[DOP-29772] Change Keycloak redirect from 307 to 401

.env.docker

@@ -26,7 +26,7 @@ SYNCMASTER__AUTH__KEYCLOAK__SERVER_URL=http://keycloak:8080
 SYNCMASTER__AUTH__KEYCLOAK__REALM_NAME=manually_created
 SYNCMASTER__AUTH__KEYCLOAK__CLIENT_ID=manually_created
 SYNCMASTER__AUTH__KEYCLOAK__CLIENT_SECRET=generated_by_keycloak
-SYNCMASTER__AUTH__KEYCLOAK__REDIRECT_URI=http://localhost:8000/auth/callback
+SYNCMASTER__AUTH__KEYCLOAK__REDIRECT_URI=http://localhost:3000/auth/callback
 SYNCMASTER__AUTH__KEYCLOAK__SCOPE=email
 SYNCMASTER__AUTH__KEYCLOAK__VERIFY_SSL=False
 

.env.local

@@ -26,7 +26,7 @@ export SYNCMASTER__AUTH__KEYCLOAK__SERVER_URL=http://localhost:8080
 export SYNCMASTER__AUTH__KEYCLOAK__REALM_NAME=manually_created
 export SYNCMASTER__AUTH__KEYCLOAK__CLIENT_ID=manually_created
 export SYNCMASTER__AUTH__KEYCLOAK__CLIENT_SECRET=generated_by_keycloak
-export SYNCMASTER__AUTH__KEYCLOAK__REDIRECT_URI=http://localhost:8000/auth/callback
+export SYNCMASTER__AUTH__KEYCLOAK__REDIRECT_URI=http://localhost:3000/auth/callback
 export SYNCMASTER__AUTH__KEYCLOAK__SCOPE=email
 export SYNCMASTER__AUTH__KEYCLOAK__VERIFY_SSL=False
 

docs/changelog/next_release/274.improvement.rst

@@ -0,0 +1 @@
+Replace 307 redirect to Keycloak auth page with 401 response, due to browser restrictions for redirect + CORS + localhost.

docs/reference/server/auth/keycloak/local_installation.rst

@@ -73,11 +73,11 @@ Set ``client_authentication`` **ON** to receive client_secret
 Configure Redirect URI
 ~~~~~~~~~~~~~~~~~~~~~~
 
-To configure the redirect URI where the browser will redirect to exchange the code provided from Keycloak for an access token, set the `SYNCMASTER__AUTH__KEYCLOAK__REDIRECT_URI` environment variable. The default value for local development is `http://localhost:8000/auth/callback`.
+To configure the redirect URI where the browser will redirect to exchange the code provided from Keycloak for an access token, set the `SYNCMASTER__AUTH__KEYCLOAK__REDIRECT_URI` environment variable. The default value for local development is `http://localhost:3000/auth/callback`.
 
 .. code-block:: console
 
-    $ export SYNCMASTER__AUTH__KEYCLOAK__REDIRECT_URI=http://localhost:8000/auth/callback
+    $ export SYNCMASTER__AUTH__KEYCLOAK__REDIRECT_URI=http://localhost:3000/auth/callback
 
 Configure the client redirect URI
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
@@ -112,7 +112,7 @@ After this you can user `KeycloakAuthProvider` in your application with provided
 .. code-block:: console
 
     $ export SYNCMASTER__AUTH__KEYCLOAK__SERVER_URL=http://keycloak:8080
-    $ export SYNCMASTER__AUTH__KEYCLOAK__REDIRECT_URI=http://localhost:8000/auth/callback
+    $ export SYNCMASTER__AUTH__KEYCLOAK__REDIRECT_URI=http://localhost:3000/auth/callback
     $ export SYNCMASTER__AUTH__KEYCLOAK__REALM_NAME=fastapi_realm
     $ export SYNCMASTER__AUTH__KEYCLOAK__CLIENT_ID=fastapi_client
     $ export SYNCMASTER__AUTH__KEYCLOAK__CLIENT_SECRET=6x6gn8uJdWSBmP8FqbNRSoGdvaoaFeez

pyproject.toml

@@ -136,6 +136,7 @@ faker = "^37.4.0"
 coverage = "^7.9.1"
 gevent = ">=24.11.1,<26.0.0"
 responses = "^0.25.7"
+dirty-equals = "^0.9.0"
 
 [tool.poetry.group.dev.dependencies]
 mypy = "^1.15.0"

syncmaster/server/api/v1/auth.py

@@ -1,10 +1,9 @@
 # SPDX-FileCopyrightText: 2023-2024 MTS PJSC
 # SPDX-License-Identifier: Apache-2.0
-from http.client import NOT_FOUND
+from http.client import NO_CONTENT
 from typing import Annotated
 
-from fastapi import APIRouter, Depends, HTTPException, Request
-from fastapi.responses import RedirectResponse
+from fastapi import APIRouter, Depends, Request, Response
 from fastapi.security import OAuth2PasswordRequestForm
 
 from syncmaster.errors.registration import get_error_responses
@@ -17,7 +16,6 @@
     DummyAuthProvider,
     KeycloakAuthProvider,
 )
-from syncmaster.server.utils.state import validate_state
 
 router = APIRouter(
     prefix="/auth",
@@ -42,21 +40,17 @@ async def token(
     return AuthTokenSchema.model_validate(token)
 
 
-@router.get("/callback")
+@router.get("/callback", status_code=NO_CONTENT)
 async def auth_callback(
     request: Request,
     code: str,
-    state: str,
     auth_provider: Annotated[KeycloakAuthProvider, Depends(Stub(AuthProvider))],
 ):
-    original_redirect_url = validate_state(state)
-    if not original_redirect_url:
-        raise HTTPException(status_code=NOT_FOUND, detail="Invalid state parameter")
     token = await auth_provider.get_token_authorization_code_grant(
         code=code,
         redirect_uri=auth_provider.settings.keycloak.redirect_uri,
     )
     request.session["access_token"] = token["access_token"]
     request.session["refresh_token"] = token["refresh_token"]
 
-    return RedirectResponse(url=original_redirect_url)
+    return Response(status_code=NO_CONTENT)

syncmaster/server/handler.py

@@ -5,7 +5,6 @@
 
 from fastapi import HTTPException, Request, Response, status
 from fastapi.exceptions import RequestValidationError
-from fastapi.responses import RedirectResponse
 from pydantic import ValidationError
 
 from syncmaster.errors.base import APIErrorSchema, BaseErrorSchema
@@ -113,7 +112,7 @@ async def syncmsater_exception_handler(request: Request, exc: SyncmasterError):
         return unknown_exception_handler(request, exc)
 
     content = response.schema(  # type: ignore[call-arg]
-        message=exc.message if hasattr(exc, "message") else "",
+        message=getattr(exc, "message", ""),
     )
     if isinstance(exc, AuthDataNotFoundError):
         content.code = "not_found"
@@ -124,7 +123,10 @@ async def syncmsater_exception_handler(request: Request, exc: SyncmasterError):
         )
 
     if isinstance(exc, RedirectException):
-        return RedirectResponse(url=exc.redirect_url)
+        content.code = "unauthorized"
+        content.message = "Please authorize using provided URL"
+        content.details = exc.redirect_url
+        return exception_json_response(status=status.HTTP_401_UNAUTHORIZED, content=content)
 
     if isinstance(exc, AuthorizationError):
         content.code = "unauthorized"

syncmaster/server/providers/auth/keycloak_provider.py

@@ -13,7 +13,6 @@
 from syncmaster.server.providers.auth.base_provider import AuthProvider
 from syncmaster.server.services.unit_of_work import UnitOfWork
 from syncmaster.server.settings.auth.keycloak import KeycloakAuthProviderSettings
-from syncmaster.server.utils.state import generate_state
 
 log = logging.getLogger(__name__)
 
@@ -137,10 +136,8 @@ async def refresh_access_token(self, refresh_token: str) -> dict[str, Any]:
         return new_tokens
 
     def redirect_to_auth(self, path: str) -> None:
-        state = generate_state(path)
         auth_url = self.keycloak_openid.auth_url(
             redirect_uri=self.settings.keycloak.redirect_uri,
             scope=self.settings.keycloak.scope,
-            state=state,
         )
         raise RedirectException(redirect_url=auth_url)

tests/test_unit/test_auth/test_auth_keycloak.py

@@ -2,6 +2,7 @@
 
 import pytest
 import responses
+from dirty_equals import IsStr
 from httpx import AsyncClient
 
 from syncmaster.server.settings import ServerAppSettings as Settings
@@ -23,14 +24,18 @@
     ],
     indirect=True,
 )
-async def test_get_keycloak_user_unauthorized(client: AsyncClient, mock_keycloak_well_known):
+async def test_keycloak_get_user_unauthorized(client: AsyncClient, mock_keycloak_well_known):
     response = await client.get("/v1/users/some_user_id")
 
     # redirect unauthorized user to Keycloak
-    assert response.status_code == 307, response.text
-    assert "protocol/openid-connect/auth?" in str(
-        response.next_request.url,
-    )
+    assert response.status_code == 401, response.text
+    assert response.json() == {
+        "error": {
+            "code": "unauthorized",
+            "message": "Please authorize using provided URL",
+            "details": IsStr(regex=r".*protocol/openid-connect/auth\?.*"),
+        },
+    }
 
 
 @responses.activate
@@ -46,7 +51,7 @@ async def test_get_keycloak_user_unauthorized(client: AsyncClient, mock_keycloak
     ],
     indirect=True,
 )
-async def test_get_keycloak_user_authorized(
+async def test_keycloak_get_user_authorized(
     client: AsyncClient,
     simple_user: MockUser,
     settings: Settings,
@@ -84,7 +89,7 @@ async def test_get_keycloak_user_authorized(
     ],
     indirect=True,
 )
-async def test_get_keycloak_user_expired_access_token(
+async def test_keycloak_get_user_expired_access_token(
     caplog,
     client: AsyncClient,
     simple_user: MockUser,
@@ -129,7 +134,7 @@ async def test_get_keycloak_user_expired_access_token(
     ],
     indirect=True,
 )
-async def test_get_keycloak_user_inactive(
+async def test_keycloak_get_user_inactive(
     client: AsyncClient,
     simple_user: MockUser,
     inactive_user: MockUser,
@@ -155,3 +160,33 @@ async def test_get_keycloak_user_inactive(
             "details": None,
         },
     }
+
+
+@responses.activate
+@pytest.mark.parametrize(
+    "settings",
+    [
+        {
+            "auth": {
+                "provider": KEYCLOAK_PROVIDER,
+            },
+        },
+    ],
+    indirect=True,
+)
+async def test_keycloak_auth_callback(
+    client: AsyncClient,
+    settings: Settings,
+    mock_keycloak_well_known,
+    mock_keycloak_realm,
+    mock_keycloak_token_refresh,
+    caplog,
+):
+    with caplog.at_level(logging.DEBUG):
+        response = await client.get(
+            "/v1/auth/callback",
+            params={"code": "testcode"},
+        )
+
+    assert response.cookies.get("session"), caplog.text  # cookie is set
+    assert response.status_code == 204, response.json()