Follow redirects while testing AuthnRequests #65

Open
lscorcia opened this issue Jul 27, 2021 · 7 comments

@lscorcia

Hi, I was fiddling with Keycloak to see if I could use spid-sp-test to test the SPID Keycloak provider, and it seems like Keycloak emits some redirects before sending an AuthnRequest with HTTP status code 303 See Other (https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/303).

This is the command line I am using (please ignore OIDC attributes for now):

luca@luca-VirtualBox:~$ spid_sp_test \
  --metadata-url https://login.domain.com:8443/auth/realms/spid/spid-sp-metadata \
  --authn-url "https://login.domain.com:8443/auth/realms/spid/protocol/openid-connect/auth?scope=openid+email+profile+phone+address&state=3bd6JHYXE2br8A0xFNl3DbBJS5xRIqpeRuRRH-6NSRE.11FO_fAw98M.account-console&response_type=code&client_id=keycloak_public&redirect_uri=https%3A%2F%2Flogin.domain.com%3A8443%2Fauth%2Frealms%2Fpublic%2Fbroker%2Fspid%2Fendpoint&ui_locales=en&nonce=CfaxQp3-axms2xe9aoU6xA&kc_idp_hint=spid-sp-test" --extra -tr

The process starts and successfully tests the metadata document. Right after that, it fails with the following message:

Traceback (most recent call last):
  File "/home/luca/.local/bin/spid_sp_test", line 291, in <module>
    authn_check = SpidSpAuthnReqCheck(**data_ac)
  File "/home/luca/.local/lib/python3.9/site-packages/spid_sp_test/authn_request.py", line 204, in __init__
    self.authn_request = get_authn_request(
  File "/home/luca/.local/lib/python3.9/site-packages/spid_sp_test/authn_request.py", line 155, in get_authn_request
    raise Exception(

Exception: Authn Request page returns a HTML error code: 303

Would it be possible and correct to let it automatically follow redirects?

@peppelinux
Member

Yes, an authn plugin with follow_redirect as a parameter in the requests; we'll check together. I'll reach you on Slack.

@nicolabeghin

Hi @lscorcia @peppelinux, I'm starting to dig into possible usage of spid-sp-test with Keycloak and the ongoing SPID plugin https://github.com/italia/spid-keycloak-provider - any hint/progress on the above that I should be aware of? Just to avoid having to reinvent the wheel, thanks!

@peppelinux
Member

Spid-sp-test uses plugins for proxies; you can read the SATOSA plugin, it uses HTTP-POST.

You can change it to follow HTTP redirects.

@glatrofa

Hi @lscorcia, have you managed to solve this redirect issue and correctly test the authn request generated by Keycloak?

@glatrofa

glatrofa commented Apr 20, 2023

The request starts after changing "allow_redirects": False to "allow_redirects": True at line 146 of 'spid-sp-test/src/spid-sp-test/authn_request.py' and building the Docker image locally.
Only test n. 11 will fail, due to the different path to which the request is sent.

@nicolabeghin

@glatrofa out of curiosity: how did you build the --authn-url to be passed to spid_sp_test? (if manually) thanks!

@glatrofa

glatrofa commented Apr 20, 2023

@nicolabeghin I used a Keycloak OIDC client URL, like this one: http://localhost:8080/realms/spid/protocol/openid-connect/auth?client_id=account&scope=openid&response_type=code&redirect_uri=http://localhost:8080/realms/spid/account&state=12345&kc_idp_hint=spid-validator-demo
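
A hop-by-hop alternative to switching allow_redirects to True, as an added example that is not part of this thread or of spid-sp-test's code: it follows the intermediate redirects but keeps the hop that carries the SAMLRequest instead of sending it on to the IdP, and caps the number of hops. The function name, the `fetch` callable and the redirect chain are assumptions constructed for illustration.

```python
from urllib.parse import parse_qs, urljoin, urlparse

REDIRECTS = {301, 302, 303, 307, 308}

def find_authn_request(start_url, fetch, max_hops=10):
    """Follow redirects one hop at a time and stop at the AuthnRequest.

    fetch(url) -> (status, headers, body) is a hypothetical callable that must
    not follow redirects itself (e.g. a GET with allow_redirects=False).
    """
    url, hops = start_url, []
    for _ in range(max_hops):
        status, headers, body = fetch(url)
        hops.append((status, url))
        if status in REDIRECTS:
            location = headers.get("Location")
            if not location:
                raise ValueError(f"{status} without Location at {url}")
            url = urljoin(url, location)  # Location may be relative
            if "SAMLRequest" in parse_qs(urlparse(url).query):
                # HTTP-Redirect binding: this URL *is* the AuthnRequest, so
                # return it instead of sending it on to the IdP.
                return {"binding": "HTTP-Redirect", "request_url": url, "hops": hops}
        elif status == 200 and 'name="SAMLRequest"' in body:
            # HTTP-POST binding: the request sits in an auto-submitting form.
            return {"binding": "HTTP-POST", "request_url": url, "hops": hops}
        else:
            raise ValueError(f"no AuthnRequest: status {status} at {url}")
    raise ValueError(f"gave up after {max_hops} hops (redirect loop?)")

# Constructed redirect chain (not captured from a real Keycloak instance).
START = "http://localhost:8080/realms/spid/protocol/openid-connect/auth?client_id=account"
BROKER = "http://localhost:8080/realms/spid/broker/spid-validator-demo/login?session_code=x"
CHAIN = {
    START: (303, {"Location": "/realms/spid/broker/spid-validator-demo/login?session_code=x"}, ""),
    BROKER: (302, {"Location": "https://idp.example/sso?SAMLRequest=ZmFrZQ%3D%3D&RelayState=abc"}, ""),
}

def demo():
    return find_authn_request(START, CHAIN.__getitem__)

if __name__ == "__main__":
    print(demo())
```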
