OAuth2/OIDC Authorization Code Grant will not work on Federation with Kerberos auth #4256

Open · 4 tasks done
markaltmann opened this issue Mar 17, 2025 · 0 comments
Labels: bug (Something isn't working)

Comments

@markaltmann

I have checked the following:

  • I have searched existing issues and found nothing related to my issue.

This bug is:

  • making Bruno unusable for me
  • slowing me down but I'm able to continue working
  • annoying

Bruno version

1.39.1

Operating System

macOS 15.3.2 (24D81) / Win 11

Describe the bug

This is very strange behavior, somewhat connected to #2650, and should also be referenced in #1003.

This bug happens if you want to use the Authorization Code Grant for OAuth2/OIDC. Instead of logging someone in directly at the /authorize endpoint, our corporation has set up user federation towards ADFS. This endpoint (https://stfs.corp.com/adfs/ls/wia?) now assumes that I should attach a Kerberos token to this request. If it is not attached, an HTTP 401 is sent with a "WWW-Authenticate" header. This is usually the trigger for the browser to retry the same URL with an attached Kerberos (or NTLM) token in the header.
And strangely, this works on Windows systems, but fails on macOS:

Image

It seems there is some mishandling of GSSAPI (https://en.wikipedia.org/wiki/Generic_Security_Services_Application_Program_Interface), as it stops on one platform but not on the other.

One other thing I tested, of course, is to try the failing URL in my system browser, and there the redirects and token attachment work perfectly normally.
So a solution could be to use the system browser as well. Redirecting to localhost on a defined port is a possibility, just like with oauth2c: https://cloudentity.github.io/oauth2c/
"Note: To make browser flows work add http://localhost:9876/callback as a redirect URL to your client"

.bru file to reproduce the bug

No .bru file needed, this is just OAuth2/OIDC.

Screenshots/Live demo link

Image

@markaltmann markaltmann added the bug Something isn't working label Mar 17, 2025
@anusree-bruno anusree-bruno self-assigned this Mar 17, 2025