OIDC scope in 2021.9.6 invalid for keycloak

In 2021.9.5 OIDC auth with Keycloak worked (and it does on downgrade).

If I upgrade to the new version I get the following error from my Keycloak instance:

ERROR [org.keycloak.services] (default task-40) KC-SERVICES0093: Invalid parameter value for: scope
WARN [org.keycloak.events] (default task-40) type=LOGIN_ERROR, realmId=Intern, clientId=Nginx, userId=null, ipAddress=xxx.xxx.xxx.xxx, error=invalid_request, response_type=code, redirect_uri=https://corteza.xxx.de/auth/external/openid-connect.Nginx/callback, response_mode=query
WARN [org.keycloak.protocol.oidc.utils.OAuth2CodeParser] (default task-40) Invalid format of the code
WARN [org.keycloak.events] (default task-40) type=CODE_TO_TOKEN_ERROR, realmId=Intern, clientId=Nginx, userId=null, ipAddress=xxx.xxx.xxx.xxx, error=invalid_code, grant_type=authorization_code, client_auth_method=client-secret

Corteza:

SSO Error: oauth2: cannot fetch token: 400 Bad Request
Response: {"error":"invalid_grant","error_description":"Code not valid"}

And the access token normally sent to the client:

{
  "exp": 1643363649,
  "iat": 1643363349,
  "jti": "xxxxxxxxxxxxxxxxxxxx",
  "iss": "https://key.jidu.de/auth/realms/Intern",
  "aud": "account",
  "sub": "xxxxxxxxxxxxxxxxxxxx",
  "typ": "Bearer",
  "azp": "Nginx",
  "session_state": "xxxxxxxxxxxxxxxxxxxx",
  "acr": "1",
  "realm_access": {
    "roles": [
      …
    ]
  },
  "resource_access": {
    "Nginx": {
      "roles": [
        …
      ]
    },
    "account": {
      "roles": [
        …
      ]
    }
  },
  "scope": "openid profile email",
  "sid": "xxxxxxxxxxxxxxxxxxxx",
  "email_verified": true,
  "name": "xxxxxxxxxxxxxxxxxxxx",
  "preferred_username": "xxxxxxxxxxxxxxxxxxxx",
  "locale": "de",
  "given_name": "xxxxxxxxxxxxxxxxxxxx",
  "family_name": "xxxxxxxxxxxxxxxxxxxx",
  "email": "xxxxxxxxxxxxxxxxxxxx"
}

Seems to me that there is something wrong with the request sent to the OIDC provider.

Invalid format of the code

Hey @tnissen,
Thank you for reporting the issue, I will look into it.

For better understanding, could you please provide me the OIDC configuration along with the auth_client configuration (used for OIDC), except ID(s) and secret?

@vicky
I have tracked it down:

/go/src/corteza-server/auth/external/goth.go, line 55 ff

This code is wrong, because the length of the slice produced from an empty string is 1, not 0 (the empty string you asked to split is the result):

scope := strings.Split(pc.Scope, " ")
if len(scope) == 0 {
    scope = append(scope, "email")
}

So you can either remove the empty string from the array, use your own split function, or reset the value if it is an empty string:

scope := strings.Split(pc.Scope, " ")
if len(scope) == 1 && scope[0] == "" {
    scope[0] = "email"
}

After changing the code it works again…

1 Like
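As an added example (not code from the thread or from corteza-server), the following stand-alone Go program puts the quoted guard next to a version built on strings.Fields, which returns an empty slice for "" or whitespace-only input, so the default scope applies exactly when nothing is configured and the provider never receives an empty scope value. The function names and the duplicate-dropping step are assumptions for illustration, not Corteza's own code.

```go
package main

import (
	"fmt"
	"strings"
)

// buggyScopes mirrors the logic quoted from goth.go in the post above:
// strings.Split("", " ") yields []string{""}, so the len()==0 guard never
// fires and an empty scope "" is sent to the OIDC provider.
func buggyScopes(configured string) []string {
	scope := strings.Split(configured, " ")
	if len(scope) == 0 {
		scope = append(scope, "email")
	}
	return scope
}

// fixedScopes (hypothetical name) splits on runs of whitespace; Fields
// returns no elements for "" or "   ", so the default is applied only when
// no scope was configured. Duplicates are dropped so a scope is never
// requested twice in the authorization request.
func fixedScopes(configured string) []string {
	fields := strings.Fields(configured)
	if len(fields) == 0 {
		return []string{"email"}
	}
	seen := make(map[string]bool, len(fields))
	out := make([]string, 0, len(fields))
	for _, s := range fields {
		if !seen[s] {
			seen[s] = true
			out = append(out, s)
		}
	}
	return out
}

func main() {
	// Constructed sample configurations, including the empty one that
	// triggers Keycloak's "Invalid parameter value for: scope".
	for _, cfg := range []string{"", "   ", "openid profile email", "openid  email email"} {
		fmt.Printf("%q -> buggy=%q fixed=%q\n", cfg, buggyScopes(cfg), fixedScopes(cfg))
	}
}
```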

Hey @tnissen,
This is addressed with 2021.9.7-rc.1.