KeyCloak redirecting back to Identity Provider after Authentication Code Flow error
Posted: 2020-12-28 01:31:12
Question: I am using KeyCloak as the OAuth2 authentication node for my application. But the real authentication and authorization happen in a custom (default) Identity Provider.
The client application receives (through the user) the authorization code (used to obtain the token); that is the success flow.
However, whenever my IdP (Identity Provider) returns an error, KeyCloak retries the process, redirecting the user back to the IdP in a loop, instead of passing this error back to the client application.
Is there a configuration or parameter to correct this?
Identity Provider configuration
Redirects:
The client application redirects the user to KeyCloak: https://keycloak/auth/realms/app/protocol/openid-connect/auth?client_id=1&response_type=code&redirect_uri=http://localhost:8100
Internal keycloak redirects...
KeyCloak redirects the user to my IdP: https://myidp/auth?scope=openid&state=SsjEd0IPdoG4EMPXwIPOtcTbxvrvZo3x9V2u6y3d3QE.J_i69mzjjS8.1&response_type=code&client_id=keycloak-client-id&redirect_uri=http%3A%2F%2FkeyCloth %2Fbroker%2Fmy-idp%2Fendpoint&uuid=123&nonce=5pe9y4dIpmPHghQbsZrhAA
My IdP redirects the user to KeyCloak, but with an error: https://keycloak/auth/realms/app/broker/my-idp/endpoint?error_description=expired%20uuid&state=SsjEd0IPdoG4EMPXwIPOtcTbxvrvZo3x9V2u6y3d3QE.J_i69mzjjS8.1&error=invalid_request
KeyCloak redirects the user to My IdP again (¬¬): https://myidp/auth?scope=openid&state=WINKLu_z9MDPwShk_mJE9ri7dxMgHN9xNoiTDskku90.J_i69mzjjS8.1&response_type=code&client_id=keycloak-client-id&redirect_uri=http%3A%2F%2F 2Fauth%2Frealms%2Fapp%2Fbroker%2Fmy-idp%2Fendpoint&uuid=123&nonce=0IcmhzImj9HpAudIk799hg
Trace from KeyCloak
15:03:31,045 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (Timer-2) new JtaTransactionWrapper
15:03:31,045 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (Timer-2) was existing? false
15:03:31,045 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (Timer-2) JtaTransactionWrapper commit
15:03:31,045 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (Timer-2) JtaTransactionWrapper end
15:03:31,045 DEBUG [org.keycloak.services.scheduled.ScheduledTaskRunner] (Timer-2) Executed scheduled task AbstractLastSessionRefreshStoreFactory$$Lambda$1466/0x00000008414e4440
15:03:36,045 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (Timer-2) new JtaTransactionWrapper
15:03:36,049 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (Timer-2) was existing? false
15:03:36,052 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (Timer-2) JtaTransactionWrapper commit
15:03:36,052 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (Timer-2) JtaTransactionWrapper end
15:03:36,052 DEBUG [org.keycloak.services.scheduled.ScheduledTaskRunner] (Timer-2) Executed scheduled task AbstractLastSessionRefreshStoreFactory$$Lambda$1466/0x00000008414e4440
15:03:41,045 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (Timer-2) new JtaTransactionWrapper
15:03:41,045 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (Timer-2) was existing? false
15:03:41,045 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (Timer-2) JtaTransactionWrapper commit
15:03:41,046 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (Timer-2) JtaTransactionWrapper end
15:03:41,046 DEBUG [org.keycloak.services.scheduled.ScheduledTaskRunner] (Timer-2) Executed scheduled task AbstractLastSessionRefreshStoreFactory$$Lambda$1466/0x00000008414e4440
15:03:42,366 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-115) new JtaTransactionWrapper
15:03:42,366 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-115) was existing? false
15:03:42,367 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-115) realm by name cache hit: app
15:03:42,367 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-115) by id cache hit: app
15:03:42,367 TRACE [org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint] (default task-115) Processing @GET request
15:03:42,367 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-115) client by name cache hit: 1
15:03:42,367 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-115) client by id cache hit: 1
15:03:42,367 DEBUG [org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint] (default task-115) PKCE non-supporting Client
15:03:42,367 DEBUG [org.keycloak.services.util.CookieHelper] (default task-115) 1 cookie found in the requests header
15:03:42,367 DEBUG [org.keycloak.services.util.CookieHelper] (default task-115) 1 cookie found in the cookies field
15:03:42,367 DEBUG [org.keycloak.services.managers.AuthenticationSessionManager] (default task-115) Found AUTH_SESSION_ID cookie with value 7db70911-e7ce-41f9-9c43-f01ca4d3d9e6.keycloak-0
15:03:42,367 TRACE [org.keycloak.models.sessions.infinispan.InfinispanKeycloakTransaction] (default task-115) Adding cache operation: REPLACE on 7db70911-e7ce-41f9-9c43-f01ca4d3d9e6
15:03:42,367 DEBUG [org.keycloak.protocol.AuthorizationEndpointBase] (default task-115) Sent request to authz endpoint. Root authentication session with ID '7db70911-e7ce-41f9-9c43-f01ca4d3d9e6' exists. Client is '1' . Created new authentication session with tab ID: ekb7z3lW0c8
15:03:42,367 TRACE [org.keycloak.models.sessions.infinispan.InfinispanKeycloakTransaction] (default task-115) Adding cache operation: REPLACE on 7db70911-e7ce-41f9-9c43-f01ca4d3d9e6
15:03:42,367 TRACE [org.keycloak.models.sessions.infinispan.InfinispanKeycloakTransaction] (default task-115) Adding cache operation: REPLACE on 7db70911-e7ce-41f9-9c43-f01ca4d3d9e6
15:03:42,367 TRACE [org.keycloak.models.sessions.infinispan.InfinispanKeycloakTransaction] (default task-115) Adding cache operation: REPLACE on 7db70911-e7ce-41f9-9c43-f01ca4d3d9e6
15:03:42,367 TRACE [org.keycloak.models.sessions.infinispan.InfinispanKeycloakTransaction] (default task-115) Adding cache operation: REPLACE on 7db70911-e7ce-41f9-9c43-f01ca4d3d9e6
15:03:42,367 TRACE [org.keycloak.models.sessions.infinispan.InfinispanKeycloakTransaction] (default task-115) Adding cache operation: REPLACE on 7db70911-e7ce-41f9-9c43-f01ca4d3d9e6
15:03:42,367 TRACE [org.keycloak.models.sessions.infinispan.InfinispanKeycloakTransaction] (default task-115) Adding cache operation: REPLACE on 7db70911-e7ce-41f9-9c43-f01ca4d3d9e6
15:03:42,367 TRACE [org.keycloak.models.sessions.infinispan.InfinispanKeycloakTransaction] (default task-115) Adding cache operation: REPLACE on 7db70911-e7ce-41f9-9c43-f01ca4d3d9e6
15:03:42,367 TRACE [org.keycloak.models.sessions.infinispan.InfinispanKeycloakTransaction] (default task-115) Adding cache operation: REPLACE on 7db70911-e7ce-41f9-9c43-f01ca4d3d9e6
15:03:42,367 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-115) client by id cache hit: 1
15:03:42,367 TRACE [org.keycloak.models.sessions.infinispan.InfinispanKeycloakTransaction] (default task-115) Adding cache operation: REPLACE on 7db70911-e7ce-41f9-9c43-f01ca4d3d9e6
15:03:42,367 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-115) client by id cache hit: 1
15:03:42,368 TRACE [org.keycloak.keys.DefaultKeyManager] (default task-115) Active key found: realm=app kid=8f2e9d61-d473-46b3-9b8f-fe95161b4eae algorithm=HS256 use=SIG
15:03:42,368 DEBUG [org.keycloak.authentication.AuthenticationProcessor] (default task-115) AUTHENTICATE
15:03:42,368 DEBUG [org.keycloak.authentication.AuthenticationProcessor] (default task-115) AUTHENTICATE ONLY
15:03:42,368 TRACE [org.keycloak.models.sessions.infinispan.InfinispanKeycloakTransaction] (default task-115) Adding cache operation: REPLACE on 7db70911-e7ce-41f9-9c43-f01ca4d3d9e6
15:03:42,368 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-115) client by id cache hit: 1
15:03:42,368 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-115) processFlow: browser
15:03:42,368 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-115) check execution: 'auth-cookie', requirement: 'ALTERNATIVE'
15:03:42,368 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-115) authenticator: auth-cookie
15:03:42,368 DEBUG [org.keycloak.authentication.AuthenticationSelectionResolver] (default task-115) Going through the flow 'browser' for adding executions
15:03:42,368 DEBUG [org.keycloak.authentication.AuthenticationSelectionResolver] (default task-115) Selections when trying execution 'auth-cookie' : [ authSelection - auth-cookie, authSelection - identity-provider-redirector]
15:03:42,368 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-115) invoke authenticator.authenticate: auth-cookie
15:03:42,368 DEBUG [org.keycloak.services.util.CookieHelper] (default task-115) Couldnt find cookie 0, trying 1
15:03:42,368 DEBUG [org.keycloak.services.managers.AuthenticationManager] (default task-115) Could not find cookie: KEYCLOAK_IDENTITY
15:03:42,368 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-115) authenticator ATTEMPTED: auth-cookie
15:03:42,368 TRACE [org.keycloak.models.sessions.infinispan.InfinispanKeycloakTransaction] (default task-115) Adding cache operation: REPLACE on 7db70911-e7ce-41f9-9c43-f01ca4d3d9e6
15:03:42,368 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-115) check execution: 'identity-provider-redirector', requirement: 'ALTERNATIVE'
15:03:42,368 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-115) authenticator: identity-provider-redirector
15:03:42,368 DEBUG [org.keycloak.authentication.AuthenticationSelectionResolver] (default task-115) Going through the flow 'browser' for adding executions
15:03:42,368 DEBUG [org.keycloak.authentication.AuthenticationSelectionResolver] (default task-115) Selections when trying execution 'identity-provider-redirector' : [ authSelection - identity-provider-redirector]
15:03:42,368 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-115) invoke authenticator.authenticate: identity-provider-redirector
15:03:42,368 TRACE [org.keycloak.authentication.authenticators.browser.IdentityProviderAuthenticator] (default task-115) Redirecting: default provider set to my-idp
15:03:42,368 TRACE [org.keycloak.models.sessions.infinispan.InfinispanKeycloakTransaction] (default task-115) Adding cache operation: REPLACE on 7db70911-e7ce-41f9-9c43-f01ca4d3d9e6
15:03:42,368 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-115) client by id cache hit: 1
15:03:42,368 DEBUG [org.keycloak.authentication.authenticators.browser.IdentityProviderAuthenticator] (default task-115) Redirecting to my-idp
15:03:42,368 TRACE [org.keycloak.models.sessions.infinispan.InfinispanKeycloakTransaction] (default task-115) Adding cache operation: REPLACE on 7db70911-e7ce-41f9-9c43-f01ca4d3d9e6
15:03:42,368 TRACE [org.keycloak.models.sessions.infinispan.InfinispanKeycloakTransaction] (default task-115) Adding cache operation: REPLACE on 7db70911-e7ce-41f9-9c43-f01ca4d3d9e6
15:03:42,368 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-115) JtaTransactionWrapper commit
15:03:42,368 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-115) JtaTransactionWrapper end
15:03:42,436 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-115) new JtaTransactionWrapper
15:03:42,436 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-115) was existing? false
15:03:42,436 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-115) realm by name cache hit: app
15:03:42,436 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-115) by id cache hit: app
15:03:42,437 DEBUG [org.keycloak.services.resources.IdentityBrokerService] (default task-115) Sending authentication request to identity provider [my-idp].
15:03:42,437 DEBUG [org.keycloak.services.resources.SessionCodeChecks] (default task-115) Will use client '1' in back-to-application link
15:03:42,437 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-115) client by name cache hit: 1
15:03:42,437 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-115) client by id cache hit: 1
15:03:42,437 DEBUG [org.keycloak.services.util.CookieHelper] (default task-115) 1 cookie found in the requests header
15:03:42,437 DEBUG [org.keycloak.services.util.CookieHelper] (default task-115) 1 cookie found in the cookies field
15:03:42,437 DEBUG [org.keycloak.services.managers.AuthenticationSessionManager] (default task-115) Found AUTH_SESSION_ID cookie with value 7db70911-e7ce-41f9-9c43-f01ca4d3d9e6.keycloak-0
15:03:42,437 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-115) client by id cache hit: 1
15:03:42,437 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-115) client by id cache hit: 1
15:03:42,437 TRACE [org.keycloak.models.sessions.infinispan.InfinispanKeycloakTransaction] (default task-115) Adding cache operation: REPLACE on 7db70911-e7ce-41f9-9c43-f01ca4d3d9e6
15:03:42,437 DEBUG [org.keycloak.services.resources.IdentityBrokerService] (default task-115) Authorization code is valid.
15:03:42,437 TRACE [org.keycloak.models.sessions.infinispan.InfinispanKeycloakTransaction] (default task-115) Adding cache operation: REPLACE on 7db70911-e7ce-41f9-9c43-f01ca4d3d9e6
15:03:42,437 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-115) client by id cache hit: 1
15:03:42,440 TRACE [org.keycloak.models.sessions.infinispan.InfinispanKeycloakTransaction] (default task-115) Adding cache operation: REPLACE on 7db70911-e7ce-41f9-9c43-f01ca4d3d9e6
15:03:42,440 DEBUG [org.keycloak.services.resources.IdentityBrokerService] (default task-115) Identity provider [org.keycloak.broker.oidc.OIDCIdentityProvider@530bbebe] is going to send a request [org.jboss.resteasy.specimpl.BuiltResponse@12aba942].
15:03:42,440 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-115) JtaTransactionWrapper commit
15:03:42,440 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-115) JtaTransactionWrapper end
15:03:42,741 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-115) new JtaTransactionWrapper
15:03:42,741 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-115) was existing? false
15:03:42,741 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-115) realm by name cache hit: app
15:03:42,741 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-115) by id cache hit: app
15:03:42,742 ERROR [org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider] (default task-115) invalid_request for broker login oidc
15:03:42,742 DEBUG [org.keycloak.services.resources.SessionCodeChecks] (default task-115) Will use client '1' in back-to-application link
15:03:42,742 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-115) client by name cache hit: 1
15:03:42,742 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-115) client by id cache hit: 1
15:03:42,742 DEBUG [org.keycloak.services.util.CookieHelper] (default task-115) 1 cookie found in the requests header
15:03:42,742 DEBUG [org.keycloak.services.util.CookieHelper] (default task-115) 1 cookie found in the cookies field
15:03:42,742 DEBUG [org.keycloak.services.managers.AuthenticationSessionManager] (default task-115) Found AUTH_SESSION_ID cookie with value 7db70911-e7ce-41f9-9c43-f01ca4d3d9e6.keycloak-0
15:03:42,742 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-115) client by id cache hit: 1
15:03:42,742 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-115) client by id cache hit: 1
15:03:42,742 TRACE [org.keycloak.models.sessions.infinispan.InfinispanKeycloakTransaction] (default task-115) Adding cache operation: REPLACE on 7db70911-e7ce-41f9-9c43-f01ca4d3d9e6
15:03:42,742 DEBUG [org.keycloak.services.resources.IdentityBrokerService] (default task-115) Authorization code is valid.
15:03:42,742 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-115) client by id cache hit: 1
15:03:42,742 DEBUG [org.keycloak.authentication.AuthenticationProcessor] (default task-115) AUTHENTICATE
15:03:42,742 DEBUG [org.keycloak.authentication.AuthenticationProcessor] (default task-115) AUTHENTICATE ONLY
15:03:42,742 TRACE [org.keycloak.models.sessions.infinispan.InfinispanKeycloakTransaction] (default task-115) Adding cache operation: REPLACE on 7db70911-e7ce-41f9-9c43-f01ca4d3d9e6
15:03:42,742 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-115) client by id cache hit: 1
15:03:42,742 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-115) processFlow: browser
15:03:42,742 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-115) check execution: 'auth-cookie', requirement: 'ALTERNATIVE'
15:03:42,742 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-115) execution 'auth-cookie' is processed
15:03:42,742 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-115) check execution: 'identity-provider-redirector', requirement: 'ALTERNATIVE'
15:03:42,742 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-115) authenticator: identity-provider-redirector
15:03:42,742 DEBUG [org.keycloak.authentication.AuthenticationSelectionResolver] (default task-115) Going through the flow 'browser' for adding executions
15:03:42,742 DEBUG [org.keycloak.authentication.AuthenticationSelectionResolver] (default task-115) Selections when trying execution 'identity-provider-redirector' : [ authSelection - identity-provider-redirector]
15:03:42,742 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-115) invoke authenticator.authenticate: identity-provider-redirector
15:03:42,742 TRACE [org.keycloak.authentication.authenticators.browser.IdentityProviderAuthenticator] (default task-115) Redirecting: default provider set to my-idp
15:03:42,742 TRACE [org.keycloak.models.sessions.infinispan.InfinispanKeycloakTransaction] (default task-115) Adding cache operation: REPLACE on 7db70911-e7ce-41f9-9c43-f01ca4d3d9e6
15:03:42,742 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-115) client by id cache hit: 1
15:03:42,742 DEBUG [org.keycloak.authentication.authenticators.browser.IdentityProviderAuthenticator] (default task-115) Redirecting to my-idp
15:03:42,742 TRACE [org.keycloak.models.sessions.infinispan.InfinispanKeycloakTransaction] (default task-115) Adding cache operation: REPLACE on 7db70911-e7ce-41f9-9c43-f01ca4d3d9e6
15:03:42,742 TRACE [org.keycloak.models.sessions.infinispan.InfinispanKeycloakTransaction] (default task-115) Adding cache operation: REPLACE on 7db70911-e7ce-41f9-9c43-f01ca4d3d9e6
15:03:42,743 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-115) JtaTransactionWrapper commit
15:03:42,743 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-115) JtaTransactionWrapper end
15:03:42,802 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-115) new JtaTransactionWrapper
15:03:42,802 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-115) was existing? false
15:03:42,802 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-115) realm by name cache hit: app
15:03:42,802 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-115) by id cache hit: app
15:03:42,802 DEBUG [org.keycloak.services.resources.IdentityBrokerService] (default task-115) Sending authentication request to identity provider [my-idp].
15:03:42,802 DEBUG [org.keycloak.services.resources.SessionCodeChecks] (default task-115) Will use client '1' in back-to-application link
15:03:42,802 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-115) client by name cache hit: 1
15:03:42,802 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-115) client by id cache hit: 1
15:03:42,802 DEBUG [org.keycloak.services.util.CookieHelper] (default task-115) 1 cookie found in the requests header
15:03:42,802 DEBUG [org.keycloak.services.util.CookieHelper] (default task-115) 1 cookie found in the cookies field
15:03:42,802 DEBUG [org.keycloak.services.managers.AuthenticationSessionManager] (default task-115) Found AUTH_SESSION_ID cookie with value 7db70911-e7ce-41f9-9c43-f01ca4d3d9e6.keycloak-0
15:03:42,802 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-115) client by id cache hit: 1
15:03:42,802 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-115) client by id cache hit: 1
15:03:42,802 TRACE [org.keycloak.models.sessions.infinispan.InfinispanKeycloakTransaction] (default task-115) Adding cache operation: REPLACE on 7db70911-e7ce-41f9-9c43-f01ca4d3d9e6
15:03:42,802 DEBUG [org.keycloak.services.resources.IdentityBrokerService] (default task-115) Authorization code is valid.
15:03:42,803 TRACE [org.keycloak.models.sessions.infinispan.InfinispanKeycloakTransaction] (default task-115) Adding cache operation: REPLACE on 7db70911-e7ce-41f9-9c43-f01ca4d3d9e6
15:03:42,803 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-115) client by id cache hit: 1
15:03:42,803 TRACE [org.keycloak.models.sessions.infinispan.InfinispanKeycloakTransaction] (default task-115) Adding cache operation: REPLACE on 7db70911-e7ce-41f9-9c43-f01ca4d3d9e6
15:03:42,803 DEBUG [org.keycloak.services.resources.IdentityBrokerService] (default task-115) Identity provider [org.keycloak.broker.oidc.OIDCIdentityProvider@68b04511] is going to send a request [org.jboss.resteasy.specimpl.BuiltResponse@1f1ebc48].
15:03:42,803 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-115) JtaTransactionWrapper commit
15:03:42,803 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-115) JtaTransactionWrapper end
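Comments:
Facing the same issue on keycloak 11.0.2. Sounds like something is wrong in the browser flow; it should abort.
Answer 1: I identified the cause of my problem; unfortunately it looks different from yours. You should post the flows you have configured (browser flow, first login flow).
In my case, the id provider returned an access_denied error, which is interpreted differently from other errors: keycloak tries to display the login form, where you can choose the provider; but in my browser flow this was disabled, and I forced the redirect to the id provider.
To avoid the loop, it seems I have to disable the "Identity Provider Redirector" or configure it so that the user can choose which one.
This code handles the error parameter in the oauth response: https://github.com/keycloak/keycloak/blob/66dfa32cd569a7416de21b4dc04db212e8fccce5/services/src/main/java/org/keycloak/broker/oidc/AbstractOAuth2IdentityProvider.java#L461
The issue is reported on the redhat jira: https://issues.redhat.com/browse/KEYCLOAK-13274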
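Added example, not part of the original posts and not Keycloak code: a log check for the loop signature visible in the question's trace, a single request in which the broker error line is followed by a new `Redirecting to <idp>`. It assumes the log layout and the JtaTransactionWrapper new/end request delimiters shown in that trace; the function names are hypothetical.

```python
import re
from collections import Counter

# Layout of the lines in the question's trace: time LEVEL [logger] (thread) message
LINE = re.compile(r"^(?P<ts>\d\d:\d\d:\d\d,\d{3})\s+(?P<level>\w+)\s+"
                  r"\[(?P<logger>[^\]]+)\]\s+\((?P<thread>[^)]+)\)\s+(?P<msg>.*)$")
SESSION = re.compile(r"Found AUTH_SESSION_ID cookie with value ([0-9a-f-]{36})")
BROKER_ERROR = re.compile(r"^(\S+) for broker login ")
REDIRECT = re.compile(r"^Redirecting to (\S+)$")

# Sample input abridged from the trace in the question (three requests).
JTA = "DEBUG [org.keycloak.transaction.JtaTransactionWrapper]"
MGR = "DEBUG [org.keycloak.services.managers.AuthenticationSessionManager]"
IDPA = "DEBUG [org.keycloak.authentication.authenticators.browser.IdentityProviderAuthenticator]"
SID = "7db70911-e7ce-41f9-9c43-f01ca4d3d9e6"
SAMPLE = f"""\
15:03:41,045 {JTA} (Timer-2) new JtaTransactionWrapper
15:03:41,046 {JTA} (Timer-2) JtaTransactionWrapper end
15:03:42,366 {JTA} (default task-115) new JtaTransactionWrapper
15:03:42,367 {MGR} (default task-115) Found AUTH_SESSION_ID cookie with value {SID}.keycloak-0
15:03:42,368 {IDPA} (default task-115) Redirecting to my-idp
15:03:42,368 {JTA} (default task-115) JtaTransactionWrapper end
15:03:42,741 {JTA} (default task-115) new JtaTransactionWrapper
15:03:42,742 ERROR [org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider] (default task-115) invalid_request for broker login oidc
15:03:42,742 {MGR} (default task-115) Found AUTH_SESSION_ID cookie with value {SID}.keycloak-0
15:03:42,742 {IDPA} (default task-115) Redirecting to my-idp
15:03:42,743 {JTA} (default task-115) JtaTransactionWrapper end
"""


def find_error_reredirects(lines):
    """Return one record per request in which a broker error was followed by
    a new redirect to the IdP (the retry the question describes)."""
    open_requests = {}  # thread name -> state of the request in progress
    findings = []
    for raw in lines:
        m = LINE.match(raw.strip())
        if not m:
            continue
        thread, msg, logger = m["thread"], m["msg"], m["logger"]
        if msg == "new JtaTransactionWrapper":
            open_requests[thread] = {"start": m["ts"], "session": None,
                                     "error": None, "idp": None}
            continue
        req = open_requests.get(thread)
        if req is None:
            continue
        if (s := SESSION.search(msg)):
            req["session"] = s.group(1)
        elif m["level"] == "ERROR" and logger.endswith("AbstractOAuth2IdentityProvider"):
            if (e := BROKER_ERROR.match(msg)):
                req["error"] = e.group(1)
        elif logger.endswith("IdentityProviderAuthenticator"):
            # Only a redirect issued after the error counts as a retry.
            if (r := REDIRECT.match(msg)) and req["error"]:
                req["idp"] = r.group(1)
        elif msg == "JtaTransactionWrapper end":
            if req["error"] and req["idp"]:
                findings.append(req)
            del open_requests[thread]
    return findings


def retries_per_session(findings):
    """Count retries per (session, idp, error) to see how often one login looped."""
    return Counter((f["session"], f["idp"], f["error"]) for f in findings)


if __name__ == "__main__":
    for key, count in retries_per_session(find_error_reredirects(SAMPLE.splitlines())).items():
        print(key, count)
```

Any non-empty result means the browser flow re-entered the identity-provider-redirector after a broker error; a growing count for one session is the loop itself.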