Redirect URI not using serviceRootUrl #1717

Open
SirBubbls opened this issue Sep 27, 2023 · 3 comments

@SirBubbls

We serve a Frost server instance in Kubernetes under a subpath https://<domain>/path/; the serviceRootUrl appears to be correct.

INFO   d.f.i.ilt.frostserver.settings.Settings - Setting serviceRootUrl has value 'https://<domain>/path/'

The Frost instance is also reachable under this path. Unfortunately, integrating Keycloak introduces issues with the redirect_uri. The auth request to Keycloak is http://<domain>/FROST-Server (https://<domain>/auth/realms/<redacted>/protocol/openid-connect/auth?response_type=code&client_id=<redacted>&redirect_uri=http://<domain>/FROST-Server/<redacted>&login=true&scope=openid). Because we don't serve Frost under this path, the authentication fails. As soon as we serve Frost under http://<domain>/ the login succeeds.
Is there a configuration option for a subpath in the redirect_uri that I am missing, or is this a bug?

@hylkevds
Member

That redirect_uri is generated by the Keycloak filter, based on the configuration in auth.keycloakConfig[Url/File].
Looking at the Keycloak docs, I suspect you will need to tune the redirect-rewrite-rules parameter.

@SirBubbls
Author

Thanks for the quick response. We tried using the redirect-rewrite-rules for rewriting http to https. For some reason this didn't work and we dismissed the idea. I tried it again because of your comment and adding a subpath is indeed possible.

"redirect-rewrite-rules": {
    "^(.*)\/FROST-Server(.*)$": "$1/<subpath>/FROST-Server$2"
  }

The redirect_uri is now correct but we run into an infinite redirect loop as soon as we do the authentication flow from our subpath instead of <domain>/FROST-Server. I did some digging and suspect that the path attribute for the JSESSIONID is not correctly set by the Frost server.

{
	"Response Cookies": {
		"JSESSIONID": {
			"httpOnly": true,
			"path": "/FROST-Server",  // this should be /<subpath>/FROST-Server, shouldn't it?
			"value": "..."
		},
		"OAuth_Token_Request_State": {
			"httpOnly": true,
			"path": "/",
			"value": "..."
		}
	}
}

@hylkevds
Member

hylkevds commented Sep 28, 2023

Hmm, it seems Tomcat uses the path that Tomcat sees for the session cookie, but this doesn't match the path the client sees.
Tomcat does have the option sessionCookiePath to configure this.
We'll have to find a way to make this configurable from the outside...
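
Added example, not part of the thread and not FROST-Server or Keycloak code: it applies the rewrite rule quoted above to a redirect URI and then uses the RFC 6265 cookie path-match to show which of the two reported cookies a browser attaches to the rewritten callback. The host `example.test`, the subpath `sub` and the trailing `/cb` segment are constructed placeholders, and applying the rule as a regex replace on the path only is an assumption.

```javascript
// Added illustration. Host "example.test" and subpath "sub" are constructed
// placeholders standing in for <domain> and <subpath> from the thread.

// The rewrite rule from the thread, after JSON unescaping ("\/" is "/").
const RULE = { pattern: "^(.*)/FROST-Server(.*)$", replacement: "$1/sub/FROST-Server$2" };

// Assumption: the rule is applied as a regex replace on the URI path only.
function rewriteRedirectUri(uri, rule) {
  const u = new URL(uri);
  u.pathname = u.pathname.replace(new RegExp(rule.pattern), rule.replacement);
  return u.toString();
}

// RFC 6265 section 5.1.4 path-match: does a cookie with this Path apply to the request path?
function cookiePathMatches(cookiePath, requestPath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith("/") || requestPath[cookiePath.length] === "/";
}

// Names of the cookies a browser would attach to a request for requestUrl.
function cookiesSent(cookies, requestUrl) {
  const path = new URL(requestUrl).pathname;
  return cookies.filter((c) => cookiePathMatches(c.path, path)).map((c) => c.name);
}

// Cookie paths as reported in the thread, and with the session path corrected.
const asReported = [
  { name: "JSESSIONID", path: "/FROST-Server" },
  { name: "OAuth_Token_Request_State", path: "/" },
];
const corrected = [
  { name: "JSESSIONID", path: "/sub/FROST-Server" },
  { name: "OAuth_Token_Request_State", path: "/" },
];

const callback = rewriteRedirectUri("http://example.test/FROST-Server/cb", RULE);
console.log(callback);
console.log("reported :", cookiesSent(asReported, callback));
console.log("corrected:", cookiesSent(corrected, callback));
```

With the reported paths the callback request arrives without JSESSIONID, which is consistent with the redirect loop described above; with the session cookie path set to the client-visible prefix, both cookies are sent.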
