NUKIB/misp

OpenIDConnectClientException

jamesacris opened this issue · 5 comments

Hi all,

Getting an error with the OIDC plugin when I use it with Keycloak. I have everything configured as the docs suggest, and I can see that the JWT contains all the correct information, including the role misp-access.

Here's the error:

Error: [JakubOnderka\OpenIDConnectClientException] Code verifier from session is empty
Request URL: /users/login?state=MsH45VzRfjND2KsXGrN7QQ&session_state=b80f2bca-3fe6-47c6-9335-3b89de0d8226&code=ecc741e8-7ed2-4edb-8fea-1dacc6a01d9b.b80f2bca-3fe6-47c6-9335-3b89de0d8226.c4d5b0c4-c00a-4cfe-9477-f2ff2469fed9
Stack Trace:
#0 /var/www/MISP/app/Vendor/jakub-onderka/openid-connect-php/src/OpenIDConnectClient.php(466): JakubOnderka\OpenIDConnectClient->requestTokens()
#1 /var/www/MISP/app/Plugin/OidcAuth/Lib/Oidc.php(22): JakubOnderka\OpenIDConnectClient->authenticate()
#2 /var/www/MISP/app/Plugin/OidcAuth/Controller/Component/Auth/OidcAuthenticate.php(33): Oidc->authenticate()
#3 /var/www/MISP/app/Vendor/cakephp/cakephp/lib/Cake/Controller/Component/AuthComponent.php(772): OidcAuthenticate->authenticate()
#4 /var/www/MISP/app/Vendor/cakephp/cakephp/lib/Cake/Controller/Component/AuthComponent.php(612): AuthComponent->identify()
#5 /var/www/MISP/app/Controller/UsersController.php(1211): AuthComponent->login()
#6 [internal function]: UsersController->login()
#7 /var/www/MISP/app/Vendor/cakephp/cakephp/lib/Cake/Controller/Controller.php(499): ReflectionMethod->invokeArgs()
#8 /var/www/MISP/app/Vendor/cakephp/cakephp/lib/Cake/Routing/Dispatcher.php(193): Controller->invokeAction()
#9 /var/www/MISP/app/Vendor/cakephp/cakephp/lib/Cake/Routing/Dispatcher.php(167): Dispatcher->_invoke()
#10 /var/www/MISP/app/webroot/index.php(99): Dispatcher->dispatch()
#11 {main}

I'm not an expert in OIDC, but I found a good explainer of the PKCE flow here: https://frameworks.readthedocs.io/en/latest/spring-boot/spring-boot2/keycloakOAuth2PKCE.html - this suggests that the code verifier the plugin cannot find should be created by the client at the start of the flow. I'm not sure how it could go missing. Perhaps I'm just missing a setting in Keycloak; does anyone know what might be the cause?

Hi @jamesacris, did you ever figure this one out? I'm seeing the same thing when trying to use Okta as the provider. I see in the code where the plugin sets the code verifier in the session key, and again where it fails to retrieve that same code verifier a few steps later.

My session cookie is getting saved in the browser, and the session ID does correspond to a session saved in Redis (which is what I'm using for a session store). However, the contents of the Redis key tied to the session ID don't show a code verifier in there. It makes me wonder if the code verifier isn't actually getting written to the session or if it's generating a new session by the time it goes to retrieve the code verifier...

or if it's generating a new session by the time it goes to retrieve the code verifier...

Just verified this is exactly what's happening for me. I added some debug statements to print the session_id just before it saves the code verifier into the session, and again right before it's retrieved (L856 and L969 of app/Vendor/jakub-onderka/openid-connect-php/src/OpenIDConnectClient.php).

It's writing the code verifier into a totally different session than the one it attempts to retrieve it from, which is why it's missing.

I have no idea why it's getting different session keys though.

This very specific issue of newly generated cookies was due to session.cookie_samesite being set to Strict by default. It effectively seems that if you're using OIDC, you have to set that attribute to Lax. In my opinion, the container startup should handle that for you, but I've written that logic into some Terraform that I'm using. Hope that helps @jamesacris
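The two observations above (the code verifier landing in a different session ID than the one read back at the callback, and the fix of changing session.cookie_samesite from Strict to Lax) can be reproduced in a small simulation. The following is an added example, not code from the MISP OIDC plugin or the openid-connect-php library: it models a browser cookie jar that applies SameSite rules and a toy relying party that stores the PKCE code verifier in a cookie-backed session, then runs the login round trip under each policy. Hostnames, the session cookie name and the session store are constructed for the example; the exception message mirrors the one in the stack trace.

```python
import base64
import hashlib
import secrets

# Constructed hostnames for the example; not values from the issue thread.
MISP_HOST = "misp.example.test"   # the OIDC relying party (MISP)
IDP_HOST = "idp.example.test"     # the identity provider (Keycloak/Okta)
SESSION_COOKIE = "PHPSESSID"


class OpenIDConnectClientException(Exception):
    """Stands in for the exception class named in the stack trace."""


def b64url(raw: bytes) -> str:
    """Base64url without padding, as PKCE (RFC 7636) requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


class CookieJar:
    """Minimal model of how a browser decides which cookies to attach."""

    def __init__(self):
        self._cookies = {}  # (host, name) -> (value, samesite)

    def set(self, host, name, value, samesite):
        self._cookies[(host, name)] = (value, samesite)

    def cookies_for(self, host, initiator_host, top_level_get):
        """Cookies sent on a request to `host` initiated from `initiator_host`.

        Strict: only on same-site requests. Lax: also on top-level GET
        navigations from another site, which is exactly what the redirect
        back from the identity provider to /users/login is.
        """
        same_site = initiator_host == host
        sent = {}
        for (h, name), (value, samesite) in self._cookies.items():
            if h != host:
                continue
            if samesite == "Strict" and not same_site:
                continue
            if samesite == "Lax" and not (same_site or top_level_get):
                continue
            sent[name] = value
        return sent


class RelyingParty:
    """Toy OIDC client keeping the PKCE code verifier in a cookie-backed session."""

    def __init__(self, samesite):
        self.samesite = samesite
        self.sessions = {}   # session id -> session data (think of the Redis store)
        self.last_sid = None

    def _session(self, cookies, jar):
        sid = cookies.get(SESSION_COOKIE)
        if sid not in self.sessions:
            # No usable session cookie arrived: the server starts a fresh, empty session.
            sid = secrets.token_hex(16)
            self.sessions[sid] = {}
            jar.set(MISP_HOST, SESSION_COOKIE, sid, self.samesite)
        self.last_sid = sid
        return self.sessions[sid]

    def start_login(self, jar):
        """User clicks login on MISP (same-site request): create verifier, redirect to IdP."""
        sess = self._session(jar.cookies_for(MISP_HOST, MISP_HOST, True), jar)
        verifier = b64url(secrets.token_bytes(32))
        sess["code_verifier"] = verifier
        return b64url(hashlib.sha256(verifier.encode()).digest())  # code_challenge (S256)

    def callback(self, jar):
        """IdP redirects the browser back with ?code=...: a cross-site top-level GET."""
        sess = self._session(jar.cookies_for(MISP_HOST, IDP_HOST, True), jar)
        verifier = sess.get("code_verifier")
        if not verifier:
            raise OpenIDConnectClientException("Code verifier from session is empty")
        return verifier


def simulate(samesite):
    """Run the login round trip under one SameSite policy and report what happened."""
    jar = CookieJar()
    rp = RelyingParty(samesite)
    challenge = rp.start_login(jar)
    result = {"samesite": samesite, "start_sid": rp.last_sid, "error": None, "challenge_ok": False}
    try:
        verifier = rp.callback(jar)
        # The IdP performs this S256 check when the code is exchanged for tokens.
        result["challenge_ok"] = b64url(hashlib.sha256(verifier.encode()).digest()) == challenge
    except OpenIDConnectClientException as exc:
        result["error"] = str(exc)
    result["callback_sid"] = rp.last_sid
    return result


if __name__ == "__main__":
    for policy in ("Strict", "Lax"):
        print(simulate(policy))
```

With Strict, the browser withholds the session cookie on the cross-site redirect back from the IdP, so the server opens a second, empty session and the verifier lookup fails with the same message as in the trace; with Lax, the cookie is sent on that top-level GET, the original session is found and the S256 challenge check succeeds. Lax still keeps the cookie off cross-site POSTs and subresource requests, which is why it is the usual setting for an OIDC relying party's session cookie.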

Hi @mdavis332, thanks for looking into this. What you describe sounds like exactly the issue I was having, good to know it's due to the code verifier being written into a different session to the initial one.

Glad you managed to fix it. I believe I tried changing the session.cookie_samesite option as part of trying to fix this, but that easily could have been when I was trying to use a different OIDC provider. Perhaps this will work for Keycloak too; I will test if I get the time. For my MISP, I ended up using a new deployment developed by JISC that has a really nice Docker integration and was much easier to integrate with OIDC providers.

Hi @jamesacris, glad to hear you got something working. And thanks for pointing out the JISC deployment -- I didn't know that team was working on one. Good people there, tell Joe P. I said "hi" :)

If this is no longer an issue for you, I'll leave it to you to close at your pleasure.