Content

OpenID Connect with Keycloak Not Working

Added by Thomas Johnson over 6 years ago

I'm running openproject in a docker container, started with the following command:

docker run --rm -p 8090:80 --name openproject -e SECRET_KEY_BASE=secret \
  -v /var/lib/openproject/pgdata:/var/lib/postgresql/9.6/main \
  -v /var/lib/openproject/logs:/var/log/supervisor \
  -v /var/lib/openproject/static:/var/db/openproject \
  -e EMAIL_DELIVERY_METHOD=smtp \
  -e SMTP_ADDRESS=smtp.sendgrid.net \
  -e SMTP_PORT=587 \
  -e SMTP_DOMAIN=my.domain.com \
  -e SMTP_AUTHENTICATION=login \
  -e SMTP_ENABLE_STARTTLS_AUTO=true \
  -e SMTP_USER_NAME="apikey" \
  -e SMTP_PASSWORD="apikey" \
  openproject/community:8

The application starts up fine, but then I go into the container and add a config/configuration.yml file of the following:

default:
  openid_connect:
    keycloak:
      port: 443
      scheme: "https"
      host: "keycloak.mydomain.com"
      identifier: "openproject"
      secret: "mysecret"
      authorization_endpoint: "https://keycloak.mydomain.com/auth/realms/myrealm/protocol/openid-connect/auth"
      token_endpoint: "https://keycloak.mydomain.com/auth/realms/myrealm/protocol/openid-connect/auth"
      userinfo_endpoint: "https://keycloak.mydomain.com/auth/realms/myrealm/protocol/openid-connect/auth"
      end_session_endpoint: 'https://keycloak.mydomain.com/auth/realms/myrealm/protocol/openid-connect/logout'
      discovery: false
      issuer: "https://openproject.mydomain.com/login"
      display_name: "Keycloak"

When I go through the sign-on process, it takes me to a url of this form:

https://openproject.mydomain.com/auth/keycloak/callback?session_state=73d0af3a-0f19-4df7-a31a-e7aee919d988&code=eyJhbGciOiJkaXIiLCJlbmMiOiJBMTI4Q0JDLUhTMjU2In0..q3-IUJTCXAVi2O88FrlA6Q.3FV_nFwvwOPfaenIOLJ7JnJ1KPgUuSrbBdEPg2T1Lae86CYukjd7UDCeo2pev-Ix8QdmoqGw_DCVddnoW1eA4BHHK3N8U40pGY4pdl1qypROTsD1MQr-dMxXJxkr2Td_kZljA_0ljUWk7Bp0XE9mn9HJ8EYw-xTQbGUHdVhOyLIG-XZlteijyujb3CauoWTWJd-g6trF6Bck3mVTWo5t9Db1pwtN4Zw7Mi9O6PbyAFQR9QlJCAFaRQG6OG4-vqQp.D6P1ABFUiN0Gk6Jb5eMK_A

With the following text:

Internal error

An error occurred on the page you were trying to access.
If you continue to experience problems please contact your OpenProject administrator for assistance.

If you are the OpenProject administrator, check your log files for details about the error.

Ok, so it's a 500 error. Let's check the logs:

App 403 output: Started GET "/auth/keycloak" for [ip address] at 2018-12-03 14:30:00 +0000
App 403 output: I, [2018-12-03T14:30:00.294978 #403]  INFO -- omniauth: (keycloak) Request phase initiated.
App 403 output: Started GET "/auth/keycloak/callback?session_state=73d0af3a-0f19-4df7-a31a-e7aee919d988&code=eyJhbGciOiJkaXIiLCJlbmMiOiJBMTI4Q0JDLUhTMjU2In0..VwVqORfnxywlJ7fDo4jP1Q.KFwHfqwzwftKxIH-A4HWKQigUMCTLwX4R1dbPN1Dsul2LXUgZov8sNjy5-h4Fghj1V_u7w7l8bGffLnFkRQV4jcz5suN9eAW7kMkauxLCw84nMfbxE10P1ffLQMEtxUPCnpkeqPMyk-C70aIexVl15iHQCYdiIUS-YPrOP2v_6HIU7G99YwP72kDZzbCZS5i0JDOR5_L80fL8f9zi_sqPhUs1OxCdIAW_VB-NRhzIouVE9p50G4X4jcUj5eafluy.pfhENUqe4IrjOnRwaeiQSw" for [ip address] at 2018-12-03 14:30:00 +0000
App 403 output: I, [2018-12-03T14:30:00.531723 #403]  INFO -- omniauth: (keycloak) Callback phase initiated.
App 403 output:   
App 403 output: Rack::OAuth2::Client::Error (Unknown :: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"  "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
App 403 output: <html xmlns="http://www.w3.org/1999/xhtml" class="login-pf">
App 403 output: 
App 403 output: <head>
App 403 output:     <meta charset="utf-8">
App 403 output:     <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
App 403 output:     <meta name="robots" content="noindex, nofollow">
App 403 output: 
App 403 output:             <meta name="viewport" content="width=device-width,initial-scale=1"/>
App 403 output:     <title>Log in to myrealm</title>
App 403 output:     <link rel="icon" href="/auth/resources/4.5.0.final/login/keycloak/img/favicon.ico" />
App 403 output:             <link href="/auth/resources/4.5.0.final/login/keycloak/node_modules/patternfly/dist/css/patternfly.css" rel="stylesheet" />
App 403 output:             <link href="/auth/resources/4.5.0.final/login/keycloak/node_modules/patternfly/dist/css/patternfly-additions.css" rel="stylesheet" />
App 403 output:             <link href="/auth/resources/4.5.0.final/login/keycloak/lib/zocial/zocial.css" rel="stylesheet" />
App 403 output:             <link href="/auth/resources/4.5.0.final/login/keycloak/css/login.css" rel="stylesheet" />
App 403 output: </head>
App 403 output: 
App 403 output: <body class="">
App 403 output:   <div class="login-pf-page">
App 403 output:     <div id="kc-header" class="login-pf-page-header">
App 403 output:       <div id="kc-header-wrapper" class="">myrealm</div>
App 403 output:     </div>
App 403 output:     <div class="card-pf ">
App 403 output:       <header class="login-pf-header">
App 403 output:         <h1 id="kc-page-title">        We&#39;re sorry...
App 403 output: </h1>
App 403 output:       </header>
App 403 output:       <div id="kc-content">
App 403 output:         <div id="kc-content-wrapper">
App 403 output: 
App 403 output: 
App 403 output:         <div id="kc-error-message">
App 403 output:             <p class="instruction">Missing parameters: client_id</p>
App 403 output:         </div>
App 403 output: 
App 403 output:         </div>
App 403 output:       </div>
App 403 output: 
App 403 output:     </div>
App 403 output:   </div>
App 403 output: </body>
App 403 output: </html>
App 403 output: ):
App 403 output:   
App 403 output: app/middleware/reset_current_user.rb:47:in `call'

Is it something I'm screwing up with my keycloak client config?

This is in the nginx logs, in agreement with the above error:

192.168.100.1 - openproject [03/Dec/2018:09:16:10 -0500] "POST /auth/realms/myrealm/protocol/openid-connect/auth HTTP/1.1" 400 1646 "-" "Rack::OAuth2 (1.9.2) (2.8.3, ruby 2.5.3 (2018-10-18))" "-"

As far as I can tell from the request sequence, the client id is getting included in the query params from openproject:

[ip address] - - [03/Dec/2018:09:16:07 -0500] "GET /auth/realms/myrealm/protocol/openid-connect/auth?client_id=openproject&nonce=2e19474430a623215ce9b137885bcc03&redirect_uri=https%3A%2F%2Fopenproject.mydomain.com%2Fauth%2Fkeycloak%2Fcallback&response_type=code&scope=openid+email+profile HTTP/1.1" 200 4076 "https://openproject.mydomain.com/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3568.0 Safari/537.36" "-"

Replies (1)

RE: OpenID Connect with Keycloak Not Working - Added by Thomas Johnson over 6 years ago

I'm dumb, it was the config:

default:
  omniauth_direct_login_provider: openid
  openid_connect:
    keycloak:
      port: 443
      scheme: "https"
      host: "keycloak.mydomain.com"
      identifier: "openproject"
      secret: "my-secret"
      authorization_endpoint: "https://keycloak.mydomain.com/auth/realms/myrealm/protocol/openid-connect/auth"
      token_endpoint: "https://keycloak.mydomain.com/auth/realms/myrealm/protocol/openid-connect/token"
      userinfo_endpoint: "https://keycloak.mydomain.com/auth/realms/myrealm/protocol/openid-connect/userinfo"
      end_session_endpoint: 'https://keycloak.mydomain.com/auth/realms/myrealm/protocol/openid-connect/logout'
      discovery: false
      issuer: "https://openproject.mydomain.com/login"
      display_name: "Keycloak"
      scope: "openid"
      resource: "openproject"

Top Menu

Side Menu

Content

OpenID Connect with Keycloak Not Working

Internal error

Replies (1)

RE: OpenID Connect with Keycloak Not Working - Added by Thomas Johnson over 6 years ago