal_session_container_latest
    environment:
      SERVER_PORT: 5001
      JAVA_OPTS: -Dspring.data.mongodb.uri=mongodb://cbioportal-session-database-latest:27017/session-service
    depends_on:
      - cbioportal-session-database-latest
  cbioportal-session-database-latest:
    restart: unless-stopped
    image: mongo:latest
    container_name: cbioportal_session_database_latest
    environment:
      MONGO_INITDB_DATABASE: session_service
    volumes:
      - ./cbioportal_mongo_data:/data/db


volumes:
  cbioportal_mysql_data:
  cbioportal_mongo_data:
  keycloak_postgres_data:

Keycloak client configuration:

Regards,

Prashanth.

[Ruslan Forostianov]

Hi Prashanth,

Thank you for your email. Do you know the actual invalid url application asks to redirect? It can give you a clue about which part of the configuration to change.

To find out the redirect url you might want to use the network tab of the browser or the saml-tracer.

Regards,

Ruslan

--
You received this message because you are subscribed to the Google Groups "cBioPortal for Cancer Genomics Discussion Group" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cbioportal+...@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/cbioportal/57908b23-e0be-444b-8bda-806aadd88344n%40googlegroups.com.

[Prashanth Bachu]

Hi Ruslan,

Thanks for your response. I am not aware about invalid url that you are telling about. But my url in which my cbioportal running is https://cras-dev.krc.uky.edu:443 and keycloak is running at https://cras-dev.kcr.uky:444 . I tried to find the network tabs and below is what I can see.

SAML Configuration:

authenticate=saml
spring.security.saml2.relyingparty.registration.cbio-saml-idp.assertingparty.metadata-uri=classpath:/client-tailored-saml-idp-metadata.xml
spring.security.saml2.relyingparty.registration.cbio-saml-idp.entity-id=cbioportal
spring.security.saml2.relyingparty.registration.cbio-saml-idp.signing.credentials[0].certificate-location=classpath:/local.crt
spring.security.saml2.relyingparty.registration.cbio-saml-idp.signing.credentials[0].private-key-location=classpath:/local.key
spring.security.saml2.relyingparty.registration.cbio-saml-idp.singlelogout.binding=POST
saml.idp.metadata.attribute.email=email
spring.security.oauth2.allowed-clock-skew=
security.cors.allowed-origins=*
logging.level.org.springframework.security.saml2=DEBUG
saml.custom.userservice.class=org.cbioportal.security.spring.authentication.keycloak.SAMLUserDetailsServiceImpl
saml.logout.url=/
always_show_study_group=PUBLIC
filter_groups_by_appname=false
# Can disable authorization
security.method_authorization_enabled=true


Please find the above details and try to provide solution to this issue.

Thanks a lot,

Prashanth Bachu

[Ruslan Forostianov]

Hi Prashanth,

Check the payload of the post call. It should contain actual redirect URI in RelayState property.

Compare it with Valid Redirect URIs.

I hope it helps.

Regards,

Ruslan

[Prashanth Bachu]

Hi Ruslan,

Thanks for your solution. I was able to resolve the issue by adding   server.forward-headers-strategy=NATIVE   line in application.properties. Here is the link to detailed explanation which might be useful for someone  Embedded Web Servers :: Spring Boot

Now I can successfully authenticate and login to cbioportal application. I was doing all kinds of testing and noticed when I do logout and login again I am getting Error 400: Invalid request. Please see the below snapshot and help me to resolve the issue.

Regards,

Prashanth Bachu