[keycloak-user] OIDC login URLs, how to hide them from the user??

Tue Jan 22 10:36:05 EST 2019

Hi,

When a user hits a (Keycloak gatekeeper) protected site, they get
redirected to the keycloak server login page, a URL like this :

https://auth.website.org.uk/auth/realms/saturn/protocol/openid-connect/auth?client_id=alb&redirect_uri=https%3A%2F%2Fwww.website.org.uk%2Foauth%2Fcallback&response_type=code&scope=openid+email+profile&state=7103645f-0d0e-4015-ff62-206ff3eb44bf

So, a typical new user journey looks like "type in https colon slash *which
slash was it? oh that one* and another slash ww dot website dot com *oops
no, www and dot org dot uk ENTER"
*I don't want to type _that_ in again : Click Bookmark button QUICK*

So they've now bookmarked a login page that includes a state of 7103....

The session they have works and if they don't use their bookmark, it works.

If they come back to it later, and use the bookmark, get asked to login and
then get a "403 authorisation denied" error.
The gatekeeper logs say :
1.5481603986412873e+09 error State parameter mismatch
1.5481603986665585e+09 error unable to exchange code for access token {"error":
"invalid_grant: Incorrect redirect_uri"}

So, how can I make this user journey easier with keycloak?
Ideally I'd like to hide the auth urls completely, their browser doesn't
need to know they're authenticating on different site.
I tried a "sign-in-page" with a frame containing the login page from
keycloak :
<html>
<frameset cols="100%">
<frame src="{{ .redirect }}">
</frameset>
</html>
(and change the security settings for frame-ancestors )

And when you've logged in, you get an empty page with a 403 error.
Gatekeeper says "unable to exchange code for access token {"error":
"invalid_grant: Incorrect redirect_uri"}" again.
Keycloak says :
type=CODE_TO_TOKEN_ERROR, realmId=86979f4f-7314-4fb6-86bc-3516fcb0c3ae,
clientId=alb, userId=01cf3b8f-498e-46b8-815e-6a9a5c2dda1c,
ipAddress=180.430.597.666, error=invalid_code,
grant_type=authorization_code,
code_id=02221f30-faa5-48ad-aae6-a5adec6a705a,
client_auth_method=client-secret
(ip address etc. has been obfuscated)

IF the user is clever, they can then remove
the oauth/authorize?state=ba4fcb0d-6ecf-4afe-8b98-e0fbcbc4ca25 from the URL
in the browser and the session carries on quite happily.

Is there a setting I'm getting wrong in keycloak somewhere that is breaking
this?
In this first instance, we are returning to an old "state". I can imagine
that not working.

But the second setup, I'm just logging in to keycloak, in a frame, nothing
else has changed from a "working" setup, just the login page is in a frame.
(I also need to figure out how to escape the frame!!)

Thanks,
Max