angristan / docker-pleroma

Docker image for the Pleroma federated social network
https://git.pleroma.social/pleroma/pleroma/
MIT License

Unable to add OAUTH module to Dockerfile #31

Closed zell-mbc closed 1 year ago

zell-mbc commented 3 years ago

Hi, first of all thanks for this repository, it allowed me to get my instance up and running really quickly.

Now, I'd like to hook up Pleroma with my Keycloak instance and don't seem to be able to find a way to get the required module added to my Docker file. My first challenge is that I have no idea how this whole Erlang/Elixir stuff is supposed to work. Should a module like Ueberauth get downloaded from a central repository, do I have to download it from GitHub, etc.? So I ended up trying several ways for a couple of hours and finally thought I might ask here. Based on the recommendations here: https://docs-develop.pleroma.social/backend/configuration/cheatsheet/#authentication my current Dockerfile has got the following changes:

I added the OAUTH environment variable just in case.

ENV UID=911 GID=911 \
    OAUTH_CONSUMER_STRATEGIES=keycloak \
    MIX_ENV=prod

I am adding ueberauth_keycloak to a folder in /pleroma/deps like below; unfortunately, it doesn't make a difference if it's there or not.

RUN git clone https://github.com/Rukenshia/ueberauth_keycloak.git /pleroma/deps/ueberauth_keycloak

I modified the original RUN command like this

RUN OAUTH_CONSUMER_STRATEGIES="keycloak" mix local.rebar --force \
    && mix local.hex --force \
    && mix deps.get \
    && mix compile

The error is always…

Failed to fetch record for 'hexpm/ueberauth_keycloak' from registry (using cache instead)
This could be because the package does not exist, it was spelled incorrectly or you don't have permissions to it
** (Mix) No package with name ueberauth_keycloak (from: mix.exs) in registry

Does anyone have an idea how I can add ueberauth_keycloak (any OAuth plugin) to the registry?

mjohnson9 commented 1 year ago

Hi! I figured this out. You have to set OAUTH_CONSUMER_STRATEGIES="keycloak:ueberauth_keycloak_strategy". However, I can't seem to get Pleroma to use different scopes when making requests to Keycloak.
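Added example, not code from the docker-pleroma project or from either commenter: a small POSIX shell preflight that resolves an OAUTH_CONSUMER_STRATEGIES value into the hex package names the build will try to fetch, so a malformed entry is rejected before a long image build. It assumes the entry format visible in this thread: a bare strategy name is looked up as ueberauth_<strategy> (which matches the "No package with name ueberauth_keycloak" error above), and strategy:package names the hex package explicitly.

```shell
#!/bin/sh
# Preflight for OAUTH_CONSUMER_STRATEGIES (added example, not project code).
# Assumption: entries are space separated; "strategy" resolves to
# "ueberauth_<strategy>", "strategy:package" resolves to "package".

# Print the hex package one entry resolves to; fail on a malformed entry.
resolve_entry() {
    entry=$1
    case "$entry" in
        ""|:*|*:|*:*:*|*[!A-Za-z0-9_:]*)
            echo "invalid OAUTH_CONSUMER_STRATEGIES entry: '$entry'" >&2
            return 1 ;;
        *:*)
            echo "${entry#*:}" ;;      # explicit package name after the colon
        *)
            echo "ueberauth_${entry}" ;;  # bare strategy: derived package name
    esac
}

# Resolve a whole OAUTH_CONSUMER_STRATEGIES string, one package per line.
# Returns non-zero (and prints nothing further) on the first bad entry.
oauth_packages() {
    for entry in $1; do
        resolve_entry "$entry" || return 1
    done
}

# Usage: oauth_packages "$OAUTH_CONSUMER_STRATEGIES" before docker build.
# With "keycloak:ueberauth_keycloak_strategy" it prints
# ueberauth_keycloak_strategy; with the bare "keycloak" from the first
# comment it prints ueberauth_keycloak, the name mix failed to find.
```

Run it with the exact value you put in the ENV line; if the printed names are not packages published on hex.pm (or vendored into deps/), `mix deps.get` in the image build will fail the same way as in the first comment.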

zell-mbc commented 1 year ago

I changed that right away, no effect. What do you use as the URL to get to the Keycloak login screen? yourdomain.tld/oauth/keycloak?

And what do your settings on the Keycloak side look like? Valid redirect URI = yourdomain.tld/oauth/keycloak/callback. Anything else you set?

mjohnson9 commented 1 year ago

I ended up giving up and switching to full Mastodon.

Once I got past these hurdles, I ended up finding out that Pleroma passes the scopes requested by the end-user application to Keycloak. This meant that I would have had to define all of the Mastodon scopes within Keycloak, which I wasn't willing to do. Also, it meant that Pleroma didn't request the openid scope, so its requests for user information failed with an HTTP 403.

https://[domain]/oauth/keycloak got me to the Keycloak login, yes. For redirect, I couldn't get it to work unless I set https://[domain]/*

zell-mbc commented 1 year ago

Thanks for getting back, this has been extremely frustrating for me as well. Seeing that you got further than I ever did and still decided to abandon Pleroma tells me I should not waste any more time with this.