nijel
commented
4 years ago Did you check Weblate logs? Maybe it's duplicate of https://github.com/WeblateOrg/weblate/issues/4473?
Closed doums closed 4 years ago
nijel
commented
4 years ago Did you check Weblate logs? Maybe it's duplicate of https://github.com/WeblateOrg/weblate/issues/4473?
nijel
commented
4 years ago Looking at it again, it might just some mess in the cookies as you run both services on localhost domain - they can steal or rewrite cookies from the other app.
github-actions[bot]
commented
4 years ago This issue looks like a support question. We try to answer these reasonably fast, but in case you are looking for faster resolution, please consider purchasing support subscription and make Weblate stronger.
doums
commented
4 years ago First what is the right value of this env variable please (for Keycloak) ?
REGISTRATION_ALLOW_BACKENDS: ???Did you check Weblate logs? Maybe it's duplicate of #4473?
There is absolutely no log emitted by the weblate container on the sign in process.
WEBLATE_SOCIAL_AUTH_KEYCLOAK_ALGORITHM: RS256 is already present in the docker-compose file.
The only log I can see is on keycloak side and happens right after clicking the "keycloak" button, while the redirection to keycloak's sign in form
WARN [org.keycloak.services] (default task-1) KC-SERVICES0091: Request is missing scope 'openid' so it's not treated as OIDC, but just pure OAuth2 request.EDIT: It seems some logs appear after long waiting time or after sign in through normal form (not keycloak), but not sure if the log are relevant to the keycloak sign in process.
HTTP/1.1" 200 2390 "http://localhost:8090/" "Mozilla/5.0 (X11; Linux x86_64; rv:81.0) Gecko/20100101 Firefox/81.0"
nginx stdout | 172.18.0.1 - - [06/Oct/2020:09:09:39 +0000] "GET /static/logo-32.png HTTP/1.1" 200 1192 "http://localhost:8090/" "Mozilla/5.0 (X11; Linux x86_64; rv:81.0) Gecko/20100101 Firefox/81.0"
uwsgi stderr | [pid: 715|app: 0|req: 1/2] 172.18.0.1 () {46 vars in 796 bytes} [Tue Oct 6 09:09:50 2020] GET /accounts/login/?next=/ => generated 13601 bytes in 622 msecs (HTTP/1.1 200) 10 headers in 469 bytes (2 switches on core 0)
nginx stdout | 172.18.0.1 - - [06/Oct/2020:09:09:51 +0000] "GET /accounts/login/?next=/ HTTP/1.1" 200 4708 "http://localhost:8090/" "Mozilla/5.0 (X11; Linux x86_64; rv:81.0) Gecko/20100101 Firefox/81.0"
nginx stdout | 172.18.0.1 - - [06/Oct/2020:09:09:51 +0000] "GET /static/weblate-180.png HTTP/1.1" 200 2390 "http://localhost:8090/" "Mozilla/5.0 (X11; Linux x86_64; rv:81.0) Gecko/20100101 Firefox/81.0"
celery-main stderr | [2020-10-06 09:09:54,465: INFO/MainProcess] Received task: weblate.utils.tasks.heartbeat[34c29165-3273-4503-8433-9fc3ac32adde]
uwsgi stderr | [pid: 714|app: 0|req: 1/3] 172.18.0.1 () {52 vars in 965 bytes} [Tue Oct 6 09:09:55 2020] POST /accounts/login/keycloak/?next=/ => generated 0 bytes in 540 msecs (HTTP/1.1 302) 11 headers in 759 bytes (1 switches on core 0)
nginx stdout | 172.18.0.1 - - [06/Oct/2020:09:09:56 +0000] "POST /accounts/login/keycloak/?next=/ HTTP/1.1" 302 0 "http://localhost:8090/" "Mozilla/5.0 (X11; Linux x86_64; rv:81.0) Gecko/20100101 Firefox/81.0"
uwsgi stderr | WARNING Handled exception: AuthFailed: Authentication failed: HTTPConnectionPool(host='localhost', port=8085): Max retries exceeded with url: /auth/realms/aos/protocol/openid-connect/token (Caused by NewConnectionError('<urllib3.connection.HTTPConnection object at 0x7fa13e2e6e80>: Failed to establish a new connection: [Errno 111] Connection refused'))
uwsgi stderr | [pid: 716|app: 0|req: 1/4] 172.18.0.1 () {46 vars in 1571 bytes} [Tue Oct 6 09:10:00 2020] GET /accounts/complete/keycloak/?redirect_state=2Ldmmz0faHokiliN9j5DMQP55UkpA8if&state=2Ldmmz0faHokiliN9j5DMQP55UkpA8if&session_state=3a7c9dbc-9345-460d-8645-74dac0b14d77&code=b4fd559c-eb81-44b6-98c6-cf77a1d12279.3a7c9dbc-9345-460d-8645-74dac0b14d77.7f638188-e4db-4ee3-af40-ca6dba80c85f => generated 0 bytes in 537 msecs (HTTP/1.1 302) 11 headers in 496 bytes (2 switches on core 0)
nginx stdout | 172.18.0.1 - - [06/Oct/2020:09:10:00 +0000] "GET /accounts/complete/keycloak/?redirect_state=2Ldmmz0faHokiliN9j5DMQP55UkpA8if&state=2Ldmmz0faHokiliN9j5DMQP55UkpA8if&session_state=3a7c9dbc-9345-460d-8645-74dac0b14d77&code=b4fd559c-eb81-44b6-98c6-cf77a1d12279.3a7c9dbc-9345-460d-8645-74dac0b14d77.7f638188-e4db-4ee3-af40-ca6dba80c85f HTTP/1.1" 302 0 "http://localhost:8085/auth/realms/aos/protocol/openid-connect/auth?client_id=aos-translate&redirect_uri=http%3A%2F%2Flocalhost%3A8090%2Faccounts%2Fcomplete%2Fkeycloak%2F%3Fredirect_state%3D2Ldmmz0faHokiliN9j5DMQP55UkpA8if&state=2Ldmmz0faHokiliN9j5DMQP55UkpA8if&response_type=code" "Mozilla/5.0 (X11; Linux x86_64; rv:81.0) Gecko/20100101 Firefox/81.0"
uwsgi stderr | [pid: 716|app: 0|req: 2/5] 172.18.0.1 () {44 vars in 745 bytes} [Tue Oct 6 09:10:00 2020] GET /accounts/login/ => generated 13745 bytes in 88 msecs (HTTP/1.1 200) 10 headers in 469 bytes (2 switches on core 0)uwsgi stderr | WARNING Handled exception: AuthFailed: Authentication failed: HTTPConnectionPool(host='localhost', port=8085): Max retries exceeded with url: /auth/realms/aos/protocol/openid-connect/token (Caused by NewConnectionError('<urllib3.connection.HTTPConnection object at 0x7fa13e2e6e80>: Failed to establish a new connection: [Errno 111] Connection refused'))
This certainly is related, Weblate cannot connect to the keycloak server. Probably the URL should not be localhost unless you are using host networking in the Docker.
doums
commented
4 years ago Keycloak run on localhost as well, and on the same network:
container_name: aos-keycloak
depends_on:
- mysql
environment:
DB_USER: xxxxxxx
DB_PASSWORD: xxxxxx
DB_VENDOR: mysql
KEYCLOAK_USER: xxxxxx
KEYCLOAK_PASSWORD: xxxxxx
KEYCLOAK_IMPORT: /tmp/my_realm.json
image: jboss/keycloak:10.0.1
networks:
- web
ports:
- 8085:8080
# - 8085:8443
volumes:
- ./apps/aos-server-account/export:/tmp
- ./apps/aos-server-account/themes/aos:/opt/jboss/keycloak/themes/aos
- ./apps/aos-server-account/themes/base:/opt/jboss/keycloak/themes/base
- ./apps/aos-server-account/deployments/recaptcha-login.jar:/opt/jboss/keycloak/standalone/deployments/recaptcha-login.jarBut it's not localhost for Weblate. Please read on how Docker networking works, for example on https://docs.docker.com/network/network-tutorial-standalone/
doums
commented
4 years ago Ok thank you.
github-actions[bot]
commented
4 years ago The issue you have reported seems to be resolved now.
TafkaMax
commented
2 years ago Hey
I am also experiecing issues with keycloak installation, did you use this in the end? :
REGISTRATION_ALLOW_BACKENDS: keycloak-oauth2 #not sure of the value hereHave you tried to use OIDC plugin instead of the oauth2 one?
syed-saad-zahidi
commented
6 months ago I am facing same issue my keycloak version 23,0.6
wanseos
commented
1 week ago I am facing same issue my keycloak version 23,0.6
Quick solution:
Someone already answered in this thread, but this problem is likely to be related to your docker network setting. When you access keycloak endpoints from another container, the url should be http://{your keycloak container name}:{keycloak port} rather than http://{your keycloak host}:port:realms/....
Another thing I noticed in your screen capture is that you are using master realm which is intended to administer other realms. So you might want to add another realm and use that for individual services that you run.
Describe the bug
Hi,
With my team we are trying to setup our weblate docker container to use Keycloak as authentication system. We followed the only documentation that exists on this subject -> https://docs.weblate.org/en/weblate-4.2.2/admin/install/docker.html?#keycloak
So far we have, in a local environment, weblate running and working.
Here is the
docker-compose, relevant part:For keycloak side, we followed the steps described in the comment on the source file -> https://github.com/python-social-auth/social-core/blob/master/social_core/backends/keycloak.py
On the sign in form of weblate, now we have a button "keycloak". If we click on it, we are redirected to keycloak's own sign in form:
Here if we try to connect with wrong credential, keyclaok informs us about that, and we have to retry, but if we enter good one, we are redirected back to weblate -> http://localhost:8090/accounts/login/.
And here the problem happens: An error message appears in the UI
And we are not authenticated. There is no error in keycloak logs and in weblate logs.
Due to lack of proper documentation/guide and no explicit log, we cannot figure out what the problem is.