Problems with using Keycloak as OAuth provider
I am trying (both 1.12.1 and 1.13.0) to let authentication be handled by keycloak, but I have some issues.
My config looks like this:

```hocon
{
  enabled = true
  id = "keycloak"
  name = "KeyCloak"
  scope = "email "
  icon = "fab fa-openid"
  authorize-url = "https://auth.EXAMPLE/realms/EXAMPLE-internal/protocol/openid-connect/auth"
  token-url = "https://auth.EXAMPLE/realms/EXAMPLE-internal/protocol/openid-connect/token"
  user-url = "https://auth.EXAMPLE/realms/EXAMPLE-internal/protocol/openid-connect/userinfo"
  user-id-key = "email"
  user-email-key = "email"
  client-id = "sharry-auth"
  client-secret = "<secret>"
}
```
And it seems like the authentication with keycloak goes fine, but on the return to sharry I get this error on resume
(https://SHARRY.EXAMPLE.COM/api/v2/open/auth/oauth/keycloak/resume?state=...):

`Internal Error: Malformed message body: Invalid JSON: empty body`

It looks like the same error as in #889.
Hi @lauer - that error means that when trying to reach the user endpoint, the json is empty. So it cannot get the user name etc.
If you set this in the config:

```hocon
sharry.restserver.logging.levels = {
  "sharry.restserver.oauth" = "Trace"
}
```

you should get more details. Your config looks good to me. Which version of keycloak are you using?
I just tried with my test setup and it works. I have this in my config:

```hocon
user-id-key = "preferred_username"
user-email-key = "email"
scope = "openid"
client-id = "<client-id>"
client-secret = "<secret>"
```

Then the keycloak config is very simple. I only created a client with redirect url set to http://localhost:9090/* (for testing).
Strange. I have tried `minimum-level = "Trace"` but it does not seem to log more (json format).
I just get a 403 red error on the sign-in page, and no actual error message in the logfile:
```json
{
  "level": "INFO",
  "levelValue": 300.0,
  "message": "Got user id: None",
  "additionalMessages": [],
  "fileName": "CodeFlow.scala",
  "className": "sharry.restserver.oauth.CodeFlow",
  "methodName": "resp",
  "line": 100,
  "column": null,
  "data": {},
  "traces": [],
  "timestamp": 1705312876714,
  "date": "2024-01-15",
  "time": "11:01:16.714+-1-60"
}
{
  "level": "TRACE",
  "levelValue": 100.0,
  "message": "user structure: {\"sub\":\"64a8d0c3-edb2-4a44-8fba-15345cfd797c\",\"email_verified\":true,\"name\":\"NAME\",\"preferred_username\":\"EMAIL\",\"given_name\":\"Jesper\",\"family_name\":\"LAST_NAME\",\"email\":\"EMAIL\"}",
  "additionalMessages": [],
  "fileName": "CodeFlow.scala",
  "className": "sharry.restserver.oauth.CodeFlow",
  "methodName": "resp",
  "line": 98,
  "column": null,
  "data": {},
  "traces": [],
  "timestamp": 1705312876711,
  "date": "2024-01-15",
  "time": "11:01:16.711+-1-60"
}
{
  "level": "INFO",
  "levelValue": 300.0,
  "message": "HTTP/1.1 403 Forbidden",
  "additionalMessages": [],
  "fileName": "",
  "className": "org.http4s.server.middleware.Logger",
  "methodName": null,
  "line": null,
  "column": null,
  "data": {},
  "traces": [],
  "timestamp": 1705312876811,
  "date": "2024-01-15",
  "time": "11:01:16.811+-1-60"
}
```
Hereafter there is a session registered at keycloak, and I get this error message when I try again:

`An invalid response was received from the upstream server.`
Hm, strange 🤔 Can you perhaps try with my settings, use `scope = "openid"` and `user-id-key = "preferred_username"`? Just curious... though I think it should work with your settings as well. The response actually contains everything (the logged user-structure).
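A small check for exactly this situation, added here as an example and not part of the thread or of Sharry's own code: it reads the concatenated, pretty-printed JSON log objects in the format shown above, pulls the traced userinfo document out of the `user structure:` message, and resolves the configured `user-id-key` / `user-email-key` against it. The sample log is constructed, and treating the keys as a plain top-level lookup in the userinfo document is an assumption about Sharry's behaviour.

```python
import json

# Constructed sample in the shape of the Sharry trace log above:
# several pretty-printed JSON objects one after another, not a JSON array.
SAMPLE_LOG = """{
  "level": "INFO",
  "message": "Got user id: None",
  "className": "sharry.restserver.oauth.CodeFlow"
}
{
  "level": "TRACE",
  "message": "user structure: {\\"sub\\":\\"SUB\\",\\"email_verified\\":true,\\"preferred_username\\":\\"EMAIL\\",\\"email\\":\\"EMAIL\\"}",
  "className": "sharry.restserver.oauth.CodeFlow"
}
"""

PREFIX = "user structure: "


def iter_log_objects(text):
    """Yield each JSON object from a stream of concatenated objects."""
    decoder = json.JSONDecoder()
    pos = 0
    while True:
        while pos < len(text) and text[pos].isspace():  # raw_decode does not skip whitespace
            pos += 1
        if pos >= len(text):
            return
        obj, pos = decoder.raw_decode(text, pos)
        yield obj


def traced_user_structures(text):
    """Return every userinfo document that a TRACE line recorded, decoded."""
    found = []
    for obj in iter_log_objects(text):
        msg = obj.get("message", "")
        if obj.get("level") == "TRACE" and msg.startswith(PREFIX):
            found.append(json.loads(msg[len(PREFIX):]))
    return found


def check_log(text, user_id_key, user_email_key):
    """Resolve the configured keys against the last traced userinfo document.

    Returns None when no TRACE line is present (log level not applied, or the
    userinfo body really was empty); otherwise a dict with None for absent keys.
    Assumption: Sharry looks the keys up as plain top-level fields.
    """
    structures = traced_user_structures(text)
    if not structures:
        return None
    info = structures[-1]
    return {"user_id": info.get(user_id_key), "user_email": info.get(user_email_key)}
```

Run it against your own log with the keys from your config; if the traced document resolves both keys but the next line still says `Got user id: None`, the problem is not the userinfo payload.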
I am using sharry with Keycloak, and I can confirm that I had to set user-id-key = "preferred_username" to make it work.
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. This only applies to 'question' issues. Always feel free to reopen or create new issues. Thank you!