OIDC authentication/authorization

Added by Peter Tagwercher about 1 month ago

Hi everyone,

hopefully this is a simple question.

I am trying to create a single sign on based on your oidc example.

One of the required "parameters" is the redirect endpoint. Since wt is a single page application an uri like http://127.0.0.1:8080/* won't work, neither does http://127.0.0.1:8080/.

So now which parameter would I use to redirect to my application?

Best Regards,
Peter


Replies (5)

RE: OIDC authentication/authorization - Added by Peter Tagwercher 29 days ago

Hi everyone,

forget what I was asking for. I had some trouble setting up Keycloak (that I am using for testing purposes), but now, as I fixed that, my OIDC setup works fine.

Best Regards,
Peter

RE: OIDC authentication/authorization - Added by Peter Tagwercher 27 days ago

It's me again. Working fine was way too much for now.

Saying it works was saying that the OidcClient both receives authenticated() and authorized().

In your announcement on [[https://www.webtoolkit.eu/wt/news/2017/06/20/announcing_openid_connect_support_in_wt]] you state that only those values have to be changed:
setAuthEndpoint("https://id-provider/oauth2/authorize");
setTokenEndpoint("https://id-provider/oauth2/token");
setUserInfoEndpoint("https://id-provider/oidc/userinfo");

but I assume that those values here would have to be changed too (to match the values above):
@Session tokenSession(dbPath);
Wt::Auth::OAuthTokenEndpoint tokenEndpoint{tokenSession.users(), deployUrl};
server.addResource(&tokenEndpoint, "/oauth2/token");

Session userInfoSession(dbPath);
Wt::Auth::OidcUserInfoEndpoint userInfoEndpoint{userInfoSession.users()};
server.addResource(&userInfoEndpoint, "/oidc/userinfo");
@

I would think that both those values would have to be set to id-provider values. Is that correct?

The next point seems to be my Keycloak setup. I have set up a client (which itself has a secret). I am using this in the callback setup.

It seems to work (at least the OAuth 2.0 Authorization Response) since I receive an Authorization token.

I am using the Authorization Flow, access type confidential, and http://127.0.0.1:8082/oauth2/callback as the Valid redirect URI, and no Authentication Flow Overrides.

But what I do not get is:
a) into the callback (I have seen it randomly but not reproducible)
b) therefore OAuthAuthorizationEndpoint is called randomly, and if it happens, I get a "The request was invalid."
c) no information is written into the database
d) I never run into OAuthWidget::createLoggedInView() so that I receive "logged in as ...".

The "login" does not seem to be complete as there is no ID token, no refresh token ...?

However, I still have some output from the webserver like: [/ ucsHoGdUsIfP8AlY] [info] "Auth.OidcService: user info: {with the complete user info from Keycloak}

Something seems to be missing, please help :)

Regards, Peter

RE: OIDC authentication/authorization - Added by Wim Dumon 27 days ago

Hey Peter,

From what I understand, you seem to be mixing up the OIDC client and provider.

Please also check the examples example/feature/oauth and example/feature/oidc.

You probably only want to use the oauth example. Please note that the implementation of the Google identity client can also be considered an example (src/Wt/Auth/GoogleService.C)

Best regards,
Wim.

RE: OIDC authentication/authorization - Added by Peter Tagwercher 26 days ago

Hi Wim,

I don't think I am mixing things up.

What we need is either OpenID Connect (OIDC) or SAML. As there is no SAML implementation I tried to use the OIDC example (example/feature/oidc) and adapted it to connect to Keycloak.

I will have a look at the Google identity client; if there is any implementation that exchanges the authorization code for an access token and a refresh token then this might be the solution - otherwise probably not.

Best regards,
Peter

RE: OIDC authentication/authorization - Added by Peter Tagwercher 23 days ago

Hi again,

I am still struggling with a successful "handshake", so maybe I am mixing things up.

The setup:
- Keycloak running on http://127.0.0.1:8080

OidcService-setup:
redirectendpoint /oauth2/callback
ClientId and ClientSecret are set to a valid Keycloak Client.
authendpoint /auth/realms/dev/protocol/openid-connect/auth
tokenendpoint /auth/realms/dev/protocol/openid-connect/token
userinfo /auth/realms/dev/protocol/openid-connect/userinfo

Let's see what I do:
  • opening the browser at http://127.0.0.1:8082 (where the Wt OIDC is running)
  • this opens OidcClient, therefore presenting the logo, clicking on it calls startAuthenticate
  • which itself opens the Keycloak login as a popup, I am entering my user credentials, then clicking Log In.
  • I receive both signals, authorized() and authenticated(), therefore I do have a (temporary) access token.
  • Therefore, Keycloak, after a successful login, redirects to /oauth2/callback
  • End.

What I am missing in this handshake is that OAuthorizationEndpoint is never called (so I never have access to an id token or refresh token).

So the question now is, what is this url for and "who" would call that:
server.addEntryPoint(Wt::EntryPointType::Application, callback, "/oauth2");

As this URI is never hit, OAuthorizationEndpoint is never processed.

Something small seems to be wrong, maybe your example assumes that authendpoint (from service setup) and the "/oauth2" should match (as both have "/oauth2"), but when working with Keycloak this /oauth2 is never hit.

Best regards,
Peter

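Added example (not Wt code and not from anyone in this thread): a pure-Python, in-memory model of the authorization-code handshake described in the post above, separating the endpoints the identity provider (Keycloak in this setup) hosts from the single redirect endpoint the relying-party application hosts. The URLs mirror the setup listed in the post; the client id, client secret, user name and token formats are constructed. It also shows the checks each side should make: exact redirect_uri matching and single-use codes on the provider, and state verification on the client callback.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Paths taken from the thread's setup; ids/secrets below are constructed.
PROVIDER_BASE = "http://127.0.0.1:8080/auth/realms/dev/protocol/openid-connect"
CLIENT_REDIRECT = "http://127.0.0.1:8082/oauth2/callback"


class Provider:
    """Identity provider (Keycloak's role). It hosts /auth, /token and /userinfo
    and is the only party that issues codes and tokens. A client application
    that talks to an external provider never hosts these three endpoints."""

    def __init__(self):
        self.clients = {}        # client_id -> (client_secret, {registered redirect_uris})
        self.codes = {}          # code -> (client_id, redirect_uri, subject)
        self.access_tokens = {}  # access_token -> subject

    def register_client(self, client_id, client_secret, redirect_uris):
        self.clients[client_id] = (client_secret, set(redirect_uris))

    def auth_endpoint(self, params, logged_in_subject):
        """GET .../auth after the user has logged in: redirect the browser back
        to redirect_uri with a fresh code and the client's state echoed back.
        redirect_uri must exactly match a registered value (no wildcards)."""
        client_id, redirect_uri = params["client_id"], params["redirect_uri"]
        _, allowed = self.clients[client_id]
        if redirect_uri not in allowed:
            raise ValueError("redirect_uri is not registered for this client")
        code = secrets.token_urlsafe(16)
        self.codes[code] = (client_id, redirect_uri, logged_in_subject)
        return redirect_uri + "?" + urlencode({"code": code, "state": params["state"]})

    def token_endpoint(self, form):
        """POST .../token: exchange a single-use code plus client credentials
        for access, refresh and id tokens (the step the client performs
        server-to-server, not through the browser)."""
        stored_secret, _ = self.clients[form["client_id"]]
        if not hmac.compare_digest(form["client_secret"], stored_secret):
            raise PermissionError("invalid_client")
        entry = self.codes.pop(form.get("code", ""), None)  # pop: a code is valid once
        if entry is None or entry[:2] != (form["client_id"], form["redirect_uri"]):
            raise PermissionError("invalid_grant")
        access = secrets.token_urlsafe(16)
        self.access_tokens[access] = entry[2]
        return {"access_token": access, "refresh_token": secrets.token_urlsafe(16),
                "id_token": "constructed-id-token-for-" + entry[2], "token_type": "Bearer"}

    def userinfo_endpoint(self, access_token):
        """GET .../userinfo with a bearer token."""
        return {"sub": self.access_tokens[access_token]}


class Client:
    """Relying party (the Wt application's role): it only hosts the redirect
    endpoint and keeps the client secret on the server side."""

    def __init__(self, provider, client_id, client_secret, redirect_uri):
        self.provider = provider
        self.client_id, self.client_secret = client_id, client_secret
        self.redirect_uri = redirect_uri
        self.pending_states = set()

    def start_authenticate(self):
        """Build the URL the login popup opens; state binds the later callback
        to this browser session."""
        state = secrets.token_urlsafe(16)
        self.pending_states.add(state)
        return PROVIDER_BASE + "/auth?" + urlencode({
            "response_type": "code", "client_id": self.client_id,
            "redirect_uri": self.redirect_uri, "scope": "openid", "state": state})

    def callback(self, redirect_url):
        """Handle the browser landing on /oauth2/callback?code=...&state=..."""
        q = parse_qs(urlparse(redirect_url).query)
        state, code = q["state"][0], q["code"][0]
        if state not in self.pending_states:
            raise PermissionError("state was not issued by this client (CSRF or replay)")
        self.pending_states.discard(state)
        tokens = self.provider.token_endpoint({
            "grant_type": "authorization_code", "code": code,
            "redirect_uri": self.redirect_uri, "client_id": self.client_id,
            "client_secret": self.client_secret})
        userinfo = self.provider.userinfo_endpoint(tokens["access_token"])
        return tokens, userinfo


def build_pair():
    idp = Provider()
    idp.register_client("wt-app", "wt-secret", [CLIENT_REDIRECT])
    return idp, Client(idp, "wt-app", "wt-secret", CLIENT_REDIRECT)


def run_flow(subject="peter"):
    """Whole handshake: popup -> provider login -> redirect -> code exchange."""
    idp, app = build_pair()
    auth_url = app.start_authenticate()
    params = {k: v[0] for k, v in parse_qs(urlparse(auth_url).query).items()}
    back = idp.auth_endpoint(params, subject)  # user authenticated at the provider
    tokens, userinfo = app.callback(back)      # browser hits the client's redirect endpoint
    return {"redirect": back, "tokens": tokens, "userinfo": userinfo, "app": app}


def replayed_callback_is_rejected():
    """A second delivery of the same callback URL must fail on the state check."""
    result = run_flow()
    try:
        result["app"].callback(result["redirect"])
    except PermissionError:
        return True
    return False
```

The division of labour is the point: the three "set*Endpoint" values name URLs on the provider, while the only URL the application itself must serve is the redirect endpoint, and that is the one the provider's client registration has to list exactly.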