Comments (8)
This error is thrown by Keycloak.
Have you changed one of:
- allowed redirect URIs in Keycloak
- clientId in Spring
- something in the client URI (hostname or port of the Spring app with oauth2Login)
The last two points lead to a new authorization-code callback that could possibly not be allowed in Keycloak.
But according to the little log you attached, it seems that you have an issue with the authorization code itself.
Please attach more Keycloak logs.
Please also add your security conf (SecurityFilterChain if you defined one, and any other @Bean injected into it or into the spring-addons one).
What is the version of Keycloak you are using?
Can you set up a minimal reproducer? I don't have this kind of error with my OAuth2 clients authenticating users on Keycloak 23.0.1.
from spring-addons.
- I didn't change any of the points you've mentioned. I'm only changing spring-addons from 7.2.0 to 7.3.1 and it stops working.
- There's no SecurityFilterChain or any other bean injected into spring-addons.
- Keycloak version 21.1.0 (unfortunately I don't have control over that version)
- I'll try to set up a minimal reproducer, but I can't do it today anymore. My battery's running out of power, and I've only got solar panels...
- Here are more Keycloak logs. It doesn't log the success to the console, so I've attached a screenshot:
- More logs:
2024-01-10T14:04:21.337-05:00 DEBUG 59833 --- [nio-8080-exec-1] mo.s.security.web.FilterChainProxy : Securing GET /
2024-01-10T14:04:21.340-05:00 DEBUG 59833 --- [nio-8080-exec-1] mo.s.s.w.a.AnonymousAuthenticationFilter : Set SecurityContextHolder to anonymous SecurityContext
2024-01-10T14:04:21.346-05:00 DEBUG 59833 --- [nio-8080-exec-1] mo.s.s.w.s.HttpSessionRequestCache : Saved request http://localhost:8080/?continue to session
2024-01-10T14:04:21.351-05:00 DEBUG 59833 --- [nio-8080-exec-1] ms.w.a.DelegatingAuthenticationEntryPoint : Trying to match using And [Not [RequestHeaderRequestMatcher [expectedHeaderName=X-Requested-With, expectedHeaderValue=XMLHttpRequest]], Not [And [Or [Ant [pattern='/login'], Ant [pattern='/favicon.ico']], And [Not [RequestHeaderRequestMatcher [expectedHeaderName=X-Requested-With, expectedHeaderValue=XMLHttpRequest]], MediaTypeRequestMatcher [contentNegotiationStrategy=org.springframework.web.accept.ContentNegotiationManager@5e221658, matchingMediaTypes=[application/xhtml+xml, image/*, text/html, text/plain], useEquals=false, ignoredMediaTypes=[*/*]]]]], org.springframework.security.config.annotation.web.configurers.oauth2.client.OAuth2LoginConfigurer$$Lambda$1986/0x00007f38e0bb4f88@fd98f04]
2024-01-10T14:04:21.352-05:00 DEBUG 59833 --- [nio-8080-exec-1] ms.w.a.DelegatingAuthenticationEntryPoint : Match found! Executing org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint@34188df5
2024-01-10T14:04:21.352-05:00 DEBUG 59833 --- [nio-8080-exec-1] mo.s.s.web.DefaultRedirectStrategy : Redirecting to http://localhost:8080/oauth2/authorization/keycloak-user
2024-01-10T14:04:21.367-05:00 DEBUG 59833 --- [nio-8080-exec-2] mo.s.security.web.FilterChainProxy : Securing GET /oauth2/authorization/keycloak-user
2024-01-10T14:04:23.203-05:00 DEBUG 59833 --- [nio-8080-exec-3] mo.s.security.web.FilterChainProxy : Securing GET /login/oauth2/code/keycloak-user?state=QI86x4nj74M0bgYe_IGhinOiipNDuJTRyO3cfg_MkXQ%3D&session_state=f866f353-749c-4861-8e31-416f18763a1c&code=05eb52a0-9f44-4b09-8699-efba074b9b2b.f866f353-749c-4861-8e31-416f18763a1c.d0d36e71-da18-474d-95d6-a58a3af492fd
2024-01-10T14:04:23.669-05:00 DEBUG 59833 --- [nio-8080-exec-3] m.s.a.DefaultAuthenticationEventPublisher : No event was found for the exception org.springframework.security.oauth2.core.OAuth2AuthenticationException
2024-01-10T14:04:23.685-05:00 DEBUG 59833 --- [nio-8080-exec-4] mo.s.security.web.FilterChainProxy : Securing GET /
2024-01-10T14:04:23.686-05:00 DEBUG 59833 --- [nio-8080-exec-4] mo.s.s.w.a.AnonymousAuthenticationFilter : Set SecurityContextHolder to anonymous SecurityContext
2024-01-10T14:04:23.688-05:00 DEBUG 59833 --- [nio-8080-exec-4] mo.s.s.w.s.HttpSessionRequestCache : Saved request http://localhost:8080/?continue to session
2024-01-10T14:04:23.688-05:00 DEBUG 59833 --- [nio-8080-exec-4] ms.w.a.DelegatingAuthenticationEntryPoint : Trying to match using And [Not [RequestHeaderRequestMatcher [expectedHeaderName=X-Requested-With, expectedHeaderValue=XMLHttpRequest]], Not [And [Or [Ant [pattern='/login'], Ant [pattern='/favicon.ico']], And [Not [RequestHeaderRequestMatcher [expectedHeaderName=X-Requested-With, expectedHeaderValue=XMLHttpRequest]], MediaTypeRequestMatcher [contentNegotiationStrategy=org.springframework.web.accept.ContentNegotiationManager@5e221658, matchingMediaTypes=[application/xhtml+xml, image/*, text/html, text/plain], useEquals=false, ignoredMediaTypes=[*/*]]]]], org.springframework.security.config.annotation.web.configurers.oauth2.client.OAuth2LoginConfigurer$$Lambda$1986/0x00007f38e0bb4f88@fd98f04]
2024-01-10T14:04:23.689-05:00 DEBUG 59833 --- [nio-8080-exec-4] ms.w.a.DelegatingAuthenticationEntryPoint : Match found! Executing org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint@34188df5
2024-01-10T14:04:23.689-05:00 DEBUG 59833 --- [nio-8080-exec-4] mo.s.s.web.DefaultRedirectStrategy : Redirecting to http://localhost:8080/oauth2/authorization/keycloak-user
2024-01-10T14:04:23.699-05:00 DEBUG 59833 --- [nio-8080-exec-5] mo.s.security.web.FilterChainProxy : Securing GET /oauth2/authorization/keycloak-user
2024-01-10T14:04:23.958-05:00 DEBUG 59833 --- [nio-8080-exec-6] mo.s.security.web.FilterChainProxy : Securing GET /login/oauth2/code/keycloak-user?state=49MqUTPNet-NDmHXDLH3xeTEXB_74b5yEgkX14NEX1k%3D&session_state=f866f353-749c-4861-8e31-416f18763a1c&code=48a870d8-ed20-4334-b2db-f976a2bc9b55.f866f353-749c-4861-8e31-416f18763a1c.d0d36e71-da18-474d-95d6-a58a3af492fd
2024-01-10T14:04:24.674-05:00 DEBUG 59833 --- [nio-8080-exec-6] m.s.a.DefaultAuthenticationEventPublisher : No event was found for the exception org.springframework.security.oauth2.core.OAuth2AuthenticationException
2024-01-10T14:04:24.687-05:00 DEBUG 59833 --- [nio-8080-exec-7] mo.s.security.web.FilterChainProxy : Securing GET /
2024-01-10T14:04:24.688-05:00 DEBUG 59833 --- [nio-8080-exec-7] mo.s.s.w.a.AnonymousAuthenticationFilter : Set SecurityContextHolder to anonymous SecurityContext
2024-01-10T14:04:24.690-05:00 DEBUG 59833 --- [nio-8080-exec-7] mo.s.s.w.s.HttpSessionRequestCache : Saved request http://localhost:8080/?continue to session
2024-01-10T14:04:24.690-05:00 DEBUG 59833 --- [nio-8080-exec-7] ms.w.a.DelegatingAuthenticationEntryPoint : Trying to match using And [Not [RequestHeaderRequestMatcher [expectedHeaderName=X-Requested-With, expectedHeaderValue=XMLHttpRequest]], Not [And [Or [Ant [pattern='/login'], Ant [pattern='/favicon.ico']], And [Not [RequestHeaderRequestMatcher [expectedHeaderName=X-Requested-With, expectedHeaderValue=XMLHttpRequest]], MediaTypeRequestMatcher [contentNegotiationStrategy=org.springframework.web.accept.ContentNegotiationManager@5e221658, matchingMediaTypes=[application/xhtml+xml, image/*, text/html, text/plain], useEquals=false, ignoredMediaTypes=[*/*]]]]], org.springframework.security.config.annotation.web.configurers.oauth2.client.OAuth2LoginConfigurer$$Lambda$1986/0x00007f38e0bb4f88@fd98f04]
2024-01-10T14:04:24.690-05:00 DEBUG 59833 --- [nio-8080-exec-7] ms.w.a.DelegatingAuthenticationEntryPoint : Match found! Executing org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint@34188df5
2024-01-10T14:04:24.690-05:00 DEBUG 59833 --- [nio-8080-exec-7] mo.s.s.web.DefaultRedirectStrategy : Redirecting to http://localhost:8080/oauth2/authorization/keycloak-user
2024-01-10T14:04:24.701-05:00 DEBUG 59833 --- [nio-8080-exec-8] mo.s.security.web.FilterChainProxy : Securing GET /oauth2/authorization/keycloak-user
from spring-addons.
Could you please attach the complete URI sequence for the authorization-code flow (with scheme, authority and params). Something like:
- GET https://quiz.c4-soft.com/oauth2/authorization/quiz-bff => 302 with Location https://oidc.c4-soft.com/auth/realms/quiz/protocol/openid-connect/auth?response_type=code&client_id=quiz-bff&scope=openid%20profile%20email%20offline_access&state=HdZJNOz_cbm0wI3Q0X_l9SmjTnFgeqgJWNQwmfaRDbQ%3D&redirect_uri=https://quiz.c4-soft.com/login/oauth2/code/quiz-bff&nonce=kgtnPtYXv92-FLNQxHaTKcuR5Dn3m2Yu-O3xEvzOn9g
- GET https://oidc.c4-soft.com/auth/realms/quiz/protocol/openid-connect/auth?response_type=code&client_id=quiz-bff&scope=openid%20profile%20email%20offline_access&state=HdZJNOz_cbm0wI3Q0X_l9SmjTnFgeqgJWNQwmfaRDbQ%3D&redirect_uri=https://quiz.c4-soft.com/login/oauth2/code/quiz-bff&nonce=kgtnPtYXv92-FLNQxHaTKcuR5Dn3m2Yu-O3xEvzOn9g => 200 OK
- POST https://oidc.c4-soft.com/auth/realms/quiz/login-actions/authenticate?session_code=uTGLroyTJgPSBDDTD-ALCWZ9cfI0odRjfErtTunXazc&execution=d6378d12-d46e-4de0-9df5-7d9df63c90f2&client_id=quiz-bff&tab_id=-VYdCcQbkLc => 302 with Location https://quiz.c4-soft.com/login/oauth2/code/quiz-bff?state=HdZJNOz_cbm0wI3Q0X_l9SmjTnFgeqgJWNQwmfaRDbQ%3D&session_state=507e2f63-9476-40b8-b3aa-9760c82acde4&code=08457d66-58b0-42d7-8b23-17f4db0b8de4.507e2f63-9476-40b8-b3aa-9760c82acde4.44777276-7b4e-4678-b892-6a7631ec69b2
- GET https://quiz.c4-soft.com/login/oauth2/code/quiz-bff?state=HdZJNOz_cbm0wI3Q0X_l9SmjTnFgeqgJWNQwmfaRDbQ%3D&session_state=507e2f63-9476-40b8-b3aa-9760c82acde4&code=08457d66-58b0-42d7-8b23-17f4db0b8de4.507e2f63-9476-40b8-b3aa-9760c82acde4.44777276-7b4e-4678-b892-6a7631ec69b2 => 302 with Location https://quiz.c4-soft.com/ui/
- GET https://quiz.c4-soft.com/ui/
from spring-addons.
Here we go.
I'll prepare a minimal setup and provide the link here in a moment.
GET http://localhost:8080/ => 302 http://localhost:8080/oauth2/authorization/keycloak-user
GET http://localhost:8080/oauth2/authorization/keycloak-user => 302 Location: https://auth.intranet.example.com/realms/example.com/protocol/openid-connect/auth?response_type=code&client_id=hotline-thurgau-dev&scope=openid%20profile%20email%20offline_access&state=2GoZQboLNYpOvEuyJE4WUgs8HMhM1ajJmEIZeyHMraY%3D&redirect_uri=http://localhost:8080/login/oauth2/code/keycloak-user&nonce=6dQBt6IKShPGPgBYKJHLk1j3vmBTXoV_732RCFaw5UM
POST https://auth.intranet.example.com/realms/example.com/login-actions/authenticate?session_code=ezx_VSj1RRrmYqnbS6D95XZVO1NxHNxfVhL0D4Q3xeQ&execution=d89c4380-50ef-4a97-a4cc-1a76df1d11a9&client_id=hotline-thurgau-dev&tab_id=WbntdJBVkh0 => 302 http://localhost:8080/login/oauth2/code/keycloak-user?state=2GoZQboLNYpOvEuyJE4WUgs8HMhM1ajJmEIZeyHMraY%3D&session_state=393fd19d-2163-40d6-880f-c9f94b6ca567&code=138186ac-15de-49c1-9977-4f75b493086a.393fd19d-2163-40d6-880f-c9f94b6ca567.d0d36e71-da18-474d-95d6-a58a3af492fd
GET http://localhost:8080/login/oauth2/code/keycloak-user?state=2GoZQboLNYpOvEuyJE4WUgs8HMhM1ajJmEIZeyHMraY%3D&session_state=393fd19d-2163-40d6-880f-c9f94b6ca567&code=138186ac-15de-49c1-9977-4f75b493086a.393fd19d-2163-40d6-880f-c9f94b6ca567.d0d36e71-da18-474d-95d6-a58a3af492fd => 302 http://localhost:8080/
GET http://localhost:8080/ => 302 http://localhost:8080/oauth2/authorization/keycloak-user
GET http://localhost:8080/oauth2/authorization/keycloak-user => 302 https://auth.intranet.example.com/realms/example.com/protocol/openid-connect/auth?response_type=code&client_id=hotline-thurgau-dev&scope=openid%20profile%20email%20offline_access&state=fHDCCU8sji8AHZkkw8HWanZfWVVoxoJA18ImNhwcFa8%3D&redirect_uri=http://localhost:8080/login/oauth2/code/keycloak-user&nonce=8xIWLJckGPv2oEFg8ssoISG3nmexWqCks5bo0_kkLDg
GET https://auth.intranet.example.com/realms/example.com/protocol/openid-connect/auth?response_type=code&client_id=hotline-thurgau-dev&scope=openid%20profile%20email%20offline_access&state=fHDCCU8sji8AHZkkw8HWanZfWVVoxoJA18ImNhwcFa8%3D&redirect_uri=http://localhost:8080/login/oauth2/code/keycloak-user&nonce=8xIWLJckGPv2oEFg8ssoISG3nmexWqCks5bo0_kkLDg => 302 http://localhost:8080/login/oauth2/code/keycloak-user?state=fHDCCU8sji8AHZkkw8HWanZfWVVoxoJA18ImNhwcFa8%3D&session_state=393fd19d-2163-40d6-880f-c9f94b6ca567&code=ddeb1751-5710-455d-b986-cd7811ceeda9.393fd19d-2163-40d6-880f-c9f94b6ca567.d0d36e71-da18-474d-95d6-a58a3af492fd
GET http://localhost:8080/login/oauth2/code/keycloak-user?state=fHDCCU8sji8AHZkkw8HWanZfWVVoxoJA18ImNhwcFa8%3D&session_state=393fd19d-2163-40d6-880f-c9f94b6ca567&code=ddeb1751-5710-455d-b986-cd7811ceeda9.393fd19d-2163-40d6-880f-c9f94b6ca567.d0d36e71-da18-474d-95d6-a58a3af492fd => 302 http://localhost:8080/
etc...
from spring-addons.
Here I've added a minimal project:
https://github.com/yennor/springaddonsmin
from spring-addons.
@yennor thank you for the reproducer, it is of great help for the investigation.
What I spotted so far is that inside DefaultAuthorizationCodeTokenResponseClient::getTokenResponse, when inspecting the body of the request, the value of the redirect_uri has changed from https://localhost:7080/login/oauth2/code/keycloak-user to https://localhost:7080/oauth2/authorization/keycloak-user (which is wrong, as we gave https://localhost:7080/login/oauth2/code/keycloak-user to Keycloak as redirect_uri in the authorization request).
This is a regression I'll fix (I haven't found why yet and have limited time today, but will do soon).
from spring-addons.
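The finding above turns on the redirect_uri binding of the authorization-code grant: RFC 6749 section 4.1.3 requires the authorization server to reject a token request whose redirect_uri is not identical to the one carried in the authorization request, which is why a callback of /oauth2/authorization/... in the token request fails when the code was issued for /login/oauth2/code/.... The first comment's checklist (allowed redirect URIs in Keycloak, client id, client host/port) is the other half of the same binding. The following Python model, added here as an illustration and not code from spring-addons, Spring Security or Keycloak, runs both checks end to end: the authorization endpoint only accepts a registered redirect_uri, the token endpoint enforces same client, unused and unexpired code, and exact redirect_uri equality, and a small diagnostic compares the redirect_uri of an authorization URL with that of a token-request body. The client id keycloak-user, the localhost:8080 callback and all URLs in it are constructed from the thread's setup and are assumptions, not the reporter's real configuration.

```python
"""Model of the OAuth2 authorization-code redirect_uri binding (RFC 6749 section 4.1.3).
Constructed example; not spring-addons, Spring Security or Keycloak code."""
import secrets
import time
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlsplit

# Constructed registration, standing in for Keycloak's "Valid redirect URIs" of the client.
# The client id and callback are assumptions taken from the thread's localhost setup.
REGISTERED_CLIENTS = {
    "keycloak-user": {"redirect_uris": {"http://localhost:8080/login/oauth2/code/keycloak-user"}},
}


@dataclass
class IssuedCode:
    client_id: str
    redirect_uri: str
    issued_at: float
    used: bool = False


@dataclass
class AuthorizationServer:
    """Minimal code issuer/verifier modelling the checks an RFC 6749 server performs."""
    codes: dict = field(default_factory=dict)
    code_ttl: float = 60.0

    def authorize(self, client_id, redirect_uri, state):
        # Authorization endpoint: redirect_uri must be registered for the client; if it is
        # not, the server must refuse rather than redirect (open-redirect protection).
        client = REGISTERED_CLIENTS.get(client_id)
        if client is None or redirect_uri not in client["redirect_uris"]:
            raise ValueError("invalid redirect_uri: not registered for this client")
        code = secrets.token_urlsafe(24)
        # The code is bound to the client and to the redirect_uri it was issued for.
        self.codes[code] = IssuedCode(client_id, redirect_uri, time.time())
        return f"{redirect_uri}?state={state}&code={code}"

    def token(self, client_id, code, redirect_uri):
        # Token endpoint: same client, unused and fresh code, and a redirect_uri that is
        # byte-for-byte identical to the one in the authorization request. The last check
        # is the one a token request carrying /oauth2/authorization/... trips over.
        issued = self.codes.get(code)
        if issued is None or issued.used:
            return {"error": "invalid_grant", "error_description": "Code not valid"}
        if issued.client_id != client_id:
            return {"error": "invalid_grant", "error_description": "Code was issued to another client"}
        if time.time() - issued.issued_at > self.code_ttl:
            return {"error": "invalid_grant", "error_description": "Code is expired"}
        if issued.redirect_uri != redirect_uri:
            return {"error": "invalid_grant", "error_description": "Incorrect redirect_uri"}
        issued.used = True  # single use: a replayed code must be refused
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer"}


def code_from_location(location):
    """Extract the code parameter from the callback URL the server redirects to."""
    return parse_qs(urlsplit(location).query)["code"][0]


def redirect_uri_matches(authorization_url, token_request_body):
    """Client-side diagnostic for the regression discussed in the thread: compare the
    redirect_uri sent to the authorization endpoint with the one in the token-request
    body. Returns (matches, authorization_redirect_uri, token_redirect_uri)."""
    authz_uri = parse_qs(urlsplit(authorization_url).query).get("redirect_uri", [None])[0]
    token_uri = parse_qs(token_request_body).get("redirect_uri", [None])[0]
    return authz_uri == token_uri, authz_uri, token_uri


def run_flow(token_redirect_uri):
    """One complete exchange: authorize with the registered callback, then redeem the
    code while sending token_redirect_uri in the token request. Returns the token response."""
    srv = AuthorizationServer()
    callback = "http://localhost:8080/login/oauth2/code/keycloak-user"
    state = secrets.token_urlsafe(16)
    location = srv.authorize("keycloak-user", callback, state)
    params = parse_qs(urlsplit(location).query)
    # The client must verify state before redeeming the code (CSRF protection).
    if params["state"][0] != state:
        raise ValueError("state mismatch on callback")
    return srv.token("keycloak-user", params["code"][0], token_redirect_uri)


if __name__ == "__main__":
    print(run_flow("http://localhost:8080/login/oauth2/code/keycloak-user"))
    print(run_flow("http://localhost:8080/oauth2/authorization/keycloak-user"))
```

Running the module prints a Bearer token for the correct callback and an invalid_grant error for the wrong one. The diagnostic is the check to run when a client library upgrade breaks login: capture the 302 to the authorization endpoint and the body of the POST to the token endpoint (the request body is the same thing the maintainer inspected in DefaultAuthorizationCodeTokenResponseClient), and compare their redirect_uri values before suspecting the realm configuration.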
@yennor I published 7.3.2, which should fix this issue. Please confirm and close.
This issue was specific to synchronous apps (servlets).
from spring-addons.
Works like a charm. Thanks a lot :-)
from spring-addons.