Keycloak / KEYCLOAK-7954

OIDC Provider doesn't skip token validation if URL is empty


    Details

    • Steps to Reproduce:
      1. Create a new App at https://apps.dev.microsoft.com/
      2. Add a new App Password
      3. Add Redirect URIs for your Keycloak installation
      4. Add a custom OIDC IdP using the above app's ID and Password (secret) - (configuration via https://login.microsoftonline.com/common/.well-known/openid-configuration)
      5. Notice the Issuer URL is templated with tenantId
      6. Remove the issuer URL
      7. Attempt to authenticate to Keycloak via a Live or Azure AD account

      The error will be:

      2018-07-27T14:10:32.241543+00:00 app[web.1]: 2018-07-27 14:10:32,240 ERROR [org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider] (default task-111) Failed to make identity provider oauth callback:
       org.keycloak.broker.provider.IdentityBrokerException: Wrong issuer from token. Got: https://login.microsoftonline.com/1822d473-0c5c-4a2e-8d8c-407af2f647bc/v2.0 expected:
      2018-07-27T14:10:32.241555+00:00 app[web.1]: at org.keycloak.broker.oidc.OIDCIdentityProvider.validateToken(OIDCIdentityProvider.java:500)
      2018-07-27T14:10:32.241557+00:00 app[web.1]: at org.keycloak.broker.oidc.OIDCIdentityProvider.validateToken(OIDCIdentityProvider.java:460)
      2018-07-27T14:10:32.241559+00:00 app[web.1]: at org.keycloak.broker.oidc.OIDCIdentityProvider.getFederatedIdentity(OIDCIdentityProvider.java:350)
      2018-07-27T14:10:32.241562+00:00 app[web.1]: at org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider$Endpoint.authResponse(AbstractOAuth2IdentityProvider.java:399)
      

    • Docs QE Status:
      NEW
    • QE Status:
      NEW

      Description

      While attempting to use Keycloak against Azure AD (in a multi-tenant scenario), I have attempted to disable token verification to work around Microsoft's janky issuer gymnastics (issuer is tenant-based, not static).

      It appears that this value is an empty string rather than null, as is expected at OIDCIdentityProvider.java:490.
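      The check the report describes, written out as an added illustration (this is not Keycloak's code and does not use its API): a configured issuer that is null, empty or whitespace-only is treated as "not configured" and the issuer check is reported as skipped rather than compared against the token; a configured issuer is compared exactly. It also shows the alternative a multi-tenant deployment can use instead of disabling the check: an allow-list of tenant IDs matched against the tenant-templated issuer format seen in the log above. The regex, the `allowed_tenants` parameter and the VERIFIED/SKIPPED statuses are assumptions of this example; the tenant GUID in the sample is the one from the report's log line.

```python
# Added illustration (not Keycloak's code): issuer validation for a brokered
# OIDC ID token, showing (1) the behaviour the report asks for, where a null
# *or* empty configured issuer means "issuer check not configured", and
# (2) a multi-tenant alternative that keeps the check enabled: an allow-list of
# tenant IDs matched against Azure AD's tenant-templated issuer URL.
import re
from typing import Iterable, Optional

# Issuer shape taken from the report's log line: the tenant ID is a GUID
# embedded in the path. Any other host or path shape fails the match.
# (Assumed pattern for this example.)
AZURE_TENANT_ISSUER = re.compile(
    r"^https://login\.microsoftonline\.com/(?P<tenant>[0-9a-fA-F-]{36})/v2\.0$"
)

VERIFIED = "verified"   # token issuer matched the configured expectation
SKIPPED = "skipped"     # no issuer configured; nothing was checked


class IssuerMismatch(Exception):
    """Raised when the token's iss claim does not match what was configured."""


def issuer_configured(configured: Optional[str]) -> bool:
    # Treat None, "" and whitespace-only identically. The report's failure mode
    # is exactly that "" passed a null check and was then compared verbatim,
    # producing 'expected:' followed by nothing in the error message.
    return bool(configured and configured.strip())


def validate_issuer(
    token_iss: str,
    configured_issuer: Optional[str],
    allowed_tenants: Optional[Iterable[str]] = None,
) -> str:
    """Return VERIFIED or SKIPPED, or raise IssuerMismatch.

    allowed_tenants (hypothetical parameter), when given, takes precedence over
    configured_issuer: the token's issuer must have the tenant-templated form
    and its tenant GUID must be in the allow-list. That keeps issuer validation
    on in a multi-tenant setup instead of switching it off.
    """
    if allowed_tenants is not None:
        match = AZURE_TENANT_ISSUER.match(token_iss)
        allowed = {t.lower() for t in allowed_tenants}
        if match is None or match.group("tenant").lower() not in allowed:
            raise IssuerMismatch(f"Wrong issuer from token. Got: {token_iss}")
        return VERIFIED

    if not issuer_configured(configured_issuer):
        # Not configured: skip, but report it so the caller can log that the
        # issuer went unverified rather than silently comparing against "".
        return SKIPPED

    expected = configured_issuer.strip()
    if token_iss != expected:
        raise IssuerMismatch(
            f"Wrong issuer from token. Got: {token_iss} expected: {expected}"
        )
    return VERIFIED


if __name__ == "__main__":
    # Tenant ID as it appears in the report's log output.
    iss = "https://login.microsoftonline.com/1822d473-0c5c-4a2e-8d8c-407af2f647bc/v2.0"
    print(validate_issuer(iss, ""))     # empty config: skipped, not a mismatch
    print(validate_issuer(iss, iss))    # exact match: verified
    print(validate_issuer(iss, "", ["1822d473-0c5c-4a2e-8d8c-407af2f647bc"]))
    try:
        validate_issuer(iss, "https://login.microsoftonline.com/common/v2.0")
    except IssuerMismatch as exc:
        print("rejected:", exc)
```

      The allow-list path is the one to prefer where the deployment knows its tenants: it keeps the `iss` claim bound to a known set of identities and only widens the check from one exact string to a finite set, whereas an empty issuer leaves the claim unchecked entirely and the SKIPPED status exists so that choice at least shows up in logs.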

              People

              • Assignee: Unassigned
              • Reporter: sarumont (Richard Kolkovich)