Keycloak token exchange fails with "invalid_token" error - oauth

I have two Keycloak instances running locally. They are connected via OIDC. Everything works so far - I can log in via either of the Keycloak instances.
Now I am trying to set up token exchange and it fails with an "invalid_token" error. I want to do "external to internal" token exchange. The following Keycloak logs show Keycloak sending an HTTP GET request with the token I provided to the other Keycloak instance to get user info:
08:14:36,523 DEBUG http-outgoing-19 >> "GET /auth/realms/master/protocol/openid-connect/userinfo HTTP/1.1[\r][\n]"
08:14:36,523 DEBUG http-outgoing-19 >> "Authorization: Bearer eyJhbGciOiJSU...[\r][\n]"
and the response is 401:
08:14:36,530 DEBUG http-outgoing-19 << "HTTP/1.1 401 Unauthorized[\r][\n]"
08:14:36,530 DEBUG http-outgoing-19 << "X-XSS-Protection: 1; mode=block[\r][\n]"
08:14:36,530 DEBUG http-outgoing-19 << "X-Frame-Options: SAMEORIGIN[\r][\n]"
08:14:36,530 DEBUG http-outgoing-19 << "Referrer-Policy: no-referrer[\r][\n]"
08:14:36,530 DEBUG http-outgoing-19 << "Date: Tue, 24 Nov 2020 08:14:36 GMT[\r][\n]"
08:14:36,530 DEBUG http-outgoing-19 << "Connection: keep-alive[\r][\n]"
08:14:36,530 DEBUG http-outgoing-19 << "WWW-Authenticate: Bearer realm="master", error="invalid_token", error_description="Token verification failed"[\r][\n]"
The weird part is this: when I send the same response with curl, using the same token that does not work in Keycloak, it works:
curl -X GET 'http://localhost:8050/auth/realms/master/protocol/openid-connect/userinfo' \
-H 'Authorization: Bearer eyJhbGciOiJSUzI1N...'
{"name":"r o","sub":"fff41a6f-6910-4419-8d46-7630b57ed420","email_verified":true,"preferred_username":"ttt","given_name":"r","family_name":"o"}
All permissions for token exchange are set up (otherwise it does not send the request at all and fails with a different error).
What am I missing here? Any help is highly appreciated.

I figured it out. It worked using curl because I was using localhost, and it did not work in Keycloak because Keycloak used the local IP address (192.168.X.X). The core reason is in the token that has to be exchanged. The iss field must match the IP/host that is sending the request. In other words, in the token that I used to test token exchange, iss was equal to http://localhost..., and I also used localhost in the curl request. After using a token that had been issued from 192.168.XX, token exchange started to work.
Actually, from a security perspective it totally makes sense. Only issuer of the token should be able to use it to get user info.
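As an added illustration of the issuer check described in this answer (example code, not Keycloak's own implementation): a minimal verifier that, like a userinfo endpoint, rejects a token whose iss claim does not match the realm URL the receiving server knows itself by. The token is constructed here with HS256 and a demo key purely so the example runs offline; Keycloak signs its tokens with RS256 and the host names below are assumed.

```python
import base64, hashlib, hmac, json, time

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def make_token(claims: dict, key: bytes) -> str:
    # Constructed HS256 token for illustration only; Keycloak issues RS256 tokens.
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"

def verify_token(token: str, key: bytes, expected_iss: str, now=None):
    """Return (ok, reason). Performs the checks a userinfo endpoint applies before
    releasing claims: signature, expiry, and issuer == this server's realm URL."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed token"
    header, payload, sig = parts
    expected_sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, b64url_decode(sig)):
        return False, "bad signature"
    claims = json.loads(b64url_decode(payload))
    if claims.get("exp", 0) < now:
        return False, "token expired"
    if claims.get("iss") != expected_iss:
        # This is the failure behind "Token verification failed" in the question:
        # the token was minted under one host name and presented to another.
        return False, f"issuer mismatch: token iss={claims.get('iss')!r}, expected {expected_iss!r}"
    return True, "ok"

# Constructed demo values; NOW matches the 2020-11-24 08:14:36 UTC log timestamps above.
KEY = b"constructed-demo-key"
NOW = 1606205676
LOCALHOST_ISS = "http://localhost:8050/auth/realms/master"
LAN_ISS = "http://192.168.1.10:8050/auth/realms/master"  # assumed LAN address
TOKEN = make_token({"iss": LOCALHOST_ISS, "sub": "fff41a6f-6910-4419-8d46-7630b57ed420",
                    "preferred_username": "ttt", "exp": NOW + 300}, KEY)

if __name__ == "__main__":
    print("curl via localhost:", verify_token(TOKEN, KEY, LOCALHOST_ISS, NOW))
    print("Keycloak via LAN IP:", verify_token(TOKEN, KEY, LAN_ISS, NOW))
```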

Related

Docker Registry v2 authentication using OAuth2 does not return refresh token when `access_type=offline`

Following the command snippet in https://docs.docker.com/registry/spec/auth/oauth/ as below and setting access_type=offline, refresh_token is not present in the returned response.
curl -iX POST https://auth.docker.io/token \
-H "Content-Type: application/x-www-form-urlencoded" \
-d "grant_type=password&username=${user}&password=${password}&service=hub.docker.io&client_id=dockerengine&access_type=offline"
Command succeeds with response below:
HTTP/1.1 200 OK
content-type: application/json
date: Tue, 04 Jan 2022 03:08:37 GMT
transfer-encoding: chunked
strict-transport-security: max-age=31536000
{
"access_token": "<access token omitted>",
"scope": "",
"expires_in": 300,
"issued_at": "2022-01-04T03:08:37.398945485Z"
}
The document explicitly says:
refresh_token
(Optional) Token which can be used to get additional access tokens for the same subject with different scopes. This token should be kept secure by the client and only sent to the authorization server which issues bearer tokens. This field will only be set when access_type=offline is provided in the request.
The same effect is observed when I tested deployment of a private docker registry:2.7 along with a docker_auth (https://github.com/cesanta/docker_auth, version 1.9) authentication server.
From the Docker registry OAuth specification, it seems the feature is already in place, but if it does not work on the Docker auth server and the other project follows this specification, I can't help but wonder whether this is a future feature or I just missed something in my configuration.

Can't get Travis API token using Github token

According to the Travis API documentation, to get a Travis API token I need to send a POST HTTP request to a special address:
POST /auth/github HTTP/1.1
User-Agent: MyClient/1.0.0
Accept: application/vnd.travis-ci.2+json
Host: api.travis-ci.org
Content-Type: application/json
Content-Length: 37
{"github_token":"YOUR GITHUB TOKEN"}
But when I do this I receive a 403 error with an Unexpected 'y' message.
Any ideas what I'm doing wrong? Or is there something specific about the Travis API?
I made it work like this:
http post https://api.travis-ci.org/auth/github Content-Type:application/json User-Agent:TravisMyClient/1.0.0 Accept:application/vnd.travis-ci.2+json github_token=<enter_your_github_token>
I'm using HTTPie instead of curl.

Can't get header request Rails 5 API on production stage (AWS elasticbeanstalk)

I have a Rails 5 API. Tested locally, it runs perfectly. But after deploying to Elastic Beanstalk I have a problem: I can't get the authentication token which I put in the header. This is how I set the token when calling the API and read it in my app:
Set when calling the API:
curl -H "Content-Type: application/json" -X POST http://example.com/users -H "Authorization: eyJ0eXAiOiJKV1QiLCJhbGc"
And read/get:
auth_header = request.headers['Authorization'] and token = auth_header.split(' ').last
Any ideas what's going on?
I resolved it by using a dash ("-") instead of an underscore ("_") in the header.
example:
authentication-token
instead of
authentication_token
It will work 100%

WebSphere Docker OAuth

I need to implement OAuth against an IBM WebSphere server. For that purpose I built a docker environment https://github.com/hhoechtl/websphere-oauth according to http://www.ibm.com/developerworks/websphere/techjournal/1305_odonnell2/1305_odonnell2.html
But if I try to get a token
curl -X POST -H "Accept-Charset: UTF-8" -H "Content-Type: application/x-www-form-urlencoded" -d 'grant_type=password&client_id=LibertyRocks&client_secret=AndMakesConfigurationEasy&username=admin&password=admin' "https://192.168.99.100:9443/oauth2/endpoint/DemoProvider/token"
I get the error
{
"error_description": "CWWKS1406E: The token request had an invalid client credential. The request URI was /oauth2/endpoint/DemoProvider/token.",
"error": "invalid_client"
}
But according to my server.xml that should be correct. What am I missing?
Would you be able to turn on and provide the server trace for that invocation? The message indicates that either credentials weren't found in the request, or credentials were found but were invalid for that client. It would be useful to know which is the case here.
You can enable trace by adding this snippet to your server.xml:
<logging traceSpecification="*=info=enabled:com.ibm.ws.security.*=all=enabled:com.ibm.oauth.*=all=enabled" />
The next day it just worked, no idea why.

401 unauthorized streaming spring xd

I'm trying to follow this tutorial https://github.com/spring-projects/spring-xd-samples/tree/master/analytics-dashboard
I did the configuration on modules.yml
twitter:
consumerKey: {your-consumer-key}
consumerSecret: {your-consumer-secret}
accessToken: {your-access-token}
accessTokenSecret: {your-access-token-secret}
with my own keys, and then when I run
stream create tweets --definition "twitterstream | log" --deploy
this error appears:
2016-05-24T12:48:07-0500 1.3.1.RELEASE ERROR twitterSource-1-1 twitter.TwitterStreamChannelAdapter - Twitter authentication failed: 401 Authorization Required
A 401 error means "Authentication credentials were missing or incorrect". Make sure the credentials are correct. See https://dev.twitter.com/overview/api/response-codes