
Missing State - Keycloak IDP - Social Login #285

Open
srikar-cogent opened this issue Mar 27, 2021 · 52 comments
Labels
help wanted Issues asking for assistance with configuration and/or plugin use. need more info Issues needing more information from the author.

Comments

@srikar-cogent (Author)

Hello,

We are using Keycloak as an IDP and are able to log into WordPress through Keycloak login as a normal user. If I log in as a social user, then I get a missing state issue. It seems like this is a redirection issue.

Can you suggest how to resolve this issue? This plugin is behaving properly for logging in as a normal user but not as a Google user.

Srikar

@timnolte (Collaborator)

If I understand your flow correctly, are you saying that your Keycloak is setup to allow users to authenticate via a third party IDP, like Facebook/Twitter/etc? If this is the case then Keycloak is acting as an OpenID Connect Relay, and you need to ensure that Keycloak is passing the state to the third party IDP so that it is then passed back to the WordPress endpoint.
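To make the "relay" point above concrete, here is an added illustration (not code from the openid-connect-generic plugin or from anyone in this thread) of the state round-trip the plugin relies on: WordPress mints a random state and remembers it, the IDP must return it unchanged on the redirect_uri, and a callback that arrives without it is rejected. The class, function and URL values below are constructed for the demo; the `missing-state` error code is the one quoted in this issue, the second error string is a made-up label.

```php
<?php
// Added illustration of the OIDC state round-trip; not plugin code.
// Names (StateStore, build_auth_url, handle_callback, REALM, CLIENT_ID) are constructed.

final class StateStore {
    /** @var array<string, array{redirect_to: string, expires: int}> */
    private array $states = [];

    // Issue a fresh, unguessable state and remember where the user came from.
    public function issue(string $redirectTo, int $ttlSeconds = 180): string {
        $state = bin2hex(random_bytes(16));
        $this->states[$state] = ['redirect_to' => $redirectTo, 'expires' => time() + $ttlSeconds];
        return $state;
    }

    // Consume a state exactly once; returns the saved redirect target or null.
    public function consume(string $state): ?string {
        if (!isset($this->states[$state])) {
            return null;
        }
        $entry = $this->states[$state];
        unset($this->states[$state]);            // single use: a replayed state is rejected
        return $entry['expires'] >= time() ? $entry['redirect_to'] : null;
    }
}

// Build the authorization request the way a login button does (RFC 3986 encoding gives %20).
function build_auth_url(string $authEndpoint, string $clientId, string $redirectUri, string $state): string {
    return $authEndpoint . '?' . http_build_query([
        'response_type' => 'code',
        'scope'         => 'openid email',
        'client_id'     => $clientId,
        'state'         => $state,
        'redirect_uri'  => $redirectUri,
    ], '', '&', PHP_QUERY_RFC3986);
}

// Validate the callback query string. Returns the original page on success,
// or an error label; "missing-state" mirrors the value seen in this issue.
function handle_callback(StateStore $store, string $callbackUrl): string {
    $query = [];
    parse_str((string) parse_url($callbackUrl, PHP_URL_QUERY), $query);
    if (empty($query['state'])) {
        return 'error:missing-state';            // the symptom reported in this issue
    }
    $redirectTo = $store->consume($query['state']);
    if ($redirectTo === null) {
        return 'error:unknown-or-expired-state'; // constructed label for the demo
    }
    return $redirectTo;
}

$store = new StateStore();
$state = $store->issue('https://www.example.com/career-advice/some-post/');
$redirectUri = 'https://www.example.com/career-advice/wp-admin/admin-ajax.php?action=openid-connect-authorize';
echo build_auth_url('https://www.example.com/auth/realms/REALM/protocol/openid-connect/auth', 'CLIENT_ID', $redirectUri, $state), PHP_EOL;

// Case 1: the IDP echoes state back, so the user lands on the page they left.
echo handle_callback($store, $redirectUri . '&code=abc&state=' . $state), PHP_EOL;
// Case 2: a broker hop dropped state, so the callback is refused with missing-state.
echo handle_callback($store, $redirectUri . '&code=abc'), PHP_EOL;
```

Run with `php state-roundtrip.php`. The second case is exactly what a social-login hop through a broker produces when the broker does not carry state through to the final redirect: the callback has a code but no state, and the relying party must refuse it rather than guess which login it belongs to.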

timnolte added the labels "need more info" and "help wanted" on Mar 27, 2021
@srikar-cogent (Author)

Thanks Tim for your quick response.

Yes. Keycloak is set up to allow users to authenticate via a third-party IDP like Facebook, LinkedIn and Google. There is no issue signing up directly, but there is an issue with using a third-party IDP.

  1. Login with IDP (Google) https://www.example.com/auth/realms/GradSiren-V2.0/protocol/openid-connect/auth?response_type=code&scope=openid%20email&client_id=GSCMS_CA&state=3a206cbdafb783bfb6c3a86dae03ac53&redirect_uri=https%3A%2F%2Fwww.example.com%2Fcareer-advice%2Fwp-admin%2Fadmin-ajax.php%3Faction%3Dopenid-connect-authorize?login-error=missing-state&message=Missing+state.

  2. If I click login again, then it's logging in without asking for a password -- it says that you are logged in -- continue

(Screenshot attached: Screen Shot 2021-03-28 at 6 32 31 PM)

  3. Is it a problem with redirection?

Please suggest

--Srikar

@srikar-cogent (Author)

Tim,
We have used this function for proper redirection in functions.php:

function get_login_url($login_url=false, $redirect=false) {
global $wp;
return esc_url(do_shortcode( '[openid_connect_generic_auth_url redirect_to="'.home_url( $wp->request ).'" ]' ));
}
add_filter( 'login_url', 'get_login_url', 10, 2 );

If I change esc_url to esc_url_raw, it's still not working.
Can you please suggest what needs to be done to make it work.

--Srikar

@timnolte (Collaborator)

I believe the problem here is that the URL is being double escaped, you shouldn't be escaping the URL we are providing.

@srikar-cogent (Author)

Tim,

The only function we are using for this plugin is for the redirect URL, which is working fine for normal login. I am not a WordPress developer. Do we need to make changes to this code in order to make it work?

I have removed the below function from functions.php and tested to check whether it's working, but got the same issue.

function get_login_url($login_url=false, $redirect=false) {
global $wp;
return esc_url(do_shortcode( '[openid_connect_generic_auth_url redirect_to="'.home_url( $wp->request ).'" ]' ));
}
add_filter( 'login_url', 'get_login_url', 10, 2 );

The default plugin is giving this error.

--Srikar

@srikar-cogent (Author)

Tim -- Can you please guide here on what needs to be done.

@timnolte (Collaborator)

@srikar-cogent are you saying that the URL the plugin is generating sometimes includes those characters? Have you reviewed/inspected the page source to determine what is being generated on the WordPress site for the IDP (Keycloak) authentication URL before making the trip to the IDP (Keycloak)? I still believe you have a relay issue where Keycloak is changing the URL when sending to your social media platforms.

@srikar-cogent (Author)

srikar-cogent commented Mar 29, 2021

Thanks Tim. You are so nice. Let me figure that one out and get back to you.

We also have another redirection issue...

www.example.com/career-advice --- User logs in from this page and should come back to this page -- not working, as it's appending www.example.com/career-advice/career-advice

www.example.com/career-advice/Post1 -- User logs in from page Post1 and comes back to Post1 -- working as expected.
www.example.com/career-advice/Post2 -- User logs in from page Post2 and comes back to Post2 -- working as expected.

site url: www.example.com/career-advice
wordpress url: www.example.com/career-advice

The code that we have used in functions.php is:

function get_login_url($login_url=false, $redirect=false) {
global $wp;
return esc_url(do_shortcode( '[openid_connect_generic_auth_url redirect_to="'.home_url( $wp->request ).'" ]' ));
}
add_filter( 'login_url', 'get_login_url', 10, 2 );

We have followed #257 but are still getting an issue on home page redirection.

Please advise.

@srikar-cogent (Author)

Tim -- Did you get a chance to look into the above issue? I see that you are working on OpenID redirection issues for future releases. Does that solve the above problem?

--Srikar

@timnolte (Collaborator)

@srikar-cogent I have not looked into anything. Since you are only providing me "example.com" URLs there is nothing for me to look at. You will have to look at what is being set in the redirect cookie, from the Developer Console, when you visit your www.example.com/career-advice page. This would most likely have something to do with your use of home_url( $wp->request ). I am working on some redirect issues, but it has to do with redirects using cookies being the issue and not so much what the redirect is being set to.

@srikar-cogent (Author)

Tim -- Currently the cookie is set to https://www.example.com/career-advice/career-advice/. Looks like I need to make use of openid-connect-generic-cookie-redirect-url to set up the redirect URI properly.

@timnolte (Collaborator)

@srikar-cogent I don't think you should be using $wp->request in your call.

@srikar-cogent (Author)

Tim -- We have tried all possible ways from Keycloak and it's not removing #38 if it's a social login. We have tried to log in with the same URL into the Java application by changing the redirect URI and it's working with no issues, but we are getting this issue on WordPress saying "?login-error=missing-state&message=Missing+state".

We are running out of options; please see if you can help.

--Srikar.

@timnolte (Collaborator)

@srikar-cogent have you confirmed what URL is being output for your login button? What does the URL look like when you get to Keycloak, before selecting the third-party Identity Provider for performing the authentication?

@timnolte (Collaborator)

@srikar-cogent OK, a quick verification confirmed that you are double encoding the URL. The & is the URL encoded version of &. You need to remove any extra encoding or sanitization that you are doing.

@srikar-cogent (Author)

Tim -- Here is the URL that we are using for social login.

https://www.gradsiren.com/auth/realms/GradSiren-V2.0/protocol/openid-connect/auth?response_type=code&client_id=GSCMS_CA&scope=openid+profile+email&kc_idp_hint=google&nonce=891161af-7161-454a-8922-c4b87f68a394&login=true&redirect_uri=https%3A%2F%2Fwww.gradsiren.com%2Fcareer-advice%2Fwp-admin%2Fadmin-ajax.php%3Faction%3Dopenid-connect-authorize

If we change the redirect URI then it gets logged in properly into our Java application, as I said.

We are using the default plugin code and not doing anything to double encode the URL.

@timnolte (Collaborator)

@srikar-cogent so I took a look at your site and the URL being generated and output on the main site for the Login button is https://www.gradsiren.com/auth/realms/GradSiren-V2.0/protocol/openid-connect/auth?response_type=code&scope=openid%20email&client_id=GSCMS_CA&state=04c0f5ba59e30b7787d19a4f580a0c83&redirect_uri=https%3A%2F%2Fwww.gradsiren.com%2Fcareer-advice%2Fwp-admin%2Fadmin-ajax.php%3Faction%3Dopenid-connect-authorize as expected. However, you are using something else and that is the problem. You are somehow generating additional "Login with Facebook"/"Login with Google"/"Login with LinkedIn" buttons. Those buttons are the problem and whatever code you are using in the "broker"(openInPopUp('/auth/realms/GradSiren-V2.0/broker/google/login?client_id=GSCMS_CA&tab_id=amqgVFUIycM&session_code=730kUMUmGiKXigQvUSy3s5P3ZxlyRIvoVH9hZKCvhyU', 'Sign In')) that is doing the social logins.

@timnolte (Collaborator)

@srikar-cogent so looking at things it appears that you have both a WordPress install and a Keycloak install on the same domain? This means that what you have is Keycloak setup as a proxy for the Facebook/Google/LinkedIn SSO logins. This means the problem with the URLs is being caused by Keycloak and not the WordPress plugin.

@srikar-cogent (Author) commented Mar 31, 2021

Tim -- We have figured out the issue. We are using iThemes Pro, which changed the login and logout URL.

redirect_uri is now = https://www.gradsiren.com/career-advice/wp-admin/admin-ajax.php?action%3Dopenid-connect-authorize

If we change it to https://www.gradsiren.com/career-advice/ithemesfd/wp-admin/admin-ajax.php?action%3Dopenid-connect-authorize -- then it's working.

Can you suggest how to change the redirect URI?

Once again thanks for your help and great support.

--Srikar

@srikar-cogent (Author)

Hello Tim -- Do you have any recommendations on how to change the redirect URI by just adding one extra folder?

If we change it to https://www.gradsiren.com/career-advice/**ithemesfd**/wp-admin/admin-ajax.php?action%3Dopenid-connect-authorize -- then it's working.

@srikar-cogent (Author)

Hello Tim and Daggerhart -- We are stuck at this point. Can you guys help?

@daggerhart (Collaborator)

@srikar-cogent Getting caught up on this. Looks like there is not a way to change the alternate redirect_uri at this time. I'm currently in the middle of a site launch and can't go much further, but I submitted an untested proof of concept PR #286. If you want to review that and test it with your use case, that would be great.

@timnolte (Collaborator)

timnolte commented Apr 7, 2021

@srikar-cogent I have a PR that should be addressing some issues with redirection, however, the PR that @daggerhart worked up will need to be looked at and incorporated separately.

@srikar-cogent (Author)

srikar-cogent commented Apr 8, 2021

Tim -- We have removed iThemes completely and reinstalled it with the "no hiding" functionality, which is working fine. The redirection is not working properly as part of the plugin, as we have written separate code in functions.php for the login process, which is working:

function get_login_url($login_url=false, $redirect=false) {
global $wp;
return esc_url(do_shortcode( '[openid_connect_generic_auth_url redirect_to="'.home_url( $wp->request ).'" ]' ));
}
add_filter( 'login_url', 'get_login_url', 10, 2 );

But our problem still persists with registration:

https://www.gradsiren.com/auth/realms/GradSiren-V2.0/protocol/openid-connect/registrations?response_type=code&client_id=GSCMS_CA&scope=openid%20email&redirect_uri=https%3A%2F%2Fwww.gradsiren.com%2Fcareer-advice%2Fgswpwyfl17%2Fwp-admin%2Fadmin-ajax.php%3Faction%3Dopenid-connect-authorize

If you come from

  1. https://www.gradsiren.com/career-advice/difference-between-an-internship-and-apprenticeship/
  2. click signup
  3. then it takes you to https://www.gradsiren.com/career-advice instead of https://www.gradsiren.com/career-advice/difference-between-an-internship-and-apprenticeship/

Do you have any suggestions for the redirection of the registration process?

Daggerhart --

I have tested by adding this to the functions.php

add_filter( 'openid-connect-generic-alter-alternate-redirect-uri', function( $redirect_uri ) {
// No preceding or trailing slash.
return 'https://www.gradsiren.com/career-advice/ithemesfd/openid-connect-authorize';
} );

It's not working and not even taking us to the Keycloak login page.

We have resolved the redirection issue by removing that login hiding from iThemes, which would be the easier option at this point.

--Srikar

@timnolte (Collaborator)

timnolte commented Apr 8, 2021

@srikar-cogent there are a bunch of redirection fixes in the pending PR (#289) I worked on yesterday and just finished up tonight. Once this PR is merged in and we can deploy a new version of the plugin, redirection should be handled properly.

@srikar-cogent (Author)

Thanks, Tim for your quick response. You are awesome.

@timnolte (Collaborator)

timnolte commented Apr 8, 2021

@srikar-cogent also, note that unless you manually updated the plugin also with the changes that @daggerhart added in his PR the openid-connect-generic-alter-alternate-redirect-uri isn't even available. However, if you did add that code then there may be more required as @daggerhart mentioned that he hadn't tested the code. Once the redirection fixes are put into place we can look at implementing that next piece. Thanks!

@srikar-cogent (Author)

Makes sense, Tim. I don't want to make any changes to the plugin myself as it might break something, and we are good for now.

@timnolte (Collaborator)

timnolte commented Apr 9, 2021

@srikar-cogent a new version of the plugin has been released. Give it a try and let us know how it's working for you.

@srikar-cogent (Author)

srikar-cogent commented Apr 9, 2021

Tim,

The redirection is not working.

I have used this for the login button -- do_shortcode("[openid_connect_generic_auth_url]")

Step 1. https://www.gradsiren.com/career-advice/best-interview-tips-for-face-to-face-round/
Step 2. Click Login
Step 3. It takes you back to https://www.gradsiren.com/career-advice instead of https://www.gradsiren.com/career-advice/best-interview-tips-for-face-to-face-round/

I have removed this code from functions.php, which I used in the past to make the redirection work properly.

/*
function get_login_url($login_url=false, $redirect=false)
{
global $wp;

return esc_url(do_shortcode( '[openid_connect_generic_auth_url redirect_to="'.home_url( $wp->request ).'" ]' ));
}
add_filter( 'login_url', 'get_login_url', 10, 2 );
*/

Please let me know what you think. You can also test it from your end.

@timnolte (Collaborator)

timnolte commented Apr 9, 2021

@srikar-cogent do you have the "Redirect Back to Origin Page" plugin setting turned on?

@timnolte (Collaborator)

timnolte commented Apr 9, 2021

@srikar-cogent OK, I need to do some digging as my test site is not working either with the option turned on, so I'm thinking there is an issue with the redirect URL not getting picked up from the transient or something. I might need to push out another release. Stand by.

@srikar-cogent (Author)

Yes, "Redirect Back to Origin Page" is ON.

@timnolte (Collaborator)

@srikar-cogent just a heads up that I have another PR, tested fully with an IDP, and the Redirect Back setting is fully working as expected. Should have this released in the next few days at the latest.

@srikar-cogent (Author)

Tim -- Please let me know once the code is pushed into production so I can test it.

@timnolte (Collaborator)

@srikar-cogent the latest version with fixes has been released. Give it another try, thanks!

@srikar-cogent (Author)

Tim -- Same issue, not working.

The redirection is not working.

I have used this for the login button -- do_shortcode("[openid_connect_generic_auth_url]")

Step 1. https://www.gradsiren.com/career-advice/best-interview-tips-for-face-to-face-round/
Step 2. Click Login
Step 3. It takes you back to https://www.gradsiren.com/career-advice instead of https://www.gradsiren.com/career-advice/best-interview-tips-for-face-to-face-round/

I have removed this code from functions.php, which I used in the past to make the redirection work properly.

/*
function get_login_url($login_url=false, $redirect=false)
{
global $wp;

return esc_url(do_shortcode( '[openid_connect_generic_auth_url redirect_to="'.home_url( $wp->request ).'" ]' ));
}
add_filter( 'login_url', 'get_login_url', 10, 2 );
*/

Please let me know what you think. You can also test it from your end.

@timnolte (Collaborator)

@srikar-cogent can you explain what doesn't work? I've tested all of the most recent code and it should be working as expected, unless you are using something non-standard to WordPress Core APIs or there is an issue with how you are inserting the login button.

@srikar-cogent (Author)

The redirection is not working.

Step 1. https://www.gradsiren.com/career-advice/best-interview-tips-for-face-to-face-round/
Step 2. Click Login
Step 3. It takes you back to https://www.gradsiren.com/career-advice instead of https://www.gradsiren.com/career-advice/best-interview-tips-for-face-to-face-round/

Login code is do_shortcode("[openid_connect_generic_auth_url]")

Please let me know your thoughts.

@timnolte (Collaborator)

@srikar-cogent do you have any object caching set up on your site? Also, can you install the Transients Manager plugin and take a look at the redirect_to value set on the matching state transient for the login button that you are clicking on?

@srikar-cogent (Author)

srikar-cogent commented Apr 13, 2021

We have a CDN set up from StackPath. We haven't done anything special on the WordPress site. The redirect_to value is set to https://www.gradsiren.com/career-advice instead of https://www.gradsiren.com/career-advice/best-interview-tips-for-face-to-face-round.

(Screenshots attached: Screen Shot 2021-04-12 at 9 49 45 PM, Screen Shot 2021-04-12 at 9 50 16 PM)

@timnolte (Collaborator)

Where do you have the do_shortcode("[openid_connect_generic_auth_url... call happening? What I'm not seeing on your beta site is what I assume is your login link in your menu just has a link to the /login page. It doesn't look like you are actually outputting the results of the authentication URL to be used by your login button. If you aren't going to be outputting the login button, or the authentication URL, directly on the page you are expecting the users to go back to, then you will need to supply the redirect_to argument when calling the shortcode supplying the correct redirect URL.
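The two points the collaborator raises in this thread (do not wrap the shortcode output in esc_url(), and pass redirect_to explicitly rather than deriving it from $wp->request) can be combined in one theme filter. The following is an added example for a theme's functions.php; it is not code from the plugin, from #286/#289, or from the issue author. The function name gs_oidc_login_url is constructed. It relies on WordPress core functions that exist as named (add_filter, set_url_scheme, wp_unslash, wp_validate_redirect, home_url, do_shortcode) and on the plugin's documented redirect_to shortcode attribute; how the plugin sanitizes that attribute internally is not verified here, so the value is kept to what wp_validate_redirect allows and shortcode brackets are stripped.

```php
<?php
// Added example for functions.php; not plugin code. gs_oidc_login_url is a constructed name.
// Replaces the login URL with the plugin's authentication URL, carrying the
// page the user is on as redirect_to, without escaping the result a second time
// (esc_url() rewrites & as &#038;, which is the double encoding seen in this issue).

add_filter( 'login_url', 'gs_oidc_login_url', 10, 2 );

function gs_oidc_login_url( $login_url, $redirect ) {
	// Prefer the redirect WordPress already hands to the login_url filter.
	if ( empty( $redirect ) ) {
		// Otherwise rebuild the current request URL from host and path, which works
		// for sub-directory installs where home_url( $wp->request ) doubled the path.
		$redirect = set_url_scheme(
			'http://' . wp_unslash( $_SERVER['HTTP_HOST'] ) . wp_unslash( $_SERVER['REQUEST_URI'] )
		);
	}

	// Only allow a return to this site; anything off-host falls back to the home page.
	// This also strips quotes and whitespace, which keeps the shortcode attribute intact.
	$redirect = wp_validate_redirect( $redirect, home_url( '/' ) );

	// Square brackets would terminate the shortcode early, so remove them from the value.
	$redirect = str_replace( array( '[', ']' ), '', $redirect );

	// Return the plugin's URL as-is: it is already escaped for output.
	return do_shortcode( '[openid_connect_generic_auth_url redirect_to="' . $redirect . '"]' );
}
```

With this in place, wp_login_url() and any theme code that calls it hand the user back to the page they started on, and the wp_validate_redirect() step means a crafted redirect_to pointing off-site is ignored rather than followed after login.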

@srikar-cogent (Author)

srikar-cogent commented Apr 13, 2021

Thanks for your quick response.

If I use this in functions.php:

function get_login_url($login_url=false, $redirect=false)
{
global $wp;

return esc_url(do_shortcode( '[openid_connect_generic_auth_url redirect_to="'.home_url( $wp->request ).'" ]' ));
}
add_filter( 'login_url', 'get_login_url', 10, 2 );

and then call get_login_url() for login, it's working.

This was also working for previous versions. I thought the new updates would work, but it looks like we need this in functions.php to make it work.

@srikar-cogent (Author)

Tim,

The above is working for the login URL. Is there any specific function for the registration URL? We are using a Keycloak registration URL, but the redirection is not working.

For sign up (registration) we are using "https://www.gradsiren.com/auth/realms/GradSiren-V2.0/protocol/openid-connect/registrations?response_type=code&client_id=GSCMS_CA&scope=openid%20email&redirect_uri=https%3A%2F%2Fwww.gradsiren.com%2Fcareer-advice%2Fgswpwyfl17%2Fwp-admin%2Fadmin-ajax.php%3Faction%3Dopenid-connect-authorize"

@timnolte (Collaborator)

@srikar-cogent I'm still not quite clear on where you were calling the do_shortcode( '[openid_connect_generic_auth_url... before when you said it wasn't working, but so long as it's working now it seems like you are calling it correctly. On my test site (https://oidc-wp.ndigitals.com/login-page-test/) I am simply outputting the button shortcode on a standard page using the Gutenberg shortcode block, and this was what I was using in my testing.

@srikar-cogent (Author)

We are calling this (do_shortcode( '[openid_connect_generic_auth_url...) in the header.php file under the themes folder.

@srikar-cogent (Author)

Is there any shortcode for user registration, just like for login?
do_shortcode( '[openid_connect_generic_auth_url redirect_to="'.home_url( $wp->request ).'" ]' )

@srikar-cogent (Author)

Tim -- I have used this code in functions.php to make it work, but it's not working:

add_filter( 'registration_redirect', 'redirect_after_registration' );
// The registration_redirect filter passes WordPress's own redirect target; this callback overrides it.
function redirect_after_registration( $registration_redirect = '' )
{
// change the slug below to the desired page slug
return home_url( '/new-user-registration/' );
}

We are sending users to a Keycloak registration page, not to a WordPress registration page (action=register in wp-login.php).

@timnolte (Collaborator)

is there any shortcode for user registration just like login?
do_shortcode( '[openid_connect_generic_auth_url redirect_to="'.home_url( $wp->request ).'" ]' )

@srikar-cogent there isn't any shortcode for registration, as that would to a degree be out of scope for SSO since users generally get created through the IDP. To be honest, your use of this plugin for social media platform logins is a little bit out of the norm for the typical use of this plugin. Most people implementing the plugin are using a single IDP for central user management. Generally this plugin is used to provide a login button that takes users directly to the IDP authentication endpoint to log in. The plugin does of course provide auto-provisioning of new users that have authenticated to the IDP, which is the feature I'm assuming you are using with the social media platforms.
