0

I'm trying to implement Flask-OIDC and Keycloak in a Flask app run inside a Gitpod workspace.

I'm running the application and the Keycloak server like this:

./keycloak-11.0.3/bin/standalone.sh -b 0.0.0.0 -bmanagement 0.0.0.0 &
flask run --host=0.0.0.0 &

Based on this post

I'm able to redirect to the Keycloak login page for regular users from within the Flask application, but when I login with an existing user I get the following:

oauth2client.client.FlowExchangeError: Invalid response: 301

My client_secrets.json currently looks something like this:

{
  "web": {
    "auth_uri": "http://keycloak-hostname-gitpod/auth/realms/realm/protocol/openid-connect/auth",
    "issuer": "http://keycloak-hostname-gitpod/auth/realms/realm",
    "userinfo_uri": "http://keycloak-hostname-gitpod/auth/realms/realm/protocol/openid-connect/userinfo",
    "client_id": "client",
    "client_secret": "client_secret",
    "redirect_uris": ["http://flask-app-hostname-gitpod/oidc_callback"],
    "token_uri": "http://keycloak-hostname-gitpod/auth/realms/realm/protocol/openid-connect/token",
    "token_introspection_uri": "http://keycloak-hostname-gitpod/auth/realms/realm/openid-connect/token/introspect"
  }
}

Relevant client configuration inside keycloak:

Root URL:            http://flask-app-hostname-gitpod/*
Valid Redirect URIs: http://flask-app-hostname-gitpod/*
Admin URL:           http://flask-app-hostname-gitpod/*
Web Origins:         http://flask-app-hostname-gitpod

I use http in all of these urls instead of https, because when I use https Keycloak says the redirect_uri is invalid. This seems to be the actual problem here since the gitpod urls use https, but I'm not sure how to handle this. I've tried some solutions like described here, but couldn't get them to work.

Relevant part routing:

@app.route("/")
def hello_world():
    if oidc.user_loggedin:
        return (
            'Hello, %s, <a href="/private">See private</a> '
            '<a href="/logout">Log out</a>'
        ) % oidc.user_getfield("preferred_username")
    else:
        return 'Welcome anonymous, <a href="/private">Log in</a>'


@app.route("/private")
@oidc.require_login
def test():
    return "test"

Parts of standalone.xml that might be relevant:

<http-listener name="default" socket-binding="http" redirect-socket="https" enable-http2="true" read-timeout="30000" proxy-address-forwarding="true" />
<https-listener name="https" socket-binding="https" security-realm="ApplicationRealm" enable-http2="true" read-timeout="30000" />

Update

After following changing the http urls to https as Jan Garaj suggested and setting the OVERWRITE_REDIRECT_URI I don't get the invalid response: 301 error anymore:

OVERWRITE_REDIRECT_URI = "https://flask-app-hostname-gitpod/oidc_callback"

Now I'm able to go to the keycloak login form, but on logging in I now get:

oauth2client.client.FlowExchangeError: Invalid response: 401.

These are the requests made:

https://keycloak-hostname-gitpod/auth/realms/realm/login-actions/authenticate?session_code=session_code&execution=execution&client_id=client&tab_id=tab_id
https://flask-app-hostname-gitpod/oidc_callback?state=state&session_state=session_state&code=code

Requests inside the network inspector: requests network

5eb
  • 14,798
  • 5
  • 21
  • 65
  • Add/edit client configuration of valid redirect URI and add also https app url there to resolve `redirect_uri is invalid` problem. BTW: OIDC protocol requires https in real prod setup. You should to provide also more details. Apparently some endpoint returns 301, but it's not clear which endpoint has that problem. – Jan Garaj Apr 05 '21 at 10:44
  • @JanGaraj Thank you for your help. I've set everything to https now. When I did this the redirect_uri was still http and failed, but I was able to fix that by setting the `OVERWRITE_REDIRECT_URI` as suggested in [this answer](https://stackoverflow.com/a/48864406/9098350). I've updated my question with some more detail. The redirect seems to work now, but the authentication seems to be failing. – 5eb Apr 06 '21 at 08:25
  • 1
    Double check token url config and keycloak logs. App has a problem to exchange code for token - app may have a problem to reach token endpoint. – Jan Garaj Apr 06 '21 at 08:45
  • @JanGaraj Thank you so much for the insight, your comment helped me figure out what was happening. – 5eb Apr 07 '21 at 07:32

1 Answers1

1

After much trial end error I've finally figured out what the problem was.

The redirect problem in the original question was solved by setting OVERWRITE_REDIRECT_URI:

OVERWRITE_REDIRECT_URI = "https://flask-app-hostname-gitpod/oidc_callback"

The oidc_callback request was still not working however, I was getting this:

oauth2client.client.FlowExchangeError: Invalid response: 401.

Jan Garaj's comment made me realise the problem was that the token endpoint request was not working.

I had checked the token endpoint uri multiple times and copied the value from:

https://flask-app-hostname-gitpod/auth/realms/demo/.well-known/openid-configuration

but it still didn't work.

The reason it didn't work was actually unrelated to my Keycloak configuration, but the way my keycloak server was running inside Gitpod.

Gitpod set the port that the keycloak server was running on to private. Because the keycloak server was running on a private port, the request to the follwing url failed:

https://keycloak-hostname-gitpod/auth/realms/demo/protocol/openid-connect/token

After making the port public it worked.

ports

if you already know that you want a particular port exposed, you can configure it in .gitpod.yml:

ports:
  - port: 5000
    onOpen: open-preview
  - port: 8080

https://www.gitpod.io/docs/config-ports

5eb
  • 14,798
  • 5
  • 21
  • 65