Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

added code_challenge for PKCE #56

Open
wants to merge 3 commits into
base: main
Choose a base branch
from
Open

added code_challenge for PKCE #56

wants to merge 3 commits into from

Conversation

xgp
Copy link
Member

@xgp xgp commented Oct 19, 2023

solves #8

@xgp xgp mentioned this pull request Dec 19, 2023
Open
@xgp
Copy link
Member Author

xgp commented Jan 30, 2024 via email

@Gryff
Copy link

Gryff commented Oct 21, 2024

Hey @xgp I would love this to be merged, is it something that's on the team's radar?

@xgp
Copy link
Member Author

xgp commented Oct 21, 2024

@Gryff It hasn't been merged because of insufficient testing, and because those that have tested have reported it doesn't work #8

If you have time to do some testing on this branch, that would be helpful.

Gryff
Gryff reviewed Oct 23, 2024
View reviewed changes
src/main/java/io/phasetwo/keycloak/magic/MagicLink.java
@@ -143,6 +163,7 @@ public static MagicLinkActionToken createActionToken(
String scope,
String nonce,
String state,
String codeChallenge,
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@xgp I've noticed the codeChallenge parameter is not passed in to the MagicLinkActionToken constructor. If I pass it in and run it against my setup I get a different PKCE failure, Code mismatch instead of challenge not present.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks. Feel free to take up this PR.

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

#91

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks @Gryff. This now has your changes merged and the recent changes to main. Trying to get a few more testers with different oidc libs before I merge it.

@vilmosnagy
Copy link

Is it possible that this branch does not works for me? I open the following URL to test: https://www.keycloak.org/app/#url=https://localhost:8443&realm=magiclinktest&client=test

And I have the following client config:

{
  "clientId": "test",
  "name": "",
  "description": "",
  "rootUrl": "https://www.keycloak.org/app/",
  "adminUrl": "https://www.keycloak.org/app/",
  "baseUrl": "https://www.keycloak.org/app/",
  "surrogateAuthRequired": false,
  "enabled": true,
  "alwaysDisplayInConsole": false,
  "clientAuthenticatorType": "client-secret",
  "redirectUris": [
    "*"
  ],
  "webOrigins": [
    "*"
  ],
  "notBefore": 0,
  "bearerOnly": false,
  "consentRequired": false,
  "standardFlowEnabled": true,
  "implicitFlowEnabled": false,
  "directAccessGrantsEnabled": true,
  "serviceAccountsEnabled": false,
  "publicClient": true,
  "frontchannelLogout": true,
  "protocol": "openid-connect",
  "attributes": {
    "realm_client": "false",
    "oidc.ciba.grant.enabled": "false",
    "backchannel.logout.session.required": "true",
    "post.logout.redirect.uris": "*",
    "display.on.consent.screen": "false",
    "oauth2.device.authorization.grant.enabled": "false",
    "backchannel.logout.revoke.offline.tokens": "false"
  },
  "authenticationFlowBindingOverrides": {},
  "fullScopeAllowed": true,
  "nodeReRegistrationTimeout": -1,
  "defaultClientScopes": [
    "web-origins",
    "acr",
    "profile",
    "roles",
    "basic",
    "email"
  ],
  "optionalClientScopes": [
    "address",
    "phone",
    "offline_access",
    "organization",
    "microprofile-jwt"
  ],
  "access": {
    "view": true,
    "configure": true,
    "manage": true
  }
}

And after clicking on the link from the e-mail, I'm redirected to this URL:

"https://www.keycloak.org/app/?state=3855809a-9a3f-413f-9d53-8a790fa86d68&session_state=c70b36f5-1126-4c73-8f5b-dc8ae7c07fb4&iss=https%3A%2F%2Flocalhost%3A8443%2Frealms%2Fmagiclinktest&code=5bdbd963-6ef1-4c94-933d-4bec5daaf55a.c70b36f5-1126-4c73-8f5b-dc8ae7c07fb4.1f79fd54-3d3f-426c-8f2f-b85ed1acfc71&state=6db517b9-3818-48fb-ae87-edd3e305b691&session_state=4a535fe1-4ede-49bf-b7b6-bfa9768badf4&iss=https%3A%2F%2Flocalhost%3A8443%2Frealms%2Fmagiclinktest&code=b508f177-fbe9-46cf-b33b-92a2fcb4da73.4a535fe1-4ede-49bf-b7b6-bfa9768badf4.1f79fd54-3d3f-426c-8f2f-b85ed1acfc71&state=429550ce-e441-4a57-9f28-e4beeb2e2647&session_state=f6513241-3b52-4573-a279-4330158d830d&iss=https%3A%2F%2Flocalhost%3A8443%2Frealms%2Fmagiclinktest&code=f98a2b04-6177-43db-98d7-2011a8c667c5.f6513241-3b52-4573-a279-4330158d830d.1f79fd54-3d3f-426c-8f2f-b85ed1acfc71&state=d416b089-442e-4610-a0af-f04f47d8ffdd&session_state=157f3b59-09f6-4e55-b197-10cd9088d5b8&iss=https%3A%2F%2Flocalhost%3A8443%2Frealms%2Fmagiclinktest&code=b0e20709-8574-4520-b0b0-d4bd6edab0cb.157f3b59-09f6-4e55-b197-10cd9088d5b8.1f79fd54-3d3f-426c-8f2f-b85ed1acfc71#url=https://localhost:8443&realm=magiclinktest&client=test"

And the state, session_state, iss, code query params are missing, so I'm not signed in in the kc test page.

@Gryff
Copy link

Gryff commented Nov 4, 2024
edited
Loading

@vilmosnagy The query params aren't missing, but seem to be added to the URL over and over:

https://www.keycloak.org/app/?
  state=3855809a-9a3f-413f-9d53-8a790fa86d68
  &session_state=c70b36f5-1126-4c73-8f5b-dc8ae7c07fb4
  &iss=https%3A%2F%2Flocalhost%3A8443%2Frealms%2Fmagiclinktest
  &code=5bdbd963-6ef1-4c94-933d-4bec5daaf55a.c70b36f5-1126-4c73-8f5b-dc8ae7c07fb4.1f79fd54-3d3f-426c-8f2f-b85ed1acfc71
  &state=6db517b9-3818-48fb-ae87-edd3e305b691
  &session_state=4a535fe1-4ede-49bf-b7b6-bfa9768badf4
  &iss=https%3A%2F%2Flocalhost%3A8443%2Frealms%2Fmagiclinktest
  &code=b508f177-fbe9-46cf-b33b-92a2fcb4da73.4a535fe1-4ede-49bf-b7b6-bfa9768badf4.1f79fd54-3d3f-426c-8f2f-b85ed1acfc71
  &state=429550ce-e441-4a57-9f28-e4beeb2e2647
  &session_state=f6513241-3b52-4573-a279-4330158d830d
  &iss=https%3A%2F%2Flocalhost%3A8443%2Frealms%2Fmagiclinktest
  &code=f98a2b04-6177-43db-98d7-2011a8c667c5.f6513241-3b52-4573-a279-4330158d830d.1f79fd54-3d3f-426c-8f2f-b85ed1acfc71&state=d416b089-442e-4610-a0af-f04f47d8ffdd
  &session_state=157f3b59-09f6-4e55-b197-10cd9088d5b8
  &iss=https%3A%2F%2Flocalhost%3A8443%2Frealms%2Fmagiclinktest
  &code=b0e20709-8574-4520-b0b0-d4bd6edab0cb.157f3b59-09f6-4e55-b197-10cd9088d5b8.1f79fd54-3d3f-426c-8f2f-b85ed1acfc71
  #url=https://localhost:8443&realm=magiclinktest
  &client=test

This has happened to me when I've set keycloak up incorrectly, though I don't know which part of keycloak is responsible.

I have just tried a keycloak setup with the keycloak test site, with this magic link PR and I get this URL, which seems correct:

https://www.keycloak.org/app/
  ?state=b7a1eca9-d8de-4081-bb8c-c41993c15ce0
  &session_state=5662e72c-71aa-41e0-a33b-ad64d8f6564a
  &iss=http%3A%2F%2Fsso.localhost%2Frealms%2Fmyrealm
  &code=6337d886-d5b9-45e6-b13d-0e3a31c31469.5662e72c-71aa-41e0-a33b-ad64d8f6564a.f96c59be-3263-47d8-8776-3f847c8982d4
  #url=http://sso.localhost&realm=myrealm&client=myclient

Looks like you haven't added https://www.keycloak.org/* as one of the valid redirect URIs

@vilmosnagy
Copy link

vilmosnagy commented Nov 5, 2024
edited
Loading

@Gryff hm, you seems to be right about it adding multiple times; The only valid redirect URI I've added in the client config was * - let me check in the next days.

I think you cannot misconfigure it (how did you?), otherwise keycloak would have complained of the wrong redirect URI at the very beginning of the login process.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Gryff Gryff Gryff left review comments

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@xgp @Gryff @vilmosnagy