SecurityRiskAdvisors / VECTR

VECTR is a tool that facilitates tracking of your red and blue team testing activities to measure detection and prevention capabilities across different attack scenarios

OIDC configuration failure with KeyCloak #247

Closed tomjones1977 closed 2 months ago

tomjones1977 commented 8 months ago

Describe the bug: OIDC cannot be configured with KeyCloak - Vectr shows "Identity provider configuration was not valid or was misconfigured."

To Reproduce
Steps to reproduce the behavior:

  1. Set up Vectr as per docker-compose instructions
  2. Log in as local admin user and configure OIDC
  3. Use .well-known, client ID and client secret from KeyCloak
  4. Set name and username to preferred_username
  5. Vectr shows "Identity provider configuration was not valid or was misconfigured." and will not save the config.

Expected behavior: OIDC configured correctly.

Screenshots: [two screenshots omitted]

Additional context: Docker Compose logs show the following error when trying to save the config in the web interface:

dev-vectr-tomcat-1         | 2023-10-27 17:00:38,918 ERROR [com.sra.vectr.auth.web.service.IdentityProviderService] - Stack trace:
dev-vectr-tomcat-1         | org.pac4j.core.exception.TechnicalException: privateKeyJwtConfig cannot be null

SRAPSpencer commented 8 months ago

In general, this suggests an error in the SSO configuration on the IdP side. As part of our guidelines we don't provide support for SSO integrations in community edition beyond the docs.

https://github.com/SecurityRiskAdvisors/VECTR/issues/146

If you believe this to truly be a bug, we would need to look at the configuration details. Given the sensitivity of SSO configs you could email us at vectrops@sra.io and depending on availability we may be able to assess.

doodleincode commented 8 months ago

Based on the exception message, it may seem like Keycloak is configured to use private_key_jwt which VECTR does not support. Make sure that Keycloak is using client_secret as the credentialing method for OIDC.

tomjones1977 commented 8 months ago

The client configured in KeyCloak was set to client secret, which has worked for other clients on this KeyCloak server. The client id and secret pasted into Vectr are from this client page.

I've tried changing the auth method to Signed JWT with Client Secret (which is different to all the other client configs) and still no change to the error message generated.

The only reference to the error I can find online is in the pac4j docs: https://www.pac4j.org/docs/clients/openid-connect.html#3-advanced-configuration

Under the advanced configuration section there is an example of how to configure the client to use the JWT token instead of client secret - unless I'm mistaken and this is meant to be pulled from the .well-known URL?

SRAPSpencer commented 8 months ago

> The client configured in KeyCloak was set to client secret, which has worked for other clients on this KeyCloak server. The client id and secret pasted into Vectr are from this client page.
>
> I've tried changing the auth method to Signed JWT with Client Secret (which is different to all the other client configs) and still no change to the error message generated.
>
> The only reference to the error I can find online is in the pac4j docs: https://www.pac4j.org/docs/clients/openid-connect.html#3-advanced-configuration
>
> Under the advanced configuration section there is an example of how to configure the client to use the JWT token instead of client secret - unless I'm mistaken and this is meant to be pulled from the .well-known URL?

Thanks for providing the link. We do believe this to be a bug with our implementation method of pac4j and OIDC. The suspected issue is pac4j is picking up the first defined method which happens to be unique for Keycloak vs other providers. If you could modify Keycloak to provide a well-known that only lists client_secret or lists it first that may resolve the issue.

We have the root cause fix scheduled to be fixed in our next major version release, but that may not be for some period of time.
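A pre-flight check for the situation described in the comment above, added here as an example and not code from VECTR or pac4j: it reads an OIDC discovery document, looks at the order of `token_endpoint_auth_methods_supported`, and reports whether a relying party that only supports client_secret and takes the first listed method would be able to authenticate. The discovery documents in the block are constructed samples, and the URL in `fetch_discovery` is a placeholder.

```python
"""Check whether an OIDC discovery document is usable by a client_secret-only
relying party that (as suspected for pac4j above) takes the first advertised
token-endpoint authentication method."""
import json
from urllib.request import urlopen

# Token-endpoint auth methods a client_secret-only relying party can use.
SECRET_METHODS = ("client_secret_basic", "client_secret_post")

# Constructed sample discovery documents (not captured from a real provider).
DISCOVERY_PRIVATE_KEY_FIRST = json.dumps({
    "issuer": "https://idp.example.test/realms/demo",
    "token_endpoint_auth_methods_supported": [
        "private_key_jwt", "client_secret_basic", "client_secret_post",
    ],
})
DISCOVERY_SECRET_FIRST = json.dumps({
    "issuer": "https://idp.example.test/realms/demo",
    "token_endpoint_auth_methods_supported": [
        "client_secret_basic", "client_secret_post", "private_key_jwt",
    ],
})


def check_discovery(discovery_json: str) -> dict:
    """Return which method a first-listed-wins client would pick and whether
    that works for a client_secret-only relying party."""
    doc = json.loads(discovery_json)
    # OIDC Discovery: when the field is absent the default is client_secret_basic.
    methods = doc.get("token_endpoint_auth_methods_supported") or ["client_secret_basic"]
    first = methods[0]
    return {
        "issuer": doc.get("issuer"),
        "first_method": first,
        "secret_listed": any(m in SECRET_METHODS for m in methods),
        # Compatible only if the method picked first is a client_secret method.
        "compatible": first in SECRET_METHODS,
    }


def fetch_discovery(well_known_url: str) -> str:
    """Download a discovery document, e.g. the provider's
    /.well-known/openid-configuration URL (placeholder, not a real endpoint)."""
    with urlopen(well_known_url, timeout=10) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    for sample in (DISCOVERY_PRIVATE_KEY_FIRST, DISCOVERY_SECRET_FIRST):
        print(check_discovery(sample))
```

When `secret_listed` is true but `compatible` is false, the provider does support a client secret and only the ordering of the advertised methods is the problem, which matches the workaround suggested above.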

tomjones1977 commented 2 months ago

This now works as of version 9.0.2.