jacekkow/keycloak-protocol-cas

Problem decoding UTF-8 URI components

pereng opened this issue · 3 comments

pereng commented

Hi.

We are currently trying to migrate all our CAS enabled applications to Keycloak using keycloak-protocol-cas provider. Among those applications we have an instance of MediaWiki. Being a Swedish organisation, many user-created pages contain non-ASCII characters in their title, thus also in the URL. I.e. https://wiki.[org].se/wiki/Övervakning. If this is the first page a user accesses, they will be required to authenticate themselves and get redirected to Keycloak: https://keycloak.[org].se/realms/[realm]/protocol/cas/login?service=https%3a%2f%2fwiki.[org].se%2fwiki%2f%C3%96vervakning

The wiki handles authentication in Apache HTTPD using mod_auth_cas (snippet with relevant VHost configuration):

CASLoginURL         https://keycloak.[org].se/realms/[realm]/protocol/cas/login
CASValidateSAML     On
CASValidateURL      https://keycloak.[org].se/realms/[realm]/protocol/cas/samlValidate

<Location />
  AuthType CAS
  AuthName "CAS"
  CASScope /
  Require valid-user
</Location>

After successful authentication the user is redirected back to the wiki application, where the CAS ticket fails to validate. The following validation request gives HTTP Status 400 - Bad Request: https://keycloak.[org].se/realms/[realm]/protocol/cas/samlValidate?TARGET=https%3a%2f%2fwiki.[org].se%2fwiki%2f\xc3\x96vervakning.
Keycloak logs: [org.keycloak.protocol.cas.endpoints.SamlValidateEndpoint] (executor-thread-93) Invalid SAML1.1 token Code not valid

Other requests to the same endpoint, without UTF-8 encoded characters, validate just fine.

My guess is that TARGET request parameter gets decoded wrong.

The validation URL is clearly invalid. Instead of:

https://keycloak.[org].se/realms/[realm]/protocol/cas/samlValidate?TARGET=https%3a%2f%2fwiki.[org].se%2fwiki%2f\xc3\x96vervakning

it should read:

https://keycloak.[org].se/realms/[realm]/protocol/cas/samlValidate?TARGET=https%3a%2f%2fwiki.[org].se%2fwiki%2f%c3%96vervakning

Note the different encoding: \xXX (invalid) vs %XX (valid). Isn't this invalid parameter generated by mod_auth_cas?

pereng commented

Yes. The request is indeed generated by mod_auth_cas, v. 1.0.10 to be exact. We are migrating from Jasig CAS, aka Apereo CAS, and have had no previous problems such as these... I don't know how to configure mod_auth_cas to use %xx instead of \xXX encoding. I don't even think it is possible.

mod_auth_cas sends the following request line:

0000   47 45 54 20 2f 72 65 61 6c 6d 73 2f 6d 61 73 74   GET /realms/mast
0010   65 72 2f 70 72 6f 74 6f 63 6f 6c 2f 63 61 73 2f   er/protocol/cas/
0020   73 65 72 76 69 63 65 56 61 6c 69 64 61 74 65 3f   serviceValidate?
0030   73 65 72 76 69 63 65 3d 68 74 74 70 25 33 61 25   service=http%3a%
0040   32 66 25 32 66 31 37 32 2e 31 37 2e 30 2e 33 25   2f%2f172.17.0.3%
0050   32 66 c3 96 76 65 72 76 61 6b 6e 69 6e 67 2e 68   2f..vervakning.h
0060   74 6d 6c 26 74 69 63 6b 65 74 3d 53 54 2d 62 65   tml&ticket=ST-be
0070   31 31 39 61 39 65 2d 65 66 36 30 2d 34 35 66 37   119a9e-ef60-45f7
0080   2d 61 33 33 38 2d 66 30 35 37 35 38 35 66 32 61   -a338-f057585f2a
0090   39 64 2e 35 32 65 66 65 35 37 37 2d 36 39 64 61   9d.52efe577-69da
00a0   2d 34 36 39 33 2d 38 39 36 37 2d 38 66 38 61 34   -4693-8967-8f8a4
00b0   31 36 32 66 64 38 30 2e 65 65 63 64 37 39 65 30   162fd80.eecd79e0
00c0   2d 38 66 65 38 2d 34 33 63 39 2d 62 37 30 62 2d   -8fe8-43c9-b70b-
00d0   65 65 32 31 39 62 64 34 32 39 65 62 20 48 54 54   ee219bd429eb HTT
00e0   50 2f 31 2e 31 0d 0a                              P/1.1..

with bytes 0xC3 0x96 in the URL. This is an invalid request that is (correctly) rejected with "400 Bad Request". Please contact the authors of mod_auth_cas - it needs to be fixed there.
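An added illustration of the point made in this thread (example code, not part of the issue, mod_auth_cas or keycloak-protocol-cas): it takes a request line constructed after the hex dump above (with a placeholder ticket), lists the bytes that are not allowed literally in an HTTP request-target, shows the percent-encoded form the client should have sent, and decodes the service parameter from the corrected form.

```python
"""Check an HTTP request-target for raw (non-percent-encoded) bytes, as in the
mod_auth_cas request shown in this issue, and show the correctly encoded form."""
from urllib.parse import parse_qs, urlsplit

# Octets that may appear literally in a request-target (RFC 3986 unreserved and
# sub-delims, plus ":" "@" "/" "?" and "%" for pct-encoding). Anything else,
# including raw UTF-8 bytes such as 0xC3 0x96, must be percent-encoded.
ALLOWED = set(
    b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~"
    b"!$&'()*+,;=:@/?%"
)

# Constructed request line modelled on the dump above; the ticket is a placeholder.
RAW_REQUEST_LINE = (
    b"GET /realms/master/protocol/cas/serviceValidate?service=http%3a%2f%2f172.17.0.3%2f"
    b"\xc3\x96vervakning.html&ticket=ST-PLACEHOLDER HTTP/1.1\r\n"
)


def request_target(line: bytes) -> bytes:
    """Return the request-target (second token) of an HTTP/1.1 request line."""
    _method, target, _version = line.rstrip(b"\r\n").split(b" ", 2)
    return target


def offending_bytes(target: bytes) -> list[int]:
    """Bytes that may not appear literally in a request-target (why the server answers 400)."""
    return [b for b in target if b not in ALLOWED]


def repair_target(target: bytes) -> str:
    """Percent-encode every disallowed byte; existing %XX escapes are left as they are."""
    return "".join(chr(b) if b in ALLOWED else "%%%02X" % b for b in target)


def service_param(target: str) -> str:
    """Decode the 'service' query parameter of a well-formed target back to a URL."""
    return parse_qs(urlsplit(target).query)["service"][0]


if __name__ == "__main__":
    target = request_target(RAW_REQUEST_LINE)
    print("bytes outside the allowed set:", [hex(b) for b in offending_bytes(target)])
    fixed = repair_target(target)
    print("corrected request-target:", fixed)
    print("decoded service URL:", service_param(fixed))
```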