-
Notifications
You must be signed in to change notification settings - Fork 36
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Enable PKCE for reactive logout SPA flow test #943
Conversation
run tests |
e41cbbc
to
b416398
Compare
run tests |
Is there a TP for this? |
@rsvoboda that's in description, I know TP review might change a scope of this PR heavily, but I still wanted to run CI :-) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
TP is already merged, so I will put mi thoughts here
quarkus.oidc.authentication.pkce-required
is not set, but Keycloack expects that
This is what I get in the test:
[ERROR] Tests run: 1, Failures: 0, Errors: 1, Skipped: 0, Time elapsed: 38.071 s <<< FAILURE! - in io.quarkus.ts.security.keycloak.oidcclient.reactive.extended.LogoutSinglePageAppFlowIT
[ERROR] singlePageAppLogoutFlow Time elapsed: 2.068 s <<< ERROR!
com.gargoylesoftware.htmlunit.FailingHttpStatusCodeException: 401 Unauthorized for http://localhost:1101/code-flow?error=invalid_request&error_description=Missing+parameter%3A+code_challenge_method&state=330baf5c-786b-4d3f-9253-f4baa6a40ae8
at com.gargoylesoftware.htmlunit.WebClient.throwFailingHttpStatusCodeExceptionIfNecessary(WebClient.java:765)
at com.gargoylesoftware.htmlunit.WebClient.getPage(WebClient.java:520)
at com.gargoylesoftware.htmlunit.WebClient.getPage(WebClient.java:417)
at com.gargoylesoftware.htmlunit.WebClient.getPage(WebClient.java:555)
at com.gargoylesoftware.htmlunit.WebClient.getPage(WebClient.java:537)
at io.quarkus.ts.security.keycloak.oidcclient.reactive.extended.LogoutSinglePageAppFlowIT.makeHttpPostFormLogin(LogoutSinglePageAppFlowIT.java:76)
at io.quarkus.ts.security.keycloak.oidcclient.reactive.extended.LogoutSinglePageAppFlowIT.singlePageAppLogoutFlow(LogoutSinglePageAppFlowIT.java:50)
Can be the used somehow notified about the need for PKCE / https://quarkus.io/guides/security-openid-connect-web-authentication#proof-of-key-for-code-exchange-pkce ?
I know the response comes from Keycloak which is not aware of the client details / Quarkus. but still would be nice if this could be detected on Quarkus side. WDYT?
Keycloak with "pkce.code.challenge.method" : "plain"
Quarkus impl supports only S256
but what if the provider is configured to plain
?
In the test I get com.gargoylesoftware.htmlunit.FailingHttpStatusCodeException: 401 Unauthorized for http://localhost:1101/code-flow?error=invalid_request&error_description=Invalid+parameter%3A+code+challenge+method+is+not+configured+one&state=7653818c-ce5b-412e-935a-ab6ed4bbd87b
when I change the relevant json file part.
The message is again quite PKCE specific and user may not be necessarily aware of that config being available / enabled. Maybe it's an input towards Keycloak to add PKCE keyword. WDYT?
Is PKCE optional?
When Keycloak is set to support PKCE, it seems all the apps need to be adjusted to use that. Is it correct conclusion?
I think these are damn good questions, but I had a long day, I'll investigate tomorrow and let you know. |
Sure, no worries. We have time to check the stuff with Minor priority, nobody pushes us to that this week. We will handle them in January. |
I think Quarkus OIDC should work for all providers and I don't see something about this in specs, but I'm very far from being expert here. I think we could open Quarkus feature issue and ask Pedro Igor or Sergey if there is some Keycloak endpoint that provides the information. Personally I wouldn't do it as it necessarily requires call to Keycloak to find out, right? However it will make sense to do with Oauth2.1 and code flow that shouldn't work without PKCE. Anyway I found a note in one Quarkus issue that IMHO suggests it can be discovered, please see quarkusio/quarkus#23579 (comment)
Docs mentions just s256 https://quarkus.io/guides/security-openid-connect-web-authentication#proof-of-key-for-code-exchange-pkce and the PR says plain is not important quarkusio/quarkus#23423. I checked opened issues and I don't see any user request. If provider is set to plain, challenge won't ever be successful on provider side.
I agree having PKCE in description would be nice thing, but response exactly comply specs https://www.rfc-editor.org/rfc/rfc7636#section-4.4.1,
IMHO no, citing specs If the server requires Proof Key for Code Exchange (PKCE) by OAuth P.S. I'll add you @rsvoboda as (optional) reviewer as you seem to know a lot about the topic. |
Yes, seems not worth the extra code and call in PKCE case.
+1
+1
Thanks, but not a pro in the area. I was just trying to explore various usa-cases. |
implements quarkus-qe/quarkus-test-plans#117 (cherry picked from commit 5d676c0)
[2.13] Enable PKCE for reactive logout SPA flow test (#943)
Summary
Enables PKCE for logout SPA flow test in
LogoutSinglePageAppFlowIT
andOpenShiftOidcSinglePageAppLogoutFlowIT
. Reasoning explained in depth in https://github.com/quarkus-qe/quarkus-test-plans/blob/main/QUARKUS-2491.md. We know tests verifies PKCE as with changes inkc-logout-realm.json
and without enabling PKCE inapplication.properties
, tests are failing.Please select the relevant options.
run tests
phrase in comment)Checklist: