Problems with DUO MFA
olsenlid opened this issue · 2 comments
Hello!
I'm writing this since you are one of the active developers for a keycloak "gateway" to be used with traefik.
Using the plugin has been great so far for me, and I've been able to secure my web apps with a simple "traefik" client in Keycloak.
To further increase the security, I've also tried to implement 2FA/MFA through DUO Security, with a plugin(!) for Keycloak - https://github.com/instipod/DuoUniversalKeycloakAuthenticator
This plugin I have tested against https://www.keycloak.org/app/ - and it is working as intended.
But when I use it with my own production environment, I get a "too many redirects" error in my browser after completing the DUO 2FA process.
Here is my traefik's dynamic.yml configuration:
http:
  routers:
    giza:
      entryPoints:
        - "https"
      rule: "Host(`giza.example.org`)"
      middlewares:
        - default-headers
        - https-redirectscheme
        - keycloak
      tls: {}
      service: giza
    giza-local:
      entryPoints:
        - "https"
      rule: "Host(`giza.local.example.org`)"
      middlewares:
        - default-headers
        - https-redirectscheme
      tls: {}
      service: giza
  services:
    giza:
      loadBalancer:
        servers:
          - url: "https://10.0.10.201:8000"
        passHostHeader: true
  middlewares:
    https-redirectscheme:
      redirectScheme:
        scheme: https
    default-headers:
      headers:
        frameDeny: true
        browserXssFilter: true
        contentTypeNosniff: true
        forceSTSHeader: true
        stsIncludeSubdomains: true
        stsPreload: true
        stsSeconds: 15552000
        customFrameOptionsValue: SAMEORIGIN
        customRequestHeaders:
          X-Forwarded-Proto: https
    keycloak:
      plugin:
        keycloakopenid:
          ClientID: traefik
          ClientSecret: oAe5HFqkadfg9iaLADFKG0CWlABUYtN
          KeycloakRealm: traefik
          KeycloakURL: https://auth.example.org
After successfully logging in with my keycloak credentials, my authentication flow passes me to the DUO 2FA checks. After completing them, I spot this warning in my keycloak logs:
19 00:59:18,172 WARN [org.keycloak.protocol.oidc.utils.OAuth2CodeParser] (executor-thread-47) Code '76e214cd-cce5-4713-b8b3-be38f45888d6' already used for userSession 'dc09d00c-cd18-4f73-9457-374b2d703ada' and client 'bffb5066-11c4-4771-92e0-49273c50acaa'.
2023-11-19 00:59:18,172 WARN [org.keycloak.events] (executor-thread-47) type=CODE_TO_TOKEN_ERROR, realmId=325600bf-8829-435c-aa68-910fef2bfea3, clientId=traefik, userId=null, ipAddress=172.19.0.1, error=invalid_code, grant_type=authorization_code, code_id=dc09d00c-cd18-4f73-9457-374b2d703ada, client_auth_method=client-secret
2023-11-19 01:06:17,705 WARN [org.keycloak.events] (executor-thread-51) type=CODE_TO_TOKEN_ERROR, realmId=325600bf-8829-435c-aa68-910fef2bfea3, clientId=traefik, userId=null, ipAddress=172.19.0.1, error=invalid_client_credentials, grant_type=authorization_code
In the browser window, all I see is this error: received bad response from Keycloak:
{"error":"invalid_grant","error_description":"Code not valid"}
I think the problem lies in that when I complete the DUO 2FA, it sends me back to the URL that traefik uses for the keycloakopenid middleware:
Or does it try to exchange an authorized session for a token again?
The funny part is, if I just type the URL in my browser for the web app I'm trying to log into, in this case giza.example.org, I'm authenticated. It's just the part where I get sent back from DUO to keycloak, and from keycloak to my web app, that is not working.
Thanks for taking the time to look at this. And thank you for an otherwise great plugin!
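As an added illustration of the single-use rule for OAuth 2.0 authorization codes that sits behind the `invalid_grant` / "Code not valid" response above (example code written for this thread, not code from Keycloak, Traefik or the keycloakopenid plugin): it models a token endpoint that accepts a code once and rejects any later exchange of the same code, and it parses constructed Keycloak-style event lines to surface `CODE_TO_TOKEN_ERROR` events. The class and function names, the session and code ids and the sample log values are all assumptions made for the example.

```python
"""Model of why a second exchange of one OAuth 2.0 authorization code fails.

Constructed example for this thread; it is not code from Keycloak, Traefik or
the keycloakopenid plugin. It models the single-use rule for authorization
codes (RFC 6749, section 4.1.2) and parses Keycloak-style event log lines to
surface CODE_TO_TOKEN_ERROR events. All ids and log values are constructed.
"""
import secrets


class OAuthError(Exception):
    """Token endpoint error, carrying the OAuth 2.0 'error' code."""

    def __init__(self, error, description):
        super().__init__(f"{error}: {description}")
        self.error = error
        self.description = description


class AuthorizationServer:
    """Issues authorization codes and redeems each of them at most once."""

    def __init__(self):
        self._codes = {}    # code -> {"session": str, "client": str, "used": bool}
        self.warnings = []  # messages a server would log on code reuse

    def issue_code(self, user_session, client_id):
        code = secrets.token_hex(16)
        self._codes[code] = {"session": user_session, "client": client_id, "used": False}
        return code

    def exchange(self, code, client_id):
        """Redeem a code for a token; a reused or unknown code is invalid_grant."""
        entry = self._codes.get(code)
        if entry is None or entry["client"] != client_id:
            raise OAuthError("invalid_grant", "Code not valid")
        if entry["used"]:
            # Same shape as the OAuth2CodeParser warning quoted in the issue.
            self.warnings.append(
                f"Code '{code}' already used for userSession "
                f"'{entry['session']}' and client '{client_id}'."
            )
            raise OAuthError("invalid_grant", "Code not valid")
        entry["used"] = True
        return {"access_token": secrets.token_hex(8), "session": entry["session"]}


def simulate_double_callback(client_id="traefik"):
    """Run the relying party's callback twice with the same code.

    Returns (first_exchange_ok, second_exchange_error); the second value is
    the OAuth error the token endpoint returns on the repeated exchange.
    """
    server = AuthorizationServer()
    code = server.issue_code(user_session="sess-constructed-1", client_id=client_id)
    first_ok = "access_token" in server.exchange(code, client_id)
    try:
        server.exchange(code, client_id)
        second_error = None
    except OAuthError as exc:
        second_error = exc.error
    return first_ok, second_error


def parse_keycloak_event(line):
    """Return the key=value fields of an org.keycloak.events line, else None."""
    if "[org.keycloak.events]" not in line:
        return None
    start = line.find("type=")
    if start < 0:
        return None
    fields = {}
    for part in line[start:].split(", "):
        key, sep, value = part.partition("=")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def code_exchange_failures(lines):
    """List (clientId, error) for every CODE_TO_TOKEN_ERROR event in the lines."""
    failures = []
    for line in lines:
        event = parse_keycloak_event(line)
        if event and event.get("type") == "CODE_TO_TOKEN_ERROR":
            failures.append((event.get("clientId"), event.get("error")))
    return failures


# Constructed log lines in the Keycloak event format seen in the issue.
SAMPLE_LOG = [
    "2023-11-19 00:59:18,172 WARN [org.keycloak.protocol.oidc.utils.OAuth2CodeParser] "
    "(executor-thread-1) Code 'code-constructed' already used for userSession "
    "'sess-constructed' and client 'client-constructed'.",
    "2023-11-19 00:59:18,172 WARN [org.keycloak.events] (executor-thread-1) "
    "type=CODE_TO_TOKEN_ERROR, realmId=realm-constructed, clientId=traefik, userId=null, "
    "ipAddress=172.19.0.1, error=invalid_code, grant_type=authorization_code, "
    "code_id=sess-constructed, client_auth_method=client-secret",
    "2023-11-19 00:59:19,000 WARN [org.keycloak.events] (executor-thread-2) "
    "type=LOGIN, realmId=realm-constructed, clientId=traefik, userId=user-constructed",
]


if __name__ == "__main__":
    print(simulate_double_callback())          # (True, 'invalid_grant')
    print(code_exchange_failures(SAMPLE_LOG))  # [('traefik', 'invalid_code')]
```

The point of the model: the first exchange succeeds and the second, with the identical code, is refused with `invalid_grant`. If a relying party's callback handler runs the code-to-token exchange more than once for the same code (for instance because the callback request is replayed by a redirect), the second run gets exactly the error quoted above, and the server side logs a code-reuse warning rather than a credential problem. The parser is the kind of check you can run over the Keycloak event log to separate `invalid_code` (code reuse) from `invalid_client_credentials` (client secret mismatch) before changing configuration.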
Same issue for me...
Hi,
I don't have time to look at this for now; feel free to submit a fix and I'll try to review it and validate it quickly.
Gautier