bleumink / streamlit-keycloak

User authentication and single sign-on in your Streamlit app using Keycloak
MIT License

Local development using remote Keycloak server in Firefox #10

Open bleumink opened 1 year ago

bleumink commented 1 year ago

When developing locally, but using a remote Keycloak server, authentication does not seem to work. This is not an issue when running Keycloak on the same domain, or when both are deployed remotely. Authentication also works as expected using Chrome or Edge.

Currently investigating; this is probably caused by Firefox-specific cookie blocking.

CHerSun commented 1 year ago

I'm trying to use a remote Keycloak as well, and cannot get any response; it just looks like it times out.

Maybe the same issue as you've described, or a misconfiguration on the Keycloak side. Could you clarify what the requirements on the Keycloak side are for the client?

Also, if I can help in any way with troubleshooting, I'd be glad to help. Maybe fetching some kind of logs?

bleumink commented 1 year ago

For a basic configuration, you need to set the following on the client:

Let me know if this helps, otherwise we'll have to dig a little deeper.

CHerSun commented 1 year ago

Thank you for fast response!

It took me some time to set this up. I'd suggest adding this to the readme, if possible.

I had to disable Client authentication for the Keycloak client (which makes that client public). But it still reported a login error on the Keycloak side with only the redirect URI logged as extra info, showing nothing at all in the Streamlit and app logs. So I've added the redirect URI to the Valid redirect URIs list of the client (http://localhost:8501/* in my case; local dev too, with remote Keycloak).

Now it shows up in all browsers I've tested (Firefox, Edge, Chrome) via popup (I still need some time to work out iframe permissions from the Keycloak & proxy side; I'd appreciate any pointers on this).

Update: it looks like an iframe is no longer a viable option due to security concerns and browser settings.
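The client settings the comment above arrives at (public client, a Valid redirect URI for http://localhost:8501/*, a matching web origin) as a small added example, not code from streamlit-keycloak or from this thread. The `ClientConfig` dataclass, the `streamlit-app` client id and the redirect-URI matching rule (exact match, or a pattern ending in `*` matched as a prefix) are my own simplified model of Keycloak's behaviour, not the project's API.

```python
# Added example: a minimal model of the Keycloak client settings discussed in
# the thread, plus a prefix-match check for Valid redirect URIs and a small
# lint for settings that make a public client riskier than it needs to be.
# The matching rule is an assumption modelled on Keycloak, not its real code.
from dataclasses import dataclass, field
from typing import List

@dataclass
class ClientConfig:
    client_id: str
    public_client: bool = False          # "Client authentication" off => public client
    standard_flow_enabled: bool = True   # Authorization Code flow, as keycloak-js uses
    redirect_uris: List[str] = field(default_factory=list)
    web_origins: List[str] = field(default_factory=list)

def local_dev_client(client_id: str = "streamlit-app") -> ClientConfig:
    """Settings for a local Streamlit app (port 8501) against a remote Keycloak.
    The client_id is a placeholder, not a value from the thread."""
    return ClientConfig(
        client_id=client_id,
        public_client=True,
        redirect_uris=["http://localhost:8501/*"],
        web_origins=["http://localhost:8501"],
    )

def redirect_uri_allowed(cfg: ClientConfig, uri: str) -> bool:
    """Accept an exact match, or a prefix match for patterns ending in '*'.
    Scheme and port are part of the prefix, so https:// or :8502 do not match."""
    for pattern in cfg.redirect_uris:
        if pattern.endswith("*"):
            if uri.startswith(pattern[:-1]):
                return True
        elif uri == pattern:
            return True
    return False

def config_warnings(cfg: ClientConfig) -> List[str]:
    """Flag the settings that most often get loosened to 'make it work'."""
    warnings = []
    if "*" in cfg.redirect_uris:
        warnings.append("redirect URI '*' lets any site receive the authorization code")
    if "*" in cfg.web_origins:
        warnings.append("web origin '*' allows CORS requests from any origin")
    if cfg.public_client and not cfg.redirect_uris:
        warnings.append("public client with no redirect URI: every login will be rejected")
    return warnings
```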

bleumink commented 1 year ago

Awesome that you got it working! I've added some instructions to the readme as well, nothing complicated, but enough to get people started. What issues are you running into with the iframe? From the Keycloak side, requests from the web origins set at the client should be fine.

CHerSun commented 1 year ago

No issues really. I just don't like a popup; I'd prefer it embedded in the Streamlit page, but that doesn't look feasible from what I've read. Correct me if I'm wrong.

Anyway, it is working, and that's awesome. Thank you again!

CHerSun commented 1 year ago

Now it shows up in all browsers I've tested (Firefox, Edge, Chrome) via popup...

Hmm, this is wrong. I was satisfied to get the popup working in all browsers, but didn't try to actually log in in all browsers.

After login, Firefox shows only an empty Streamlit page. Chrome properly shows the logged-in user info.

CHerSun commented 1 year ago

Sorry for the spam. I was looking up what's wrong with Firefox specifically. Found this IBM article: https://www.ibm.com/support/pages/single-sign-sso-logout-fails-firefox-browser

I had strict privacy settings, so I followed the article and set custom privacy settings with a lighter cookie-blocking level. After that I was able to get a reply from Keycloak (user info) using Firefox too.

Update: it looks like it's enough to just add cookie exceptions (permit) without changing the general privacy settings. I've added localhost and the Keycloak address to the exceptions. Ideally someone else needs to check this, as I already had a logged-in session when testing this.

bleumink commented 1 year ago

No worries, sorry for the late reply. Great that you figured out what the issue was with Firefox. This shouldn't be an issue when both Keycloak and the Streamlit app are running on the same domain though. Have you found this to be the case? I will do some more testing with cloud deployments as well.

CHerSun commented 1 year ago

Once properly deployed and secured with HTTPS, everything works fine immediately with no extra browser configuration. We've deployed a micro booking app (parking) thanks to your component.

Not sure if this is the proper place, but I have one question: it looks like the idle session expires in ~1 hour whatever settings I set in Keycloak. I'm not sure where to dig next; it's quite bothersome to authenticate all the time from mobile. Could you advise on this?

bleumink commented 1 year ago

I have no experience with Keycloak on mobile unfortunately. It sounds like an issue with setting cookies, so that when the refresh token expires, the user can't reauthenticate using a Keycloak cookie and must sign in again to get a new token. Is this still an issue for you?

Great to hear that you deployed an app using this component!

CHerSun commented 1 year ago

Could you maybe add some logging from the JS component back to Python? To get a grasp of what's happening inside.

bleumink commented 1 year ago

That's something I've looked at earlier. I found the keycloak-js library that handles the actual Keycloak stuff on the JS side to be very unhelpful, and had a hard time distinguishing errors caused by a wrong password from issues with the configuration, for example. The limited feedback you get is a result of that. I've found the console to be more helpful during debugging. I might revisit this though; I agree more feedback on the Python side would be nice, perhaps through an optional error field in the dataclass.