OAuth2, Keycloak & Vert.x integration. Too many redirects


Igor Azarny

Apr 11, 2018, 4:39:37 PM
to vert.x
Hi all.

I have several Vaadin web apps which are successfully integrated with the Keycloak OAuth2 provider.

But when I try to secure /protected/page with the OAuth2 handler, the browser reports a "too many redirects" error after I provide the login and password on the Keycloak page. It happens because the Authorization header is not set; the check is located in AuthorizationAuthHandler#parseAuthorization.

Is this a bug in OAuth2AuthHandlerImpl, or am I missing something?

Vert.x version 3.5.1, Keycloak 3.4

HttpServer server = vertx.createHttpServer();

Router mainRouter = Router.router(vertx);

mainRouter.route().handler(CookieHandler.create());

SessionStore store = ClusteredSessionStore.create(vertx);
SessionHandler sessionHandler = SessionHandler.create(store);

mainRouter.route().handler(sessionHandler);

JsonObject keycloakJson = new JsonObject()
    .put("realm", "plumbum")
    .put("realm-public-key", "MIIBIjANBgkqhkiG9w0B....skipped")
    .put("auth-server-url", "http://localhost:8080/auth")
    .put("ssl-required", "external")
    .put("resource", "oxy-platform")
    .put("credentials",
        new JsonObject().put("secret", "8a0b19ee-86c2-4fcc-a912-df09523da19f"));

OAuth2Auth oAuth2 = KeycloakAuth.create(vertx, OAuth2FlowType.AUTH_CODE, keycloakJson);

OAuth2AuthHandler oAuth2AuthHandler = OAuth2AuthHandler.create(oAuth2, "http://localhost:28080");
oAuth2AuthHandler.setupCallback(mainRouter.get("/whatever"));
oAuth2AuthHandler.addAuthority("user:email");

mainRouter.route().handler(UserSessionHandler.create(oAuth2));

mainRouter.route("/protected/page").handler(oAuth2AuthHandler);
mainRouter.route("/protected/page").handler(rc -> {
    rc.response().end("Oops ... You never see me. Even with right credentials ");
});

mainRouter.route("/*").handler(StaticHandler.create());

server.requestHandler(mainRouter::accept).listen(port, host);

Cheers, Igor 

Paulo Lopes

Apr 12, 2018, 3:59:38 AM
It looks like your Keycloak config might be wrong: instead of sending the response code to your callback URL "/whatever", it is sending it to the "/protected" URL, so you enter an infinite loop. Can you show the configuration you used in Keycloak?

Igor Azarny

Apr 12, 2018, 3:22:05 PM
Yes, sure. 

The redirect sequence is the following:
  1. GET /protected is handled by OAuth2AuthHandler.
  2. The unauthenticated user is redirected to KC with callback URL /whatever; the user enters login and password and presses Enter (so a session is created in KC).
  3. OAuth2AuthHandlerImpl processes the callback and sends a 302 at line 209 to the /protected resource; this step is correct.
  4. /protected is checked first by OAuth2AuthHandlerImpl#parseCredentials, and the token at line 109 is null, so the request is redirected to KC.
  5. KC redirects to /whatever because the user is already authenticated. Jump to step 3.

happens from /whatever callback handler to 
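
The five-step sequence in the post above, as an added model that is not code from this thread, Vert.x or Keycloak: it follows redirects the way a browser would and shows that the chain ends only when the user established at the callback is still visible on the next request to the protected page. The class and method names, the /idp/authorize path, the constructed code, token and session id, and the 20-redirect cap are all assumptions made for illustration.

```java
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

// Hypothetical in-memory model of the app and identity provider; no real HTTP is involved.
public class RedirectLoopModel {
    static final int MAX_REDIRECTS = 20; // assumed browser cap before it reports the error

    // App-side state: session id -> token stored when the callback is processed.
    final Map<String, String> sessions = new HashMap<>();
    final boolean keepUserAfterCallback; // false models step 4, where the token is null

    RedirectLoopModel(boolean keepUserAfterCallback) {
        this.keepUserAfterCallback = keepUserAfterCallback;
    }

    // Returns the redirect target for a request, or null when the page is served.
    String handle(String url, String sessionId) {
        if (url.equals("/protected/page")) {            // steps 1 and 4
            return sessions.containsKey(sessionId) ? null : "/idp/authorize";
        }
        if (url.equals("/idp/authorize")) {             // steps 2 and 5: login, then silent
            return "/whatever?code=constructed-code";
        }
        // Step 3: the callback exchanges the code and sends the browser back.
        if (keepUserAfterCallback) sessions.put(sessionId, "constructed-token");
        return "/protected/page";
    }

    // Follows redirects like a browser and returns every URL requested, in order.
    static List<String> browse(boolean keepUserAfterCallback) {
        RedirectLoopModel app = new RedirectLoopModel(keepUserAfterCallback);
        List<String> visited = new ArrayList<>();
        String url = "/protected/page";
        while (url != null && visited.size() <= MAX_REDIRECTS) {
            visited.add(url);
            url = app.handle(url, "constructed-session-id");
        }
        if (url != null) visited.add("ERR_TOO_MANY_REDIRECTS");
        return visited;
    }

    public static void main(String[] args) {
        System.out.println("user kept after callback: " + browse(true));
        System.out.println("user lost after callback: " + browse(false));
    }
}
```

When comparing a real trace against this model, the request to check is the second one to the protected page: whether it carries the session cookie that was set before the callback, and whether the handler finds a user for that session.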


Paulo Lopes

Apr 13, 2018, 6:02:39 AM
Hi Igor,

Your code and configuration do not make sense with what you're describing, a get to "/protected" should return a 404 as your code protects: "/protected/page", your redirect to "/whatever" does not make sense as you configured it to redirect to "/*" (note that this is not a wildcard)...

Can you provide a full reproducer? I think either your code or your keycloak config are wrong but I can't say anything about it as both the code and config (you shared) do not let me get the same results you're experiencing.

Igor Azarny

Apr 13, 2018, 10:12:18 AM

Hi Paulo.
I think it is obvious that "/protected" was just shortened from "/protected/page".
The exported realm is attached, and a full reproducer as well.
Thanks, Igor
realm-export (1).json
redirects.zip

Paulo Lopes

Apr 13, 2018, 3:19:53 PM

Hi,


I just spun up your code, but since I couldn't import your config I just created a new client (see screenshots) and I can't reproduce; the app works as expected...


Juan Otero

May 22, 2018, 5:28:01 PM
Hi, I am having the same problem and I don't know if it's because I'm using Kotlin.


this is my oauth vertx setup:

var authProvider = KeycloakAuth.create(vertx, OAuth2FlowType.AUTH_CODE, JsonObject("{\n" +
    " \"realm\": \"cps\",\n" +
    " \"auth-server-url\": \"http://localhost:6080/auth\",\n" +
    " \"ssl-required\": \"external\",\n" +
    " \"resource\": \"cps-test\",\n" +
    " \"credentials\": {\n" +
    " \"secret\": \"b0f2c59e-b9d2-4cbc-805a-fefb9e44a690\"\n" +
    " },\n" +
    " \"use-resource-role-mappings\": true,\n" +
    " \"confidential-port\": 0\n" +
    "}"))
var oauth2 = OAuth2AuthHandler.create(authProvider, "http://localhost:8083")
oauth2.addAuthority("user")
oauth2.setupCallback(router.get("/callback"))
router.route("/secure/*").handler(oauth2)




and I'm getting these WARN messages


may 22, 2018 4:21:33 PM io.vertx.ext.auth.oauth2.impl.OAuth2TokenImpl
ADVERTENCIA: Cannot decode token:
java.lang.RuntimeException: Not enough or too many segments



this is my keycloak client setup


Juan Otero

May 23, 2018, 4:59:20 PM
Hi, I figured out that

router.route().handler(SessionHandler.create(LocalSessionStore.create(vertx)))

is the reason for the too many redirects. Now I'm facing a problem with URLs with parameters:



WARN: Non path segment is not considered: ?criteria=46936