Skip to content

Commit 2509116

Browse files
Fix Keycloak OIDC flow (calcom#27716)
Some OIDC providers like Keycloak (v18+) include an `iss` (issuer) parameter in the authentication response for security (as per RFC 9207). The oidc route was explicitly extracting only `code` and `state`, thus losing the `iss` parameter and other potential parameters like `session_state`. When Jackson passed the incomplete set of parameters to `openid-client`, the library failed validation with the error `invalid response encountered` because it expected the `iss` parameter to be present if the server supports it. Fixes calcom#22238. Co-authored-by: Sahitya Chandra <sahityajb@gmail.com>
1 parent a8e27c3 commit 2509116

1 file changed

Lines changed: 5 additions & 7 deletions

File tree

apps/web/app/api/auth/oidc/route.ts

Lines changed: 5 additions & 7 deletions
Original file line numberDiff line numberDiff line change
@@ -9,20 +9,18 @@ import logger from "@calcom/lib/logger";
99
// This is the callback endpoint for the OIDC provider
1010
// A team must set this endpoint in the OIDC provider's configuration
1111
async function handler(req: NextRequest) {
12-
const log = logger.getSubLogger({ prefix: ["[ODIC auth]"] });
12+
const log = logger.getSubLogger({ prefix: ["[OIDC auth]"] });
1313
const { searchParams } = req.nextUrl;
14-
const code = searchParams.get("code");
15-
const state = searchParams.get("state");
16-
const tenant = searchParams.get("tenant");
14+
const params = Object.fromEntries(searchParams.entries());
1715

18-
if (!code || !state) {
16+
if (!params.code || !params.state) {
1917
return NextResponse.json({ message: "Code and state are required" }, { status: 400 });
2018
}
2119

2220
const { oauthController } = await jackson();
2321

2422
try {
25-
const { redirect_url } = await oauthController.oidcAuthzResponse({ code, state });
23+
const { redirect_url } = await oauthController.oidcAuthzResponse(params);
2624

2725
if (!redirect_url) {
2826
throw new HttpError({
@@ -33,7 +31,7 @@ async function handler(req: NextRequest) {
3331

3432
return NextResponse.redirect(redirect_url, 302);
3533
} catch (err) {
36-
log.error(`Error authorizing tenant ${tenant}: ${err}`);
34+
log.error(`Error authorizing tenant ${params.tenant}: ${err}`);
3735
const { message, statusCode = 500 } = err as HttpError;
3836

3937
return NextResponse.json({ message }, { status: statusCode });

0 commit comments

Comments
 (0)