[5.0.2] too many redirects #65

Open
nmwael opened this issue Dec 22, 2021 · 6 comments
Comments

nmwael commented Dec 22, 2021

When I try to access:
http://localhost:9999/auth
I get thrown towards:
http://localhost:9999/auth/realms/ccadmin/protocol/openid-connect/auth?response_type=code&client_id=ccadmin-backend&scope=openid%20profile&state=YiYSSxZKTuNByiRRb0WF0ExKsAp_fbSWcOQi6bccG3E%3D&redirect_uri=http://localhost:9999/login/oauth2/code/ccadmin&nonce=Dlsma9mE3foZUseTSua3TLe37IirZkO30Rw2X_wk6U4
Which then redirects towards:
http://localhost:9999/oauth2/authorization/ccadmin

So something is off, I have added
web.ignoring().antMatchers("/auth/**","/oauth2/**");
to my WebSecurityConfigurerAdapter as I am running with security on /api/**

I also find it a bit strange that when accessing http://localhost:9999/auth it mixes up my product realm (ccadmin) instead of master...

I had it working with keycloak 11.

nmwael commented Dec 23, 2021

It looks like it's any request that gets stuck in the endless redirect loop.

nmwael commented Dec 23, 2021

I've tried both embedded-keycloak-server-custom and embedded-keycloak-server-plain,

which do not go into the loop. But I can't log in to them; with password admin/admin it just says
2021-12-23 11:40:13.280 WARN 22228 --- [ XNIO-1 task-1] org.keycloak.events : type=LOGIN_ERROR, realmId=master, clientId=security-admin-console, userId=8845bd57-201b-4152-8cf9-79e60776428a, ipAddress=0:0:0:0:0:0:0:1, error=invalid_user_credentials, auth_method=openid-connect, auth_type=code, redirect_uri=http://localhost:8080/auth/admin/master/console/, code_id=d0f3f503-4cba-455a-afb9-53102f91ca68, username=admin, authSessionParentId=d0f3f503-4cba-455a-afb9-53102f91ca68, authSessionTabId=xvP-HGdMKSs

nmwael commented Jan 12, 2022

Could be related to the OAuth2 Spring integration.

Specifically redirectUri.

Snip of our config

  security:
    oauth2:
      client:
        registration:
          ccadmin:
            client-id: xxx
            client-name: xx
            client-secret: xx
            provider: keycloak
            authorization-grant-type: authorization_code
            scope: openid, profile
#            redirectUri: "{baseUrl}/login/oauth2/code/{registrationId}"
        provider:
          keycloak:
            authorization-uri: ${kc.realm-url}/protocol/openid-connect/auth
            jwk-set-uri: ${kc.realm-url}/protocol/openid-connect/certs
            token-uri: ${kc.realm-url}/protocol/openid-connect/token
            # would be cool if there was a end-session-uri to propagate logouts

            #  User info endpoint not needed since Keycloak uses self-contained value tokens
            #            user-info-uri: ${kc.realm-url}/protocol/openid-connect/userinfo
            user-name-attribute: preferred_username

nmwael commented Jan 12, 2022

Okay, it seems to have something to do with Spring Security, which runs autoconfiguration and protects everything. However, when I get to the admin console it just shows up blank,

With this in the dev console in Chrome or Edge:

chrome-error://chromewebdata/:1 Refused to display 'http://localhost:9999/' in a frame because it set 'X-Frame-Options' to 'deny'

C:/Users/nmw/.m2/repository/org/springframework/boot/spring-boot-autoconfigure/2.5.4/spring-boot-autoconfigure-2.5.4.jar!/org/springframework/boot/autoconfigure/security/servlet/UserDetailsServiceAutoConfiguration.class:52

    @Bean
    @ConditionalOnMissingBean(
        type = {"org.springframework.security.oauth2.client.registration.ClientRegistrationRepository"}
    )
    @Lazy
    public InMemoryUserDetailsManager inMemoryUserDetailsManager(SecurityProperties properties, ObjectProvider<PasswordEncoder> passwordEncoder) {
        User user = properties.getUser();
        List<String> roles = user.getRoles();
        return new InMemoryUserDetailsManager(new UserDetails[]{org.springframework.security.core.userdetails.User.withUsername(user.getName()).password(this.getOrDeducePassword(user, (PasswordEncoder)passwordEncoder.getIfAvailable())).roles(StringUtils.toStringArray(roles)).build()});
    }

nmwael commented Jan 12, 2022

I've tried this in my security config, but it does not affect the X-FRAME issue:

        http.headers()
                .frameOptions()
                .sameOrigin().and().cors()
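One way to wire the two things this thread turns on, keeping the embedded Keycloak paths out of Spring Security while still protecting /api/**, and relaxing the X-Frame-Options header that Spring Security adds by default, in a single WebSecurityConfigurerAdapter. This is an added example, not code from the issue or from the project; the class and package names are hypothetical, the /api/** and /auth/** paths, the ccadmin registration and the WebSecurityConfigurerAdapter base class come from the thread, and the logout handler is a Spring Security feature the thread only wishes for (the "end-session-uri" comment in the config snippet), so it is an assumption about what the reporter wanted rather than something the thread configures.

```java
package example.security; // hypothetical package, not from the issue

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.oauth2.client.oidc.web.logout.OidcClientInitiatedLogoutSuccessHandler;
import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;

@Configuration
@EnableWebSecurity
public class ApiSecurityConfig extends WebSecurityConfigurerAdapter { // hypothetical class name

    // Built by Spring Boot from spring.security.oauth2.client.registration.* (the
    // "ccadmin" registration in the snippet above).
    private final ClientRegistrationRepository clientRegistrations;

    public ApiSecurityConfig(ClientRegistrationRepository clientRegistrations) {
        this.clientRegistrations = clientRegistrations;
    }

    @Override
    public void configure(WebSecurity web) {
        // The embedded Keycloak servlet owns everything under /auth/** (realm endpoints,
        // admin console, its own login pages). Ignoring it keeps those requests out of
        // the Spring Security filter chain entirely, so they can never be bounced into
        // oauth2Login. Ignored paths also receive none of Spring Security's header
        // writers (no X-Frame-Options, no HSTS); Keycloak has to set its own there.
        //
        // /oauth2/** is deliberately NOT ignored: /oauth2/authorization/{registrationId}
        // is Spring's own entry point for the authorization_code flow. If that path is
        // bypassed, the filter that builds the authorization request never runs.
        web.ignoring().antMatchers("/auth/**");
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // RP-initiated logout: after the local session ends, send the browser to the
        // provider's end_session_endpoint so the Keycloak session ends as well.
        OidcClientInitiatedLogoutSuccessHandler logoutHandler =
                new OidcClientInitiatedLogoutSuccessHandler(clientRegistrations);
        logoutHandler.setPostLogoutRedirectUri("{baseUrl}"); // where the browser lands afterwards

        http
            .authorizeRequests(authz -> authz
                // Only the API requires a session. Everything else is reachable without
                // one, so an unauthenticated hit on a non-API URL never starts the
                // authorization_code dance that produced the loop in this thread.
                .antMatchers("/api/**").authenticated()
                .anyRequest().permitAll())
            .oauth2Login(Customizer.withDefaults())
            .logout(logout -> logout.logoutSuccessHandler(logoutHandler))
            // Spring Security sends X-Frame-Options: DENY by default. sameOrigin is the
            // narrowest setting that still lets a page on this host frame another page on
            // this host; prefer it to disable(), which drops the header altogether.
            .headers(headers -> headers.frameOptions().sameOrigin());
    }
}
```

Two things worth checking if the header still comes back as `deny` after a change like this. First, Spring Security only learns the provider's `end_session_endpoint` from OIDC discovery, so the logout handler above needs the provider to be configured with `issuer-uri`; the snippet in this thread spells out `authorization-uri`, `token-uri` and `jwk-set-uri` by hand instead, and with that form the handler has no endpoint to redirect to and falls back to the post-logout URI. Second, the header is written by whichever filter chain actually serves the framed URL (here `http://localhost:9999/`), so if a second chain exists alongside this adapter, for instance one that only matches `/api/**`, the `sameOrigin()` setting has to live on the chain that matches `/`; requesting that URL directly with the browser's network panel (or `curl -I`) and reading the response headers tells you which chain answered.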

@gao624213771

> When I try to access: http://localhost:9999/auth I get thrown towards: http://localhost:9999/auth/realms/ccadmin/protocol/openid-connect/auth?response_type=code&client_id=ccadmin-backend&scope=openid%20profile&state=YiYSSxZKTuNByiRRb0WF0ExKsAp_fbSWcOQi6bccG3E%3D&redirect_uri=http://localhost:9999/login/oauth2/code/ccadmin&nonce=Dlsma9mE3foZUseTSua3TLe37IirZkO30Rw2X_wk6U4 Which then redirects towards: http://localhost:9999/oauth2/authorization/ccadmin
>
> So something is off, I have added web.ignoring().antMatchers("/auth/**","/oauth2/**"); to my WebSecurityConfigurerAdapter as I am running with security on /api/**
>
> I also find it a bit strange that when accessing http://localhost:9999/auth it mixes up my product realm (ccadmin) instead of master...
>
> I had it working with keycloak 11.

Brother, did you succeed in clustering?
