generator-jhipster
Content Security Policy issue with Oauth2 Keycloak for Anonymous users
Overview of the issue
When a user is not logged in the following message appears:
Refused to connect to 'http://localhost:9080/realms/jhipster/protocol/openid-connect/auth?response…0/login/oauth2/code/oidc&nonce=QYUQTN10TFddVkukq1KEFczMdyWSFLDun7iGMAerFas' because it violates the following Content Security Policy directive: "default-src 'self'". Note that 'connect-src' was not explicitly set, so 'default-src' is used as a fallback.
Motivation for or Use Case
I assume this call shouldn't fail or shouldn't be done
Reproduce the error
Fresh generation: gateway, OAuth2 with Keycloak, React.
Services launched in Docker: docker-compose -f src/main/docker/services.yml up -d
JHipster v8.0.0, tested on Safari, Chrome and Postman (macOS).
JHipster configuration
JDL definitions
application {
  config {
    applicationType gateway
    authenticationType oauth2
    baseName tmp
    buildTool maven
    cacheProvider no
    clientFramework react
    clientTheme cosmo
    clientThemeVariant light
    creationTimestamp 1700402191659
    databaseType mongodb
    devDatabaseType mongodb
    enableHibernateCache false
    enableSwaggerCodegen false
    enableTranslation true
    jhipsterVersion "8.0.0"
    jwtSecretKey "XXX"
    languages [fr, en]
    messageBroker false
    microfrontend false
    microfrontends []
    nativeLanguage fr
    packageName com.example.tmp
    prodDatabaseType mongodb
    reactive true
    searchEngine false
    serverPort 8080
    serviceDiscoveryType consul
    skipUserManagement true
    testFrameworks []
    websocket false
    withAdminUi false
  }
}
I am having the same issue, but on Spring session timeout. Can we modify Keycloak's security defenses to allow this?
@divukman You should be able to modify your local Keycloak instance to test a solution. If you figure out what works, please let us know how you fixed it.
Locally I am unable to get the CSP error, not sure why. But I am getting different behavior. After Spring session timeout, if any request is made from the app, it goes to the login OIDC page, which returns a 302 to the Keycloak login. Since it's an AJAX request, Keycloak just says CORS error and we are stuck on the UI until we refresh the whole web page (which shows the Keycloak login). Is this something that is expected, or some misconfiguration on my part? (I thought there would be an axios interceptor for 302s or something.)
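The two symptoms in this thread (the connect-src violation in the report and the CORS error after session timeout in the last comment) have the same root: an AJAX call is answered with a 302 to the login flow, and the browser follows that redirect off-origin inside the fetch/XHR. The client can refuse to follow it: with `redirect: 'manual'` the fetch returns an opaque redirect instead of chasing the Location header into Keycloak, and the app can then do a real top-level navigation to the login entry point, which neither connect-src nor CORS governs. The following is an added example written for this page, not code from the issue or from generator-jhipster. It assumes the OIDC client registration is named "oidc" (consistent with the `/login/oauth2/code/oidc` callback in the reported message), so the Spring Security login path is `/oauth2/authorization/oidc`; `fetchImpl` and `navigate` are injected so the logic can be exercised outside a browser.

```javascript
// Added example, not code from the JHipster issue or from generator-jhipster.
// Assumed: the OIDC client registration is named "oidc", so the gateway's
// login entry point is /oauth2/authorization/oidc (a full-page navigation,
// which CSP connect-src does not govern).
const DEFAULT_LOGIN_PATH = '/oauth2/authorization/oidc';

// Classify a Response-like object from an API call made with redirect: 'manual'.
// In that mode the browser does not follow a 3xx; it hands back an opaque
// redirect (type 'opaqueredirect', status 0) instead of chasing the Location
// header into Keycloak, so there is no connect-src violation and no CORS error.
function classifyApiResponse(response) {
  if (response.type === 'opaqueredirect') return 'login-redirect';
  if (response.status === 401) return 'unauthenticated';
  return 'pass'; // 2xx, and any other status the caller handles itself
}

// Returns a guard that inspects each API response and, at most once, swaps
// the AJAX flow for a real top-level navigation to the login entry point.
function createSessionGuard({ navigate, loginPath = DEFAULT_LOGIN_PATH }) {
  let redirecting = false;
  return function guard(response) {
    const verdict = classifyApiResponse(response);
    const expired = verdict !== 'pass';
    if (expired && !redirecting) {
      redirecting = true; // several in-flight calls must not each trigger a navigation
      navigate(loginPath);
    }
    return { verdict, redirected: expired };
  };
}

// fetch wrapper for same-origin API calls. fetchImpl and navigate are injected
// so the logic runs outside a browser too. The X-Requested-With header is a
// conventional marker (an assumption here) that an XHR-aware server entry
// point can key on to answer 401 instead of 302.
function createApiClient({ fetchImpl, navigate, loginPath = DEFAULT_LOGIN_PATH }) {
  const guard = createSessionGuard({ navigate, loginPath });
  return async function apiFetch(url, init = {}) {
    const response = await fetchImpl(url, {
      ...init,
      credentials: 'same-origin',
      redirect: 'manual',
      headers: { 'X-Requested-With': 'XMLHttpRequest', ...(init.headers || {}) },
    });
    if (guard(response).redirected) {
      throw new Error(`session expired on ${url}; navigating to login`);
    }
    return response;
  };
}

// Browser wiring (not executed here):
//   const api = createApiClient({
//     fetchImpl: (u, i) => fetch(u, i),
//     navigate: (path) => window.location.assign(path),
//   });
//   const account = await api('/api/account').then((r) => r.json());
```

The guard fires once even when several requests are in flight when the session expires, so the page navigates to the login entry point exactly one time; the Keycloak hop then happens as a normal top-level redirect, outside any CSP connect-src or CORS check.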