Using oidc error-path doesn't keep the original path params used for session handling #28246
Comments
|
/cc @pedroigor, @sberyozkin |
|
Thank you @sberyozkin for a very quick response, looking forward to the next release. However, this problem getting me think about microservice support with oidc and Quarkus. Our application needs to be distributed over different pods in a kubernetes cluster. Do we need to keep the state parameter in the above example in a common database somehow? How is it suppose to work when the redirect after an finished authentication ends up in another instance of our application in a different pod? Or is the Quarkus OIDC totally stateless in the implementation? Thanks in advance |
|
@KristoferPettersson Np, the state is kept in the cookie, so there would be np with accessing it from various pods, |
Describe the bug
I have an rest resource protected with OIDC, and wants to implement a customized web page when the authentication could not be performed.
I am trying to accomplish this with the setting:
quarkus.oidc.authentication.error-path=/error
If I surf to my application with the following url: http://localhost/application?ref=xxxxx
Quarkus will redirect the browser with a 302 response and the location url as something like this:
http://thirdPartyAuth/uas?state=yyyyy&redirect_uri=http://localhost/application
If the user perform a successful authentication and gets redirected back to the application I will land on this page:
http://localhost:8080/application?ref=xxxxx
i.e I have access to the original ref parameter and I can correlate this in my bigger session and a can mark this task as completed.
However when something gets wrong. For example when a user is canceling the authentication on the third party auth server the user is redirected to the error page with this uri:
http://localhost/application/error?state=yyyyy
The redirect on error is working and the user is presented with a correct error web page. The problem is that I am missing the ref=xxxxx parameter. I have only access to the parameter state=yyyyy whis is made up in the Quarkus extension.
If this is an expected behaviour is it possible for me to set the state=yyyyy parameter from the application myself or if it is possible to fetch this parameter when the authentication process is starting so that I now whet user is landing on the error page?
Expected behavior
Using the property:
quarkus.oidc.authentication.error-path=/error
Quarkus should keep the original path parameters so that the user land on the page:
http://localhost:8080/application/error?ref=xxxxx
when an error occurs during the authentication process.
Actual behavior
Using the property:
quarkus.oidc.authentication.error-path=/error
The user land on the page:
http://localhost:8080/application/error?state=yyyyy
I can't figure out how to map the state paramater to my original ref parameter?
How to Reproduce?
No response
Output of
uname -aorverQuarkus 2.12.1.Final
Output of
java -versionNo response
GraalVM version (if different from Java)
No response
Quarkus version or git rev
No response
Build tool (ie. output of
mvnw --versionorgradlew --version)No response
Additional information
No response
The text was updated successfully, but these errors were encountered: