Redirect with URL OIDC parameters from Keycloak gives Bad Request


My current setup is the following:

  • Windows Server running an Active Directory.
  • Keycloak server running on a WildFly.
  • Java test application with restricted access deployed on the WildFly.

The authorization flow is that a user from the AD requests access to the application, the user is granted a Kerberos ticket, and then tries to get access to the same application with that specific ticket.

All the configuration with Kerberos, Keycloak and AD is done, and the agreements between the server and the client are running smoothly, but the last "GET" request, where the user has been granted access, meaning a request for the Keycloak redirect URL containing the OpenID-Connect parameters (state= and code=), returns a "bad request".

I am fairly new to the concept of using Keycloak as an SSO provider, so this could be something very trivial I missed.

[EDIT] If I fire a request for the restricted page in Fiddler, it gives me a "No State Cookie", BUT when I use any kind of browser, it says "Forbidden", and my log says: ERROR [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-9) failed verification of token: Invalid token issuer. Expected http://KEYCLOAK:9090/auth/realms/kerberos-realms/" but expected "http://keycloak:8080/auth/realms/kerberos-realm"

1 answer

MBX (accepted answer):

I actually did find a solution for it:

  • I tried to change the Fiddler client for a browser, and I got the problem where it told me that the issuer of the token wasn't the expected one, and I found that in my standalone.xml the authentication endpoint was spelled in upper case, while it expected lower case. As for the "No state cookie", I guess that the browser handles a request of that kind a bit differently than Fiddler does.
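The issuer check behind the log line in the question, as an added example (not part of the question or answer, and not the Keycloak adapter's own code): it derives the expected issuer from the adapter's auth-server-url and realm the way the adapter does, reads the iss claim from a constructed token, and names each difference (host case, port, realm path) so the mismatch is visible before the adapter rejects the token. The URLs and realm names come from the log line above; the function names and the sample token are mine.

```python
import base64
import json
from typing import List
from urllib.parse import urlsplit


def expected_issuer(auth_server_url: str, realm: str) -> str:
    """Issuer the adapter expects: <auth-server-url>/realms/<realm>, compared byte for byte."""
    return f"{auth_server_url.rstrip('/')}/realms/{realm}"


def token_issuer(jwt: str) -> str:
    """Read the 'iss' claim from a JWT payload (diagnostic decode only, no signature check)."""
    payload = jwt.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))["iss"]


def diagnose_issuer(jwt: str, auth_server_url: str, realm: str) -> List[str]:
    """Return [] when the issuer matches exactly, otherwise one line per difference found."""
    expected, actual = expected_issuer(auth_server_url, realm), token_issuer(jwt)
    if actual == expected:
        return []
    e, a = urlsplit(expected), urlsplit(actual)  # netloc keeps its original case
    e_host, _, e_port = e.netloc.partition(":")
    a_host, _, a_port = a.netloc.partition(":")
    problems = []
    if e.scheme != a.scheme:
        problems.append(f"scheme differs: expected {e.scheme!r}, token has {a.scheme!r}")
    if e_host != a_host:
        how = "only in case" if e_host.lower() == a_host.lower() else "entirely"
        problems.append(f"host differs {how}: expected {e_host!r}, token has {a_host!r}")
    if e_port != a_port:
        problems.append(f"port differs: expected {e_port or 'default'}, token has {a_port or 'default'}")
    if e.path != a.path:
        problems.append(f"realm path differs: expected {e.path!r}, token has {a.path!r}")
    return problems


def make_unsigned_jwt(claims: dict) -> str:
    """Constructed, unsigned sample token for this demo (the adapter would never accept alg=none)."""
    def b64(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{b64({'alg': 'none', 'typ': 'JWT'})}.{b64(claims)}."


# Constructed sample: what Keycloak actually put in the token, per the log line.
SAMPLE_TOKEN = make_unsigned_jwt({"iss": "http://keycloak:8080/auth/realms/kerberos-realm",
                                  "sub": "ad-user"})

if __name__ == "__main__":
    for line in diagnose_issuer(SAMPLE_TOKEN, "http://KEYCLOAK:9090/auth/", "kerberos-realms"):
        print(line)
```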