Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

OpenIDConnectClientException #102

Open
jamesacris opened this issue Jun 19, 2023 · 5 comments
Open

OpenIDConnectClientException #102

jamesacris opened this issue Jun 19, 2023 · 5 comments

Comments

@jamesacris
Copy link

Hi all,

Getting an error with the OIDC plugin when I use it with keycloak. I have everything configured as the docs suggest, and I can see that the jwt contains all the correct information, including the role misp-access.

Here's the error:

Error: [JakubOnderka\OpenIDConnectClientException] Code verifier from session is empty
Request URL: /users/login?state=MsH45VzRfjND2KsXGrN7QQ&session_state=b80f2bca-3fe6-47c6-9335-3b89de0d8226&code=ecc741e8-7ed2-4edb-8fea-1dacc6a01d9b.b80f2bca-3fe6-47c6-9335-3b89de0d8226.c4d5b0c4-c00a-4cfe-9477-f2ff2469fed9
Stack Trace:
#0 /var/www/MISP/app/Vendor/jakub-onderka/openid-connect-php/src/OpenIDConnectClient.php(466): JakubOnderka\OpenIDConnectClient->requestTokens()
#1 /var/www/MISP/app/Plugin/OidcAuth/Lib/Oidc.php(22): JakubOnderka\OpenIDConnectClient->authenticate()
#2 /var/www/MISP/app/Plugin/OidcAuth/Controller/Component/Auth/OidcAuthenticate.php(33): Oidc->authenticate()
#3 /var/www/MISP/app/Vendor/cakephp/cakephp/lib/Cake/Controller/Component/AuthComponent.php(772): OidcAuthenticate->authenticate()
#4 /var/www/MISP/app/Vendor/cakephp/cakephp/lib/Cake/Controller/Component/AuthComponent.php(612): AuthComponent->identify()
#5 /var/www/MISP/app/Controller/UsersController.php(1211): AuthComponent->login()
#6 [internal function]: UsersController->login()
#7 /var/www/MISP/app/Vendor/cakephp/cakephp/lib/Cake/Controller/Controller.php(499): ReflectionMethod->invokeArgs()
#8 /var/www/MISP/app/Vendor/cakephp/cakephp/lib/Cake/Routing/Dispatcher.php(193): Controller->invokeAction()
#9 /var/www/MISP/app/Vendor/cakephp/cakephp/lib/Cake/Routing/Dispatcher.php(167): Dispatcher->_invoke()
#10 /var/www/MISP/app/webroot/index.php(99): Dispatcher->dispatch()
#11 {main}

I'm not an expert in OIDC, but I found a good explainer of the PKCE flow here: https://frameworks.readthedocs.io/en/latest/spring-boot/spring-boot2/keycloakOAuth2PKCE.html - this suggests that the code verifier the plugin cannot find should be created by the client at the start of the flow. I'm not sure how it could go missing. Perhaps I'm just missing a setting in keycloak, does anyone know what might be the cause?
@mdavis332
Copy link

hi @jamesacris, did you ever figure this one out? I'm seeing the same thing when trying to use Okta as the provider. I see in the code where the plugin sets the code verifier in the session key, and again where it fails to retrieve that same code verifier a few steps later.

My session cookie is getting saved in the browser, and the session ID does correspond to a session saved in redis (which is what I'm using for a session store). However, the contents of the redis key tied to the session id don't show a code verifier in there. It makes me wonder if the code verifier isn't actually getting written to the session or if it's generating a new session by the time it goes to retrieve the code verifier...

@mdavis332
Copy link

mdavis332 commented Nov 15, 2023
edited
Loading

or if it's generating a new session by the time it goes to retrieve the code verifier...

Just verified this is exactly what's happening for me. I added some debug statements to print the session_id just before it saves the code verifier into the session, and again right before it's retrieved (L856 and L969 of app/Vendor/jakub-onderka/openid-connect-php/src/OpenIDConnectClient.php).

It's writing the code verifier into a totally different session than the one it attempts to retrieve it from: hence why it's missing.

I have no idea why it's getting different session keys though.

@mdavis332
Copy link

This very specific issue of newly generated cookies was due to the session.cookie_samesite being set to Strict by default. It effectively seems that if you're using OIDC, you have to set that attribute to Lax. In my opinion, the container startup should handle that for you, but I've written that logic into some terraform that I'm using. Hope that helps @jamesacris

@jamesacris
Copy link
Author

Hi @mdavis332, thanks for looking into this. What you describe sounds like exactly the issue I was having, good to know it's due to the code verifier being written into a different session to the initial one.

Glad you managed to fix it, I believe I tried changing the session.cookie_samesite option as part of trying to fix this, but that easily could have been when I was trying to use a different OIDC provider. Perhaps this will work for Keycloak too, I will test if I get the time. For my MISP, I ended up using a new deployment developed by JISC that has a really nice docker integration and was much easier to integrate with OIDC providers.

@mdavis332
Copy link

Hi @jamesacris, glad to hear you got something working. And thanks for pointing out the JISC deployment -- I didn't know that team was working on one. Good people there, tell Joe P. I said "hi" :)

If this is no longer an issue for you, I'll leave it to you to close at your pleasure.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@mdavis332 @jamesacris