ncarlier / readflow

readflow is a news-reading (or read-it-later) solution focused on versatility and simplicity.
https://about.readflow.app
GNU Affero General Public License v3.0
414 stars 33 forks

[OIDC] 404 for the /login page #75

Closed eHonnef closed 8 months ago

eHonnef commented 9 months ago

Hello,

I'm using the docker-compose file.

I set up the OIDC for readflow, but when I try to access the public (even the local) address, it redirects to the /login page, which returns a 404.

I checked my NGINX config, but it seems to be redirecting properly because I set the authentication method as "mock" and I could access it.

Also, I can see the 404 error inside the container:

2:15PM INF GET /login duration=0 remote-addr=<REDACTED> req-id=<REDACTED_?> size=19 status=404 user-agent="Mozilla/5.0 (X11; Linux x86_64; rv:122.0) Gecko/20100101 Firefox/122.0"

By the logs, it seems that the OIDC was properly identified:

2:14PM INF using authentication issuer=https://<KEYCLOAK_REALM> method=oidc

And well, it doesn't even try to redirect to keycloak.

Thanks so far :)

ncarlier commented 8 months ago

Last commit should fix this. Thanks for the report.

eHonnef commented 8 months ago

Hello, I'm not sure if the fix worked :(

I tried recently, even generated a new docker image from master. I observed 2 behaviors:

  1. You are already logged in with your OIDC provider, then you navigate to your readflow instance, and I receive the following error (or after a couple of F5):

[image: screenshot of the error]

I double-checked my configuration files, but it looks like there are two different OIDC possible configurations in this file:

one under [authn] and one under [ui] and the one under [ui] doesn't have the possibility to add the client_secret.

On my keycloak, it looks like it doesn't give the client key:

2024-03-16 12:00:47,603 WARN  [org.keycloak.events] (executor-thread-149) type="CODE_TO_TOKEN_ERROR", realmId="redacted", clientId="redacted", userId="null", ipAddress="redacted", error="invalid_client_credentials", grant_type="authorization_code"

Also, if I try to change the OIDC client to one that doesn't require the client_secret, it also doesn't work.

  2. If I freshly log in, I still get a 404:

11:58AM INF GET /login duration=0 remote-addr=redacted req-id=redacted size=19 status=404 user-agent="Mozilla/5.0 (X11; Linux x86_64; rv:123.0) Gecko/20100101 Firefox/123.0"

ncarlier commented 8 months ago

You have 2 OIDC configurations:

I'm wondering if the /login redirection is properly handled by the WebApp... because if the WebApp is not yet installed (by the service worker) the redirection will be sent to the server side and fail with this 404. I have to test this.

ncarlier commented 8 months ago

The last commit serves the UI as a SPA (Single Page Application) and should properly handle the /login redirection.
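The fix described in the thread is a server-side SPA fallback: a client-side route such as /login has no file behind it, so a plain static file server answers 404 until the browser app (or its service worker) is loaded and can resolve the route itself. The Go handler below is an added illustration of that pattern and is not readflow's own code; the `webApp` bundle (an `index.html` and `app.js`) is constructed in memory, and the `/api/` prefix is an assumed name for the JSON API, which must be excluded from the fallback so that real API misses still return 404 instead of an HTML page.

```go
package main

import (
	"fmt"
	"io/fs"
	"net/http"
	"net/http/httptest"
	"path"
	"strings"
	"testing/fstest"
)

// webApp is a constructed stand-in for the built single-page app bundle.
var webApp = fstest.MapFS{
	"index.html": &fstest.MapFile{Data: []byte("<!doctype html><div id=\"app\"></div>")},
	"app.js":     &fstest.MapFile{Data: []byte("console.log('app')")},
}

// NewSPAHandler serves real files from assets and falls back to index.html
// for every other path (e.g. /login), so the browser app resolves the route.
// Paths under apiPrefix are never masked by the fallback: an unknown API
// route keeps its 404 rather than receiving HTML where a client expects JSON.
func NewSPAHandler(assets fs.FS, apiPrefix string) http.Handler {
	fileServer := http.FileServer(http.FS(assets))
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if strings.HasPrefix(r.URL.Path, apiPrefix) {
			http.NotFound(w, r)
			return
		}
		// Clean the path first so "/../x" cannot escape the asset root.
		name := strings.TrimPrefix(path.Clean(r.URL.Path), "/")
		if name != "" && name != "index.html" && existsAsFile(assets, name) {
			fileServer.ServeHTTP(w, r) // a genuine asset such as /app.js
			return
		}
		serveIndex(w, assets) // client-side route: hand over to the SPA
	})
}

// existsAsFile reports whether name is a regular file inside fsys.
func existsAsFile(fsys fs.FS, name string) bool {
	info, err := fs.Stat(fsys, name)
	return err == nil && !info.IsDir()
}

// serveIndex writes index.html with status 200 and no caching, so a stale
// shell is never pinned for a route the app has since changed.
func serveIndex(w http.ResponseWriter, fsys fs.FS) {
	data, err := fs.ReadFile(fsys, "index.html")
	if err != nil {
		http.Error(w, "index.html missing from bundle", http.StatusInternalServerError)
		return
	}
	w.Header().Set("Content-Type", "text/html; charset=utf-8")
	w.Header().Set("Cache-Control", "no-store")
	w.WriteHeader(http.StatusOK)
	w.Write(data)
}

// Probe issues an in-process GET against h and returns status and body.
func Probe(h http.Handler, p string) (int, string) {
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, httptest.NewRequest(http.MethodGet, p, nil))
	return rec.Code, rec.Body.String()
}

func main() {
	h := NewSPAHandler(webApp, "/api/")
	for _, p := range []string{"/", "/login", "/app.js", "/api/nope"} {
		status, body := Probe(h, p)
		fmt.Printf("GET %-10s -> %d (%d bytes)\n", p, status, len(body))
	}
}
```

With this handler, GET /login returns the app shell with 200 while GET /api/nope stays a 404; the `Cache-Control: no-store` on the fallback also keeps an OIDC redirect target from being served from a stale cached shell.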