Forceu / Gokapi

Lightweight selfhosted Firefox Send alternative without public upload. AWS S3 supported.
GNU Affero General Public License v3.0

User not authorised when logging in with Keycloak #158

Closed SimonHenz97 closed 6 months ago

SimonHenz97 commented 6 months ago

Hey, I tried to use Keycloak as provider. I followed the setup guide and added users, groups and the corresponding scopes to my realm, but after logging in I get the message that Gokapi doesn't authorise the user. Even the admin user gets rejected.


{
  "Authentication": {
    "Method": 1,
    "SaltAdmin": "redacted",
    "SaltFiles": "redacted",
    "Username": "",
    "Password": "",
    "HeaderKey": "",
    "OauthProvider": "redacted",
    "OAuthClientId": "gokapi-dev",
    "OAuthClientSecret": "redacted",
    "OauthUserScope": "",
    "OauthGroupScope": "groups",
    "OAuthRecheckInterval": 12,
    "HeaderUsers": null,
    "OAuthGroups": [
      "admins"
    ],
    "OauthUsers": []
  },
  "Port": ":53842",
  "ServerUrl": "http://redacted/",
  "RedirectUrl": "http://redacted/login",
  "PublicName": "ZimaShare",
  "ConfigVersion": 18,
  "LengthId": 15,
  "DataDir": "data",
  "MaxMemory": 40,
  "UseSsl": false,
  "MaxFileSizeMB": 102400,
  "Encryption": {
    "Level": 0,
    "Cipher": null,
    "Salt": "",
    "Checksum": "",
    "ChecksumSalt": ""
  },
  "PicturesAlwaysLocal": false,
  "SaveIp": false
}

I also get this Keycloak error, but I don't know if it is relevant:

2024-04-27 15:08:25,600 WARN  [org.keycloak.protocol.oidc.utils.OAuth2CodeParser] (executor-thread-18) Invalid format of the code
2024-04-27 15:08:25,602 WARN  [org.keycloak.events] (executor-thread-18) type=CODE_TO_TOKEN_ERROR, realmId=a1e7a995-b5e4-45cc-93f6-49dad0f1faf9, clientId=gokapi-dev, userId=null, ipAddress=redacted, error=invalid_code, grant_type=authorization_code, client_auth_method=client-secret

Forceu commented 6 months ago

Is the Keycloak user part of the group "admins"? In this case you set up Gokapi to only allow access to users that are part of that group, and either the user is not part of it or the value is not transmitted correctly by Keycloak.

SimonHenz97 commented 6 months ago

I have 3 users:

None of them are authorised by Gokapi. The groups are not in the access token, even though I have them enabled.

Forceu commented 6 months ago

Thank you very much for your feedback! When I tested it, I used the group "admin"; however, with the predefined mapping, "admin" was always appended. I fixed the documentation to show this.

Please try a custom mapper as described here and let me know if that fixes the issue.
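The group check described in the two comments above, as an added Go example that is not Gokapi's own code: it assumes the OIDC library has already verified the token signature, that the provider emits the user's groups in a "groups" claim, and that Keycloak's predefined group mapper can emit the full group path (for example "/admins") rather than the bare group name, so a strict string comparison against the configured "admins" fails. The check also distinguishes a missing "groups" claim (mapper not included in the requested scope, the second symptom in this thread) from a user who is simply not in the configured group, which is the reason an operator wants in the server log. All payloads and names are constructed for illustration.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// errNoGroupsClaim signals that the token carries no "groups" claim at all,
// which usually means the group mapper is not part of the requested scope.
var errNoGroupsClaim = errors.New("token carries no \"groups\" claim (check the client scope / mapper)")

// groupsFromClaims extracts the "groups" claim from a decoded token payload
// and distinguishes an absent claim from an empty or malformed one.
// Signature verification is assumed to have happened before this point.
func groupsFromClaims(payload []byte) ([]string, error) {
	var raw map[string]json.RawMessage
	if err := json.Unmarshal(payload, &raw); err != nil {
		return nil, fmt.Errorf("invalid claims JSON: %w", err)
	}
	g, ok := raw["groups"]
	if !ok {
		return nil, errNoGroupsClaim
	}
	var groups []string
	if err := json.Unmarshal(g, &groups); err != nil {
		return nil, fmt.Errorf("\"groups\" claim is not a string array: %w", err)
	}
	return groups, nil
}

// groupMatches accepts the configured value either as a bare group name or as
// that same group at the top level of Keycloak's full group path ("/admins").
// A nested group such as "/staff/admins" only matches when configured with its
// full path, so a same-named subgroup elsewhere in the tree does not grant access.
func groupMatches(tokenGroup, allowed string) bool {
	return tokenGroup == allowed || tokenGroup == "/"+allowed
}

// authorise returns nil when the token's groups intersect the allowed list,
// otherwise an error naming the reason for the rejection.
func authorise(payload []byte, allowed []string) error {
	groups, err := groupsFromClaims(payload)
	if err != nil {
		return err
	}
	for _, g := range groups {
		for _, a := range allowed {
			if groupMatches(g, a) {
				return nil
			}
		}
	}
	return fmt.Errorf("user groups %v do not include any of %v", groups, allowed)
}

func main() {
	allowed := []string{"admins"} // mirrors the "OAuthGroups" setting from the thread
	// Constructed sample payloads (decoded token claims), not tokens from the issue.
	samples := []struct{ name, payload string }{
		{"full path", `{"sub":"alice","groups":["/admins"]}`},
		{"bare name", `{"sub":"bob","groups":["admins"]}`},
		{"nested group", `{"sub":"carol","groups":["/staff/admins"]}`},
		{"other group", `{"sub":"dave","groups":["users"]}`},
		{"claim missing", `{"sub":"erin"}`},
	}
	for _, s := range samples {
		fmt.Printf("%-14s -> %v\n", s.name, authorise([]byte(s.payload), allowed))
	}
}
```

The rejection message tells an operator which of the two failure modes from this thread they are looking at: a group list that does not contain the configured name (mapper emitting a different value than expected) or no group list at all (mapper not in scope).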

SimonHenz97 commented 6 months ago

Yes that configuration works now!

I thought there might be a non-admin user-level page with only the files of the current user, but I guess something like this isn't implemented yet.

Forceu commented 6 months ago

Great to hear! Yes, that is currently on my todo list, but I can't say yet when it will be implemented.