Keycloak 20.0.2 does not accept backchannel connection - authentication

I am having some issue with having Keycloak 20.0.2 working for my web application.
I have my keycloak URL accessible at:
https://example.com/white-graduation/keycloak/auth
This is designed for backend application to work with keycloak. It fundamentally usse haproxy as a reverse proxy to connect the https address to my internal keycloak.
So far, all frontend login has been working, without any issue. I can also have access to the keycloak control console UI.
The internal keycloak address is at:
http://loginservice:8080/white-graudation/keycloak/auth
This is designed for backend application to work with keycloak.
However, the backend login is facing a 401 issue.
By experimenting with different curl call in the container that's running the backend, I found that:
curl -I -X GET https://example.com/white-graduation/keycloak/auth/realms/shirasaki-academy/protocol/openid-connect/userinfo -H "Authorization: Bearer Example-Bearer-Token"
This API call gives 200, but
curl -I -X GET https://loginservice:8080/white-graduation/keycloak/auth/realms/shirasaki-academy/protocol/openid-connect/userinfo -H "Authorization: Bearer Example-Bearer-Token"
This gives 401. i.e. back-channel didn't work.
I did an expansion of Example-Bearer-Token, it does show that the iss is indeed only https://example.com/white-graduation/keycloak/auth/realms/shirasaki-academy, because the backend still uses frontend to login. But it should still work.
My Keycloak 20.0.2's setting:
KEYCLOAK_ADMIN=admin
KEYCLOAK_ADMIN_PASSWORD=whatever
KC_HTTP_RELATIVE_PATH=/white-graduation/keycloak/auth
KC_HOSTNAME_ADMIN_URL=https://example.com/white-graduation/keycloak/auth
KC_HOSTNAME_STRICT=false
KC_HTTP_ENABLED=true
KC_HTTP_PORT=8080
KC_HOSTNAME_STRICT_HTTPS=false
KC_PROXY=edge
The Keycloak 20.0.2's Quarkus is run through:
/opt/keycloak/bin/kc.sh start-dev --import-realm --log-level=org.keycloak.events:debug --spi-login-protocol-openid-connect-legacy-logout-redirect-uri=true
Note that I did not set KC_HOSTNAME_STRICT_BACKCHANNEL but this is by default already false, which under such case should allow back-channel connection to work.
Note that this isn't the recommended setting for production environment. But this isn't a production environment after all.

Problem solved by setting:
KC_HOSTNAME_URL=https://example.com/white-graduation/keycloak/auth
which means, KC_HOSTNAME_URL == KC_HOSTNAME_ADMIN_URL
After such, the internal API point starts working.
Not really sure why...but at least this solves my problem.

Related

Always get "redirect_uri_mismatch" under google oauth progress

I am developing a website which need google-login button. But i failed in getting the access_token.
Here is my configuration page and curl result.
why curl doesn't work.
The problem you are having is that you have created web browser credentials and you appear to be testing with curl. Curl by itself would be run in a command prompt or shell script there for it would be installed credentials not web browser credentials.
Go to google developer console and create desktop app type creetinals Then you can follow the calls below in order to authorize to Google and get an access token and a refresh token.
Notice how desktop apps use urn:ietf:wg:oauth:2.0:oob for a redirect uri this means just send it back where it came from.
# Client id from Google Developer console
# Client Secret from Google Developer console
# Scope this is a space separated list of the scopes of access you are requesting.
# Authorization link. Place this in a browser and copy the code that is returned after you accept the scopes.
https://accounts.google.com/o/oauth2/auth?client_id=[Application Client Id]&redirect_uri=urn:ietf:wg:oauth:2.0:oob&scope=[Scopes]&response_type=code
# Exchange Authorization code for an access token and a refresh token.
curl \
--request POST \
--data "code=[Authentcation code from authorization link]&client_id=[Application Client Id]&client_secret=[Application Client Secret]&redirect_uri=urn:ietf:wg:oauth:2.0:oob&grant_type=authorization_code" \
https://accounts.google.com/o/oauth2/token
# Exchange a refresh token for a new access token.
curl \
--request POST \
--data 'client_id=[Application Client Id]&client_secret=[Application Client Secret]&refresh_token=[Refresh token granted by second step]&grant_type=refresh_token' \
https://accounts.google.com/o/oauth2/token
code ripped from GoogleAuthenticationCurl.sh
YOu may also be interested in Which type of credentials should you create? which explains how to decide which type of Google credentials you need to use for the application you are developing.
your web application.
Redirect uri mismatch with a true web application is most often a configuration issue. If you are using a servicer sided programming language you simply need to take the redirect uri that the error message is telling you is wrong and place that in Google Developer console for your web application as a Redirect uri. Google OAuth2: How the fix redirect_uri_mismatch error. Part 2
If on the other hand you have a Client sided web application using javascript it will state that the issue is with the JavaScript origin. It is still a configuration issue. However this time you need to take the URL it is telling you is wrong and place that in the javascript origin field in Google developer console Simple solution for redirect_uri_mismatch error with JavaScript
YOu do not need both Redirect URI and Javascript origin its one or the other.
Fixed it.
The problem is that i have added two version of redirect uri in the google console:
http and https
In the first step, i redirect customer to the oauth page "https://accounts.google.com/o/oauth2/v2/auth" with http version redirect uri.
In the second step i try to got the access token with https version redirect uri, so i got this error.

How can we log into a webserver using username password csrftoken and csrfmiddlewaretoken

I am trying to log into a server using my authentication(username and password) for app development purpose with swift 4. However my server requires csfrtoken and csrfmiddlewaretoken. How can I extract the csrfmiddlewaretoken value and make a Post request to log with all the other authentication?
Keep tadmans comment in mind. If you really want to do it the way as you described it in your question you would need to make a GET request in order to parse the CSRF token of your desired login page. The token should be located inside the login form.
I have added a bash script to extract the token from stackoverflow as a reference:
fkey=`curl https://stackoverflow.com/users/login? | grep -P -o '(?<=value\=\")\w*(?=\")'`
echo $fkey # got the token
# make a post request with the freshly parsed token
curl -L -c cookies -d 'fkey='$fkey'&ssrc=head&email=MY_MAIL_ADDRESS&password=MY_PASSWORD&oauth_version=&oauth_server=&openid_username=&openid_identifier=' https://stackoverflow.com/users/login?ssrc=he$
# finally browse the site with your obtained cookies
curl -b cookies https://stackoverflow.com/users/7727583/yannic-hamann
It is convenient to set up a token-based authentication method via the Django REST framework. But this is only an option in case you are developing your own API.

how do you access a jenkins api which uses Github OAuth using CURL

I have a jenkins server using the Github OAuth plugin and authorized in the "Authorized applications" section of github, it works fine from my browser, i can access to the jenkins server as long as i'm authenticated with github.
Is there a way to access to the jenkins server api using oauth credentials/token from CURL or a ruby client?
I've generated a token in https://github.com/settings/applications -> Personal access tokens -> Generate new token (there is no option to scope it to a third party application)
that token works fine to access github :
curl -H "Authorization: token cfbcff42e6a8a52a1076dd9fcxxxxxxxxxxxxxxx" https://api.github.com/user
however, that token is not valid for jenkins-server:
curl -H "Authorization: token cfbcff42e6a8a52a1076dd9fcxxxxxxxxxxxxxxx" https://jenkins-server/user/restebanez/api/json/\?pretty\=true
It generates this error:
<html><head><meta http-equiv='refresh' content='1;url=/securityRealm/commenceLogin?from=%2Fuser%2Frestebanez%2Fapi%2Fjson%2F%3Fpretty%3Dtrue'/><script>window.location.replace('/securityRealm/commenceLogin?from=%2Fuser%2Frestebanez%2Fapi%2Fjson%2F%3Fpretty%3Dtrue');</script></head><body style='background-color:white; color:white;'>
Authentication required
<!--
You are authenticated as: anonymous
Groups that you are in:
Permission you need to have (but didn't): hudson.model.Hudson.Read
... which is implied by: hudson.security.Permission.GenericRead
... which is implied by: hudson.model.Hudson.Administer
-->
</body></html>
```
the jenkins server has installed GitHub API Plugin 1.58 and Github Authentication plugin 0.19
I'm probably missing some fundamentals of oauth b/c i have googled this for a while and i haven't found anything
I'm not sure if you ever got to the bottom of this, but after trying several routes I finally got a scripted build using Github OAuth on Jenkins. The trick is that the API token is not one for GitHub but rather one from Jenkins.
For my setup I have a machine user on github, I logged in normally via the web with that user, then clicked on the username in the upper right corner. From there I clicked "Configure" on the left-hand menu, and finally "Show API Token" in the main content area.
Once I had that I could run:
curl --user <username>:<api_token> https://jenkins-server/user/<username>/api/json/?pretty=true
More information.
You should just use a Jenkins API token. This is configurable per user. See $JENKINS_URL/me
This will allow your scripted client to access Jenkins regardless of whatever authentication strategy is being used.
You should use "Basic" rather than "token"
For example:
curl -H "Authorization: Basic cfbcff42e6a8a52a1076dd9fcxx"
https://jenkins-server/user/restebanez/api/json
This worked for me (using getting commit statuses as an example):
url=https://api.github.com/repos/myowner/myrepo/commits/f40ddce88593482919761f74910f42f4b84c004b/statuses
curl -X GET -u :${GITHUB_TOKEN} ${url}

WSO2 API Manager not directing to Sandbox based on Sandbox Key

We have a deployed API which is responding correctly; however it has a different URL endpoint configured for Sandbox vs Production.
When I curl a request to the API Manager it is always the Production endpoint which is hit despite which Bearer token I submit. Authentication is working as if I submit an invalid Bearer token I get unauthenticated errors.
Any clues of where the mis-configuration might be?
(version 1.4.0)
When looking at your mentioned issue,I think you have used the 'PRODUCTION' scoped access token to invoke your SANDBOX endpoint.
After you defined two different endpoints as sandbox URL and production URL when creating the API,to invoke them you need to use different access tokens based on its scope [PRODUCTION/SANDBOX].
To invoke SANDBOX endpoint from your API,you need to use SANDBOX access token.
To find these production and sandbox endpoints related keys,you can navigate to APIStore->My Subscriptions page and view the keys under sections of 'production' and 'sandbox' in the particular subscription.And under each 'PRODUCTION/SANDBOX' keys section of subscriptions page,you'll see a separate access token and consumer key/secret.
Try invoking your SANDBOX endpoint of API,with above shown sandbox access token in 'My Subscriptions' page of APIStore or else you can use sandbox based consumer key/secret to generate sandbox scoped user tokens[1] and use those tokens to invoke your API sandbox based endpoint.
A sample cURL request to generate sandbox scoped user token would be as below;
curl -k -d "grant_type=password&username=xxx&password=xxx&scope=SANDBOX" -H "Authorization :Basic base64encoded_SANDBOX_based_consumer key:secret, Content-Type: application/x-www-form-urlencoded" https://ip:8243/token
[1] http://docs.wso2.org/wiki/display/AM140/Token+APIs#TokenAPIs-GeneratingusertokensGenerating

XACML Authentication in Network Proxy Server

I am trying to implement Access Control Policies on Network Proxy Server. Presently, I am at a stage where I have modeled it like this:
The problem I am facing is how to send the resource url, username and password from PEP to PDP. I am presently using WSO2 for implementing PDP policies.
Relating to this I also saw a command on this link, which is as follow:
curl -X POST -H 'Content-type:text/xml' -T soap-xacml-request.xml https://localhost:8443/asm-pdp/pdp --cacert pdp.b64.cer --user pep:password
I also don't know what url should I be giving instead of https://localhost:8443/asm-pdp/pdp (as I am using WSO2).
Can somebody please help me regarding all these issues?
Did you look at the WSO2 documentation and blog? E.g. http://xacmlinfo.com/2012/06/14/pep-client-for-wso2is-pdp/.