mealie-recipes / mealie

Mealie is a self-hosted recipe manager and meal planner with a REST API backend and a reactive frontend application built in Vue for a pleasant user experience for the whole family. Easily add recipes into your database by providing the URL and Mealie will automatically import the relevant data, or add a family recipe with the UI editor.
https://docs.mealie.io
GNU Affero General Public License v3.0

[BUG] - Ignoring OIDC_CONFIGURATION_URL variable #3853

Closed stp14 closed 9 hours ago

stp14 commented 1 week ago


What is the issue you are experiencing?

I am not able to get OIDC working in Mealie with Keycloak, using a realm named anything other than mealie-realm. I have other applications successfully authenticating with Keycloak, so I feel pretty good about that side. But no matter what other config settings I give to Mealie, I get a 404 when I click the button to login with Keycloak.

I used the client scope and client yaml, and the server env vars, from guillomep in the Github guide - other than I changed the realm name to match what's in my Keycloak.

Looking at Firefox logs, I see:

    Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://keycloak.<my domain>/realms/mealie-realm/.well-known/openid-configuration. (Reason: CORS header 'Access-Control-Allow-Origin' missing). Status code: 404.

even when my OIDC_CONFIGURATION_URL environment variable is set to "https://keycloak.<my domain>/realms/<my realm>/.well-known/openid-configuration".

If I temporarily change my Keycloak realm to be called mealie-realm, clicking the OIDC button on Mealie brings up the Keycloak login - so it seems like it's picking up the domain but not the path for the OIDC_CONFIGURATION_URL or... something?

Steps to Reproduce

1.) Deploy and validate Keycloak for OIDC authentication

2.) Deploy Mealie - I am using Ansible to deploy the Docker container, and setting the environment variables in the Ansible block:

    PUID: '1000'
    PGID: '1000'
    TZ: 'UTC'
    LOG_LEVEL: "debug"
    # Default Recipe Settings
    RECIPE_PUBLIC: 'true'
    RECIPE_SHOW_NUTRITION: 'true'
    RECIPE_SHOW_ASSETS: 'true'
    RECIPE_LANDSCAPE_VIEW: 'true'
    RECIPE_DISABLE_COMMENTS: 'false'
    RECIPE_DISABLE_AMOUNT: 'false'
    LDAP_AUTH_ENABLED: 'false'
    # Keycloak settings
    BASE_URL: "https://mealie.{{ int_domain }}"
    OIDC_CONFIGURATION_URL: "https://keycloak.{{ int_domain }}/realms/{{ kc_realm }}/.well-known/openid-configuration"
    OIDC_PROVIDER_NAME: "Keycloak"
    OIDC_AUTH_ENABLED: 'true'
    OIDC_SIGNUP_ENABLED: 'true'
    OIDC_CLIENT_ID: 'mealie'
    OIDC_USER_GROUP: '/mealie'
    # OIDC_ADMIN_GROUP appeared twice in the original block with the same value;
    # a duplicate mapping key is invalid YAML, so it is listed once here.
    OIDC_ADMIN_GROUP: '/home'
    OIDC_SIGNING_ALGORITHM: 'RS256'

3.) Attempt to log in with Keycloak and observe

Please provide relevant logs

    INFO 2024-07-05T13:13:51 - [172.21.0.9:41594] 200 OK "GET /null?protocol=oauth2&response_type=code&access_type&client_id=mealie&redirect_uri=https%3A%2F%2Fmealie.%2Flogin&scope=openid%20profile%20email%20groups&state=&code_challenge_method=S256&code_challenge= HTTP/1.1"
    INFO 2024-07-05T13:13:52 - [172.21.0.9:41608] 304 Not Modified "GET /sw.js HTTP/1.1"

No associated logs in Keycloak

Mealie Version

Nightly Build ab8c3be3677a7812d1dd7877103537afc7e38130

Deployment

Docker (Linux)

Additional Deployment Details

No response

Haennetz commented 6 days ago

I experienced the same issue. Can you post the output from <your mealie url>/api/app/about/oidc? On my instance it shows an old value I set earlier.

cmintey commented 5 days ago

The previous commenter is on the right track. The browser will cache the response from <your mealie url>/api/app/about/oidc, which provides the OIDC configuration URL to the frontend. If you change the configuration URL and restart your server, you will need to wait for the cache to expire or clear the browser cache for Mealie.

stp14 commented 4 days ago

Yep, that appears to be it.

https://mealie.<my domain>/api/app/about/oidc returns: "https://keycloak.<my domain>/realms/mealie-realm/.well-known/openid-configuration"

When I open it in a different browser or an incognito window, it returns the realm value I was expecting. In my case, like @Haennetz, mealie-realm was an old value I'd set earlier.
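A way to check the two things this thread turned on, offered as an added example rather than Mealie's own code or anything posted in the issue: first, whether the URL Mealie serves at /api/app/about/oidc matches OIDC_CONFIGURATION_URL when fetched outside the browser, so that no browser cache is involved; second, whether the discovery document at that URL is usable with the settings shown in the issue (RS256 ID-token signing, and PKCE with S256 as the server log shows the frontend sending). The hostnames, the sample discovery document and the script name oidc_check.py are constructed placeholders, and the script assumes, as the thread shows, that /api/app/about/oidc returns the URL as a bare JSON string.

```python
"""Check Mealie's served OIDC configuration URL and the discovery document behind it.

Added diagnostic, not code from the Mealie project or from this issue thread.
Run from a shell rather than a browser, so the /api/app/about/oidc response
cannot come from a browser cache. Hostnames below are constructed placeholders.
"""
import json
import sys
import urllib.request
from urllib.error import HTTPError, URLError

WELL_KNOWN = "/.well-known/openid-configuration"

# Constructed placeholder for OIDC_CONFIGURATION_URL (assumed realm name "home").
CONFIGURED_URL = "https://keycloak.example.test/realms/home" + WELL_KNOWN

# Constructed sample shaped like a trimmed Keycloak discovery document.
SAMPLE_DISCOVERY = {
    "issuer": "https://keycloak.example.test/realms/home",
    "authorization_endpoint": "https://keycloak.example.test/realms/home/protocol/openid-connect/auth",
    "token_endpoint": "https://keycloak.example.test/realms/home/protocol/openid-connect/token",
    "jwks_uri": "https://keycloak.example.test/realms/home/protocol/openid-connect/certs",
    "id_token_signing_alg_values_supported": ["RS256", "ES256"],
    "code_challenge_methods_supported": ["plain", "S256"],
}


def issuer_from_config_url(config_url: str) -> str:
    """The issuer is the discovery URL minus the well-known suffix (OIDC Discovery 4.1)."""
    if not config_url.endswith(WELL_KNOWN):
        raise ValueError(f"not a discovery URL: {config_url}")
    return config_url[: -len(WELL_KNOWN)]


def check_served_url(served, configured: str) -> list:
    """Compare what Mealie serves at /api/app/about/oidc with OIDC_CONFIGURATION_URL."""
    findings = []
    if served in (None, "", "null"):
        findings.append("no configuration URL served; the frontend would then "
                        "request /null?protocol=oauth2... as in the issue log")
    elif served != configured:
        findings.append(f"served {served!r} differs from configured {configured!r}; "
                        "if the server's env var is right, a client showing the "
                        "old value is replaying a cached response")
    return findings


def check_discovery(doc: dict, config_url: str, signing_alg: str = "RS256") -> list:
    """Validate a discovery document against the settings used in the issue."""
    findings = []
    expected_issuer = issuer_from_config_url(config_url)
    if doc.get("issuer") != expected_issuer:
        findings.append(f"issuer {doc.get('issuer')!r} != expected {expected_issuer!r}")
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        if not doc.get(key):
            findings.append(f"discovery document lacks {key}")
    if signing_alg not in doc.get("id_token_signing_alg_values_supported", []):
        findings.append(f"{signing_alg} (OIDC_SIGNING_ALGORITHM) not advertised for ID tokens")
    if "S256" not in doc.get("code_challenge_methods_supported", []):
        findings.append("PKCE method S256, which the frontend sends, not advertised")
    return findings


def fetch_json(url: str, timeout: float = 10.0):
    """GET a URL and decode JSON; a bare JSON string comes back as a Python str."""
    req = urllib.request.Request(url, headers={"Accept": "application/json",
                                               "Cache-Control": "no-cache"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.loads(resp.read().decode("utf-8"))


def run(mealie_base: str, configured: str) -> int:
    findings = []
    about = mealie_base.rstrip("/") + "/api/app/about/oidc"
    try:
        served = fetch_json(about)
    except (HTTPError, URLError, ValueError) as exc:
        print(f"cannot read {about}: {exc}")
        return 2
    findings += check_served_url(served, configured)
    try:
        doc = fetch_json(configured)
    except HTTPError as exc:
        # A 404 here (for example a realm that does not exist) is what the browser
        # in the thread reported as CORS: the 404 carried no Access-Control-Allow-Origin.
        findings.append(f"GET {configured} -> HTTP {exc.code}")
        doc = None
    except (URLError, ValueError) as exc:
        findings.append(f"GET {configured} failed: {exc}")
        doc = None
    if isinstance(doc, dict):
        findings += check_discovery(doc, configured)
    for finding in findings:
        print("FINDING:", finding)
    print("OK" if not findings else f"{len(findings)} finding(s)")
    return 1 if findings else 0


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: oidc_check.py <mealie base url> <OIDC_CONFIGURATION_URL>")
    sys.exit(run(sys.argv[1], sys.argv[2]))
```

Run it from the host as `python oidc_check.py https://mealie.<my domain> "$OIDC_CONFIGURATION_URL"`. If it reports no findings but the browser still builds a `/null?...` or wrong-realm login URL, the browser is the stale party, and clearing its cache or using a private window, as the thread did, is the fix. A 404 on the discovery fetch is reported here by status code; in the browser the same 404 surfaces as the CORS message quoted earlier, because that error response carried no Access-Control-Allow-Origin header.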

boc-the-git commented 9 hours ago

This seems like it's not an issue, based on the comments. Let us know if wrong.