[5.0.2] too many redirects

[nmwael]

When I try to access:
http://localhost:9999/auth
I get thrown towards:
http://localhost:9999/auth/realms/ccadmin/protocol/openid-connect/auth?response_type=code&client_id=ccadmin-backend&scope=openid%20profile&state=YiYSSxZKTuNByiRRb0WF0ExKsAp_fbSWcOQi6bccG3E%3D&redirect_uri=http://localhost:9999/login/oauth2/code/ccadmin&nonce=Dlsma9mE3foZUseTSua3TLe37IirZkO30Rw2X_wk6U4 Which then redirects towards:
http://localhost:9999/oauth2/authorization/ccadmin

So something is off, I have added
web.ignoring().antMatchers("/auth/**","/oauth2/**");
to my WebSecurityConfigurerAdapter as I am running with security on /api/**

I also find it a bit strange that when accessing http://localhost:9999/auth it mixes up my product realm (ccadmin) instead of master...

I had it working with keycloak 11.

[nmwael]

it looks like its any request that gets stuck in the endless redirect loop..

[nmwael]

Ive tried both embedded-keycloak-server-custom and embedded-keycloak-server-plain

which does not go into the loop. But I cant login to them, with password admin/admin it just says
2021-12-23 11:40:13.280 WARN 22228 --- [ XNIO-1 task-1] org.keycloak.events : type=LOGIN_ERROR, realmId=master, clientId=security-admin-console, userId=8845bd57-201b-4152-8cf9-79e60776428a, ipAddress=0:0:0:0:0:0:0:1, error=invalid_user_credentials, auth_method=openid-connect, auth_type=code, redirect_uri=http://localhost:8080/auth/admin/master/console/, code_id=d0f3f503-4cba-455a-afb9-53102f91ca68, username=admin, authSessionParentId=d0f3f503-4cba-455a-afb9-53102f91ca68, authSessionTabId=xvP-HGdMKSs

[nmwael]

Could be releated, to the oauth2 spring integration..

specifically redirectUri

Snip of our config

  security:
    oauth2:
      client:
        registration:
          ccadmin:
            client-id: xxx
            client-name: xx
            client-secret: xx
            provider: keycloak
            authorization-grant-type: authorization_code
            scope: openid, profile
#            redirectUri: "{baseUrl}/login/oauth2/code/{registrationId}"
        provider:
          keycloak:
            authorization-uri: ${kc.realm-url}/protocol/openid-connect/auth
            jwk-set-uri: ${kc.realm-url}/protocol/openid-connect/certs
            token-uri: ${kc.realm-url}/protocol/openid-connect/token
            # would be cool if there was a end-session-uri to propagate logouts

            #  User info endpoint not needed since Keycloak uses self-contained value tokens
            #            user-info-uri: ${kc.realm-url}/protocol/openid-connect/userinfo
            user-name-attribute: preferred_username

[nmwael]

Okay it seems to have something with spring security todo which runs autoconfiguration and protects everything.. However when I get to the admin console it just shows up blank,

With this in dev console in chrome or edge :

chrome-error://chromewebdata/:1 
        
       Refused to display 'http://localhost:9999/' in a frame because it set 'X-Frame-Options' to 'deny'

    C:/Users/nmw/.m2/repository/org/springframework/boot/spring-boot-autoconfigure/2.5.4/spring-boot-autoconfigure-2.5.4.jar!/org/springframework/boot/autoconfigure/security/servlet/UserDetailsServiceAutoConfiguration.class:52

    @Bean
    @ConditionalOnMissingBean(
        type = {"org.springframework.security.oauth2.client.registration.ClientRegistrationRepository"}
    )
    @Lazy
    public InMemoryUserDetailsManager inMemoryUserDetailsManager(SecurityProperties properties, ObjectProvider<PasswordEncoder> passwordEncoder) {
        User user = properties.getUser();
        List<String> roles = user.getRoles();
        return new InMemoryUserDetailsManager(new UserDetails[]{org.springframework.security.core.userdetails.User.withUsername(user.getName()).password(this.getOrDeducePassword(user, (PasswordEncoder)passwordEncoder.getIfAvailable())).roles(StringUtils.toStringArray(roles)).build()});
    }

[nmwael]

I've tried this in my security config, but it does not affect the X-FRAME issue:

        http.headers()
                .frameOptions()
                .sameOrigin().and().cors()

[gao624213771]

When I try to access: http://localhost:9999/auth I get thrown towards: http://localhost:9999/auth/realms/ccadmin/protocol/openid-connect/auth?response_type=code&client_id=ccadmin-backend&scope=openid%20profile&state=YiYSSxZKTuNByiRRb0WF0ExKsAp_fbSWcOQi6bccG3E%3D&redirect_uri=http://localhost:9999/login/oauth2/code/ccadmin&nonce=Dlsma9mE3foZUseTSua3TLe37IirZkO30Rw2X_wk6U4 Which then redirects towards: http://localhost:9999/oauth2/authorization/ccadmin

So something is off, I have added web.ignoring().antMatchers("/auth/**","/oauth2/**"); to my WebSecurityConfigurerAdapter as I am running with security on /api/**

I also find it a bit strange that when accessing http://localhost:9999/auth it mixes up my product realm (ccadmin) instead of master...

I had it working with keycloak 11.

Brother, did you succeed in clustering