failing on redirect to original url
hokiegeek2 opened this issue · 2 comments
First off, this project is great, really appreciate @Gwojda starting this project up and the collective efforts as well as insights of @Gwojda @fmowersddx @MarkKlerkx and others who've contributed PRs and/or submitted issues.
The Keycloak authentication step is working really well. What I am encountering is the following, where a bad certificate error is thrown when I attempt to integrate keycloakopenid with the Traefik whoami example app, where Traefik is the ingress controller for my Kubernetes cluster.
I can see in the source code the step where keycloakopenid confirms there's no bearer token for the client...
...so execution drops down to the else block and a call is made out to keycloak via redirectToKeycloak
Logging shows the request to keycloak succeeds.
Upon return from Keycloak, the subsequent call to the originating URL, /whoami, throws the 500 error:
Looking at the source code, the redirect request gets past the state check, again indicating the keycloak authentication step proceeds as expected:
I am thinking the error is thrown here:
Since the authentication with Keycloak succeeded, there should be an auth token appended to the response. Curl logging shows the name of the field containing the returned bearer token is KEYCLOAK_IDENTITY:
I configured keycloakopenid accordingly:
If I am interpreting the docs correctly, it seems that the bearer token would have been pulled from the KEYCLOAK_IDENTITY cookie and put into the Authorization Bearer cookie:
But it's not, as evidenced by this if statement and follow-on logging:
So I am wondering how to configure this correctly and, again, whether I am interpreting the docs correctly regarding the TokenCookieName parameter.
The other question is whether anyone has used keycloakopenid in a Kubernetes cluster where TLS terminates at the Traefik ingress controller. The initial token REST call to Keycloak succeeds, but the token introspection step fails with a cert error. I may have to do some header manipulation unless someone else has another solution.
Any insights are uber appreciated--thanks!
--John
Just to sum up, the two issues I'm working to resolve are:
- how to get the Authorization Bearer header or cookie set in keycloakopenid
- how to get the second redirect to work when TLS is terminated in a Traefik ingress environment. The cert error is in the second call to Keycloak in the redirect back to the original URL.
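As an added illustration, not code from the keycloakopenid plugin or from this thread: a minimal Go `net/http` middleware showing the mechanism the two questions turn on. It reads the token from a configured cookie (here the KEYCLOAK_IDENTITY name mentioned above), forwards it to the upstream as an `Authorization: Bearer` header, and otherwise redirects to the identity provider with a random state value; it also rebuilds the client-facing original URL when TLS has already been terminated by an ingress. The `Config` field names, the `oidc_state` cookie, the hosts `idp.example` and `whoami.example`, the token value and the `X-Forwarded-Proto` handling are all assumptions made for this example.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// Config holds the two settings this thread is about. The field names are
// hypothetical, chosen for this illustration; they are not the plugin's.
type Config struct {
	TokenCookieName string // cookie the identity provider sets after login
	LoginURL        string // authorization endpoint unauthenticated requests go to
}

// CookieToBearer promotes a session cookie to an Authorization: Bearer
// header for the upstream, or redirects the client to the IdP.
type CookieToBearer struct {
	next http.Handler
	cfg  Config
}

func New(next http.Handler, cfg Config) *CookieToBearer {
	return &CookieToBearer{next: next, cfg: cfg}
}

// BearerFromRequest returns the token to forward: an explicit Authorization
// header wins, otherwise the configured cookie is used.
func BearerFromRequest(r *http.Request, cookieName string) (string, bool) {
	if h := r.Header.Get("Authorization"); strings.HasPrefix(h, "Bearer ") {
		if tok := strings.TrimSpace(strings.TrimPrefix(h, "Bearer ")); tok != "" {
			return tok, true
		}
	}
	if c, err := r.Cookie(cookieName); err == nil && c.Value != "" {
		return c.Value, true
	}
	return "", false
}

// OriginalURL rebuilds the URL the client actually requested. Behind an
// ingress that terminates TLS, r.TLS is nil, so the scheme must come from
// X-Forwarded-Proto; that header is only trustworthy when the ingress sets it.
func OriginalURL(r *http.Request) string {
	scheme := "http"
	if r.TLS != nil {
		scheme = "https"
	}
	if p := r.Header.Get("X-Forwarded-Proto"); p == "http" || p == "https" {
		scheme = p
	}
	return scheme + "://" + r.Host + r.URL.RequestURI()
}

// newState returns a random anti-CSRF state value for the login redirect.
func newState() string {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return hex.EncodeToString(b)
}

func (m *CookieToBearer) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	tok, ok := BearerFromRequest(r, m.cfg.TokenCookieName)
	if !ok {
		state := newState()
		http.SetCookie(w, &http.Cookie{
			Name: "oidc_state", Value: state, Path: "/",
			HttpOnly: true, Secure: true, SameSite: http.SameSiteLaxMode,
		})
		u, err := url.Parse(m.cfg.LoginURL)
		if err != nil {
			http.Error(w, "bad login url", http.StatusInternalServerError)
			return
		}
		q := u.Query()
		q.Set("state", state)
		q.Set("redirect_uri", OriginalURL(r))
		u.RawQuery = q.Encode()
		http.Redirect(w, r, u.String(), http.StatusFound)
		return
	}
	r.Header.Set("Authorization", "Bearer "+tok)
	m.next.ServeHTTP(w, r)
}

func main() {
	// Constructed demo: one request carrying the cookie, one without.
	echo := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintln(w, "upstream saw:", r.Header.Get("Authorization"))
	})
	mw := New(echo, Config{TokenCookieName: "KEYCLOAK_IDENTITY", LoginURL: "https://idp.example/auth"})
	for _, withCookie := range []bool{true, false} {
		req := httptest.NewRequest("GET", "http://whoami.example/whoami", nil)
		req.Header.Set("X-Forwarded-Proto", "https") // what a TLS-terminating ingress adds
		if withCookie {
			req.AddCookie(&http.Cookie{Name: "KEYCLOAK_IDENTITY", Value: "constructed-token"})
		}
		rec := httptest.NewRecorder()
		mw.ServeHTTP(rec, req)
		fmt.Println(rec.Code, rec.Header().Get("Location"), strings.TrimSpace(rec.Body.String()))
	}
}
```

The `OriginalURL` helper is the piece that matters for the ingress question: once TLS ends at Traefik, the plugin's request has `r.TLS == nil`, so a `redirect_uri` built from the connection alone comes out as `http://` and will not match what the provider was registered with; taking the scheme from `X-Forwarded-Proto` avoids that, provided the ingress overwrites the header rather than passing a client-supplied one through.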