WildFly Elytron: ELY-2242

OidcRequestAuthenticator.rewrittenRedirectUri retains url query when there's no rewrite rule, but removes it when there's a rewrite rule


      1. Set up an OpenID-enabled authentication server with a client.
      2. Set up a servlet protected by Elytron with OIDC auth-method. Something like:

          <security-constraint>
              <web-resource-collection>
                  <web-resource-name>Debug Endpoint</web-resource-name>
                  <url-pattern>/debug</url-pattern>
              </web-resource-collection>
              <auth-constraint>
                  <role-name>debug</role-name>
              </auth-constraint>
          </security-constraint>
          
          <security-role>
              <role-name>debug</role-name>
          </security-role>
          
          <login-config>
              <auth-method>OIDC</auth-method>
          </login-config>
          
          <servlet>
              <servlet-name>DebugServlet</servlet-name>
              <servlet-class>com.example.service.DebugServlet</servlet-class>
          </servlet>
          <servlet-mapping>
              <servlet-name>DebugServlet</servlet-name>
              <url-pattern>/debug</url-pattern>
          </servlet-mapping>

      3. Configure OIDC with `WEB-INF/oidc.json`, such as:
      {
          "provider-url": "https://my.keycloak.server.url:443/sso/oauth2",
          "ssl-required": "none",
          "client-id": "client-449550",
          "public-client": true,
          "credentials": {
              "secret": "my-client-secret"
          },
          "enable-basic-auth": true,
          "redirect-rewrite-rules": {
              "will-not-match": "my-replacement-str"
          }
      }
      4. Visit the `debug` endpoint specified in step 2. It should redirect the user to the authentication server, where they log in, which would then redirect them back to `debug` along with a code, iss[uer], state, and client_id in the url's query.

      5. Elytron will attempt to verify the code with the authentication server and get a token. If `redirect-rewrite-rules` in oidc.json is specified and not empty, the redirect_url given to the auth server is the `debug` endpoint with no query string. If `redirect-rewrite-rules` is removed from oidc.json or left empty, the redirect_url given to the auth server will include the iss[uer] and client_id query parameters still in place.


      `OidcRequestAuthenticator.resolveCode(String code)` handles getting a token from the code it receives after the user authenticates. Part of that is rewriting the url to remove OAuth parameters for code, state, and session_state, and running a rewrite rule to possibly adjust the redirect_url.

      If you enter a rewrite rule that never matches, the behavior is not the same as having no rewrite rules.

      For example, the url that the browser goes to after authenticating might be:

      http://localhost:8080/debug?code=Qs7fBTc1J63o3KBR_SYLRjBqP48&iss=https%3A%2F%2Fmy.keycloak.server.url%3A443%2Fsso%2Foauth2&state=0fe4f722-74e2-4b17-a705-6cbdbfa7bd30&client_id=myclient-449550

      With no rewrite rule, the stripped url that results is:

      http://localhost:8080/debug?iss=https%3A%2F%2Fmy.keycloak.server.url%3A443%2Fsso%2Foauth2&client_id=myclient-449550
      But if I add a rewrite rule like `"will-not-match": "foobar"` that doesn't even match anything, the stripped url is:

      http://localhost:8080/debug
      The stripped url is then used as the redirect_url to convert the code into a token. A redirect_url with unexpected query parameters will not match the pre-approved redirect urls in the auth server's client configuration, causing an error instead of successfully obtaining a valid token.

      The stripped url should be the same if the rewrite rule makes no changes vs if there is no rewrite rule at all. `OidcRequestAuthenticator.rewrittenRedirectUri` simply returns its input if there's no rewrite rule, so any query parameters left after stripping [code, state, session_state] are retained. But if there's a rewrite rule, the url is rebuilt and the query is omitted from the rebuilt url.
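As an added illustration (not Elytron's code), the following Python models the two steps the report describes: stripping code, state and session_state from the callback URL, then applying `redirect-rewrite-rules`. Rule matching is modelled as a regex substitution on the path (an assumption); the point is the rebuild step, shown once in the buggy form that drops the query and once in a corrected form that keeps it, using the report's own callback URL and non-matching rule.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# OAuth parameters removed from the callback URL before it is reused as redirect_uri
OAUTH_PARAMS = frozenset({"code", "state", "session_state"})

def strip_oauth_params(url: str) -> str:
    """Drop code/state/session_state; every other query parameter is kept."""
    p = urlsplit(url)
    kept = [(k, v) for k, v in parse_qsl(p.query, keep_blank_values=True)
            if k not in OAUTH_PARAMS]
    return urlunsplit((p.scheme, p.netloc, p.path, urlencode(kept), ""))

def apply_rules(path: str, rules: dict) -> str:
    """Assumption: each rule is a regex substitution applied to the URL path."""
    for pattern, replacement in rules.items():
        path = re.sub(pattern, replacement, path)
    return path

def rewritten_redirect_uri_buggy(url: str, rules: dict) -> str:
    if not rules:
        return url  # no rules: input returned as-is, so the query survives
    p = urlsplit(url)
    # Bug: the URL is rebuilt from scheme, authority and path only; the query is lost
    return urlunsplit((p.scheme, p.netloc, apply_rules(p.path, rules), "", ""))

def rewritten_redirect_uri_fixed(url: str, rules: dict) -> str:
    if not rules:
        return url
    p = urlsplit(url)
    # Fix: carry the remaining query through the rebuild
    return urlunsplit((p.scheme, p.netloc, apply_rules(p.path, rules), p.query, ""))

def redirect_uri_for_token_request(url: str, rules: dict, fixed: bool = False) -> str:
    """The redirect_uri that would be sent to the auth server when exchanging the code."""
    stripped = strip_oauth_params(url)
    rewrite = rewritten_redirect_uri_fixed if fixed else rewritten_redirect_uri_buggy
    return rewrite(stripped, rules)

# Constructed from the callback URL in the report
CALLBACK = ("http://localhost:8080/debug?code=Qs7fBTc1J63o3KBR_SYLRjBqP48"
            "&iss=https%3A%2F%2Fmy.keycloak.server.url%3A443%2Fsso%2Foauth2"
            "&state=0fe4f722-74e2-4b17-a705-6cbdbfa7bd30&client_id=myclient-449550")
NO_MATCH_RULES = {"will-not-match": "my-replacement-str"}  # the rule from oidc.json above

if __name__ == "__main__":
    print("no rules:", redirect_uri_for_token_request(CALLBACK, {}))
    print("buggy:   ", redirect_uri_for_token_request(CALLBACK, NO_MATCH_RULES))
    print("fixed:   ", redirect_uri_for_token_request(CALLBACK, NO_MATCH_RULES, fixed=True))
```

With the non-matching rule the buggy path yields `http://localhost:8080/debug`, while the no-rule and fixed paths both yield the URL with iss and client_id retained, which is the mismatch the auth server rejects.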

      People: Tóth László, Martin Carney