hcengineering / huly-selfhost

Huly for Self Hosting
Eclipse Public License 2.0

IdP Authentication with KeyCloak not working #94

Open huntx opened 3 weeks ago

huntx commented 3 weeks ago

Hi all,

I am trying to configure OpenID authentication via Keycloak but I am seeing the following error.

Any idea which side the problem resides on?

My compose.yml included the following lines for account service.

      - OPENID_CLIENT_ID=huly.domain.com
      - OPENID_CLIENT_SECRET=<random string>
      - OPENID_ISSUER=https://keycloak/kc/realms/master

When I click on "Continue with OpenID" at the login page:

huly-selfhost-account-1       | {"level":"info","message":"try auth via","provider":"openid","timestamp":"2024-11-05T15:53:03.591Z"}
huly-selfhost-account-1       | 
huly-selfhost-account-1       | 
huly-selfhost-account-1       |   Error: Unknown authentication strategy "oidc"
huly-selfhost-account-1       |       at attempt (/usr/src/app/bundle.js:188174:27)
huly-selfhost-account-1       |       at authenticate (/usr/src/app/bundle.js:188266:23)
huly-selfhost-account-1       |       at /usr/src/app/bundle.js:188921:11
huly-selfhost-account-1       |       at new Promise (<anonymous>)
huly-selfhost-account-1       |       at /usr/src/app/bundle.js:188920:16
huly-selfhost-account-1       |       at /usr/src/app/bundle.js:188895:11
huly-selfhost-account-1       |       at new Promise (<anonymous>)
huly-selfhost-account-1       |       at passportAuthenticate (/usr/src/app/bundle.js:188866:19)
huly-selfhost-account-1       |       at /usr/src/app/bundle.js:201983:11
huly-selfhost-account-1       |       at dispatch (/usr/src/app/bundle.js:212744:36)
huly-selfhost-account-1       | 
huly-selfhost-account-1       | 
lexiv0re commented 3 weeks ago

Hello @huntx, what version of the containers are you running on?

huntx commented 3 weeks ago

Hi @lexiv0re, I am currently running on v0.6333.

    sudo docker image ls
    REPOSITORY                   TAG        IMAGE ID       CREATED        SIZE
    minio/minio                  latest     802bb0d1848f   6 days ago     165MB
    mongo                        7-jammy    e0d7f1b1df90   11 days ago    782MB
    hardcoreeng/account          v0.6.333   bf9eff8dccd7   2 weeks ago    1.13GB
    hardcoreeng/front            v0.6.333   b0bf61db06a4   2 weeks ago    1.26GB
    hardcoreeng/collaborator     v0.6.333   65de66a06e23   2 weeks ago    1.15GB
    hardcoreeng/transactor       v0.6.333   863e7a485413   2 weeks ago    1.16GB
    hardcoreeng/workspace        v0.6.333   73670051efcb   2 weeks ago    1.15GB
    hardcoreeng/rekoni-service   v0.6.333   c6f6ecb20dd3   2 weeks ago    1.23GB
    elasticsearch                7.14.2     2abd5342ace0   3 years ago    1.04GB

lexiv0re commented 3 weeks ago

@huntx do you have any additional logs before the ones you posted? You'd be looking for these entries: Discovered issuer, Created OIDC client, Registered OIDC strategy or Failed to create OIDC client...

zaroot commented 3 weeks ago

I'm running v0.6.333 and this is how I have mine setup and it works:

   - OPENID_CLIENT_ID=${AUTH_CLIENT_ID}
   - OPENID_CLIENT_SECRET=${AUTH_CLIENT_SECRET}
   - OPENID_ISSUER=${AUTH_URL}/realms/${AUTH_REALM}

AUTH_CLIENT_ID should be the "Client ID" you've set up in KeyCloak, in my case "huly-client".

AUTH_CLIENT_SECRET you get from KeyCloak after you created your "Client ID".

I have a custom AUTH_URL and a custom AUTH_REALM, but in your case it should work with OPENID_ISSUER=https://keycloak/realms/master if you are using the "master" realm.

Note that you also have to set up the access URLs in KeyCloak > Clients, i.e. Root URL, Home URL and Valid redirect URIs. In my case the Valid redirect URIs is different since the account service is running on a subdomain (not using the default nginx config provided by huly).

Hope this helps
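
An added example, not part of any comment in this thread and not Huly's own code: a Node.js check that the OpenID Connect discovery document served under an `OPENID_ISSUER` value advertises exactly that issuer and HTTPS endpoints, as OpenID Connect Discovery requires. The function names and both sample documents are constructed for illustration; `checkLive` assumes Node 18+ for the global `fetch`.

```javascript
// Added example: validate an OIDC discovery document against the configured issuer.
// Keycloak serves the document at <issuer>/.well-known/openid-configuration.

function discoveryUrl(issuer) {
  // Strip trailing slashes so the well-known path is appended exactly once.
  return issuer.replace(/\/+$/, "") + "/.well-known/openid-configuration";
}

function checkDiscovery(configuredIssuer, doc) {
  if (typeof doc !== "object" || doc === null) {
    return ["discovery response is not a JSON object"];
  }
  const problems = [];
  // The advertised issuer must equal the configured one character for character;
  // a path prefix or trailing slash added by a reverse proxy breaks the match.
  if (doc.issuer !== configuredIssuer) {
    problems.push(`issuer mismatch: configured "${configuredIssuer}", advertised "${doc.issuer}"`);
  }
  for (const key of ["authorization_endpoint", "token_endpoint", "jwks_uri"]) {
    if (typeof doc[key] !== "string" || !doc[key].startsWith("https://")) {
      problems.push(`missing or non-HTTPS ${key}`);
    }
  }
  return problems;
}

// Live variant: run from a host or container that can reach the IdP.
async function checkLive(configuredIssuer) {
  const res = await fetch(discoveryUrl(configuredIssuer));
  if (!res.ok) return [`discovery request failed: HTTP ${res.status}`];
  return checkDiscovery(configuredIssuer, await res.json());
}

// Constructed sample: a realm that advertises itself without a path prefix.
const base = "https://keycloak/realms/master";
const sampleDoc = {
  issuer: base,
  authorization_endpoint: base + "/protocol/openid-connect/auth",
  token_endpoint: base + "/protocol/openid-connect/token",
  jwks_uri: base + "/protocol/openid-connect/certs",
};

// Matching issuer: no problems reported.
console.log(checkDiscovery("https://keycloak/realms/master", sampleDoc));
// Same document reached under a /kc prefix it does not advertise: issuer mismatch.
console.log(checkDiscovery("https://keycloak/kc/realms/master", sampleDoc));
```

To test a real deployment, call `checkLive(process.env.OPENID_ISSUER)` with the same value the account service receives and print the returned list.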

huntx commented 2 weeks ago

I believe I have configured them correctly but the problem still persists.

I suspect it could be due to my KeyCloak version.