Hi,

I am currently setting up Cloudflare Access with a generic OpenID provider as an access login method with Keycloak.

The configuration is complete from both ends; however, when I test from Cloudflare, after the authentication is done I see the error "OIDC ERROR: Failed to exchange code for token. Make sure the client secret is correct. undefined".

From a trace that I took on the Keycloak server, I see that the server is authenticating the user and responding back, but Cloudflare is still displaying this error.

Below is the TCP stream between client (Cloudflare) and server (Keycloak):
******************* START STREAM *******************
GET
/auth/realms/[**SUPRESSED**]/protocol/openid-connect/auth?client_id=cloudflare-access&redirect_uri=https%3A%2F%2F[**SUPRESSED**].cloudflareaccess.com%2Fcdn-cgi%2Faccess%2Fcallback&response_type=code&state=b59047eb1016be0d59b306a2c35b74d9323864549c7d7ae2c78775e890b4c04c.JTdCJTIyaG9zdG5hbWUlMjIlM0ElMjJ4Y2FsaWJlci5jbG91ZGZsYXJlYWNjZXNzLmNvbSUyMiUyQyUyMnJlZGlyZWN0VVJMJTIyJTNBJTIyJTJGJTIyJTJDJTIyYXVkJTIyJTNBJTIyJTIyJTJDJTIyaWRwSWQlMjIlM0ElMjJiZGY3ZmY5Ni1kNzg4LTRmZGUtYWE1Ny1hNmFmOTZkOWM0ZmUlMjIlMkMlMjJpc0VudFNldHVwJTIyJTNBZmFsc2UlMkMlMjJpc0lEUFRlc3QlMjIlM0F0cnVlJTJDJTIybm9uY2UlMjIlM0ElMjJjNWhPRTZFN3dIMHo0WTdGJTIyJTdE&scope=openid+email+profile
HTTP/1.1
Host: keycloak.[**SUPRESSED**].io:8180
Connection: keep-alive
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML,
like Gecko) Chrome/76.0.3809.100 Safari/537.36
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Sec-Fetch-Site: cross-site
Referer:
https://dash.cloudflare.com/
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Cookie: AUTH_SESSION_ID=dc1416f0-fc39-457d-80fd-48daa16db16b;
KEYCLOAK_IDENTITY=eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICI3Yzk0NGUzMi0zZTk2LTRmNjctOGJkMC1jZDUwN2QzNTkxZTcifQ.eyJqdGkiOiI3ZDI4YWQ0ZS0zN2U1LTRkMWEtOWZkNS0zYzQ1YjQ2MzQzNzAiLCJleHAiOjE1NjY5MzI2NDYsIm5iZiI6MCwiaWF0IjoxNTY2ODk2NjQ2LCJpc3MiOiJodHRwOi8va2V5Y2xvYWsueGNhbGliZXIuaW86ODE4MC9hdXRoL3JlYWxtcy9YQ2FsaWJlciIsInN1YiI6ImU5NDA3OWJhLTNhNzUtNDc1ZS1hM2MyLWFiZTIyMjY4MWFiYSIsImF1dGhfdGltZSI6MCwic2Vzc2lvbl9zdGF0ZSI6ImRjMTQxNmYwLWZjMzktNDU3ZC04MGZkLTQ4ZGFhMTZkYjE2YiIsInN0YXRlX2NoZWNrZXIiOiJTeDJOSEZoc1lSUDk2TFF5S3RiZDNINVc3UzhKSXdqX3BLcE1ZSEFiNWhBIn0.zHM0hLg96gEPGTdaBjX0KSaZ4hGoETTKc-efvfqni90;
KEYCLOAK_SESSION=[**SUPRESSED**]/e94079ba-3a75-475e-a3c2-abe222681aba/dc1416f0-fc39-457d-80fd-48daa16db16b;
_ga=GA1.2.424301711.1560267296; __cfduid=d23d08383e8ff667abef204b0821031e01562311327;
__zlcmid=tPiP7fQJt3UNtf; _gid=GA1.2.1095447441.1566802604
HTTP/1.1 200 OK
Cache-Control: no-store, must-revalidate, max-age=0
Set-Cookie: AUTH_SESSION_ID=3aae7e12-8755-412f-b565-a65c9b756f9a; Version=1;
Path=/auth/realms/[**SUPRESSED**]/; HttpOnly
Set-Cookie:
KC_RESTART=eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICI3Yzk0NGUzMi0zZTk2LTRmNjctOGJkMC1jZDUwN2QzNTkxZTcifQ.[...].nRE_5ul_l3S9FA8-mN23OzZUGGSYN_khFaQ4HSxeuWM;
Version=1; Path=/auth/realms/[**SUPRESSED**]/; HttpOnly
Set-Cookie: KEYCLOAK_IDENTITY=; Version=1; Comment=Expiring cookie; Expires=Thu,
01-Jan-1970 00:00:10 GMT; Max-Age=0; Path=/auth/realms/[**SUPRESSED**]/; HttpOnly
Set-Cookie: KEYCLOAK_SESSION=; Version=1; Comment=Expiring cookie; Expires=Thu,
01-Jan-1970 00:00:10 GMT; Max-Age=0; Path=/auth/realms/[**SUPRESSED**]/
Set-Cookie: KEYCLOAK_IDENTITY=; Version=1; Comment=Expiring cookie; Expires=Thu,
01-Jan-1970 00:00:10 GMT; Max-Age=0; Path=/auth/realms/[**SUPRESSED**]; HttpOnly
Set-Cookie: KEYCLOAK_SESSION=; Version=1; Comment=Expiring cookie; Expires=Thu,
01-Jan-1970 00:00:10 GMT; Max-Age=0; Path=/auth/realms/[**SUPRESSED**]
Set-Cookie: KEYCLOAK_IDENTITY=; Version=1; Comment=Expiring cookie; Expires=Thu,
01-Jan-1970 00:00:10 GMT; Max-Age=0; Path=/auth/realms/[**SUPRESSED**]; HttpOnly
Set-Cookie: KEYCLOAK_SESSION=; Version=1; Comment=Expiring cookie; Expires=Thu,
01-Jan-1970 00:00:10 GMT; Max-Age=0; Path=/auth/realms/[**SUPRESSED**]
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
Content-Security-Policy: frame-src 'self'; frame-ancestors 'self';
object-src 'none';
Date: Tue, 27 Aug 2019 09:05:11 GMT
Connection: keep-alive
X-Robots-Tag: none
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
Content-Type: text/html;charset=utf-8
Content-Length: 3013
Content-Language: en
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">;
<html
xmlns="http://www.w3.org/1999/xhtml"; class="login-pf">
<head>
<meta charset="utf-8">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8"
/>
<meta name="robots" content="noindex, nofollow">
<meta name="viewport"
content="width=device-width,initial-scale=1"/>
<title>Log in to [**SUPRESSED**]</title>
<link rel="icon"
href="/auth/resources/5.0.0/login/keycloak/img/favicon.ico" />
<link
href="/auth/resources/5.0.0/login/keycloak/node_modules/patternfly/dist/css/patternfly.css"
rel="stylesheet" />
<link
href="/auth/resources/5.0.0/login/keycloak/node_modules/patternfly/dist/css/patternfly-additions.css"
rel="stylesheet" />
<link href="/auth/resources/5.0.0/login/keycloak/lib/zocial/zocial.css"
rel="stylesheet" />
<link href="/auth/resources/5.0.0/login/keycloak/css/login.css"
rel="stylesheet" />
</head>
<body class="">
<div class="login-pf-page">
<div id="kc-header" class="login-pf-page-header">
<div id="kc-header-wrapper" class=""><div
class="kc-logo-text"><span>[**SUPRESSED**]</span></div></div>
</div>
<div class="card-pf ">
<header class="login-pf-header">
<h1 id="kc-page-title"> Log In
</h1>
</header>
<div id="kc-content">
<div id="kc-content-wrapper">
<div id="kc-form" >
<div id="kc-form-wrapper" >
<form id="kc-form-login" onsubmit="login.disabled = true; return
true;"
action="http://keycloak.[**SUPRESSED**].io:8180/auth/realms/[**SUPRESSED**]/login-actions/authenticate?session_code=f3NG2Rjv0G4ymg2pQqwGMvrxu_rXJXtmZnDCZgsPkb4&execution=07ebd6fc-53e0-4fae-a6dd-5e32b9cf1b73&client_id=cloudflare-access&tab_id=IAnjjExJu-4";
method="post">
<div class="form-group">
<label for="username" class="control-label">Username or
email</label>
<input tabindex="1" id="username" class="form-control"
name="username" value="" type="text" autofocus
autocomplete="off" />
</div>
<div class="form-group">
<label for="password"
class="control-label">Password</label>
<input tabindex="2" id="password" class="form-control"
name="password" type="password" autocomplete="off" />
</div>
<div class="form-group login-pf-settings">
<div id="kc-form-options">
</div>
<div class="">
</div>
</div>
<div id="kc-form-buttons" class="form-group">
<input tabindex="4" class="btn btn-primary btn-block btn-lg"
name="login" id="kc-login" type="submit" value="Log
In"/>
</div>
</form>
</div>
</div>
</div>
</div>
</div>
</div>
</body>
</html>
POST
/auth/realms/[**SUPRESSED**]/login-actions/authenticate?session_code=f3NG2Rjv0G4ymg2pQqwGMvrxu_rXJXtmZnDCZgsPkb4&execution=07ebd6fc-53e0-4fae-a6dd-5e32b9cf1b73&client_id=cloudflare-access&tab_id=IAnjjExJu-4
HTTP/1.1
Host: keycloak.[**SUPRESSED**].io:8180
Connection: keep-alive
Content-Length: 30
Cache-Control: max-age=0
Origin:
http://keycloak.[**SUPRESSED**].io:8180
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML,
like Gecko) Chrome/76.0.3809.100 Safari/537.36
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Referer:
http://keycloak.[**SUPRESSED**].io:8180/auth/realms/[**SUPRESSED**]/proto...
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Cookie: AUTH_SESSION_ID=3aae7e12-8755-412f-b565-a65c9b756f9a;
KC_RESTART=eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICI3Yzk0NGUzMi0zZTk2LTRmNjctOGJkMC1jZDUwN2QzNTkxZTcifQ.[...].nRE_5ul_l3S9FA8-mN23OzZUGGSYN_khFaQ4HSxeuWM;
_ga=GA1.2.424301711.1560267296; __cfduid=d23d08383e8ff667abef204b0821031e01562311327;
__zlcmid=tPiP7fQJt3UNtf; _gid=GA1.2.1095447441.1566802604
username=[**SUPRESSED**]&password=[**SUPRESSED**]
HTTP/1.1 302 Found
Connection: keep-alive
Cache-Control: no-store, must-revalidate, max-age=0
Set-Cookie: KC_RESTART=; Version=1; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Max-Age=0;
Path=/auth/realms/[**SUPRESSED**]/; HttpOnly
Set-Cookie:
KEYCLOAK_IDENTITY=eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICI3Yzk0NGUzMi0zZTk2LTRmNjctOGJkMC1jZDUwN2QzNTkxZTcifQ.eyJqdGkiOiI5ZDEyY2Y2NS00MzRlLTQ3ZjItODAyYi01MTFiMDFmZjVkMTUiLCJleHAiOjE1NjY5MzI3MTYsIm5iZiI6MCwiaWF0IjoxNTY2ODk2NzE2LCJpc3MiOiJodHRwOi8va2V5Y2xvYWsueGNhbGliZXIuaW86ODE4MC9hdXRoL3JlYWxtcy9YQ2FsaWJlciIsInN1YiI6ImU5NDA3OWJhLTNhNzUtNDc1ZS1hM2MyLWFiZTIyMjY4MWFiYSIsImF1dGhfdGltZSI6MCwic2Vzc2lvbl9zdGF0ZSI6IjNhYWU3ZTEyLTg3NTUtNDEyZi1iNTY1LWE2NWM5Yjc1NmY5YSIsInN0YXRlX2NoZWNrZXIiOiJOQ3M2LVR2T0JPaVg3VWIyUzM3NldvV3piOF91M1pVUXY1ODVOVU5mV2pBIn0.BOFLzvv6qXrMopCHd6uas0g_ywNDHskE3WRvwwS2oWY;
Version=1; Path=/auth/realms/[**SUPRESSED**]/; HttpOnly
Set-Cookie:
KEYCLOAK_SESSION=[**SUPRESSED**]/e94079ba-3a75-475e-a3c2-abe222681aba/3aae7e12-8755-412f-b565-a65c9b756f9a;
Version=1; Expires=Tue, 27-Aug-2019 19:05:16 GMT; Max-Age=36000;
Path=/auth/realms/[**SUPRESSED**]/
Set-Cookie: KEYCLOAK_REMEMBER_ME=; Version=1; Comment=Expiring cookie; Expires=Thu,
01-Jan-1970 00:00:10 GMT; Max-Age=0; Path=/auth/realms/[**SUPRESSED**]/; HttpOnly
P3P: CP="This is not a P3P policy!"
Location:
https://[**SUPRESSED**].cloudflareaccess.com/cdn-cgi/access/callback?state=b59047eb1016be0d59b306a2c35b74d9323864549c7d7ae2c78775e890b4c04c.JTdCJTIyaG9zdG5hbWUlMjIlM0ElMjJ4Y2FsaWJlci5jbG91ZGZsYXJlYWNjZXNzLmNvbSUyMiUyQyUyMnJlZGlyZWN0VVJMJTIyJTNBJTIyJTJGJTIyJTJDJTIyYXVkJTIyJTNBJTIyJTIyJTJDJTIyaWRwSWQlMjIlM0ElMjJiZGY3ZmY5Ni1kNzg4LTRmZGUtYWE1Ny1hNmFmOTZkOWM0ZmUlMjIlMkMlMjJpc0VudFNldHVwJTIyJTNBZmFsc2UlMkMlMjJpc0lEUFRlc3QlMjIlM0F0cnVlJTJDJTIybm9uY2UlMjIlM0ElMjJjNWhPRTZFN3dIMHo0WTdGJTIyJTdE&session_state=3aae7e12-8755-412f-b565-a65c9b756f9a&code=af698d46-23a0-44e2-9832-71f5434ccf69.3aae7e12-8755-412f-b565-a65c9b756f9a.975d74ab-0c36-465e-bb38-32a0559eca73
Content-Length: 0
Date: Tue, 27 Aug 2019 09:05:16 GMT
******************* END STREAM *******************
Let me know if you have any further queries.
Regards,
Iommi
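The trace above ends at Keycloak's 302 back to the /cdn-cgi/access/callback URL, so the step that actually fails, Cloudflare's back-channel POST to the token endpoint, never appears in it. The script below is an added diagnostic, not from the post or from Cloudflare or Keycloak, that replays that exchange with the code from the callback URL and maps the token endpoint's RFC 6749 error code to the usual cause; it assumes the standard Keycloak token path /auth/realms/<realm>/protocol/openid-connect/token and a confidential client with a client secret.

```python
# Added diagnostic (not from the post): replay the back-channel code-for-token
# exchange that Cloudflare Access performs after Keycloak's 302 to the callback.
# Assumed, not on the page: the standard Keycloak token endpoint path and a client_secret client.
import json, sys
import urllib.error, urllib.parse, urllib.request

# RFC 6749 section 5.2 error codes mapped to the usual configuration cause.
# Keycloak's error_description wording varies by version, so key on the code.
DIAGNOSIS = {
    "invalid_client": "client authentication failed: check client_id and client secret",
    "unauthorized_client": "client may not use the authorization_code grant (check client type/flows)",
    "invalid_grant": "code rejected: expired, reused, or redirect_uri differs from the /auth request",
    "invalid_request": "malformed request: a required parameter is missing",
}

def build_token_request(issuer, realm, code, redirect_uri, client_id, client_secret):
    """Return (token_url, urlencoded body) for the authorization_code exchange."""
    url = f"{issuer.rstrip('/')}/auth/realms/{realm}/protocol/openid-connect/token"
    body = urllib.parse.urlencode({
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,  # must match the /auth redirect_uri byte for byte
        "client_id": client_id,
        "client_secret": client_secret,
    })
    return url, body

def diagnose(status, body_text):
    """Turn a token-endpoint reply into a short verdict on what is misconfigured."""
    try:
        payload = json.loads(body_text) if body_text else {}
    except json.JSONDecodeError:
        return f"HTTP {status}: non-JSON reply, likely a proxy page or wrong token URL"
    if status == 200 and "access_token" in payload:
        return "exchange succeeded: secret, redirect_uri and code are consistent"
    err = payload.get("error", "unknown")
    return f"HTTP {status} {err}: {DIAGNOSIS.get(err, 'unexpected error code')}"

def exchange(url, body):
    # POST the form and return (status, text); a 4xx reply is data here, not an exception
    req = urllib.request.Request(url, data=body.encode(), method="POST",
                                 headers={"Content-Type": "application/x-www-form-urlencoded"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode()

if __name__ == "__main__":
    # usage: ISSUER REALM CODE REDIRECT_URI CLIENT_ID CLIENT_SECRET (code copied from the callback URL)
    url, body = build_token_request(*sys.argv[1:7])
    print(diagnose(*exchange(url, body)))
```

Run it from a host that can reach the token endpoint the same way Cloudflare does; a fresh code is needed for each attempt because Keycloak invalidates a code once it has been redeemed.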