
Open ID Manifests with authorization_response_iss_parameter_supported=true 500's on authorization flows with iss missing from the response #441

Open
yacman opened this issue Jan 29, 2024 · 8 comments


yacman commented Jan 29, 2024

Utilizing keycloak version 23.0.4 which contains a realm with multiple clients where one or more contain authorization_response_iss_parameter_supported=true, this value will always be true for the /.well-known/openid-configuration.

keycloak/keycloak#25419

Given this, when the node-openid-client is hydrated by this endpoint, the following validation takes place and throws:

```js
    if ('iss' in params) {
      assertIssuerConfiguration(this.issuer, 'issuer');
      if (params.iss !== this.issuer.issuer) {
        throw new RPError({
          printf: ['iss mismatch, expected %s, got: %s', this.issuer.issuer, params.iss],
          params,
        });
      }
    } else if (
      this.issuer.authorization_response_iss_parameter_supported &&
      !('id_token' in params) &&
      !('response' in parameters)
    ) {
      throw new RPError({
        message: 'iss missing from the response',
        params,
      });
    }
```

https://github.com/panva/node-openid-client/blob/main/lib/client.js#L437

```text
Fri, 26 Jan 2024 19:53:59 GMT express:router trim prefix (/oidc) from url /oidc
Fri, 26 Jan 2024 19:53:59 GMT express:router <anonymous> /oidc : /oidc
Fri, 26 Jan 2024 19:53:59 GMT express:router handleErrors  : /oidc
An error occurred during the request RPError: iss missing from the response
    at Client.callback (/usr/src/app/node_modules/openid-client/lib/client.js:419:13)
    at oidcAuthenticate (/usr/src/app/index.js:211:37)
    at processTicksAndRejections (node:internal/process/task_queues:96:5)
    at async postOidc (/usr/src/app/index.js:146:23) {
  params: {
    code: '<some code here>'
  }
} POST /oidc
2024-01-26T19:53:59.695Z POST /oidc 500
```

Reviewing the auth flow for Skooner, it declares specific keys to proxy when submitting /oidc requests, where the issuer is also required.

https://github.com/skooner-k8s/skooner/blob/master/client/src/services/api.ts#L122
https://github.com/skooner-k8s/skooner/blob/master/server/index.js#L145

These endpoints should, when supplied, also proxy the iss parameter. When the iss parameter is provided and valid, the 500 is corrected.
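The failure described above, as an added example that is neither Skooner's nor openid-client's code: a pure function mirroring the openid-client `iss` check, fed by a Skooner-style proxy that forwards only an allowlist of callback keys. The issuer URL, the key allowlists and the callback values are constructed for illustration.

```javascript
// Constructed stand-in for what the discovery document hands the client.
const issuerConfig = {
  issuer: 'https://keycloak.example.test/realms/demo', // placeholder issuer
  authorization_response_iss_parameter_supported: true,
};

// Mirrors the check in openid-client's Client#callback: a present `iss` must
// equal the configured issuer; an absent `iss` is rejected for a plain code
// response when the issuer advertises support for the parameter (RFC 9207).
function checkIss(issuer, params) {
  if ('iss' in params) {
    if (params.iss !== issuer.issuer) {
      return { ok: false, reason: `iss mismatch, expected ${issuer.issuer}, got: ${params.iss}` };
    }
    return { ok: true };
  }
  if (
    issuer.authorization_response_iss_parameter_supported &&
    !('id_token' in params) &&
    !('response' in params)
  ) {
    return { ok: false, reason: 'iss missing from the response' };
  }
  return { ok: true };
}

// The proxy pattern from the issue: only allowlisted callback keys are
// forwarded from the browser to the server. The allowlists are assumed.
const KEYS_BEFORE = ['code', 'state'];        // `iss` dropped: triggers the 500
const KEYS_AFTER = ['code', 'state', 'iss'];  // `iss` forwarded when supplied

function pickCallbackParams(raw, allowed) {
  const out = {};
  for (const key of allowed) {
    if (key in raw) out[key] = raw[key];
  }
  return out;
}

// Constructed callback query as the provider would redirect back with it.
const rawCallback = { code: 'abc123', state: 'xyz', iss: issuerConfig.issuer };

const before = checkIss(issuerConfig, pickCallbackParams(rawCallback, KEYS_BEFORE));
const after = checkIss(issuerConfig, pickCallbackParams(rawCallback, KEYS_AFTER));
// before.ok === false ('iss missing from the response'); after.ok === true
```

Forwarding `iss` only when present keeps providers that do not send it working, while a forwarded `iss` from a different issuer is still rejected by the mismatch branch.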

@stefankubis

Same issue here - any fixes?

@mhkarimi1383

Facing the same problem with Keycloak + K8s 1.28
I have not found any workaround to this

@alexmarkowitsch

same problem here, is there any solution to this?

@mhkarimi1383

> same problem here, is there any solution to this?

I have just switched to Headlamp :)


bmgeek commented Aug 22, 2024

I tried to switch to Headlamp, but my developers said it's a nuisance.

I have the same problem, need help.

@mhkarimi1383

@bmgeek

It was easy to use for us :)

@mhkarimi1383

But you can fork and fix the PR if you are interested, then use your port.


SFQEP commented Sep 17, 2024

Encountered the same issue! Any solution?
