由于重定向URI无效,Key斗篷令牌请求被拒绝

Keycloak Token request rejected because of invalid redirect URI

本文关键字:令牌 请求 拒绝 Key 重定向 URI 无效      更新时间:2023-09-26

在升级到Key斗篷1.9.1版本后,我们在获得基于代码的令牌时,开始收到来自keycloak.js的拒绝。

如果我们输入基本url(http://example.com)然后应用程序运行良好,登录成功,并检索令牌。

很遗憾,当进入此子页面时(https://example.com/?redirect_fragment=/asset-library/cad-view/-它是从javascript发送的,并编码了redirect_fragment,但在密钥斗篷日志中,它是可见的,解码了这个片段)我们在成功登录并获得代码后获取令牌时收到错误400。准确的反应是:

{
  "error_description": "Incorrect redirect_uri",
  "error":"invalid_grant”
}

为什么?在密钥斗篷中的有效重定向uri中,我们有(以防万一):

- https://example.com*
- https://example.com/*
- https://example.com/?redirect_fragment=/asset-library/card-view/
- https://example.com/?redirect_fragment=%2Fasset-library%2Fcard-view%2F
- http://example.com*
- http://example.com/*
- http://example.com/?redirect_fragment=/asset-library/card-view/
- http://example.com/?redirect_fragment=%2Fasset-library%2Fcard-view%2F

以下是重定向URI成功登录的日志http://example.com:

11:38:47,934 DEBUG [org.jboss.jca.core.connectionmanager.pool.validator.ConnectionValidator] (ConnectionValidator) Notifying pools, interval: 30000
11:38:47,935 DEBUG [org.jboss.jca.core.connectionmanager.pool.strategy.OnePool] (ConnectionValidator) Checking for connection within frequency
11:38:47,936 DEBUG [org.jboss.jca.core.connectionmanager.pool.strategy.OnePool] (ConnectionValidator) Returning for connection within frequency
11:38:47,937 DEBUG [org.jboss.jca.core.connectionmanager.pool.strategy.OnePool] (ConnectionValidator) Checking for connection within frequency
11:38:47,938 DEBUG [org.jboss.jca.core.connectionmanager.pool.strategy.OnePool] (ConnectionValidator) Returning for connection within frequency
11:38:47,938 DEBUG [org.jboss.jca.core.connectionmanager.pool.strategy.OnePool] (ConnectionValidator) Checking for connection within frequency
11:38:49,335 DEBUG [org.springframework.boot.context.web.OrderedRequestContextFilter] (default task-14) Bound request context to thread: HttpServletRequestImpl [ GET /auth/realms/xxxxxx/protocol/openid-connect/auth ]
11:38:49,336 DEBUG [org.jboss.resteasy.resteasy_jaxrs.i18n] (default task-14) RESTEASY002315: PathInfo: /realms/xxxxxx/protocol/openid-connect/auth
11:38:49,348 DEBUG [org.keycloak.services] (default task-14) AUTHENTICATE
11:38:49,357 DEBUG [org.keycloak.services] (default task-14) AUTHENTICATE ONLY
11:38:49,358 DEBUG [org.keycloak.services] (default task-14) processFlow
11:38:49,358 DEBUG [org.keycloak.services] (default task-14) check execution: auth-cookie requirement: ALTERNATIVE
11:38:49,358 DEBUG [org.keycloak.services] (default task-14) authenticator: auth-cookie
11:38:49,359 DEBUG [org.keycloak.services] (default task-14) invoke authenticator.authenticate
11:38:49,360 DEBUG [org.keycloak.services] (default task-14) token active - active: true, issued-at: 1,461,152,319, not-before: 0
11:38:49,361 DEBUG [org.keycloak.services] (default task-14) authenticator SUCCESS: auth-cookie
11:38:49,361 DEBUG [org.keycloak.services] (default task-14) check execution: auth-spnego requirement: DISABLED
11:38:49,361 DEBUG [org.keycloak.services] (default task-14) execution is processed
11:38:49,362 DEBUG [org.keycloak.services] (default task-14) check execution: null requirement: ALTERNATIVE
11:38:49,362 DEBUG [org.keycloak.services] (default task-14) Skip alternative execution
11:38:49,362 DEBUG [org.keycloak.services] (default task-14) Using full scope for client
11:38:49,363 DEBUG [org.keycloak.events] (default task-14) type=LOGIN, realmId=xxxxxx, clientId=api, userId=64e2ec92-a6ee-4705-a8b3-adebe9c3c816, ipAddress=172.17.0.1, auth_method=openid-connect, auth_type=code, response_type=code, redirect_uri=https://example.com/, consent=no_consent_required, code_id=1e564327-4775-4cbc-8e15-c3b553bc7585, response_mode=fragment, username=xxxxxx
11:38:49,384 DEBUG [org.keycloak.services] (default task-14) Create login cookie - name: KEYCLOAK_IDENTITY, path: /auth/realms/xxxxxx, max-age: -1
11:38:49,385 DEBUG [org.keycloak.services] (default task-14) redirectAccessCode: state: 0ecc910f-b0d2-4b9f-80ae-105c2dc28644
11:38:49,387 DEBUG [org.springframework.boot.context.web.OrderedRequestContextFilter] (default task-14) Cleared thread-bound request context: HttpServletRequestImpl [ GET /auth/realms/xxxxxx/protocol/openid-connect/auth ]
11:38:50,139 DEBUG [org.springframework.boot.context.web.OrderedRequestContextFilter] (default task-6) Bound request context to thread: HttpServletRequestImpl [ POST /auth/realms/xxxxxx/protocol/openid-connect/token ]
11:38:50,140 DEBUG [org.jboss.resteasy.resteasy_jaxrs.i18n] (default task-6) RESTEASY002315: PathInfo: /realms/xxxxxx/protocol/openid-connect/token
11:38:50,147 DEBUG [org.keycloak.services] (default task-6) AUTHENTICATE CLIENT
11:38:50,148 DEBUG [org.keycloak.services] (default task-6) client authenticator: client-secret
11:38:50,148 DEBUG [org.keycloak.services] (default task-6) client authenticator SUCCESS: client-secret
11:38:50,149 DEBUG [org.keycloak.services] (default task-6) Client api authenticated by client-secret
11:38:50,178 DEBUG [org.keycloak.events] (default task-6) type=CODE_TO_TOKEN, realmId=xxxxxx, clientId=api, userId=64e2ec92-a6ee-4705-a8b3-adebe9c3c816, ipAddress=172.17.0.1, token_id=dd46b7cd-6233-4881-8fe1-96e4ed087b37, grant_type=authorization_code, refresh_token_type=Refresh, refresh_token_id=0751e640-397d-45d7-a799-485a0573f20a, code_id=1e564327-4775-4cbc-8e15-c3b553bc7585, client_auth_method=client-secret
11:38:50,182 DEBUG [org.springframework.boot.context.web.OrderedRequestContextFilter] (default task-6) Cleared thread-bound request context: HttpServletRequestImpl [ POST /auth/realms/xxxxxx/protocol/openid-connect/token ]
11:38:50,353 DEBUG [org.springframework.boot.context.web.OrderedRequestContextFilter] (default task-10) Bound request context to thread: HttpServletRequestImpl [ GET /auth/realms/xxxxxx/protocol/openid-connect/userinfo ]
11:38:50,354 DEBUG [org.jboss.resteasy.resteasy_jaxrs.i18n] (default task-10) RESTEASY002315: PathInfo: /realms/xxxxxx/protocol/openid-connect/userinfo
11:38:50,356 DEBUG [org.keycloak.events] (default task-10) type=USER_INFO_REQUEST, realmId=xxxxxx, clientId=api, userId=64e2ec92-a6ee-4705-a8b3-adebe9c3c816, ipAddress=172.17.0.1, auth_method=validate_access_token, username=xxxxxx
11:38:50,358 DEBUG [org.springframework.boot.context.web.OrderedRequestContextFilter] (default task-10) Cleared thread-bound request context: HttpServletRequestImpl [ GET /auth/realms/xxxxxx/protocol/openid-connect/userinfo ]

以下是重定向URI登录失败的日志https://example.com/?redirect_fragment=/asset-库/卡视图/:

11:37:15,360 DEBUG [org.springframework.boot.context.web.OrderedRequestContextFilter] (default task-7) Bound request context to thread: HttpServletRequestImpl [ GET /auth/realms/xxxxxx/protocol/openid-connect/auth ]
11:37:15,361 DEBUG [org.jboss.resteasy.resteasy_jaxrs.i18n] (default task-7) RESTEASY002315: PathInfo: /realms/xxxxxx/protocol/openid-connect/auth
11:37:15,366 DEBUG [org.keycloak.services] (default task-7) AUTHENTICATE
11:37:15,367 DEBUG [org.keycloak.services] (default task-7) AUTHENTICATE ONLY
11:37:15,367 DEBUG [org.keycloak.services] (default task-7) processFlow
11:37:15,368 DEBUG [org.keycloak.services] (default task-7) check execution: auth-cookie requirement: ALTERNATIVE
11:37:15,368 DEBUG [org.keycloak.services] (default task-7) authenticator: auth-cookie
11:37:15,369 DEBUG [org.keycloak.services] (default task-7) invoke authenticator.authenticate
11:37:15,371 DEBUG [org.keycloak.services] (default task-7) token active - active: true, issued-at: 1,461,152,203, not-before: 0
11:37:15,373 DEBUG [org.keycloak.services] (default task-7) authenticator SUCCESS: auth-cookie
11:37:15,374 DEBUG [org.keycloak.services] (default task-7) check execution: auth-spnego requirement: DISABLED
11:37:15,374 DEBUG [org.keycloak.services] (default task-7) execution is processed
11:37:15,375 DEBUG [org.keycloak.services] (default task-7) check execution: null requirement: ALTERNATIVE
11:37:15,375 DEBUG [org.keycloak.services] (default task-7) Skip alternative execution
11:37:15,376 DEBUG [org.keycloak.services] (default task-7) Using full scope for client
11:37:15,377 DEBUG [org.keycloak.events] (default task-7) type=LOGIN, realmId=xxxxxx, clientId=api, userId=64e2ec92-a6ee-4705-a8b3-adebe9c3c816, ipAddress=172.17.0.1, auth_method=openid-connect, auth_type=code, response_type=code, redirect_uri=https://example.com/?redirect_fragment=/asset-library/card-view/, consent=no_consent_required, code_id=a47d3089-699e-4bc5-811c-e4a45655994a, response_mode=fragment, username=xxxxxx
11:37:15,397 DEBUG [org.keycloak.services] (default task-7) Create login cookie - name: KEYCLOAK_IDENTITY, path: /auth/realms/xxxxxx, max-age: -1
11:37:15,398 DEBUG [org.keycloak.services] (default task-7) redirectAccessCode: state: 0e2f72bc-14a4-46f8-8169-c55c85a50830
11:37:15,398 DEBUG [org.springframework.boot.context.web.OrderedRequestContextFilter] (default task-7) Cleared thread-bound request context: HttpServletRequestImpl [ GET /auth/realms/xxxxxx/protocol/openid-connect/auth ]
11:37:16,148 DEBUG [org.springframework.boot.context.web.OrderedRequestContextFilter] (default task-13) Bound request context to thread: HttpServletRequestImpl [ POST /auth/realms/xxxxxx/protocol/openid-connect/token ]
11:37:16,148 DEBUG [org.jboss.resteasy.resteasy_jaxrs.i18n] (default task-13) RESTEASY002315: PathInfo: /realms/xxxxxx/protocol/openid-connect/token
11:37:16,150 DEBUG [org.keycloak.services] (default task-13) AUTHENTICATE CLIENT
11:37:16,150 DEBUG [org.keycloak.services] (default task-13) client authenticator: client-secret
11:37:16,151 DEBUG [org.keycloak.services] (default task-13) client authenticator SUCCESS: client-secret
11:37:16,151 DEBUG [org.keycloak.services] (default task-13) Client api authenticated by client-secret
11:37:16,151 WARN  [org.keycloak.events] (default task-13) type=CODE_TO_TOKEN_ERROR, realmId=xxxxxx, clientId=api, userId=64e2ec92-a6ee-4705-a8b3-adebe9c3c816, ipAddress=172.17.0.1, error=invalid_code, grant_type=authorization_code, code_id=a47d3089-699e-4bc5-811c-e4a45655994a, client_auth_method=client-secret
11:37:16,153 DEBUG [org.springframework.boot.context.web.OrderedRequestContextFilter] (default task-13) Cleared thread-bound request context: HttpServletRequestImpl [ POST /auth/realms/xxxxxx/protocol/openid-connect/token ]
11:37:17,928 DEBUG [org.jboss.jca.core.connectionmanager.pool.validator.ConnectionValidator] (ConnectionValidator) Notifying pools, interval: 30000
11:37:17,928 DEBUG [org.jboss.jca.core.connectionmanager.pool.strategy.OnePool] (ConnectionValidator) Checking for connection within frequency

似乎您正在尝试httpshttp URL方案。有效重定向URI设置是一种正则表达式模式,重定向URI将根据该模式进行验证。

无论如何,出于安全考虑,您应该将整个页面保留在安全的HTTP上。因此,像https://example.com/*这样的重定向模式应该起作用。

目前的问题还没有解决。即使字段具有*,也会发生

然后,为了进行测试,请尝试在客户端请求中对URL进行编码

默认情况下,Key斗篷对重定向URI使用完全匹配。当redirect_uri参数包含该片段时,Keycloft似乎没有将其与允许的重定向URI正确匹配
这种行为可能是由于来自客户端请求的重定向URI是经过URL解码的,而在Keycloft设置中定义的重定向URI则是经过URL编码的。

虽然已经设置了对Keycloft设置中的URL进行编码,但您可能还需要对来自客户端请求的重定向URI进行编码。

尝试其中一种:

  • 编码的完整URL:
let redirectUri = 'https://example.com/?redirect_fragment=/asset-library/card-view/';
let encodedRedirectUri = encodeURIComponent(redirectUri);

encodeURIComponent是一个内置的JavaScript函数,用于对特殊字符进行编码。运行此代码后,encodedRedirectUri将包含编码的URL
然后,您将在客户端对Keycloft的请求中使用encodedRedirectUri

  • 或者仅仅是编码的redirect_fragment参数的值:
let baseUri = 'https://example.com/?redirect_fragment=';
let fragment = '/asset-library/card-view/';
let encodedFragment = encodeURIComponent(fragment);
let redirectUri = baseUri + encodedFragment;

在这里,redirectUri现在将包含基本URL和编码片段,然后您可以在客户端请求中使用这些片段。

真正的问题是keycapture有21个主要版本,每个版本的工作方式不同。然而,文档并没有承认这一点,并且对设置与keycloft的集成没有任何帮助。

我遇到了和这个问题完全相同的问题,最终通过观看youtube上的教程(链接如下)解决了这个问题。

所以,是的,这是这个问题的解决方案,也许不是最好的,但效果很好。在另一个版本的钥匙斗篷中可能会有所不同,但从21.1.1版本开始,效果很好。就我个人而言,我再也不会使用密钥斗篷了,我遵循了文档,花了几个小时试图让它发挥作用,只是为了把我从官方文档中获得的所有知识都抛在脑后,并遵循教程。例如,文档说重定向uri是令牌请求所必需的,但最后我不需要它。无论如何,我希望这能帮助到任何需要帮助的人。

youtube视频

相关文章: