Uploaded image for project: 'WildFly Elytron'
  1. WildFly Elytron
  2. ELY-2242

OidcRequestAuthenticator.rewrittenRedirectUri retains url query when there's no rewrite rule, but removes it when there's a rewrite rule

    XMLWordPrintable

Details

    • Hide

      1. Set up an OpenID-enabled authentication server with a client.
      2. Set up a servlet protected by Elytron with OIDC auth-method. Something like:

          <security-constraint>
        <web-resource-collection>
            <web-resource-name>Debug Endpoint</web-resource-name>
            <url-pattern>/debug</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>debug</role-name>
        </auth-constraint>
    </security-constraint>
    
    <security-role>
        <role-name>debug</role-name>
    </security-role>
    
    <login-config>
        <auth-method>OIDC</auth-method>
    </login-config>
    
    <servlet>
        <servlet-name>DebugServlet</servlet-name>
        <servlet-class>com.example.service.DebugServlet</servlet-class>
    </servlet>
    <servlet-mapping>
        <servlet-name>DebugServlet</servlet-name>
        <url-pattern>/debug</url-pattern>
    </servlet-mapping>

      3. Configure OIDC with `WEB-INF/oidc.json`, such as:

       

      {
    "provider-url": "https://my.keycloak.server.url:443/sso/oauth2",
    "ssl-required": "none",
    "client-id": "client-449550",
    "public-client": true,
    "credentials": {
        "secret": "my-client-secret"
    },
    "enable-basic-auth": true,
    "redirect-rewrite-rules": {
        "will-not-match": "my-replacement-str"
    }
}

      4. Visit the `debug` endpoint specified in step 2. It should redirect the user to the authentication server, where they log in, which would then redirect them back to `debug` along with a code, iss[uer], state, and client_id in the url's query.

      5. Elytron will attempt to verify the code with the authentication server and get a token. If `redirect-rewrite-rules` in oidc.json is specified and not empty, the redirect_url specified as the `debug` endpoint with no query string. If `redirect-rewrite-rules` is removed from oidc.json or left empty, the redirect_url given to the auth server will include the iss[uer] and client_id query parameters still in place.

      Show
      1. Set up an OpenID-enabled authentication server with a client. 2. Set up a servlet protected by Elytron with OIDC auth-method. Something like: <security-constraint> <web-resource-collection> <web-resource-name>Debug Endpoint</web-resource-name> <url-pattern>/debug</url-pattern> </web-resource-collection> <auth-constraint> <role-name>debug</role-name> </auth-constraint> </security-constraint> <security-role> <role-name>debug</role-name> </security-role> <login-config> <auth-method>OIDC</auth-method> </login-config> <servlet> <servlet-name>DebugServlet</servlet-name> <servlet-class>com.example.service.DebugServlet</servlet-class> </servlet> <servlet-mapping> <servlet-name>DebugServlet</servlet-name> <url-pattern>/debug</url-pattern> </servlet-mapping> 3. Configure OIDC with `WEB-INF/oidc.json`, such as:   { "provider-url": "https://my.keycloak.server.url:443/sso/oauth2", "ssl-required": "none", "client-id": "client-449550", "public-client": true, "credentials": { "secret": "my-client-secret" }, "enable-basic-auth": true, "redirect-rewrite-rules": { "will-not-match": "my-replacement-str" } } 4. Visit the `debug` endpoint specified in step 2. It should redirect the user to the authentication server, where they log in, which would then redirect them back to `debug` along with a code, iss [uer] , state, and client_id in the url's query. 5. Elytron will attempt to verify the code with the authentication server and get a token. If `redirect-rewrite-rules` in oidc.json is specified and not empty, the redirect_url specified as the `debug` endpoint with no query string. If `redirect-rewrite-rules` is removed from oidc.json or left empty, the redirect_url given to the auth server will include the iss [uer] and client_id query parameters still in place.

    Description

      `OidcRequestAuthenticator.resolveCode(String code)` handles getting a token from the code it receives after the user authenticates. Part of that is rewriting the url to remove OAuth parameters for code, state, and session_state, and running a rewrite rule to possibly adjust the redirect_url.

      If you enter a rewrite rule that never matches, the behavior is not the same as having no rewrite rules.

      For example, the url that the browser goes to after authenticating might be:

      http://localhost:8080/debug?code=Qs7fBTc1J63o3KBR_SYLRjBqP48&iss=https%3A%2F%2Fmy.keycloak.server.url%3A443%2Fsso%2Foauth2&state=0fe4f722-74e2-4b17-a705-6cbdbfa7bd30&client_id=myclient-449550

      With no rewrite rule, the stripped url that results is:

      http://localhost:8080/debug?iss=https%3A%2F%2Fmy.keycloak.server.url%3A443%2Fsso%2Foauth2&client_id=myclient-449550

      But if I add a rewrite rule like `"will-not-match": "foobar"` that doesn't even match anything, the stripped url is:

      http://localhost:8080/debug

      The stripped url is then used as the redirect_url to convert the code into a token. A redirect_url with unexpected query parameters will not match the pre-approved redirect urls in the auth server's client configuration, causing an error instead of successfully obtaining a valid token.

      The stripped url should be the same if the rewrite rule makes no changes vs if there is no rewrite rule at all. `OidcRequestAuthenticator.rewrittenRedirectUri` simply returns its input if there's no rewrite rule, so any query parameters left after stripping [code, state, session_state] are retained. But if there's a rewrite rule, the url is rebuilt and the query is omitted from the rebuilt url.

      Attachments

        Issue Links

          causes

          Bug - A problem that impairs or prevents the functions of the product. ELY-2340 lost viewparams in redirect_uri

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Pull Request Sent
          is cloned by

          Bug - A problem that impairs or prevents the functions of the product. JBEAP-22953 (7.4.z) ELY-2242 - OidcRequestAuthenticator.rewrittenRedirectUri retains url query when there's no rewrite rule, but removes it when there's a rewrite rule

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Verified

          Activity

            People

              hali19790320 Tóth László (Inactive)
              mouseasw@gmail.com Martin Carney (Inactive)
              Votes:
              1 Vote for this issue
              Watchers:
              5 Start watching this issue

              Dates

                Created:
                Updated: