Uploaded image for project: 'RH-SSO'
  1. RH-SSO
  2. RHSSO-3030

RHSSO 7.6 adapters may not work with RHBK 24 server

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Done
    • Icon: Critical Critical
    • RH-SSO-7.6.9
    • RH-SSO-7.6.8
    • None
    • None
    • False
    • None
    • False

      Just a heads-up that the RHBK 24 server may not work OOTB with the RH-SSO 7.6 OIDC client adapters.

      Mitigation

      There is the mitigation that people will need to enable the switch "Exclude Issuer From Authentication Response" in the admin console, which should be done for every RHBK client pointed to application secured by RH-SSO 7.6 adapters. It can be done in the admin console when going to the particular client -> tab "Advanced" -> section "OpenID Connect Compatibility Modes" .

      Details

      This is the side-effect of adding the `iss` parameter to OIDC authentication response, which is supported by the OAuth 2.1 specification [1] to avoid mix-up attacks [2]. This is documented in the documentation of Keycloak 23 [3] and it would be documented also in RHBK 24 migration documentation, but it is not explicitly documented that this affects all the RH-SSO 7.6 clients.

      Bug description

      Customers will detect if they have such issue that they would not be able to login to their application due the code-to-token request sent by the adapter would fail. They will see errors in their RH-SSO 7.6 log like:
      ```
      [OAuthRequestAuthenticator] failed to turn code into token
      [OAuthRequestAuthenticator] status from server: 403
      ```
      due the incorrect redirect_uri and in the server.log they would see CODE_TO_TOKEN_ERROR event.

      [1] https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-10#name-authorization-response
      [2] https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics-24#section-4.4
      [3] https://www.keycloak.org/docs/latest/upgrading/index.html#added-iss-parameter-to-oauth-2-0openid-connect-authentication-response

              mposolda@redhat.com Marek Posolda
              mposolda@redhat.com Marek Posolda
              Votes:
              0 Vote for this issue
              Watchers:
              6 Start watching this issue

                Created:
                Updated:
                Resolved: