Leantime / leantime

Leantime is a goals focused project management system for non-project managers. Building with ADHD, Autism, and dyslexia in mind.
https://leantime.io
GNU Affero General Public License v3.0

[BUG] keycloak oidc too many redirects #2360

Closed leonidas-o closed 4 months ago

leonidas-o commented 8 months ago

What setup are you using

Describe the bug Cannot get keycloak with docker-leantime (3.0.7, also tried with 3.1.1) to work. There are some 303 and 302 redirects before the browser gives up.

To Reproduce Steps to reproduce the behavior:

  1. Go to leantime's .env and add:
    LEAN_OIDC_CLIENT_ID=MYCLIENTID
    LEAN_OIDC_CLIENT_SECRET=MYSECRETHERE
    LEAN_OIDC_PROVIDER_URL=https://keycloak.my-domain.com/realms/MYREALM/
  2. On the leantime login page, click on OIDC Login and type in your credentials
  3. See the redirects

Expected behavior Redirect back to leantime and the given user is logged in.

Leantime Version docker leantime:latest (3.0.7, 3.1.1)

Server Apache, nginx, IIS etc

PHP / MySQL Version docker leantime:latest docker image mysql:8.0

Additional context

127.0.0.1 -  28/Feb/2024:17:59:46 +0000 "GET /index.php" 302
127.0.0.1 -  28/Feb/2024:17:59:58 +0000 "GET /index.php" 303
127.0.0.1 -  28/Feb/2024:17:59:58 +0000 "GET /index.php" 302
127.0.0.1 -  28/Feb/2024:17:59:58 +0000 "GET /index.php" 303
127.0.0.1 -  28/Feb/2024:17:59:58 +0000 "GET /index.php" 302
127.0.0.1 -  28/Feb/2024:17:59:59 +0000 "GET /index.php" 303
127.0.0.1 -  28/Feb/2024:17:59:59 +0000 "GET /index.php" 302
127.0.0.1 -  28/Feb/2024:17:59:59 +0000 "GET /index.php" 303
127.0.0.1 -  28/Feb/2024:17:59:59 +0000 "GET /index.php" 302
127.0.0.1 -  28/Feb/2024:17:59:59 +0000 "GET /index.php" 303
127.0.0.1 -  28/Feb/2024:18:00:00 +0000 "GET /index.php" 302
127.0.0.1 -  28/Feb/2024:18:00:00 +0000 "GET /index.php" 303
127.0.0.1 -  28/Feb/2024:18:00:00 +0000 "GET /index.php" 302
127.0.0.1 -  28/Feb/2024:18:00:00 +0000 "GET /index.php" 303
127.0.0.1 -  28/Feb/2024:18:00:00 +0000 "GET /index.php" 302

Inside the container, var/www/html/logs/error.log doesn't show anything useful:

[28-Feb-2024 17:59:41 UTC] Adding Event Listener to request_terminated
[28-Feb-2024 17:59:41 UTC] Command Output: 
  2024-02-28 17:59:41 Running [Callback] ............................ 1ms DONE
  2024-02-28 17:59:41 Running [Callback] ............................ 0ms DONE
  2024-02-28 17:59:41 Running [Callback] ............................ 0ms DONE

[28-Feb-2024 17:59:41 UTC] Cron run finished

At the end firefox just shows: The page isn’t redirecting properly. When going to keycloak, under clients -> leantime -> sessions I see the user is logged in. Also under keycloak events I see some LOGIN and CODE_TO_TOKEN event types.

asadya2 commented 5 months ago

The same behavior happens with Authentik as well. The configuration is the same i.e. just set the three environment variables LEAN_OIDC_ENABLE, LEAN_OIDC_CLIENT_ID and LEAN_OIDC_CLIENT_SECRET and then try to login and it goes into a loop of 303 and 302 redirects before finally giving up.

alex3305 commented 4 months ago

I have the same issue with Dex IDP. I tried different configurations. First up the most basic configuration:

LEAN_OIDC_ENABLE=true
LEAN_OIDC_CLIENT_ID=leantime
LEAN_OIDC_CLIENT_SECRET=MySuperSecretLeantimeClientSecret
LEAN_OIDC_PROVIDER_URL=https://identity.example.com

And also a more advanced version with every setting explicitly set:

LEAN_OIDC_ENABLE=true
LEAN_OIDC_CLIENT_ID=leantime
LEAN_OIDC_CLIENT_SECRET=MySuperSecretLeantimeClientSecret
LEAN_OIDC_PROVIDER_URL=https://identity.example.com
LEAN_OIDC_SCOPES=openid,profile,email

LEAN_OIDC_AUTH_URL_OVERRIDE=https://identity.example.com/auth
LEAN_OIDC_JWKS_URL_OVERRIDE=https://identity.example.com/keys
LEAN_OIDC_TOKEN_URL_OVERRIDE=https://identity.example.com/token
LEAN_OIDC_USERINFO_URL_OVERRIDE=https://identity.example.com/userinfo

I also tried adding LEAN_OIDC_CREATE_USER=true just to rule that out, but that didn't make a difference either. Finally I also tried adding the patch from @sy-gpe in #2519, but that didn't work either. Trying to log in just yields successful logins and redirects to the IdP. Also the authentication cookie is set from Dex.

Would this also be affected or perhaps resolved with #2530?

leonidas-o commented 4 months ago

The solution was discussed in the leantime discord session. What worked for me in the end was:

Keycloak

I think especially the Home URL was the one missing piece for me.

Access settings

Root URL:                              https://my-leantime.domain.com
Home URL:                              https://my-leantime.domain.com
Valid redirect URIs:                   https://my-leantime.domain.com/*
Valid post logout redirect URIs:       https://my-leantime.domain.com
Admin URL:                             https://my-leantime.domain.com

Leantime .env

## OpenID Connect
# required
LEAN_OIDC_ENABLE=true
LEAN_OIDC_CLIENT_ID=leantime
LEAN_OIDC_CLIENT_SECRET=myclientsecret

# required - the url for your provider (examples down below)
LEAN_OIDC_PROVIDER_URL=https://my-keycloak.domain.com/realms/my-realm

#Create User if it doesn't exist in Leantime db, otherwise fail login
LEAN_OIDC_CREATE_USER=true

# Default role for users created via OIDC (20 is editor)
LEAN_OIDC_DEFAULT_ROLE=20
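A small offline diagnostic for the two things this thread turns on, added here as an example and not code from Leantime or from any commenter: it checks the LEAN_OIDC_* keys quoted above (flagging a missing key and the trailing slash on the provider URL that the first report had and the working config drops), checks a callback URL against Keycloak's "Valid redirect URIs" wildcard form, and detects the 302/303 bounce pattern in access-log lines laid out like the ones pasted in the issue. The log lines and .env fragment are constructed; the loop threshold (six 3xx hits on one path within five seconds) is an assumption.

```python
# Added example (not Leantime's own code): offline checks for the OIDC setup discussed above.
# Assumes the LEAN_OIDC_* keys quoted in this thread, Keycloak's trailing-'*' wildcard form
# for 'Valid redirect URIs', and the access-log layout pasted in the issue. Inputs are constructed.
import re
from datetime import datetime

REQUIRED = ("LEAN_OIDC_ENABLE", "LEAN_OIDC_CLIENT_ID", "LEAN_OIDC_CLIENT_SECRET", "LEAN_OIDC_PROVIDER_URL")
LOG_RE = re.compile(r'^\S+ - +(\S+ \S+) "(\w+) (\S+)" (\d{3})$')

# Constructed .env fragment: secret missing, provider URL with trailing slash as in the first report.
SAMPLE_ENV = "LEAN_OIDC_ENABLE=true\nLEAN_OIDC_CLIENT_ID=leantime\n# secret unset\n" \
             "LEAN_OIDC_PROVIDER_URL=https://keycloak.my-domain.com/realms/MYREALM/\n"
# Constructed access-log lines in the layout shown above: 302/303 bouncing on one path in 2 seconds.
SAMPLE_LOG = [f'127.0.0.1 -  28/Feb/2024:17:59:5{s} +0000 "GET /index.php" {c}'
              for s, c in zip((8, 8, 8, 9, 9, 9, 9, 9), (303, 302, 303, 302, 303, 302, 303, 302))]

def parse_env(text):
    """Parse KEY=VALUE lines, skipping blanks and '#' comments."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            env[key.strip()] = value.strip()
    return env

def check_env(env):
    """Return configuration problems; an empty list means the required keys look sane."""
    problems = [f"missing {k}" for k in REQUIRED if not env.get(k)]
    if env.get("LEAN_OIDC_PROVIDER_URL", "").endswith("/"):
        # Keycloak's issuer has no trailing slash, and the working config above omits it too.
        problems.append("provider URL has a trailing slash")
    return problems

def redirect_uri_allowed(pattern, uri):
    """Keycloak 'Valid redirect URIs': a trailing '*' is a prefix wildcard, else exact match."""
    return uri.startswith(pattern[:-1]) if pattern.endswith("*") else uri == pattern

def redirect_loop(lines, window_s=5, min_hops=6):
    """Return the path that got >= min_hops 3xx responses within window_s seconds, else None."""
    by_path = {}
    for line in lines:
        m = LOG_RE.match(line)
        if m and m.group(4).startswith("3"):
            ts = datetime.strptime(m.group(1), "%d/%b/%Y:%H:%M:%S %z")
            by_path.setdefault(m.group(3), []).append(ts)
    for path, stamps in by_path.items():
        stamps.sort()
        for i in range(len(stamps) - min_hops + 1):
            if (stamps[i + min_hops - 1] - stamps[i]).total_seconds() <= window_s:
                return path
    return None
```

Run `check_env(parse_env(open(".env").read()))` against a real .env and `redirect_loop(open("access.log"))` against the container's access log to reproduce the checks on live data.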