Error parsing OIDC authorization request from query parameters on IDPKit as provider with Keycloak

[sebpalluel]

Hello,

I'm trying to implement your IDPKit as a provider with Keycloak but I stumble onto an issue when clicking on the link to redirect to the OpenID Connect provider. I get this error: 'Error parsing OIDC authorization request from query parameters'

I have followed this guide and tried with both my local instance of idpkit and yours https://idp.walt-test.cloud/api/oidc/.well-known/openid-configuration

I'm using Keycloak 19.0.2 so I'm not sure if the config is exactly the same.

Here is my project:

https://github.com/sebpalluel/web3-monorepo-boilerplate/tree/65-waltid-implement-keycloak-as-federated-identity-provider

To reproduce you can:

1. run the project with pnpm start

2. Go to the sign in page and click on Keycloak

3. Click on Walt id test cloud when you are on the Keycloak view

In order to check the Keycloak config, the admin console is [here](http://localhost:8100/auth/) and the login is [email protected] / password

The Waltid-idpkit provider can then be found here

[waltkb]

@severinstampler

[severinstampler]

Hi @sebpalluel
There is 2 problems we found with this particular version of Keycloak (19.0.2):

1. The admin UI creates a faulty configuration in the keycloak backend, which breaks the setting for client authentication. The issue is discussed in: https://github.com/keycloak/keycloak-ui/issues/3355
   There's a fix for this in version 19.0.3, which is not yet released.
   As a workaround, you can manually fix the configuration, which you exported and reimport it. See below.

2. The "prompt" type is set to "unspecified", and this version of keycloak sends it as parameter prompt=unspecified in the authorization request, which is not accepted by our request parser. The previous version of keycloak would just omit the parameter if set to unspecified.
   To fix it, you need to set the prompt to "None" instead, which you can select from the respective dropdown in the admin UI, or directly in the exported json.

I have fixed your exported realm configuration (the idpkit part), so you can try to update it accordingly, see here:

{
      "alias": "waltid-idpkit-test-cloud",
      "displayName": "Walt id test cloud",
      "internalId": "f0ae0286-6575-4972-a0b2-11efb85e4a51",
      "providerId": "oidc",
      "enabled": true,
      "updateProfileFirstLoginMode": "on",
      "trustEmail": false,
      "storeToken": false,
      "addReadTokenRoleOnCreate": false,
      "authenticateByDefault": false,
      "linkOnly": false,
      "firstBrokerLoginFlowAlias": "first broker login",
      "config": {
        "userInfoUrl": "https://idp.walt-test.cloud/api/oidc/userInfo",
        "validateSignature": "true",
        "hideOnLoginPage": "false",
        "tokenUrl": "https://idp.walt-test.cloud/api/oidc/token",
        "acceptsPromptNoneForwardFromClient": "false",
        "clientId": "0CYUXjimoqywONiXgaF6KAtsQw5kE7XhJ1qghdVdgq4",
        "uiLocales": "false",
        "jwksUrl": "https://idp.walt-test.cloud/api/oidc/jwkSet",
        "clientAuthMethod": "client_secret_basic",
        "backchannelSupported": "false",
        "issuer": "https://idp.walt-test.cloud/api/oidc",
        "useJwksUrl": "true",
        "loginHint": "false",
        "pkceEnabled": "false",
        "authorizationUrl": "https://idp.walt-test.cloud/api/oidc/authorize",
        "disableUserInfo": "false",
        "syncMode": "IMPORT",
        "clientSecret": "K92SRgYOk0k84Mu1gEHtfdK0x8otrYwLXTLCKkb8JZI",
        "allowedClockSkew": "0",
        "prompt": "none",
        "defaultScope": "openid profile"
      }
    }

[sebpalluel]

Thank you very much ! It indeed resolved the issue but now I get an other one coming from https://wallet.walt-test.cloud/: 503 Service Temporarily Unavailable

Here is the request:

curl 'https://wallet.walt-test.cloud/api/wallet/siopv2/initPresentation/?scope=openid&presentation_definition=%7B%22format%22+%3A+null%2C+%22id%22+%3A+%221%22%2C+%22input_descriptors%22+%3A+%5B%7B%22constraints%22+%3A+%7B%22fields%22+%3A+%5B%7B%22filter%22+%3A+%7B%22const%22%3A+%22VerifiableId%22%7D%2C+%22id%22+%3A+%221%22%2C+%22path%22+%3A+%5B%22%24.type%22%5D%2C+%22purpose%22+%3A+null%7D%5D%7D%2C+%22format%22+%3A+null%2C+%22group%22+%3A+%5B%22A%22%5D%2C+%22id%22+%3A+%220%22%2C+%22name%22+%3A+null%2C+%22purpose%22+%3A+null%2C+%22schema%22+%3A+null%7D%5D%2C+%22name%22+%3A+null%2C+%22purpose%22+%3A+null%2C+%22submission_requirements%22+%3A+%5B%7B%22count%22+%3A+null%2C+%22from%22+%3A+%22A%22%2C+%22from_nested%22+%3A+null%2C+%22max%22+%3A+null%2C+%22min%22+%3A+null%2C+%22name%22+%3A+null%2C+%22purpose%22+%3A+null%2C+%22rule%22+%3A+%22all%22%7D%5D%7D&response_type=vp_token&redirect_uri=https%3A%2F%2Fidp.walt-test.cloud%2Fapi%2Fsiop%2Fverify&state=eyJpZHBTZXNzaW9uSWQiIDogIjdmM2ZiZWNiLTYxZGItNDkyOS05YTRiLWMzMTQ2MTEzODk0MCIsICJpZHBUeXBlIiA6ICJPSURDIn0%3D&nonce=5f4fed2c-f650-4273-b59a-9d730f6588ac&client_id=https%3A%2F%2Fidp.walt-test.cloud%2Fapi%2Fsiop%2Fverify&response_mode=form_post' \
  -H 'Upgrade-Insecure-Requests: 1' \
  -H 'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36' \
  -H 'sec-ch-ua: "Chromium";v="106", "Google Chrome";v="106", "Not;A=Brand";v="99"' \
  -H 'sec-ch-ua-mobile: ?0' \
  -H 'sec-ch-ua-platform: "macOS"' \
  --compressed

The query string parameters:

scope: 
openid
presentation_definition: 
{"format" : null, "id" : "1", "input_descriptors" : [{"constraints" : {"fields" : [{"filter" : {"const": "VerifiableId"}, "id" : "1", "path" : ["$.type"], "purpose" : null}]}, "format" : null, "group" : ["A"], "id" : "0", "name" : null, "purpose" : null, "schema" : null}], "name" : null, "purpose" : null, "submission_requirements" : [{"count" : null, "from" : "A", "from_nested" : null, "max" : null, "min" : null, "name" : null, "purpose" : null, "rule" : "all"}]}
response_type: 
vp_token
redirect_uri: 
https://idp.walt-test.cloud/api/siop/verify
state: 
eyJpZHBTZXNzaW9uSWQiIDogIjdmM2ZiZWNiLTYxZGItNDkyOS05YTRiLWMzMTQ2MTEzODk0MCIsICJpZHBUeXBlIiA6ICJPSURDIn0=
nonce: 
5f4fed2c-f650-4273-b59a-9d730f6588ac
client_id: 
https://idp.walt-test.cloud/api/siop/verify
response_mode: 
form_post

My project as been updated with your fix so you should have the same result.

[severinstampler]

there was a bug in the walletkit backend, that caused the service to crash. it's back up and running now.

[sebpalluel]

Thanks ! I can confirm it's now working on my end, up to the point of sharing the Presentation Request (which is empty). But it's the same issue I'm having with the direct implementation of IDPKit as a provider on Next Auth so I will start an other help thread about that for clarity.