OIDC authentication/authorization

Added by Peter Tagwercher 4 months ago

Hi everyone,

hopefully this is a simple question.

I am trying to create a single sign on based on your oidc example.

One of the required "parameters" is the redirect endpoint. Since Wt is a single page application, a URI like http://127.0.0.1:8080/* won't work, neither does http://127.0.0.1:8080/.

So now which parameter would I use to redirect to my application?

Best Regards,
Peter


Replies (5)

RE: OIDC authentication/authorization - Added by Peter Tagwercher 3 months ago

Hi everyone,

forget what I was asking for. I had some trouble setting up Keycloak (that I am using for testing purposes), but now, as I fixed that, my OIDC setup works fine.

Best Regards,
Peter

RE: OIDC authentication/authorization - Added by Peter Tagwercher 3 months ago

It's me again. Working fine was way too much for now.

Saying it works was saying that the OidcClient both receives authenticated() and authorized().

In your announcement on [[https://www.webtoolkit.eu/wt/news/2017/06/20/announcing_openid_connect_support_in_wt]] you state that only those values have to be changed:
setAuthEndpoint("https://id-provider/oauth2/authorize");
setTokenEndpoint("https://id-provider/oauth2/token");
setUserInfoEndpoint("https://id-provider/oidc/userinfo");

but I assume that those values here would have to be changed too (to match the values above):
@Session tokenSession(dbPath);
Wt::Auth::OAuthTokenEndpoint tokenEndpoint{tokenSession.users(), deployUrl};
server.addResource(&tokenEndpoint, "/oauth2/token");

Session userInfoSession(dbPath);
Wt::Auth::OidcUserInfoEndpoint userInfoEndpoint{userInfoSession.users()};
server.addResource(&userInfoEndpoint, "/oidc/userinfo");
@

I would think that both those values would have to be set to id-provider values. Is that correct?

The next point seems to be my Keycloak setup. I have set up a client (which itself has a secret). I am using this in the callback setup.

It seems to work (at least the OAuth 2.0 Authorization Response) since I receive an Authorization token.

I am using the Authorization Flow, access type confidential, and http://127.0.0.1:8082/oauth2/callback as the Valid redirect URI, and no Authentication Flow Overrides.

But what I do not get is:
a) into the callback (I have seen it randomly but not reproducible)
b) therefore OAuthAuthorizationEndpoint is called randomly, and if it happens, I get a "The request was invalid."
c) no information is written into the database
d) I never run into OAuthWidget::createLoggedInView() so that I receive "logged in as ...".

The "login" does not seem to be complete as there is no ID token, no refresh token ...?

However, I still have some output from the webserver like: [/ ucsHoGdUsIfP8AlY] [info] "Auth.OidcService: user info: {with the complete user info from Keycloak}

Something seems to be missing, please help :)

Regards, Peter

RE: OIDC authentication/authorization - Added by Wim Dumon 3 months ago

Hey Peter,

From what I understand, you seem to be mixing up the OIDC client and provider.

Please also check the examples example/feature/oauth and example/feature/oidc.

You probably only want to use the oauth example. Please note that also the implementation of the Google identity client can be considered as an example (src/Wt/Auth/GoogleService.C)

Best regards,
Wim.

RE: OIDC authentication/authorization - Added by Peter Tagwercher 3 months ago

Hi Wim,

I don't think I am mixing things up.

What we need is either OpenID Connect (OIDC) or SAML. As there is no SAML implementation I tried to use the OIDC example (example/feature/oidc) and adapted that to connect to use Keycloak.

I will have a look at the Google identity client, if there is any implementation that exchanges the authorization code for an access token and a refresh token then this might be the solution - otherwise probably not.

Best regards,
Peter

RE: OIDC authentication/authorization - Added by Peter Tagwercher 3 months ago

Hi again,

I am still struggling with a successful "handshake", so maybe I am mixing things up.

The setup:
- Keycloak running on http://127.0.0.1:8080

OidcService-setup:
redirectendpoint /oauth2/callback
ClientId and ClientSecret are set to a valid Keycloak Client.
authendpoint /auth/realms/dev/protocol/openid-connect/auth
tokenendpoint /auth/realms/dev/protocol/openid-connect/token
userinfo /auth/realms/dev/protocol/openid-connect/userinfo

Let's see what I do:
  • opening the browser at http://127.0.0.1:8082 (where the Wt OIDC is running)
  • this opens OidcClient, therefore presenting the logo, clicking on it calls startAuthenticate
  • which itself opens the Keycloak login as a popup, I am entering my user credentials, then clicking Log In.
  • I receive both signals, authorized() and authenticated(), therefore I do have a (temporary) access token.
  • Therefore, Keycloak, after a successful login redirects to /oauth2/callback
  • End.

What I am missing in this handshake is that OAuthAuthorizationEndpoint is never called (so I never have access to an id token or refresh token).

So the question now is, what is this url for and "who" would call that:
server.addEntryPoint(Wt::EntryPointType::Application, callback, "/oauth2");

As this URI is never hit, OAuthAuthorizationEndpoint is never processed.

Something small seems to be wrong, maybe your example assumes that authendpoint (from service setup) and the "/oauth2" should match (as both have "/oauth2"), but when working with Keycloak this /oauth2 is never hit.

Best regards,
Peter
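The thread keeps circling around which URLs the client serves and which belong to the provider. The following is an added example, not Wt's or Keycloak's code and not part of this thread: a self-contained Python sketch of the client side of the OIDC authorization-code flow, with a constructed in-process stand-in for the provider. It mirrors the endpoint layout from the last post (provider on port 8080 under /auth/realms/dev/protocol/openid-connect/..., client on port 8082 serving only /oauth2/callback); the client id, client secret, the HS256-signed toy ID token and every other name are assumptions. Keycloak signs ID tokens with RS256 and publishes its keys via JWKS; the shared-secret HMAC here only keeps the example offline.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed provider layout, modelled on the last post: Keycloak-style
# issuer on port 8080, Wt-style client on port 8082. All values are assumptions.
ISSUER = "http://127.0.0.1:8080/auth/realms/dev"
AUTH_ENDPOINT = ISSUER + "/protocol/openid-connect/auth"    # provider-owned
TOKEN_ENDPOINT = ISSUER + "/protocol/openid-connect/token"  # provider-owned
REDIRECT_URI = "http://127.0.0.1:8082/oauth2/callback"     # the one URL the client serves
CLIENT_ID = "wt-app"                                        # hypothetical registration
CLIENT_SECRET = "constructed-client-secret"                 # hypothetical; also the toy HS256 key

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

class FakeProvider:
    """Constructed in-process stand-in for the identity provider (Keycloak in the thread)."""

    def __init__(self):
        self._codes = {}  # authorization code -> (client_id, redirect_uri, nonce, subject)

    def authorize(self, auth_url: str, subject: str) -> str:
        """The user logs in at the auth endpoint; the provider redirects back with a code."""
        q = {k: v[0] for k, v in parse_qs(urlparse(auth_url).query).items()}
        if q["response_type"] != "code" or "openid" not in q["scope"].split():
            raise ValueError("not an OIDC authorization-code request")
        code = secrets.token_urlsafe(16)
        self._codes[code] = (q["client_id"], q["redirect_uri"], q["nonce"], subject)
        return q["redirect_uri"] + "?" + urlencode({"code": code, "state": q["state"]})

    def token(self, form: dict) -> dict:
        """Token endpoint: a confidential client trades a single-use code for tokens."""
        entry = self._codes.pop(form.get("code"), None)  # pop: a code is redeemed at most once
        if entry is None or entry[0] != form["client_id"] or entry[1] != form["redirect_uri"]:
            return {"error": "invalid_grant"}
        if not hmac.compare_digest(form["client_secret"], CLIENT_SECRET):
            return {"error": "invalid_client"}
        now = int(time.time())
        claims = {"iss": ISSUER, "sub": entry[3], "aud": CLIENT_ID, "nonce": entry[2],
                  "iat": now, "exp": now + 300}
        header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
        payload = _b64url(json.dumps(claims).encode())
        sig = hmac.new(CLIENT_SECRET.encode(), f"{header}.{payload}".encode(), hashlib.sha256).digest()
        return {"access_token": secrets.token_urlsafe(16), "refresh_token": secrets.token_urlsafe(16),
                "id_token": f"{header}.{payload}.{_b64url(sig)}"}

def verify_id_token(id_token: str, expected_nonce: str, now=None) -> dict:
    """Client-side ID token checks: pinned algorithm, signature, issuer, audience, expiry, nonce."""
    header_b64, payload_b64, sig_b64 = id_token.split(".")
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":  # never trust the header's alg
        raise ValueError("unexpected signing algorithm")
    expected = hmac.new(CLIENT_SECRET.encode(), f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad ID token signature")
    claims = json.loads(_b64url_decode(payload_b64))
    now = int(time.time()) if now is None else now
    if claims.get("iss") != ISSUER or claims.get("aud") != CLIENT_ID:
        raise ValueError("ID token not issued by the expected provider for this client")
    if claims.get("exp", 0) <= now:
        raise ValueError("ID token expired")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch: token does not belong to this login attempt")
    return claims

class OidcClient:
    """The relying-party role OidcService plays in the thread; it serves only REDIRECT_URI."""

    def __init__(self, provider: FakeProvider):
        self.provider = provider
        self.pending = {}  # state -> nonce, kept from start_authenticate until the callback arrives

    def start_authenticate(self) -> str:
        state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
        self.pending[state] = nonce
        return AUTH_ENDPOINT + "?" + urlencode({
            "response_type": "code", "client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
            "scope": "openid profile", "state": state, "nonce": nonce})

    def handle_callback(self, callback_url: str) -> dict:
        q = {k: v[0] for k, v in parse_qs(urlparse(callback_url).query).items()}
        nonce = self.pending.pop(q.get("state", ""), None)  # state is consumed exactly once
        if nonce is None:
            raise ValueError("unknown or reused state (CSRF or replayed callback)")
        tokens = self.provider.token({"grant_type": "authorization_code", "code": q.get("code"),
                                      "redirect_uri": REDIRECT_URI, "client_id": CLIENT_ID,
                                      "client_secret": CLIENT_SECRET})
        if "error" in tokens:
            raise ValueError("token exchange failed: " + tokens["error"])
        claims = verify_id_token(tokens["id_token"], nonce)
        return {"subject": claims["sub"], "claims": claims, "id_token": tokens["id_token"],
                "has_refresh_token": "refresh_token" in tokens}

def run_flow(subject: str = "alice") -> dict:
    """Drive the whole exchange in-process, in the order the last post lists the steps."""
    provider = FakeProvider()
    client = OidcClient(provider)
    login_url = client.start_authenticate()                # popup to the provider's auth endpoint
    callback_url = provider.authorize(login_url, subject)  # user logs in; redirect to /oauth2/callback
    return client.handle_callback(callback_url)            # code -> tokens; validate the ID token
```

In this layout the authorization, token and userinfo endpoints are the provider's, and nothing in the client process answers them; the client's only inbound URL is the redirect URI. The state value ties the callback to the login attempt that started it and is consumed once, which is what rejects a replayed or forged callback, and the nonce, issuer, audience and expiry checks on the ID token are what turn "the provider sent me back a code" into "this user authenticated to this client". The refresh token arrives in the same token response as the ID token, so if the client never reaches the token endpoint it will see neither.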
