
Strip 'iss' query param from the redirect URL for Keycloak auth flow #3859

Merged
merged 2 commits into from
Aug 6, 2024

Conversation

mayorova
Contributor

@mayorova mayorova commented Jul 31, 2024

What this PR does / why we need it:

Since version 23 Keycloak (RHBK) adds an iss query parameter to the authentication response, see https://www.keycloak.org/docs/latest/upgrading/index.html#migrating-to-23-0-0

The result of this is that the 3scale client included this iss value in the redirect_uri when fetching the access token, which in turn caused an error:

{"error":"invalid_grant","error_description":"Incorrect redirect_uri"}

This PR only removes the iss from the redirect URI when forming the access token request. Ideally, we would need to also verify the value of the iss parameter to make sure it is exactly the same as the Realm URL specified in the SSO configuration. See 2.4. Validating the Issuer Identifier in RFC 9207.

Which issue(s) this PR fixes

https://issues.redhat.com/browse/THREESCALE-11200

Verification steps

Set up a client for dev portal authentication in RHBK v24 and configure dev portal SSO.
Test the integration and verify it's successful even when the compatibility mode "Exclude Issuer From Authentication Response" is OFF.

Special notes for your reviewer:
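An added Ruby illustration (not 3scale's own code) of the two behaviours the description refers to: dropping the iss parameter from the redirect URL before it is sent as redirect_uri in the token request, and the exact-match issuer check from RFC 9207 section 2.4 that the PR leaves for later. The function names and the sample callback URL are made up for this example.

```ruby
require 'uri'

# Keycloak >= 23 appends iss=<realm URL> to the authorization response.
# If that parameter leaks into the redirect_uri of the token request, the
# token endpoint answers {"error":"invalid_grant",...,"Incorrect redirect_uri"}.
# Hypothetical helper: remove 'iss' and keep every other query parameter.
def strip_iss_from_redirect_url(url)
  uri = URI.parse(url)
  return url if uri.query.nil?

  params = URI.decode_www_form(uri.query).reject { |key, _| key == 'iss' }
  uri.query = params.empty? ? nil : URI.encode_www_form(params)
  uri.to_s
end

# RFC 9207 section 2.4: compare the received 'iss' with the issuer identifier
# configured for the authorization server (the realm URL in the SSO settings)
# using an exact string match, and reject the response if it is absent,
# duplicated or different.
def issuer_valid?(auth_response_url, expected_issuer)
  query = URI.parse(auth_response_url).query
  return false if query.nil?

  iss_values = URI.decode_www_form(query).select { |key, _| key == 'iss' }.map(&:last)
  iss_values.size == 1 && iss_values.first == expected_issuer
end

# Constructed sample: what the browser hits after Keycloak 23+ redirects back.
SAMPLE_CALLBACK = 'https://portal.example.com/auth/keycloak/callback' \
                  '?state=abc123&session_state=s1' \
                  '&iss=https%3A%2F%2Fsso.example.com%2Frealms%2Fmaster&code=xyz'

if __FILE__ == $PROGRAM_NAME
  puts strip_iss_from_redirect_url(SAMPLE_CALLBACK)
  puts issuer_valid?(SAMPLE_CALLBACK, 'https://sso.example.com/realms/master')
end
```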


@jlledom jlledom left a comment


The code looks correct and the tests pass.

I tried to launch a Keycloak 24 instance from OpenShift but it failed. I assume you tried it and it works.

@mayorova mayorova merged commit 20d0279 into master Aug 6, 2024
17 of 21 checks passed
@mayorova mayorova deleted the rhbk-strip-iss-from-auth-response branch August 6, 2024 09:26
jlledom pushed a commit that referenced this pull request Aug 28, 2024