This repository has been archived by the owner on Jul 28, 2021. It is now read-only.

invalid_grant: Incorrect redirect_uri #52

Open
christianTragesser opened this issue Feb 27, 2020 · 6 comments · May be fixed by #55

Comments

@christianTragesser

I've been researching the App Identity and Access Adapter for the frontend OIDC client needs of a custom REST service running within Istio. I've read through a blog post (https://istio.io/blog/2019/app-identity-and-access-adapter/) and the README file; however, I've not been successful in my attempts to implement the adapter in my POC environment using Keycloak as the OIDC Provider.

When the adapter is not running I'm able to access my REST service with no problem. Once my OidcConfig and app Policy are applied, I'm correctly redirected for authN credentials; however, after login and redirection the browser shows the error:

UNAUTHENTICATED:handler-appidentityandaccessadapter.handler.istio-system:invalid_grant: Incorrect redirect_uri

Logs from the dpl-appidentityandaccessadapter pod show:

{"level":"info","ts":"2020-02-26T15:18:59.055Z","caller":"policy/policy.go:69","msg":"Type: oidc","source":"appidentityandaccessadapter-adapter"}
{"level":"info","ts":"2020-02-26T15:18:59.055Z","caller":"adapter/adapter.go:71","msg":"Executing OIDC policies","source":"appidentityandaccessadapter-adapter"}
{"level":"info","ts":"2020-02-26T15:18:59.103Z","caller":"authserver/authserver.go:162","msg":"Failed to retrieve tokens","source":"appidentityandaccessadapter-adapter","error":"invalid_grant: Incorrect redirect_uri"}
{"level":"info","ts":"2020-02-26T15:18:59.103Z","caller":"web/web.go:294","msg":"OIDC callback: Could not retrieve tokens","source":"appidentityandaccessadapter-adapter","error":"invalid_grant: Incorrect redirect_uri","client_name":"poc-namespace/poc-oidc-provider-config"}
{"level":"info","ts":"2020-02-26T15:18:59.254Z","caller":"policy/policy.go:69","msg":"Type: oidc","source":"appidentityandaccessadapter-adapter"}
{"level":"info","ts":"2020-02-26T15:18:59.254Z","caller":"adapter/adapter.go:71","msg":"Executing OIDC policies","source":"appidentityandaccessadapter-adapter"}
{"level":"info","ts":"2020-02-26T15:18:59.406Z","caller":"policy/policy.go:69","msg":"Type: oidc","source":"appidentityandaccessadapter-adapter"}
{"level":"info","ts":"2020-02-26T15:18:59.406Z","caller":"adapter/adapter.go:71","msg":"Executing OIDC policies","source":"appidentityandaccessadapter-adapter"}
{"level":"info","ts":"2020-02-26T15:18:59.415Z","caller":"authserver/authserver.go:162","msg":"Failed to retrieve tokens","source":"appidentityandaccessadapter-adapter","error":"unknown_error"}
{"level":"info","ts":"2020-02-26T15:18:59.415Z","caller":"web/web.go:294","msg":"OIDC callback: Could not retrieve tokens","source":"appidentityandaccessadapter-adapter","error":"unknown_error","client_name":"poc-namespace/poc-oidc-provider-config"}

I've applied the following OidcConfig and Policy declarations:

---
apiVersion: "security.cloud.ibm.com/v1"
kind: OidcConfig
metadata:
    name: poc-oidc-provider-config
spec:
    authMethod: client_secret_basic
    discoveryUrl: 'https://auth.<domain>/auth/realms/<realm>/.well-known/openid-configuration'
    clientId: 'poc-app'
    clientSecret: '<client secret>'
---
apiVersion: "security.cloud.ibm.com/v1"
kind: Policy
metadata:
  name: poc-policy
spec:
  targets:
    - serviceName: poc-app
      paths:
      - method: ALL
        policies:
          - policyType: oidc
            config: poc-oidc-provider-config
            rules:
              - claim: scope
                match: ALL
                source: access_token
                values:
                  - openid
                  - profile
                  - email

I've exhausted Google searches and tweaked redirect_url settings on the Keycloak side, but I cannot seem to find further information on how to resolve this error.

@k3a

k3a commented Feb 28, 2020

This error comes from your OIDC provider and it probably means that it doesn't allow the redirect_uri which this adapter specified as a query parameter when asking for a token. You can use the browser DevTools Network tab to see all requests (you can enable Persist logs to keep logs between redirects) and inspect the redirect_uri. In the original adapter code, it was simply the original request URI + /oidc/callback. If you have multiple URIs, you need to configure Keycloak for every oidc/callback URL for every URI you wish to protect. Or use my pull request which fixes that. :P

@christianTragesser
Author

christianTragesser commented Feb 29, 2020

In Keycloak, for my client I have set valid redirect uri to https://<app fqdn>/* and in my other trials this has more or less enabled any callback uri the OIDC client intends to use. @k3a I'm taking a look at your PR ATM. Do you happen to have a publicly available docker image? I'm currently installing the adapter via Helm chart, if you have an available docker image it would be super simple for me to verify your fork is the solution to my issues.

@k3a

k3a commented Feb 29, 2020

The error comes from the OIDC provider (Keycloak). I was even able to find the relevant line in the source code.

Are you sure Keycloak understands * in the redirect URI? For example, the Dex provider doesn't offer such functionality and requires a fixed URL, and it seems Google Single Sign-On also requires a list of fixed callback URLs.

I have my latest test image (it is made of all PRs I have submitted here so far): kexik/app-identity-and-access-adapter:96ce1af. This is the currently-latest tag and it matches the commit in my internal k3a branch. I will keep these images on Docker Hub but please consider them "testing". There shouldn't be anything inherently wrong but it needs review by someone else and a merge.

In short, this image implements these configurable functions:

  • callback configuration in OidcConfig, see the Callback section of the updated README. You should set it to an absolute URI like /oidc/callback or a full URL like https://myprotectedweb.com/oidc/callback and then make sure this URI/URL is routed to a service protected with that OidcConfig. The URI does not have to be handled by a service (obviously) but the adapter needs to know which OidcConfig to use for that callback.
  • scopes configuration in OidcConfig if you need to request custom scopes from the OIDC provider; see the readme in my development branch here. It's just a scopes key in OidcConfig with an array of strings containing scope names.

Let me know how it works for you or if you need further assistance.

@christianTragesser
Author

To the best of my knowledge the wildcard (*) path for redirect uri in Keycloak is valid. It has caused no issue when implementing an OIDC client directly within the Flask code. I did try to explicitly set the valid redirect uri to /oidc/callback but saw the same invalid_grant: Incorrect redirect_uri error as previously mentioned.

When using the kexik/app-identity-and-access-adapter:96ce1af image (thanks for this @k3a) I'm now seeing a different error: {"level":"info","ts":"2020-03-01T15:46:41.291Z","caller":"web/web.go:307","msg":"OIDC callback: Access token failed validation","source":"appidentityandaccessadapter-adapter","error":"invalid_token: token validation error - expected claim aud to match one of: [poc]","client_name":"poc-namespace/poc-oidc-provider-config"}

I think this is progress? :)

Wondering if anyone has had success with this adapter and a Keycloak provider? I'd assume since the adapter and Keycloak are now 'in the same family' this could be a popular OIDC provider/client pairing in the future.
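The "expected claim aud to match one of: [poc]" failure above is an audience check on the access token. The following Go program is an added example written for this thread, not the adapter's own code: it decodes a compact JWT's payload (without verifying the signature, which the adapter does separately), normalises the aud claim, which RFC 7519 allows to be either a single string or an array of strings, and applies the same "at least one value must be in the expected list" rule the error message describes. The token, the audience values and the function names are constructed for the example; a Keycloak access token that only carries its default audience fails the check, one that also carries the client's own audience passes.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// audiences normalises the aud claim: RFC 7519 permits a single string
// or an array of strings, so both shapes must be handled.
func audiences(claims map[string]interface{}) ([]string, error) {
	switch v := claims["aud"].(type) {
	case nil:
		return nil, errors.New("aud claim missing")
	case string:
		return []string{v}, nil
	case []interface{}:
		out := make([]string, 0, len(v))
		for _, e := range v {
			s, ok := e.(string)
			if !ok {
				return nil, errors.New("aud array contains a non-string value")
			}
			out = append(out, s)
		}
		return out, nil
	default:
		return nil, errors.New("aud claim has an unexpected type")
	}
}

// checkAudience passes when at least one aud value is in the expected list;
// the error text mirrors the adapter log line quoted in this thread.
func checkAudience(claims map[string]interface{}, expected []string) error {
	auds, err := audiences(claims)
	if err != nil {
		return fmt.Errorf("invalid_token: %w", err)
	}
	for _, a := range auds {
		for _, e := range expected {
			if a == e {
				return nil
			}
		}
	}
	return fmt.Errorf("invalid_token: token validation error - expected claim aud to match one of: %v", expected)
}

// payloadClaims extracts the claims from a compact JWT for inspection only.
// It does NOT verify the signature; a real validator must do that first.
func payloadClaims(jwt string) (map[string]interface{}, error) {
	parts := strings.Split(jwt, ".")
	if len(parts) != 3 {
		return nil, errors.New("not a compact JWS (expected three segments)")
	}
	raw, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	var claims map[string]interface{}
	if err := json.Unmarshal(raw, &claims); err != nil {
		return nil, err
	}
	return claims, nil
}

// constructedJWT builds a token with the given claims and a placeholder
// signature segment so the example runs offline (constructed test data,
// not a token issued by any provider).
func constructedJWT(claims map[string]interface{}) string {
	header := base64.RawURLEncoding.EncodeToString([]byte(`{"alg":"RS256","typ":"JWT"}`))
	body, _ := json.Marshal(claims)
	return header + "." + base64.RawURLEncoding.EncodeToString(body) + ".placeholder-signature"
}

func main() {
	expected := []string{"poc"}
	// Default-style token: only a generic audience, no client audience.
	tok := constructedJWT(map[string]interface{}{"aud": "account", "sub": "constructed-user"})
	claims, _ := payloadClaims(tok)
	fmt.Println("aud=account:", checkAudience(claims, expected))
	// Token carrying both audiences passes.
	tok = constructedJWT(map[string]interface{}{"aud": []string{"account", "poc"}})
	claims, _ = payloadClaims(tok)
	fmt.Println("aud=[account poc]:", checkAudience(claims, expected))
}
```

Running the program prints the mismatch error for the first token and `<nil>` for the second. When the check fails in a real deployment, decoding the payload this way shows whether the provider put the expected value in aud at all, which tells you whether the fix belongs on the provider side (issuing the audience) or in the adapter's expected list.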

@k3a

k3a commented Mar 1, 2020

This looks like the problem mentioned in #43 - createDefaultRules. There probably shouldn't be any default rules like this. You may try to define a custom policy as I wrote in the following comment on that issue.

@uhinze

uhinze commented Apr 7, 2020

I was trying to integrate this adapter with Keycloak as well. Got stuck on the same things (redirect_uri and aud). The aud problem is solvable from the Keycloak side through the mechanisms described here: https://www.keycloak.org/docs/4.8/server_admin/#_audience. I chose to go the "hardcoded audience" way which worked fine.
I was not able to solve the redirect_uri issue however. I did troubleshoot this a bit more though and what I found is that the issue is not during the initial client redirect to Keycloak --> so the wildcard as allowed URLs is fine - rather it is when this adapter tries to get an access token from the auth code. There is an SO post with a similar issue: https://stackoverflow.com/questions/45860313/keycloak-code-to-token-error-after-user-is-authenticated
Seems that Keycloak is checking whether the redirect_uri parameter in the POST /token is equal to the one sent in GET /authorize, and throws this error message if that's not the case.
@k3a is that a constraint that is currently implemented in this adapter?
