
Keycloak SSO integration logout issue

Open shehanab opened this issue 3 years ago • 6 comments

I have integrated Keycloak for authentication and authorization. I manage to log in to the system successfully every time I try to log in to the app using http://localhost:9393/dashboard. Upon logout, it takes me to the default login page with the button to log in as follows...

[image]

The problem is that upon clicking the login button on the page that comes as the logout-successful response, it loads the http://localhost:9393/login page, which leads me to my SSO client selection page as follows...

[image]

Once I select the client, it takes me to the root (http://localhost:9393/) upon successful login, which just loads a JSON object with URLs instead of taking me to the dashboard.

[image]

After this, I have to load the dashboard path (any valid path http://localhost:9393/dashboard/ etc.) manually to load the app.

If you try to log in to the root URL http://localhost:9393/ for the first time as well, you will face the same issue.

I'm customizing the 2.7.1 tag for the local setup.

My Keycloak configs are as follows...

```yaml
spring:                       # top-level key implied by the indentation of the original paste
  cloud:
    dataflow:
      security:
        authorization:
          enabled: true
          # map OAuth scopes carried by the token onto SCDF roles
          provider-role-mappings:
            keycloak:
              map-oauth-scopes: true
              role-mappings:
                ROLE_VIEW: dataflow.view
                ROLE_CREATE: dataflow.create
                ROLE_MANAGE: dataflow.manage
                ROLE_DEPLOY: dataflow.deploy
                ROLE_DESTROY: dataflow.destroy
                ROLE_MODIFY: dataflow.modify
                ROLE_SCHEDULE: dataflow.schedule
  security:
    oauth2:
      client:
        registration:
          keycloak:
            redirect-uri: '{baseUrl}/login/oauth2/code/{registrationId}'
            authorization-grant-type: authorization_code
            client-id: COMPANY_CLIENT
            client-name: COMPANY_CLIENT
            client-secret: a0f442f5-8c58-4220-9b48-4174476ba57a
            scope:
              - openid
              - dataflow.view
              - dataflow.deploy
              - dataflow.destroy
              - dataflow.manage
              - dataflow.modify
              - dataflow.schedule
              - dataflow.create
        # provider endpoints given one by one (no issuer-uri discovery)
        provider:
          keycloak:
            jwk-set-uri: https://ulogin.company.services/auth/realms/XConnect/protocol/openid-connect/certs
            token-uri: https://ulogin.company.services/auth/realms/XConnect/protocol/openid-connect/token
            user-info-uri: https://ulogin.company.services/auth/realms/XConnect/protocol/openid-connect/userinfo
            user-name-attribute: preferred_username
            user-info-authentication-method: validate_access_token
            authorization-uri: https://ulogin.company.services/auth/realms/XConnect/protocol/openid-connect/auth
      # opaque-token introspection for API calls made with a bearer token
      resourceserver:
        opaquetoken:
          introspection-uri: https://ulogin.company.services/auth/realms/XConnect/protocol/openid-connect/token/introspect
          client-id: COMPANY_CLIENT
          client-secret: a0f442f5-8c58-4220-9b48-4174476ba57a
      authorization:
        check-token-access: isAuthenticated()
```

Appreciate it if anyone could give some clues to resolve this. @jvalkeal @sabbyanandan

shehanab avatar Apr 07 '21 06:04 shehanab

Quick update. Thanks to @nicholasmhughes, they recently published an elaborate blog on this subject -> https://eitr.tech/blog/2021/04/12/keycloak-oauth-for-spring-cloud-dataflow.html -- perhaps review the steps and retry in your environment.

sabbyanandan avatar May 03 '21 18:05 sabbyanandan

@thekindler, since you pinged on the same topic in Gitter, perhaps you could try it, as well.

sabbyanandan avatar May 03 '21 18:05 sabbyanandan

Unfortunately, I haven't found a way around this either. I tried using rewrite-target on ingress, but it effectively broke navigation to some other pages. Out of curiosity, does anyone know why the default page is a JSON response of links?

nicholasmhughes avatar May 03 '21 19:05 nicholasmhughes

Hi @shehanab

Check https://github.com/jvalkeal/randomstuff/tree/master/dataflow-keycloak very carefully; it works ...

Double-check the JSON definition, on the Skipper side and the SCDF side ... I don't know why, but if the YAML gets some tree-tag configurations that are not valid ... no issue or warning is raised ... check the example JSON about the scope definitions.

I don't know what KC version it is .. another warning: the latest KC changed the configuration windows and "areas", but the config process is the same ...

Boot SCDF and Skipper at debug level ... check and re-check the JSON definition and follow the previous link ... check for the right JSON definition; errors are hidden.

Good luck

eskuai avatar May 21 '21 22:05 eskuai

I have the same problem but with ADFS - after logout from SCDF, it takes me to the Log In screen, but after clicking on this it re-authenticates me without asking for a username/password.

szopal avatar Mar 24 '22 10:03 szopal

@shehanab Were you able to solve either of these issues? I too face both the JSON object on redirect back to "http://localhost:9393/" as well as logout not doing a federated logout to Keycloak.

This is using Keycloak version 23 and SCDF version 2.11.2. Same thing happens on even older SCDF JARs.

BradNut avatar Mar 21 '24 22:03 BradNut
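The symptom reported in the issue and repeated by szopal and BradNut (after logout, the app's login button signs you straight back in with no password prompt) is what you get when only the local session is cleared while the Keycloak SSO session stays alive. Below is an added example, not SCDF's own code or anything from this thread, of the Spring Security mechanism for RP-initiated (federated) logout; it assumes a Spring Boot app on spring-boot-starter-oauth2-client with Spring Security 5.7 or later, and that the `keycloak` provider is configured with `issuer-uri` so the registration's metadata carries `end_session_endpoint`.

```java
// Added example (not SCDF's code): federated logout via OidcClientInitiatedLogoutSuccessHandler,
// so logging out of the app also ends the Keycloak SSO session. Assumes Spring Security 5.7+
// and a "keycloak" registration whose provider is configured with issuer-uri.
package example.security;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.client.oidc.web.logout.OidcClientInitiatedLogoutSuccessHandler;
import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
public class FederatedLogoutConfig {

    @Bean
    SecurityFilterChain securityFilterChain(HttpSecurity http,
                                            ClientRegistrationRepository registrations) throws Exception {
        // Redirects the browser to the provider's end_session_endpoint with id_token_hint and
        // post_logout_redirect_uri. The endpoint is read from the registration's provider
        // metadata, which is only populated by issuer-uri discovery; with the per-endpoint
        // (jwk-set-uri/token-uri/authorization-uri) style of configuration it is absent and
        // the handler silently falls back to a local-only logout.
        OidcClientInitiatedLogoutSuccessHandler federatedLogout =
                new OidcClientInitiatedLogoutSuccessHandler(registrations);
        // Where Keycloak sends the browser after ending the SSO session; this URL must be
        // allowed as a post-logout redirect URI on the Keycloak client.
        federatedLogout.setPostLogoutRedirectUri("{baseUrl}/dashboard");

        http
            .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
            // Always land on the dashboard after login instead of the saved request
            // (the root URL of SCDF returns a JSON index of links, as the issue notes).
            .oauth2Login(login -> login.defaultSuccessUrl("/dashboard", true))
            .logout(logout -> logout
                .logoutUrl("/logout")
                .logoutSuccessHandler(federatedLogout)
                .invalidateHttpSession(true)
                .deleteCookies("JSESSIONID"));
        return http.build();
    }
}
```

With the endpoint-by-endpoint provider configuration shown in the issue (no `issuer-uri`), the registration carries no `end_session_endpoint` and the handler degrades to a local-only logout, so add `spring.security.oauth2.client.provider.keycloak.issuer-uri: https://<keycloak-host>/auth/realms/<realm>` (placeholder host and realm) alongside it. Whether SCDF's bundled security configuration can be overridden with such a bean is an assumption, not something this thread confirms.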