OAuth2/OIDC Authorization Code Grant will not work on Federation with Kerberos auth #4256
Open
Bruno version: 1.39.1
Operating System: macOS 15.3.2 (24D81) / Win 11
Describe the bug
This is a very strange behavior and somewhat connected to #2650 and should also be referenced in: #1003
This bug happens if you want to use Authorization Code Grant for OAuth2/OIDC. Instead of directly logging someone in at the /authorize endpoint, our corporation has set up user federation towards ADFS. This endpoint (https://stfs.corp.com/adfs/ls/wia?) now assumes that I should attach a Kerberos token to these requests. If it is not attached, an HTTP 401 is sent with a "WWW-Authenticate" header. This usually is a trigger for the browser to retry the same URL with an attached Kerberos (or NTLM) token in the header.
And strangely, this happens on Windows systems, but fails on macOS:
It seems there is some mishandling of GSSAPI (https://en.wikipedia.org/wiki/Generic_Security_Services_Application_Program_Interface), as it is stopping on one platform but not on another.
One other thing I tested, of course, is trying out the URL that fails in my system browser, and there the redirects and token attachment work completely normally.
So a solution could be to use the system browser as well. Redirecting to localhost with a defined port is a possibility, just like with OAuth2c: https://cloudentity.github.io/oauth2c/
"Note: To make browser flows work add http://localhost:9876/callback as a redirect URL to your client"
.bru file to reproduce the bug
No .bru file needed, this is just OAuth2/OIDC.