  1. Red Hat Fuse
  2. ENTESB-13144

Wrong SSO redirect in OData


    • DV Sprint 60

      I have a VDB with the following env vars specified:

        - name: KEYCLOAK_REALM
          value: master
        - name: KEYCLOAK_AUTH_SERVER_URL
          value: https://sso-fuse-dv-test-asmigala.apps.dv-43-b.openshift-aws.rhocf-dev.com/auth
        - name: KEYCLOAK_SSL_REQUIRED
          value: external
        - name: KEYCLOAK_RESOURCE
          value: di
        - name: KEYCLOAK_PUBLIC_CLIENT
          value: 'true'
      

      and the following dependency:

            dependencies:
                - 'org.teiid:spring-keycloak:1.3.2.fuse-760007-redhat-00001'
      

      There is RH SSO 7.3 running on the url specified in KEYCLOAK_AUTH_SERVER_URL, installed from the sso73-x509-https template and set up according to the upstream teiid docs. The Valid redirect URIs in keycloak are set correctly.

      First redirect

      When I go to the OData route url https://bqt-mysql-55-sso-fuse-dv-test-asmigala.apps.dv-43-b.openshift-aws.rhocf-dev.com/odata, I get a 302 redirect with

      Location: http://bqt-mysql-55-sso-fuse-d...ft-aws.rhocf-dev.com/sso/login

      This is wrong, because there's nothing listening there on http; the correct redirect should point to https.

      Second redirect

      When I manually modify the sso/login url to point to https, I get another 302 redirect, this time to the SSO server:

      Location: https://sso-fuse-dv-test-asmigala.apps.dv-43-b.openshift-aws.rhocf-dev.com/auth/realms/master/protocol/openid-connect/auth?response_type=code&client_id=di&redirect_uri=http%3A%2F%2Fbqt-mysql-55-sso-fuse-dv-test-asmigala.apps.dv-43-b.openshift-aws.rhocf-dev.com%2Fsso%2Flogin&state=f28d849c-af2d-4036-8e19-183883d57d27&login=true&scope=openid

      This, however, is also not correct, since now the redirect_uri parameter is pointing to http again. Indeed, after successful login in SSO, I am redirected back to

      http://bqt-mysql-55-sso-fuse-dv-test-asmigala.apps.dv-43-b.openshift-aws.rhocf-dev.com/sso/login?state=f28d849c-af2d-4036-8e19-183883d57d27&session_state=cdd0021b-a588-4a28-9daf-8b267d736433&code=bb5fdf9f-fadf-4f6d-b2e1-e6ef435d64fb.cdd0021b-a588-4a28-9daf-8b267d736433.e8bd558d-b081-46ef-b2f9-795c8680cce5

      with nothing listening there.

      Third redirect

      So now I modify the redirect_uri parameter of the request to SSO, in an attempt to get a redirect to the correct https endpoint of my OData service.

      This does redirect me to

      https://bqt-mysql-55-sso-fuse-dv-test-asmigala.apps.dv-43-b.openshift-aws.rhocf-dev.com/sso/login?state=f28d849c-af2d-4036-8e19-183883d57d27&session_state=cdd0021b-a588-4a28-9daf-8b267d736433&code=463df89c-ab39-4656-8acf-827ac495b337.cdd0021b-a588-4a28-9daf-8b267d736433.e8bd558d-b081-46ef-b2f9-795c8680cce5

      which looks like it should be correct, except it creates another redirect, again to

      http://bqt-mysql-55-sso-fuse-d...ft-aws.rhocf-dev.com/sso/login

      where nothing is listening.

      I'm not 100 % sure this last attempt should work, since I'm reusing the state and session_state parameters from the previous request.

      In all of these attempts, I have both the http and https uris specified as valid in keycloak configuration.

            rhn-engineering-rareddy Ramesh Reddy
            asmigala@redhat.com Andrej Smigala
            Andrej Smigala Andrej Smigala
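
A check for the symptom reported above, as an added example that is not part of the original issue or of the Teiid/Keycloak code: it inspects one 302 hop and flags a same-host drop from https to http, or an OpenID Connect `redirect_uri` that does not return to the https service. The helper name `audit_redirect` is hypothetical; the two sample URLs are copied from the report, and the check says nothing about the cause.

```python
from urllib.parse import urlsplit, parse_qs

# Values copied from the report: the public OData route and the Location
# header of the second redirect (the one sent to the SSO server).
APP = "https://bqt-mysql-55-sso-fuse-dv-test-asmigala.apps.dv-43-b.openshift-aws.rhocf-dev.com"
AUTH_LOCATION = (
    "https://sso-fuse-dv-test-asmigala.apps.dv-43-b.openshift-aws.rhocf-dev.com"
    "/auth/realms/master/protocol/openid-connect/auth?response_type=code"
    "&client_id=di&redirect_uri=http%3A%2F%2Fbqt-mysql-55-sso-fuse-dv-test-asmigala"
    ".apps.dv-43-b.openshift-aws.rhocf-dev.com%2Fsso%2Flogin"
    "&state=f28d849c-af2d-4036-8e19-183883d57d27&login=true&scope=openid"
)


def audit_redirect(request_url, location):
    """Return findings for one 302 hop (hypothetical helper, not Teiid or Keycloak code)."""
    findings = []
    req, loc = urlsplit(request_url), urlsplit(location)
    if req.scheme != "https":
        return findings  # only https entry points are audited here
    # Hop that stays on the same host but drops from https to http.
    if loc.hostname == req.hostname and loc.scheme != "https":
        findings.append(f"Location downgrades {req.hostname} to {loc.scheme}")
    # OIDC authorization request: the callback must return to the https service.
    for uri in parse_qs(loc.query).get("redirect_uri", []):
        cb = urlsplit(uri)
        if cb.scheme != "https":
            findings.append(f"redirect_uri uses {cb.scheme}: {uri}")
        elif cb.hostname != req.hostname:
            findings.append(f"redirect_uri leaves {req.hostname}: {uri}")
    return findings


if __name__ == "__main__":
    for finding in audit_redirect(APP + "/sso/login", AUTH_LOCATION):
        print(finding)
```

Run against each hop of a captured redirect chain, an empty result for every hop means the scheme was preserved end to end.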