Infinite loop redirection with OIDC and MITREid server


Tam Nguyen Van

Aug 31, 2017, 5:40:46 AM
to Pac4j users mailing list
Hello,

I am doing a demo of SSO using the OpenID Connect protocol. I use MITREid Connect Server as the OP (IdP, OpenID Provider). I use Spring Boot to implement the client, and I use spring-security-pac4j and pac4j-oidc. Below are the dependencies I added to the pom:

    <dependency>
        <groupId>org.pac4j</groupId>
        <artifactId>spring-security-pac4j</artifactId>
        <version>3.0.0</version>
    </dependency>

    <dependency>
        <groupId>org.pac4j</groupId>
        <artifactId>pac4j-oidc</artifactId>
        <version>2.1.0</version>
    </dependency>
 
Below is my configuration for client:
    @Bean
    public Config config() {
        final OidcConfiguration oidcConfiguration = new OidcConfiguration();
        oidcConfiguration.setClientId("client-id-1");
        oidcConfiguration.setSecret("secret-1");
        oidcConfiguration.setScope("openid email profile");
        oidcConfiguration.setResponseType("id_token token");
        oidcConfiguration.setUseNonce(true);
        oidcConfiguration.setDiscoveryURI("https://192.168.7.90:8443/openid-connect-server-webapp/.well-known/openid-configuration");

        final OidcClient oidcClient = new OidcClient(oidcConfiguration);
        oidcClient.setIncludeClientNameInCallbackUrl(false);
        final Clients clients = new Clients("https://192.168.7.40:8443/", oidcClient);
        final Config config = new Config(clients);

        return config;
    }



I got an infinite redirection loop after authentication and consent. That is, after authentication and consent on the OP, the OP redirects me to the client, but the client redirects me to the OP again instead of going to the protected page. It makes a redirection loop. Can anyone tell me what I did wrong in my demo?

Any help is appreciated. Thanks.

Jérôme LELEU

Sep 2, 2017, 2:56:45 AM
to Tam Nguyen Van, Pac4j users mailing list
Hi,

The callback URL you use: final Clients clients = new Clients("https://192.168.7.40:8443/", oidcClient); should certainly be: final Clients clients = new Clients("https://192.168.7.40:8443/callback", oidcClient);

Thanks.
Best regards,
Jérôme


--
You received this message because you are subscribed to the Google Groups "Pac4j users mailing list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to pac4j-users+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Tam Nguyen Van

Sep 5, 2017, 4:49:25 AM
to Pac4j users mailing list, tam.n...@ntq-solution.com.vn
Why should it certainly be callback? I tried but still encountered the same problem.

Tam Nguyen Van

Sep 6, 2017, 12:03:53 AM
to Pac4j users mailing list
// This is my Security Config

    @EnableWebSecurity
    public class SecurityConfig {

        @Configuration
        @Order(2)
        public static class OidcWebSecurityConfigurationAdapter extends WebSecurityConfigurerAdapter {

            @Autowired
            private Config config;

            protected void configure(final HttpSecurity http) throws Exception {

                final SecurityFilter filter = new SecurityFilter(config, "OidcClient");
                final CallbackFilter callbackFilter = new CallbackFilter(config);
                callbackFilter.setMultiProfile(true);

                http
                    .antMatcher("/**")
                    .addFilterBefore(filter, BasicAuthenticationFilter.class)
                    .addFilterBefore(callbackFilter, BasicAuthenticationFilter.class)
                    .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.ALWAYS);
            }
        }
    }

Jérôme LELEU

Sep 6, 2017, 2:52:51 AM
to Tam Nguyen Van, Pac4j users mailing list
Hi,

Indeed, there is an issue in your configuration: the security filter is triggered BEFORE the callback filter, so you can never finish the login process as the security always kicks in before.

Switch the two filters in order: first, the callbackFilter then the filter.

Thanks.
Best regards,
Jérôme
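
The filter-ordering problem described in the reply above, as a small Python model added here (it is not pac4j or Spring code and not part of the original thread). The OP URL, the function names and the assumption that the callback filter only acts on the /callback path are constructed for illustration.

```python
# Constructed model of the redirect flow discussed in this thread (not pac4j code).
OP_AUTHORIZE = "https://op.example/authorize"  # placeholder OP endpoint (assumption)
CALLBACK_PATH = "/callback"                    # path the callback filter handles (assumption)

def security_filter(path, session):
    """Guards every path ("/**"): without a profile, send the browser to the OP."""
    if "profile" in session:
        return None                            # authenticated, let the request through
    session.setdefault("requested_url", path)  # remember where the user wanted to go
    return ("redirect", OP_AUTHORIZE)

def callback_filter(path, session):
    """Finishes the login, but only for requests that hit the callback path."""
    if path != CALLBACK_PATH:
        return None                            # not a callback, pass to the next filter
    session["profile"] = "validated-user"      # stands in for ID token validation
    return ("redirect", session.pop("requested_url", "/"))

def handle(path, session, chain):
    """Run the filters in order; the first one that answers ends the request."""
    for flt in chain:
        result = flt(path, session)
        if result is not None:
            return result
    return ("ok", path)

def browse(start, chain, op_returns_to=CALLBACK_PATH, max_hops=10):
    """Follow redirects like a browser; the OP always authenticates and sends
    the user back to the callback URL registered for the client."""
    session, path, hops = {}, start, 0
    while hops < max_hops:
        kind, target = handle(path, session, chain)
        hops += 1
        if kind == "ok":
            return ("served " + target, hops)
        path = op_returns_to if target == OP_AUTHORIZE else target
    return ("redirect loop", hops)

if __name__ == "__main__":
    # Order from the posted SecurityConfig: the callback request is bounced to the OP.
    print(browse("/protected", [security_filter, callback_filter]))
    # Order from the reply: callback first, then the security filter.
    print(browse("/protected", [callback_filter, security_filter]))
    # Correct order, but the OP returns to "/" as in the original Clients(...) URL.
    print(browse("/protected", [callback_filter, security_filter], op_returns_to="/"))
```

In this model the login only completes when the callback filter runs first and the OP returns the browser to the path that filter handles.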



Tam Nguyen Van

Sep 6, 2017, 5:36:57 AM
to Pac4j users mailing list
Thanks a lot, Sir!