Acosix / alfresco-keycloak

Alfresco addon to provide Keycloak-related extensions / customisations for Repository and Share
Apache License 2.0

Upgrade Keycloak v24 #39

Closed dharmendrapanday closed 2 months ago

dharmendrapanday commented 5 months ago

We are running the alfresco-keycloak module with Alfresco version 7.2 and Keycloak version v20, which works perfectly fine without any problem.

After upgrading Keycloak to version v24 yesterday, we get the SSO login page, which redirects back to the Alfresco login page after Keycloak authentication again and again. We have not enforced SSO login; users (external users) have the option to log in with basic auth, and Keycloak SSO (company employees) as well.

Can you please suggest what could be wrong...

AFaust commented 4 months ago

I have not checked what recent changes Keycloak v24 may have introduced that changed the behaviour. The most recent version I have used myself is v23, which worked fine. Do you have any log output or (anonymised) network trace that shows the behaviour?

dharmendrapanday commented 2 months ago

Sorry for the late reply; due to some other urgent work we put this on hold.

Now I have started working again. Here is the error message I am getting in the Alfresco logs.

alfresco_1 | 2024-07-25 12:49:12,295 WARN [content.transform.LocalTransformServiceRegistry] [QuartzScheduler_Worker-1] Transformer "htmlToPdfViaTXT" ignored as step transforms ("string", "libreoffice") do not exist. Read from resource alfresco/transforms/0100-basePipelines.json
share_1 | 2024-07-25 12:49:15,381 ERROR [keycloak.adapters.OAuthRequestAuthenticator] [http-nio-8080-exec-6] failed to turn code into token
share_1 | 2024-07-25 12:49:15,382 ERROR [keycloak.adapters.OAuthRequestAuthenticator] [http-nio-8080-exec-6] status from server: 400
share_1 | 2024-07-25 12:49:15,382 ERROR [keycloak.adapters.OAuthRequestAuthenticator] [http-nio-8080-exec-6] {"error":"invalid_grant","error_description":"Incorrect redirect_uri"}
share_1 | 2024-07-25 12:49:15,382 WARN [share.web.KeycloakAuthenticationFilter] [http-nio-8080-exec-6] Keycloak authentication failed due to
proxy_1 | 10.6.75.186 - - [25/Jul/2024:12:49:15 +0000] "GET /share/page/?state=bdee52bc-6205-43b2-889d-d1eed3fb915f&session_state=9e7c6307-9869-4c9b-a617-f16338a2223d&iss=https%keycloal%2Fauth%2Frealms%2Fscania&code=a9e48317-c4c5-4e1d-bef4-d1ed078fb228.9e7c6307-9869-4c9b-a617-f16338a2223d.6602f579-bcba-4800-9db4-feb9f7f89a33 HTTP/1.1" 302 0 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36" p

dharmendrapanday commented 2 months ago

Alfresco Share config:

<config evaluator="string-compare" condition="Keycloak">
    <keycloak-auth-config>
        <enhance-login-form>true</enhance-login-form>
        <enable-sso-filter>true</enable-sso-filter>
        <force-keycloak-sso>true</force-keycloak-sso>
        <perform-token-exchange>false</perform-token-exchange>
    </keycloak-auth-config>
    <keycloak-adapter-config>
        <forced-route-url></forced-route-url>
        <auth-server-url>https://keycloakurl/auth</auth-server-url>
        <realm>company</realm>
        <resource>dev</resource>
        <public-client>false</public-client>
        <credentials>
            <provider>secret</provider>
            <secret>******</secret>
        </credentials>
    </keycloak-adapter-config>
</config>

Alfresco Repo config:

authentication.chain=alfrescoNtlm1:alfrescoNtlm,keycloak1:keycloak

keycloak.authentication.enabled=true
keycloak.authentication.sso.enabled=true
keycloak.authentication.handlePublicApi=true
keycloak.authentication.allowTicketLogons=true
keycloak.authentication.allowHttpBasicLogon=true
keycloak.authentication.allowUserNamePasswordLogin=true
keycloak.authentication.mapAuthorities=true
keycloak.authentication.mapPersonPropertiesOnLogin=true

keycloak.synchronization.enabled=false
keycloak.adapter.auth-server-url=https://keycloak.com/auth
keycloak.adapter.realm=company
keycloak.adapter.resource=dev-repo
keycloak.adapter.credentials.secret=****
keycloak.adapter.verify-token-audience=false

keycloak.adapter.directAuthHost=https://keycloak.com/auth

keycloak.adapter.principal-attribute=username
keycloak.principal-attribute=username
keycloak.adapter.verify-token-audience=false

dharmendrapanday commented 2 months ago

There is an issue with Keycloak where the user needs to set "Exclude Issuer From Authentication Response" to ON. Here is the article: https://github.com/keycloak/keycloak/discussions/25684
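The 400 in the log and the Keycloak setting named above fit together: Keycloak 24 appends an `iss` parameter to the authorization response (RFC 9207), and an adapter that rebuilds `redirect_uri` from the callback URL by stripping only `code`, `state` and `session_state` presents the leftover `iss` to the token endpoint, where the exact-match check rejects it. The following is an added illustration of that mismatch, not code from alfresco-keycloak or the Keycloak adapter; the hostnames and parameter values are constructed placeholders, and the two strip sets are assumptions about adapter behaviour.

```python
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Constructed sample callback, shaped like the GET /share/page/ request in the
# proxy log: Keycloak appended state, session_state, iss and code to the
# redirect_uri used in the authorization request (values are placeholders).
CALLBACK_URL = (
    "https://alfresco.example/share/page/"
    "?state=STATE-PLACEHOLDER"
    "&session_state=SESSION-PLACEHOLDER"
    "&iss=https%3A%2F%2Fkeycloak.example%2Fauth%2Frealms%2Fcompany"
    "&code=CODE-PLACEHOLDER"
)

# redirect_uri that was sent in the authorization request (constructed).
AUTHZ_REDIRECT_URI = "https://alfresco.example/share/page/"

# Assumed: parameters a pre-RFC-9207 adapter removes before reusing the
# callback URL as redirect_uri in the token request.
LEGACY_STRIP = {"code", "state", "session_state"}
# Assumed: the same set once the adapter also knows about the iss parameter.
RFC9207_STRIP = LEGACY_STRIP | {"iss"}


def rebuild_redirect_uri(callback_url: str, strip: set) -> str:
    """Drop the authorization-response parameters from the callback URL and
    return the redirect_uri the client will present at the token endpoint."""
    parts = urlsplit(callback_url)
    kept = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
            if k not in strip]
    return urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(kept), ""))


def token_endpoint_check(authz_redirect_uri: str, presented: str) -> dict:
    """Mimic the authorization server's exact-match comparison of redirect_uri;
    a mismatch is what the log shows as 400 invalid_grant / Incorrect redirect_uri."""
    if authz_redirect_uri == presented:
        return {"ok": True}
    return {"ok": False, "error": "invalid_grant",
            "error_description": "Incorrect redirect_uri"}


def legacy_outcome() -> dict:
    # Leaves "?iss=..." on the URL, so the token request is rejected.
    return token_endpoint_check(AUTHZ_REDIRECT_URI,
                                rebuild_redirect_uri(CALLBACK_URL, LEGACY_STRIP))


def iss_aware_outcome() -> dict:
    # Strips iss as well, so the presented redirect_uri matches exactly.
    return token_endpoint_check(AUTHZ_REDIRECT_URI,
                                rebuild_redirect_uri(CALLBACK_URL, RFC9207_STRIP))
```

Turning "Exclude Issuer From Authentication Response" on removes the `iss` parameter at the server side and so restores the legacy adapter's behaviour; an adapter that recognises `iss` achieves the same match while keeping the mix-up protection the parameter provides.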