Successful Oauth Login Immediately Redirects #56

nullmonk opened this issue Feb 3, 2024 · 4 comments

Comments


nullmonk commented Feb 3, 2024

After successfully getting a login from an OAuth2 authentication server, the security plugin is immediately issuing a redirect back to login. This prevents the user from ever seeing pages despite having a valid AUTHP_SESSION_ID.

```
caddy-1  | {"level":"debug","ts":1706948842.724188,"logger":"security","msg":"decoded claims from OAuth 2.0 authorization server access token","request_id":"cd00a88e-52c4-4cde-80b4-dc27028ffe32","claims":{"email":"[email protected]","exp":1706948902,"iat":1706948842,"iss":"https://keycloak.localhost/realms/master","jti":"3fd3becd-e86d-4f4c-9715-771f7178704e","sub":"5dec20e6-fd69-4e85-bb8a-7d5e84897fc6"}}
caddy-1  | {"level":"info","ts":1706948842.724215,"logger":"security","msg":"Successful login","session_id":"svxpPgaTQRaqpQE4c2qcBU1EXmusMmR2wbIs","request_id":"cd00a88e-52c4-4cde-80b4-dc27028ffe32","auth_method":"oauth2","auth_realm":"keycloak","user":{"email":"[email protected]","exp":1706948902,"iat":1706948842,"iss":"https://keycloak.localhost/realms/master","jti":"3fd3becd-e86d-4f4c-9715-771f7178704e","sub":"5dec20e6-fd69-4e85-bb8a-7d5e84897fc6"}}
caddy-1  | {"level":"debug","ts":1706948842.724238,"logger":"security","msg":"user transformation ended","session_id":"svxpPgaTQRaqpQE4c2qcBU1EXmusMmR2wbIs","request_id":"cd00a88e-52c4-4cde-80b4-dc27028ffe32","user":{"addr":"172.18.0.1","email":"[email protected]","exp":1706952442,"iat":1706948842,"iss":"https://auth.localhost/oauth2/keycloak/","jti":"svxpPgaTQRaqpQE4c2qcBU1EXmusMmR2wbIs","nbf":1706948782000,"origin":"keycloak","realm":"keycloak","roles":["authp/user"],"sub":"5dec20e6-fd69-4e85-bb8a-7d5e84897fc6"}}
caddy-1  | {"level":"info","ts":1706948842.7243025,"logger":"security","msg":"Successful login","session_id":"svxpPgaTQRaqpQE4c2qcBU1EXmusMmR2wbIs","request_id":"cd00a88e-52c4-4cde-80b4-dc27028ffe32","backend":{"name":"keycloak","realm":"keycloak","method":"oauth"},"user":{"addr":"172.18.0.1","email":"[email protected]","exp":1706952442,"iat":1706948842,"iss":"https://auth.localhost/oauth2/keycloak/","jti":"svxpPgaTQRaqpQE4c2qcBU1EXmusMmR2wbIs","nbf":1706948782000,"origin":"keycloak","realm":"keycloak","roles":["authp/user"],"sub":"5dec20e6-fd69-4e85-bb8a-7d5e84897fc6"}}
caddy-1  | {"level":"debug","ts":1706948842.7278128,"logger":"security","msg":"Redirect served","session_id":"xotKDNpvd5QpjsnGgkylffEt3oY3ADNJarnhebO","request_id":"b8be8999-7b36-4436-bc90-d9b5152ca198","redirect_url":"https://auth.localhost/login","status_code":302}
```

Caddyfile:
```
{
	debug
	order authenticate before respond
	order authorize before basicauth
	security {
		oauth identity provider keycloak {
			driver generic
			realm keycloak
			client_id caddy
			client_secret 0ke2N2HmGSyaXCBHQErO1SqKHHY7b6fR
			scopes openid profile email
			metadata_url http://keycloak:8080/realms/master/.well-known/openid-configuration
			delay_start 2
		}

		authentication portal myportal {
			crypto default token lifetime 3600
			crypto key sign-verify secretsecret
			enable identity provider keycloak
			cookie domain localhost
			ui {
				links {
					"My Identity" "/whoami" icon "las la-user"
				}
			}
			transform user {
				match origin keycloak
				action add role authp/user
			}
		}

		authorization policy mypolicy {
			set auth url https://auth.localhost/
			allow roles authp/admin authp/user
			crypto key verify secretsecret
		}
	}
}

keycloak.localhost {
	reverse_proxy http://keycloak:8080
}

auth.localhost {
	authenticate with myportal
}

localhost {
	authorize with mypolicy
	respond "Hello World"
}
```

docker-compose.yml:
```yaml
version: "3"
services:
  keycloak:
    ports:
      - 8080:8080
    environment:
      - KEYCLOAK_ADMIN=admin
      - KEYCLOAK_ADMIN_PASSWORD=admin
      - PROXY_ADDRESS_FORWARDING=true
      - KC_PROXY=edge
      - KC_HOSTNAME_URL=https://keycloak.localhost/
    image: quay.io/keycloak/keycloak:23.0.6
    command: start-dev
  caddy:
    image: ghcr.io/authp/authp:beta
    ports:
      - 443:443
    volumes:
      - ./caddy/:/etc/caddy/
```


greenpau commented Feb 3, 2024

@micahjmartin , that may happen when you use http.


greenpau commented Feb 3, 2024

Also, read up on delayed start in the docs. You may want to add that directive.


greenpau commented Feb 3, 2024

If you do use http, please see cookie insecure directive.


nullmonk commented Feb 3, 2024

> @micahjmartin , that may happen when you use http.

There shouldn't be any http requests; setting KC_HOSTNAME_URL overrides all the URLs in openid-configuration to be HTTPS, which are then passed to the browser. I can confirm too that the browser is using HTTPS when it is hitting both keycloak and caddy. The only reason metadata_url is hitting the private route is because the certificates are self-signed by caddy and the client used to collect the metadata_url does not trust the caddy certificate.

> Also, read up on delayed start in the docs. You may want to add that directive.

I have `delay_start 2` in my Caddyfile above; sorry, the indentation was messed up.
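A small triage helper for threads like this one, added here as an example (it is not part of the issue or of the caddy-security project). It parses the security-logger JSON lines quoted above and flags the pattern they show: a "Successful login" followed almost immediately by a 302 to `/login` under a *different* session_id, which means the browser never presented the cookie it was just issued. The second function checks the two cookie rules that explain that symptom in practice, the RFC 6265 Domain match and the Secure attribute that greenpau's http remark refers to; the assumption that the portal marks its cookie Secure unless `cookie insecure on` is set is mine, and the sample log is constructed with shortened ids.

```python
import json

# Constructed sample in the shape of the log lines quoted above (ids shortened).
SAMPLE_LOG = """\
caddy-1  | {"level":"info","ts":1706948842.72,"logger":"security","msg":"Successful login","session_id":"svxpPgaTQRaq","request_id":"cd00a88e"}
caddy-1  | {"level":"debug","ts":1706948842.73,"logger":"security","msg":"Redirect served","session_id":"xotKDNpvd5Qp","request_id":"b8be8999","redirect_url":"https://auth.localhost/login","status_code":302}
caddy-1  | {"level":"info","ts":1706948900.10,"logger":"security","msg":"Successful login","session_id":"AAAAgoodsess","request_id":"11111111"}
caddy-1  | {"level":"debug","ts":1706948900.20,"logger":"security","msg":"Redirect served","session_id":"AAAAgoodsess","request_id":"22222222","redirect_url":"https://localhost/","status_code":302}
"""

def parse_records(text):
    """Yield JSON records of the 'security' logger; the docker-compose
    prefix ("caddy-1  | ") is skipped by starting at the first '{'."""
    for raw in text.splitlines():
        start = raw.find("{")
        if start < 0:
            continue
        try:
            rec = json.loads(raw[start:])
        except json.JSONDecodeError:
            continue
        if rec.get("logger") == "security":
            yield rec

def find_login_loops(text, window=5.0):
    """Flag a 'Successful login' followed within `window` seconds by a 302 back
    to a /login URL that carries a different session id: the portal issued a
    session, but the next request arrived without that cookie."""
    logins, loops = [], []
    for rec in parse_records(text):
        if rec.get("msg") == "Successful login":
            logins.append(rec)
        elif (rec.get("msg") == "Redirect served" and rec.get("status_code") == 302
              and rec.get("redirect_url", "").rstrip("/").endswith("/login")):
            for login in logins:
                if (0 <= rec.get("ts", 0.0) - login.get("ts", 0.0) <= window
                        and login.get("session_id") != rec.get("session_id")):
                    loops.append({"login_session": login["session_id"],
                                  "redirect_session": rec["session_id"],
                                  "redirect_url": rec["redirect_url"]})
    return loops

def cookie_would_be_sent(cookie_domain, secure, scheme, host):
    """RFC 6265 domain-match (host equals the Domain or is a subdomain of it)
    plus the Secure rule: a Secure cookie is never sent over plain http.
    Assumption: the portal sets Secure unless `cookie insecure on` is used."""
    domain_ok = host == cookie_domain or host.endswith("." + cookie_domain)
    return domain_ok and (scheme == "https" or not secure)
```

Run `find_login_loops(SAMPLE_LOG)` against a real `docker compose logs caddy` capture; an empty result with the loop still happening points away from the cookie and towards the authorization policy instead.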
