pgadmin-org / pgadmin4

pgAdmin is the most popular and feature rich Open Source administration and development platform for PostgreSQL, the most advanced Open Source database in the world.
https://www.pgadmin.org

client_id not being sent when authenticating with OAuth2 #7083

Closed wug-ge closed 7 months ago

wug-ge commented 9 months ago

Describe the bug

Hi, I'm trying to implement OAuth2 with Keycloak. However, the client_id set in my config.py is not being sent to Keycloak's Auth Endpoint.

This causes Keycloak to return an HTML error (instead of JSON), causing pgAdmin to run into the following error: {"success":0,"errormsg":"Expecting value: line 1 column 1 (char 0)","info":"","result":null,"data":null}

In Keycloak I'm getting the following error: Parameter 'client_id' not present or present multiple times in the HTTP request parameters LOGIN_ERROR: realmId=[redacted], clientId=null, userId=null, ipAddress=[redacted], error=invalid_request

I tried debugging the issue and found that the following x-www-urlencoded body is being sent to Keycloak's Auth Endpoint: 'grant_type=authorization_code&redirect_uri=https://[redacted]%2Foauth2%2Fauthorize&code=[redacted]

I guess there should be a client_id in it?

To Reproduce

Steps to reproduce the behavior:

I've followed this tutorial and it causes the issue with the newest version of PgAdmin and Keycloak: https://www.olavgg.com/show/how-to-configure-pgadmin-4-with-oauth2-and-keycloak

Expected behavior

Do the OAuth login without an error, or provide more details about what went wrong, not a "JSONDecodeError".

Error message

2023-12-24 13:19:42,209: ERROR pgadmin: Expecting value: line 1 column 1 (char 0)
Traceback (most recent call last):
  File "/venv/lib/python3.11/site-packages/requests/models.py", line 972, in json
    return complexjson.loads(self.text, **kwargs)
  File "/usr/lib/python3.11/json/__init__.py", line 346, in loads
    return _default_decoder.decode(s)
  File "/usr/lib/python3.11/json/decoder.py", line 337, in decode
    obj, end = self.raw_decode(s, idx=_w(s, 0).end())
  File "/usr/lib/python3.11/json/decoder.py", line 355, in raw_decode
    raise JSONDecodeError("Expecting value", s, err.value) from None
json.decoder.JSONDecodeError: Expecting value: line 1 column 1 (char 0)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/venv/lib/python3.11/site-packages/flask/app.py", line 1484, in full_dispatch_request
    rv = self.dispatch_request()
  File "/venv/lib/python3.11/site-packages/flask/app.py", line 1469, in dispatch_request
    return self.ensure_sync(self.view_functions[rule.endpoint])(**view_args)
  File "/pgadmin4/pgadmin/authenticate/oauth2.py", line 56, in oauth_authorize
    status, msg = auth_obj.login()
  File "/pgadmin4/pgadmin/authenticate/__init__.py", line 301, in login
    status, msg = self.source.login(self.form)
  File "/pgadmin4/pgadmin/authenticate/oauth2.py", line 126, in login
    profile = self.get_user_profile()
  File "/pgadmin4/pgadmin/authenticate/oauth2.py", line 201, in get_user_profile
    self.oauth2_current_client].authorize_access_token()
  File "/venv/lib/python3.11/site-packages/authlib/integrations/flask_client/apps.py", line 101, in authorize_access_token
    token = self.fetch_access_token(**params, **kwargs)
  File "/venv/lib/python3.11/site-packages/authlib/integrations/base_client/sync_app.py", line 342, in fetch_access_token
    token = client.fetch_token(token_endpoint, **params)
  File "/venv/lib/python3.11/site-packages/authlib/oauth2/client.py", line 209, in fetch_token
    return self._fetch_token(
  File "/venv/lib/python3.11/site-packages/authlib/oauth2/client.py", line 369, in _fetch_token
    return self.parse_response_token(resp)
  File "/venv/lib/python3.11/site-packages/authlib/oauth2/client.py", line 340, in parse_response_token
    token = resp.json()
  File "/venv/lib/python3.11/site-packages/requests/models.py", line 976, in json
    raise RequestsJSONDecodeError(e.msg, e.doc, e.pos)
requests.exceptions.JSONDecodeError: Expecting value: line 1 column 1 (char 0)

I'm running PgAdmin inside Docker.

jmbarreiro1 commented 8 months ago

Hello,

I have a similar problem, with OKTA it works fine but with Keycloak, I can't configure PGAdmin correctly.

I'm running PgAdmin in Openshift.

In our case the client id exists.


Regards

yogeshmahajan-1903 commented 8 months ago

@wug-ge Can you please share your config.py settings? Also, which pgAdmin 4 version is it?

jmbarreiro1 commented 8 months ago

Hi,

First of all, happy new year! In my case, I have this configuration

SERVER_MODE = True
AUTHENTICATION_SOURCES = ['oauth2', 'internal']
OAUTH2_AUTO_CREATE_USER = True
MASTER_PASSWORD_REQUIRED = True
DEBUG = True
OAUTH2_CONFIG = [
    {
        'OAUTH2_NAME': 'keycloak',
        'OAUTH2_DISPLAY_NAME': 'KEYCLOAK',
        'OAUTH2_CLIENT_ID': 'pgadmin',
        'OAUTH2_CLIENT_SECRET': 'xxxxx',
        'OAUTH2_TOKEN_URL': 'http://keycloak.xxxx.xxxx:8080/realms/iam/protocol/openid-connect/token',
        'OAUTH2_AUTHORIZATION_URL': 'http://keycloak.xxxx.xxx:8080/realms/iam/protocol/openid-connect/auth',
        'OAUTH2_API_BASE_URL': 'http://keycloak.xxxxx.xxxx:8080/realms/iam',
        'OAUTH2_USERINFO_ENDPOINT': 'http://keycloak.xxxx.xxxx:8080/realms/iam/protocol/openid-connect/userinfo',
        'OAUTH2_ICON': 'fa-google',
        'OAUTH2_BUTTON_COLOR': '#0000ff',
        'OAUTH2_SCOPE': 'openid email profile',
        'OAUTH2_SSL_CERT_VERIFICATION': 'False',
        'OAUTH2_ADDITIONAL_CLAIMS': {
            'groups': ["administrators"],
        }
    }
]

It is not possible to create a mapper to change preferred_username to username; I think this is my problem, but I'm not sure. I tried this configuration with the latest version.

Thanks a lot!!

yogeshmahajan-1903 commented 8 months ago

@jmbarreiro1 I am not able to reproduce the issue. I have tried with SSL and non-SSL enabled Keycloak. Can you please add the lines below in config_local.py -

import logging
FILE_LOG_LEVEL = logging.DEBUG
CONSOLE_LOG_LEVEL = logging.DEBUG

And get the pgadmin logs?

jmbarreiro1 commented 8 months ago

Hi,

We are using pgAdmin in OpenShift. I modified the configuration and all the logs are:

postfix/postlog: starting the Postfix mail system
[2024-01-02 12:48:41 +0000] [1] [INFO] Starting gunicorn 20.1.0
[2024-01-02 12:48:41 +0000] [1] [INFO] Using worker: gthread
[2024-01-02 12:48:41 +0000] [88] [INFO] Booting worker with pid: 88
2024-01-02 12:48:44,519: INFO pgadmin: ########################################################
2024-01-02 12:48:44,519: INFO pgadmin: Starting pgAdmin 4 v8.1...
2024-01-02 12:48:44,519: INFO pgadmin: ########################################################
2024-01-02 12:48:44,519: DEBUG pgadmin: Python syspath: ['/pgadmin4', '/venv/bin', '/pgadmin4', '/usr/lib/python311.zip', '/usr/lib/python3.11', '/usr/lib/python3.11/lib-dynload', '/venv/lib/python3.11/site-packages', '/usr/lib/python3.11/site-packages']
2024-01-02 12:48:45,728: INFO pgadmin: Registering blueprint module: <AboutModule 'about'>
2024-01-02 12:48:45,730: INFO pgadmin: Registering blueprint module: <AuthenticateModule 'authenticate'>
2024-01-02 12:48:45,730: INFO pgadmin: Registering blueprint module: <BrowserModule 'browser'>
2024-01-02 12:48:47,164: INFO pgadmin: Registering blueprint module: <DashboardModule 'dashboard'>
2024-01-02 12:48:47,177: INFO pgadmin: Registering blueprint module: <DashboardModule 'dashboard'>
2024-01-02 12:48:47,177: INFO pgadmin: Registering blueprint module: <HelpModule 'help'>
2024-01-02 12:48:47,177: INFO pgadmin: Registering blueprint module: <MiscModule 'misc'>
2024-01-02 12:48:48,476: INFO pgadmin: Registering blueprint module: <PreferencesModule 'preferences'>
2024-01-02 12:48:48,479: INFO pgadmin: Registering blueprint module: <PgAdminModule 'redirects'>
2024-01-02 12:48:48,480: INFO pgadmin: Registering blueprint module: <SettingsModule 'settings'>
2024-01-02 12:48:48,484: INFO pgadmin: Registering blueprint module: <ToolsModule 'tools'>
2024-01-02 12:48:49,386: DEBUG pgadmin: Config server mode: True
2024-01-02 12:48:49,387: DEBUG pgadmin: Not running under the desktop runtime, port: 5050
::ffff:10.128.2.1 - - [02/Jan/2024:12:49:34 +0000] "GET /misc/ping HTTP/1.1" 200 4 "-" "kube-probe/1.25"
::ffff:10.128.2.1 - - [02/Jan/2024:12:49:34 +0000] "GET /misc/ping HTTP/1.1" 200 4 "-" "kube-probe/1.25"
10.248.227.9 - - [02/Jan/2024:12:49:35 +0000] "GET / HTTP/1.1" 302 217 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:120.0) Gecko/20100101 Firefox/120.0"
10.248.227.9 - - [02/Jan/2024:12:49:35 +0000] "GET /login?next=%2F HTTP/1.1" 200 6524 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:120.0) Gecko/20100101 Firefox/120.0"
10.248.227.9 - - [02/Jan/2024:12:49:35 +0000] "GET /browser/js/endpoints.js?ver=80100 HTTP/1.1" 200 18491 "https://pgadmin4.apps.xxx.xxxx.xxx/login?next=%2F" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:120.0) Gecko/20100101 Firefox/120.0"
10.248.227.9 - - [02/Jan/2024:12:49:36 +0000] "GET /tools/translations.js?ver=80100 HTTP/1.1" 200 321 "https://pgadmin4.apps.xxxx.xxxxx.xx/login?next=%2F" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:120.0) Gecko/20100101 Firefox/120.0"
2024-01-02 12:49:37,685: DEBUG pgadmin: Authentication initiated via source: oauth2
2024-01-02 12:49:37,686: DEBUG pgadmin: Authentication initiated via source: oauth2 is failed.
10.248.227.9 - - [02/Jan/2024:12:49:37 +0000] "POST /authenticate/login HTTP/1.1" 302 819 "https://pgadmin4.apps.xxxxx.xxxx.xxx/login?next=%2F" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:120.0) Gecko/20100101 Firefox/120.0"
2024-01-02 12:49:47,867: ERROR pgadmin: Expecting value: line 1 column
10.248.227.9 - - [02/Jan/2024:12:49:47 +0000] "GET /oauth2/authorize?state=WiEiZw2b0KaGY8T9NHtCjQc6p5QyDy&session_state=fba96987-00e4-44d7-800a-c8192885a193&iss=http%3A%2F%2Fkeycloak.xxxx.xxx%3A8080%2Frealms%2Fiam&code=e75a1d2a-1a7d-4fca-8c00-e84540366b0e.fba96987-00e4-44d7-800a-c8192885a193.ec389ead-d683-4f45-a63a-d93f0814efaf HTTP/1.1" 500 104 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:120.0) Gecko/20100101 Firefox/120.0"

Related to https and http. At this moment, we are using https in pgadmin and http in keycloak, only for testing.

As you can see we don't have more details. Can you share with us your configuration?

Regards, Jose

yogeshmahajan-1903 commented 8 months ago

@jmbarreiro1 I am not able to reproduce the issue. It seems there is some difference in Keycloak configuration. Do you have user federation configured with Keycloak? You may want to check this bug reported to Keycloak.

Config_local.py

AUTHENTICATION_SOURCES = ['oauth2', 'internal']
OAUTH2_AUTO_CREATE_USER = True
MASTER_PASSWORD_REQUIRED = True
DEBUG = True
OAUTH2_CONFIG = [
    {
        'OAUTH2_NAME': 'keycloakaws-non-sssl',
        'OAUTH2_DISPLAY_NAME': 'Keycloak AWS Non-SSL',
        'OAUTH2_CLIENT_ID': 'pgadmin-docker',
        'OAUTH2_CLIENT_SECRET': 'xxxxxxxxxx',
        'OAUTH2_TOKEN_URL': 'http://<ip>:8080/realms/<realm>/protocol/openid-connect/token',
        'OAUTH2_AUTHORIZATION_URL': 'http://<ip>:8080/realms/<realm>/protocol/openid-connect/auth',
        'OAUTH2_USERINFO_ENDPOINT': 'http://<ip>:8080/realms/<realm>/protocol/openid-connect/userinfo',
        'OAUTH2_API_BASE_URL': 'http://<ip>:8080/realms/<realm>',
        'OAUTH2_SCOPE': 'openid email profile',
        'OAUTH2_USERNAME_CLAIM': None,
        'OAUTH2_ICON': None,
        'OAUTH2_BUTTON_COLOR': None,
        'OAUTH2_SERVER_METADATA_URL': 'http://<ip>:8080/realms/<realm>/.well-known/openid-configuration',
        'OAUTH2_SSL_CERT_VERIFICATION': False,
        'OAUTH2_ADDITIONAL_CLAIMS': {
            'groups': ["offline_access"],
        }
    }
]

docker config -

version: "3.8"

services:
  pgadmin:
    container_name: dev-pgadmin4
    restart: always
    image: dpage/pgadmin4:8.1
    ports:
      - "9000:80/tcp"
    environment:
      PGADMIN_DEFAULT_EMAIL: user@edb12.com
      PGADMIN_DEFAULT_PASSWORD: xxxxx
      PGADMIN_CONFIG_CONSOLE_LOG_LEVEL: 10
    volumes:
      - pgadmin-data:/var/lib/pgadmin
      - ./config/pgadmin_config_local.py:/pgadmin4/config_local.py:rw

volumes:
  pgadmin-data:
    name: 'pgadmin-data_local_config_file'

jmbarreiro1 commented 8 months ago

Hello @Yogesh Mahajan ,

First of all, thank you for your help. If I use your configuration with the entry

'OAUTH2_SERVER_METADATA_URL': 'http://:8080/realms/< realm >/.well-known/openid-configuration',

I received this error

::ffff:10.128.2.1 - - [03/Jan/2024:07:11:24 +0000] "GET /misc/ping HTTP/1.1" 200 4 "-" "kube-probe/1.25"
10.248.227.10 - - [03/Jan/2024:07:11:40 +0000] "GET /browser/ HTTP/1.1" 302 237 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:120.0) Gecko/20100101 Firefox/120.0"
10.248.227.10 - - [03/Jan/2024:07:11:41 +0000] "GET /login?next=%2Fbrowser%2F HTTP/1.1" 200 6729 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:120.0) Gecko/20100101 Firefox/120.0"
10.248.227.10 - - [03/Jan/2024:07:11:41 +0000] "GET /static/js/generated/style.css?ver=80100 HTTP/1.1" 200 0 "https://pgadmin4.apps.xxxx.xxxx.xxxx/login?next=%2Fbrowser%2F" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:120.0) Gecko/20100101 Firefox/120.0"
10.248.227.10 - - [03/Jan/2024:07:11:41 +0000] "GET /static/vendor/require/require.js?ver=80100 HTTP/1.1" 200 0 "https://pgadmin4.apps.dplttest10c.dplttest10c.dplt/login?next=%2Fbrowser%2F" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:120.0) Gecko/20100101 Firefox/120.0"
10.248.227.10 - - [03/Jan/2024:07:11:41 +0000] "GET /static/js/generated/pgadmin.css?ver=80100 HTTP/1.1" 200 0 "https://pgadmin4.apps.dplttest10c.dplttest10c.dplt/login?next=%2Fbrowser%2F" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:120.0) Gecko/20100101 Firefox/120.0"
10.248.227.10 - - [03/Jan/2024:07:11:41 +0000] "GET /static/js/generated/pgadmin.style.css?ver=80100 HTTP/1.1" 200 0 "https://pgadmin4.apps.dplttest10c.dplttest10c.dplt/login?next=%2Fbrowser%2F" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:120.0) Gecko/20100101 Firefox/120.0"
10.248.227.10 - - [03/Jan/2024:07:11:41 +0000] "GET /static/js/generated/vendor.react.js?ver=80100 HTTP/1.1" 200 0 "https://pgadmin4.apps.dplttest10c.dplttest10c.dplt/login?next=%2Fbrowser%2F" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:120.0) Gecko/20100101 Firefox/120.0"
10.248.227.10 - - [03/Jan/2024:07:11:41 +0000] "GET /static/js/generated/vendor.main.js?ver=80100 HTTP/1.1" 200 0 "https://pgadmin4.apps.dplttest10c.dplttest10c.dplt/login?next=%2Fbrowser%2F" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:120.0) Gecko/20100101 Firefox/120.0"
10.248.227.10 - - [03/Jan/2024:07:11:41 +0000] "GET /static/js/generated/vendor.others.js?ver=80100 HTTP/1.1" 200 0 "https://pgadmin4.apps.dplttest10c.dplttest10c.dplt/login?next=%2Fbrowser%2F" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:120.0) Gecko/20100101 Firefox/120.0"
10.248.227.10 - - [03/Jan/2024:07:11:41 +0000] "GET /static/js/generated/vendor.sqleditor.js?ver=80100 HTTP/1.1" 200 0 "https://pgadmin4.apps.dplttest10c.dplttest10c.dplt/login?next=%2Fbrowser%2F" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:120.0) Gecko/20100101 Firefox/120.0"
10.248.227.10 - - [03/Jan/2024:07:11:41 +0000] "GET /static/js/generated/pgadmin_commons.js?ver=80100 HTTP/1.1" 200 0 "https://pgadmin4.apps.dplttest10c.dplttest10c.dplt/login?next=%2Fbrowser%2F" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:120.0) Gecko/20100101 Firefox/120.0"
10.248.227.10 - - [03/Jan/2024:07:11:43 +0000] "GET /favicon.ico?ver=80100 HTTP/1.1" 302 245 "https://pgadmin4.apps.dplttest10c.dplttest10c.dplt/login?next=%2Fbrowser%2F" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:120.0) Gecko/20100101 Firefox/120.0"
10.248.227.10 - - [03/Jan/2024:07:11:43 +0000] "GET /static/js/generated/fonts/Roboto-Regular..ttf HTTP/1.1" 200 0 "https://pgadmin4.apps.dplttest10c.dplttest10c.dplt/static/js/generated/pgadmin.style.css?ver=80100" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:120.0) Gecko/20100101 Firefox/120.0"
10.248.227.10 - - [03/Jan/2024:07:11:43 +0000] "GET /static/js/generated/security.pages.js?ver=80100 HTTP/1.1" 200 0 "https://pgadmin4.apps.dplttest10c.dplttest10c.dplt/login?next=%2Fbrowser%2F" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:120.0) Gecko/20100101 Firefox/120.0"
10.248.227.10 - - [03/Jan/2024:07:11:43 +0000] "GET /static/favicon.ico?ver=80100 HTTP/1.1" 200 0 "https://pgadmin4.apps.dplttest10c.dplttest10c.dplt/login?next=%2Fbrowser%2F" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:120.0) Gecko/20100101 Firefox/120.0"
10.248.227.10 - - [03/Jan/2024:07:11:44 +0000] "GET /browser/js/endpoints.js?ver=80100 HTTP/1.1" 200 18491 "https://pgadmin4.apps.dplttest10c.dplttest10c.dplt/login?next=%2Fbrowser%2F" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:120.0) Gecko/20100101 Firefox/120.0"
10.248.227.10 - - [03/Jan/2024:07:11:44 +0000] "GET /tools/translations.js?ver=80100 HTTP/1.1" 200 321 "https://pgadmin4.apps.dplttest10c.dplttest10c.dplt/login?next=%2Fbrowser%2F" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:120.0) Gecko/20100101 Firefox/120.0"
10.248.227.10 - - [03/Jan/2024:07:11:44 +0000] "GET /static/js/generated/fonts/fa-brands-400..woff2 HTTP/1.1" 200 0 "https://pgadmin4.apps.dplttest10c.dplttest10c.dplt/static/js/generated/style.css?ver=80100" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:120.0) Gecko/20100101 Firefox/120.0"
10.248.227.10 - - [03/Jan/2024:07:11:47 +0000] "GET /static/js/generated/pgadmin.js.map HTTP/1.1" 304 0 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:120.0) Gecko/20100101 Firefox/120.0"
10.248.227.10 - - [03/Jan/2024:07:11:47 +0000] "GET /static/js/generated/style.js.map HTTP/1.1" 304 0 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:120.0) Gecko/20100101 Firefox/120.0"
2024-01-03 07:11:49,473: DEBUG pgadmin: Authentication initiated via source: oauth2
2024-01-03 07:11:49,496: ERROR pgadmin: 403 Client Error: Forbidden for url: http://keycloak.xxxx.xxxx:8080/realms/iam/.well-know/openid-configuration
Traceback (most recent call last):
  File "/venv/lib/python3.11/site-packages/flask/app.py", line 1484, in full_dispatch_request
    rv = self.dispatch_request()
  File "/venv/lib/python3.11/site-packages/flask/app.py", line 1469, in dispatch_request
    return self.ensure_sync(self.view_functions[rule.endpoint])(**view_args)
  File "/pgadmin4/pgadmin/authenticate/__init__.py", line 102, in login
    return _login()
  File "/pgadmin4/pgadmin/authenticate/__init__.py", line 167, in _login
    status, msg = auth_obj.authenticate()
  File "/pgadmin4/pgadmin/authenticate/__init__.py", line 286, in authenticate
    status, msg = source.authenticate(self.form)
  File "/pgadmin4/pgadmin/authenticate/oauth2.py", line 221, in authenticate
    self.oauth2_current_client].authorize_redirect(redirect_url)
  File "/venv/lib/python3.11/site-packages/authlib/integrations/flask_client/apps.py", line 43, in authorize_redirect
    rv = self.create_authorization_url(redirect_uri, **kwargs)
  File "/venv/lib/python3.11/site-packages/authlib/integrations/base_client/sync_app.py", line 309, in create_authorization_url
    metadata = self.load_server_metadata()
  File "/venv/lib/python3.11/site-packages/authlib/integrations/base_client/sync_app.py", line 295, in load_server_metadata
    resp.raise_for_status()
  File "/venv/lib/python3.11/site-packages/requests/models.py", line 1021, in raise_for_status
    raise HTTPError(http_error_msg, response=self)
requests.exceptions.HTTPError: 403 Client Error: Forbidden for url: http://keycloak.xxxx.xxxx:8080/realms/iam/.well-know/openid-configuration
10.248.227.10 - - [03/Jan/2024:07:11:49 +0000] "POST /authenticate/login HTTP/1.1" 500 180 "https://pgadmin4.apps.xxxx.xxxxx.xxx/login?next=%2Fbrowser%2F" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:120.0) Gecko/20100101 Firefox/120.0"
::ffff:10.128.2.1 - - [03/Jan/2024:07:12:24 +0000] "GET /misc/ping HTTP/1.1" 200 4 "-" "kube-probe/1.25"

If I use this configuration

OAUTH2_CONFIG = [
    {
        'OAUTH2_NAME': 'keycloak',
        'OAUTH2_DISPLAY_NAME': 'KEYCLOAK',
        'OAUTH2_CLIENT_ID': 'pgadmin',
        'OAUTH2_CLIENT_SECRET': 'xxxxxx',
        'OAUTH2_TOKEN_URL': 'http://keycloak.xxxx.xxxx:8080/realms/iam/protocol/openid-connect/token',
        'OAUTH2_AUTHORIZATION_URL': 'http://keycloak.xxx.xxxx:8080/realms/iam/protocol/openid-connect/auth',
        'OAUTH2_USERINFO_ENDPOINT': 'http://keycloak.xxxxx.xxxx:8080/realms/iam/protocol/openid-connect/userinfo',
        'OAUTH2_API_BASE_URL': 'http://keycloak.xxxx.xxxx:8080/realms/iam',
        'OAUTH2_SCOPE': 'openid email profile',
        'OAUTH2_USERNAME_CLAIM': None,
        'OAUTH2_ICON': 'fa-google',
        'OAUTH2_BUTTON_COLOR': '#0000ff',
        'OAUTH2_SSL_CERT_VERIFICATION': 'False',
        'OAUTH2_ADDITIONAL_CLAIMS': {
            'groups': ["offline_access"],
        }
    }
]

I received the error you can see below

  File "/venv/lib/python3.11/site-packages/flask/app.py", line 1484, in full_dispatch_request
    rv = self.dispatch_request()
  File "/venv/lib/python3.11/site-packages/flask/app.py", line 1469, in dispatch_request
    return self.ensure_sync(self.view_functions[rule.endpoint])(**view_args)
  File "/pgadmin4/pgadmin/authenticate/oauth2.py", line 56, in oauth_authorize
    status, msg = auth_obj.login()
  File "/pgadmin4/pgadmin/authenticate/__init__.py", line 301, in login
    status, msg = self.source.login(self.form)
  File "/pgadmin4/pgadmin/authenticate/oauth2.py", line 126, in login
    profile = self.get_user_profile()
  File "/pgadmin4/pgadmin/authenticate/oauth2.py", line 201, in get_user_profile
    self.oauth2_current_client].authorize_access_token()
  File "/venv/lib/python3.11/site-packages/authlib/integrations/flask_client/apps.py", line 101, in authorize_access_token
    token = self.fetch_access_token(**params, **kwargs)
  File "/venv/lib/python3.11/site-packages/authlib/integrations/base_client/sync_app.py", line 342, in fetch_access_token
    token = client.fetch_token(token_endpoint, **params)
  File "/venv/lib/python3.11/site-packages/authlib/oauth2/client.py", line 207, in fetch_token
    return self._fetch_token(
  File "/venv/lib/python3.11/site-packages/authlib/oauth2/client.py", line 364, in _fetch_token
    return self.parse_response_token(resp)
  File "/venv/lib/python3.11/site-packages/authlib/oauth2/client.py", line 338, in parse_response_token
    token = resp.json()
  File "/venv/lib/python3.11/site-packages/requests/models.py", line 975, in json
    raise RequestsJSONDecodeError(e.msg, e.doc, e.pos)
requests.exceptions.JSONDecodeError: Expecting value: line 1 column 1 (char 0)
10.248.227.10 - - [03/Jan/2024:07:16:54 +0000] "GET /oauth2/authorize?state=jGWXN7spkjwLKjCjQKSbwUNrhD9K0T&session_state=e5bfec3b-25e2-49bf-b1e6-090ccf8eac59&iss=http%3A%2F%2Fkeycloak.dplttest10c.dplt%3A8080%2Frealms%2Fiam&code=837ad513-09af-4450-813b-562f6f7ef844.e5bfec3b-25e2-49bf-b1e6-090ccf8eac59.ec389ead-d683-4f45-a63a-d93f0814efaf HTTP/1.1" 500 104 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:120.0) Gecko/20100101 Firefox/120.0"

Attached is a file with the client configuration in keycloak.

We have more applications using Keycloak without problems; this is weird.

Best regards, Jose


jmbarreiro1 commented 8 months ago

Hi @yogeshmahajan-1903 ,

Sorry, I forgot to mention that we don't use federation yet.

Best regards, Jose

yogeshmahajan-1903 commented 8 months ago

@jmbarreiro1 I guess you forgot to attach client configuration in keycloak.

jmbarreiro1 commented 8 months ago

Hi @Yogesh Mahajan

Sorry :)


jmbarreiro1 commented 8 months ago

pgadmin-client-keycloak.json

jmbarreiro1 commented 8 months ago

Hi,

I have more details. The issue is related to the protocol; using https I received a different error:

"HTTPSConnectionPool(host='keycloak.xxxx.xxx', port=8443): Max retries exceeded with url: /realms/iam/.well-known/openid-configuration (Caused by ProxyError('Cannot connect to proxy.', OSError('Tunnel connection failed: 403 Forbidden')))"

The full log

2024-01-03 10:44:45,819: DEBUG pgadmin: Authentication initiated via source: oauth2
2024-01-03 10:44:45,843: ERROR pgadmin: HTTPSConnectionPool(host='keycloak.xxxx.xxx', port=8443): Max retries exceeded with url: /realms/iam/.well-known/openid-configuration (Caused by ProxyError('Cannot connect to proxy.', OSError('Tunnel connection failed: 403 Forbidden')))
Traceback (most recent call last):
  File "/venv/lib/python3.11/site-packages/urllib3/connectionpool.py", line 711, in urlopen
    self._prepare_proxy(conn)
  File "/venv/lib/python3.11/site-packages/urllib3/connectionpool.py", line 1007, in _prepare_proxy
    conn.connect()
  File "/venv/lib/python3.11/site-packages/urllib3/connection.py", line 374, in connect
    self._tunnel()
  File "/usr/lib/python3.11/http/client.py", line 926, in _tunnel
    raise OSError(f"Tunnel connection failed: {code} {message.strip()}")
OSError: Tunnel connection failed: 403 Forbidden

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/venv/lib/python3.11/site-packages/requests/adapters.py", line 486, in send
    resp = conn.urlopen(
  File "/venv/lib/python3.11/site-packages/urllib3/connectionpool.py", line 798, in urlopen
    retries = retries.increment(
  File "/venv/lib/python3.11/site-packages/urllib3/util/retry.py", line 592, in increment
    raise MaxRetryError(_pool, url, error or ResponseError(cause))
urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='keycloak.xxxx.xxx', port=8443): Max retries exceeded with url: /realms/iam/.well-known/openid-configuration (Caused by ProxyError('Cannot connect to proxy.', OSError('Tunnel connection failed: 403 Forbidden')))

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/venv/lib/python3.11/site-packages/flask/app.py", line 1823, in full_dispatch_request
    rv = self.dispatch_request()
  File "/venv/lib/python3.11/site-packages/flask/app.py", line 1799, in dispatch_request
    return self.ensure_sync(self.view_functions[rule.endpoint])(**view_args)
  File "/pgadmin4/pgadmin/authenticate/__init__.py", line 102, in login
    return _login()
  File "/pgadmin4/pgadmin/authenticate/__init__.py", line 167, in _login
    status, msg = auth_obj.authenticate()
  File "/pgadmin4/pgadmin/authenticate/__init__.py", line 286, in authenticate
    status, msg = source.authenticate(self.form)
  File "/pgadmin4/pgadmin/authenticate/oauth2.py", line 207, in authenticate
    self.oauth2_current_client].authorize_redirect(redirect_url)
  File "/venv/lib/python3.11/site-packages/authlib/integrations/flask_client/apps.py", line 43, in authorize_redirect
    rv = self.create_authorization_url(redirect_uri, **kwargs)
  File "/venv/lib/python3.11/site-packages/authlib/integrations/base_client/sync_app.py", line 309, in create_authorization_url
    metadata = self.load_server_metadata()
  File "/venv/lib/python3.11/site-packages/authlib/integrations/base_client/sync_app.py", line 294, in load_server_metadata
    resp = session.request('GET', self._server_metadata_url, withhold_token=True)
  File "/venv/lib/python3.11/site-packages/authlib/integrations/requests_client/oauth2_session.py", line 109, in request
    return super(OAuth2Session, self).request(
  File "/venv/lib/python3.11/site-packages/requests/sessions.py", line 589, in request
    resp = self.send(prep, **send_kwargs)
  File "/venv/lib/python3.11/site-packages/requests/sessions.py", line 703, in send
    r = adapter.send(request, **kwargs)
  File "/venv/lib/python3.11/site-packages/requests/adapters.py", line 513, in send
    raise ProxyError(e, request=request)
requests.exceptions.ProxyError: HTTPSConnectionPool(host='keycloak.xxxx.xxx', port=8443): Max retries exceeded with url: /realms/iam/.well-known/openid-configuration (Caused by ProxyError('Cannot connect to proxy.', OSError('Tunnel connection failed: 403 Forbidden')))
10.248.227.10 - - [03/Jan/2024:10:44:45 +0000] "POST /authenticate/login HTTP/1.1" 500 307 "https://pgadmin4.apps.xxxx.xxxx.xxx/login?next=%2F" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:120.0) Gecko/20100101 Firefox/120.0"
::ffff:10.128.2.1 - - [03/Jan/2024:10:45:36 +0000] "GET /misc/ping HTTP/1.1" 200 4 "-" "kube-probe/1.25"
::ffff:10.128.2.1 - - [03/Jan/2024:10:45:36 +0000] "GET /misc/ping HTTP/1.1" 200 4 "-" "kube-probe/1.25"

The current configuration is:

{
    'OAUTH2_NAME': 'keycloak',
    'OAUTH2_DISPLAY_NAME': 'KEYCLOAK',
    'OAUTH2_CLIENT_ID': 'pgadmin',
    'OAUTH2_CLIENT_SECRET': 'xxxx',
    'OAUTH2_TOKEN_URL': 'https://keycloak.xxx.xxxx:8443/realms/iam/protocol/openid-connect/token',
    'OAUTH2_AUTHORIZATION_URL': 'https://keycloak.xxx.xxx:8443/realms/iam/protocol/openid-connect/auth',
    'OAUTH2_USERINFO_ENDPOINT': 'https://keycloak.xxxx.xxx:8443/realms/iam/protocol/openid-connect/userinfo',
    'OAUTH2_API_BASE_URL': 'https://keycloak.xxx.xxx:8443/realms/iam',
    'OAUTH2_SCOPE': 'openid email profile',
    'OAUTH2_USERNAME_CLAIM': None,
    'OAUTH2_ICON': 'fa-google',
    'OAUTH2_BUTTON_COLOR': '#0000ff',
    'OAUTH2_SERVER_METADATA_URL': 'https://keycloak.xxx.xxxx:8443/realms/iam/.well-known/openid-configuration',
    'OAUTH2_SSL_CERT_VERIFICATION': 'False',
    'OAUTH2_ADDITIONAL_CLAIMS': {
        'groups': ["offline_access"],
    }
}

The certificate is available in the path

I added this certificate authority using a secret in kubernetes.

Best regards,

yogeshmahajan-1903 commented 8 months ago

@jmbarreiro1 Would you mind sharing the docker config for Keycloak? I checked the client config, which looks similar to mine. Also, can you please share the logs from the Keycloak container? Let me know if we can connect over a Zoom session and share your availability. I will send an invite to you personally.

jmbarreiro1 commented 8 months ago

Hi @yogeshmahajan-1903

Thank you for your help. Keycloak in our environment is deployed in a virtual machine. We are discussing whether it's possible to deploy it in Kubernetes, for several reasons.

I attach a yaml file with the pgadmin deployment.

deploymentyaml.txt

On the Keycloak server we don't have any error, as you can see below:

2023-12-28 11:28:06,755 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (Timer-0) JtaTransactionWrapper commit
2023-12-28 11:28:06,755 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (Timer-0) JtaTransactionWrapper end
2023-12-28 11:28:11,754 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (Timer-0) new JtaTransactionWrapper
2023-12-28 11:28:11,754 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (Timer-0) was existing? false
2023-12-28 11:28:11,754 DEBUG [org.keycloak.models.sessions.infinispan.changes.sessions.PersisterLastSessionRefreshStore] (Timer-0) Updating 0 userSessions with lastSessionRefresh: 1703762831
2023-12-28 11:28:11,754 DEBUG [org.keycloak.services.scheduled.ScheduledTaskRunner] (Timer-0) Executed scheduled task AbstractLastSessionRefreshStoreFactory$$Lambda$1301/0x00000008017ee100
2023-12-28 11:28:11,754 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (Timer-0) JtaTransactionWrapper commit
2023-12-28 11:28:11,754 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (Timer-0) JtaTransactionWrapper end
2023-12-28 11:28:16,754 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (Timer-0) new JtaTransactionWrapper
2023-12-28 11:28:16,754 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (Timer-0) was existing? false
2023-12-28 11:28:16,754 DEBUG [org.keycloak.services.scheduled.ScheduledTaskRunner] (Timer-0) Executed scheduled task AbstractLastSessionRefreshStoreFactory$$Lambda$1301/0x00000008017ee100
2023-12-28 11:28:16,754 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (Timer-0) JtaTransactionWrapper commit
2023-12-28 11:28:16,755 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (Timer-0) JtaTransactionWrapper end

It's a pleasure for me to share my screen to show you the issue. I have time at 10 AM or 4 PM Spanish time. If you agree, I can schedule a meeting.

Thanks!!!

Best regards, Jose

yogeshmahajan-1903 commented 8 months ago

@jmbarreiro1 The attached pgAdmin deployment shows the image used is "image: 'nexus-factory.dplt.dev:443/dpage/pgadmin4:6.21'". I am not sure if this is causing the issue. We can connect at 10:30 AM Spanish time.

jmbarreiro1 commented 8 months ago

This Nexus isn't a problem; we don't have access to the internet to download the image. The Nexus is a proxy to Docker Hub and other repositories.

Could you share another time with me to schedule this meeting?

Thanks a lot


EvertonSA commented 8 months ago

'OAUTH2_ADDITIONAL_CLAIMS': { 'groups': ["administrators"], }

Did you try without

'OAUTH2_ADDITIONAL_CLAIMS': { 'groups': ["administrators"], }

jmbarreiro1 commented 8 months ago

Hi,

The issue is resolved. This configuration is working fine:

AUTHENTICATION_SOURCES = ['oauth2', 'internal']
OAUTH2_AUTO_CREATE_USER = True
OAUTH2_CONFIG = [
    {
        'OAUTH2_NAME': 'keycloak',
        'OAUTH2_DISPLAY_NAME': 'KEYCLOAK',
        'OAUTH2_CLIENT_ID': 'pgadmin',
        'OAUTH2_CLIENT_SECRET': 'xxxx',
        'OAUTH2_TOKEN_URL': 'https://keycloak.xxxx.xxxx:8443/realms/iam/protocol/openid-connect/token',
        'OAUTH2_AUTHORIZATION_URL': 'https://xxx.xxxx.xxx:8443/realms/iam/protocol/openid-connect/auth',
        'OAUTH2_USERINFO_ENDPOINT': 'https://keycloak.xxxx.xxx:8443/realms/iam/protocol/openid-connect/userinfo',
        'OAUTH2_API_BASE_URL': 'https://keycloak.xxxx.xxx:8443/realms/iam',
        'OAUTH2_SCOPE': 'openid email profile',
        'OAUTH2_USERNAME_CLAIM': None,
        'OAUTH2_ICON': 'fa-google',
        'OAUTH2_BUTTON_COLOR': '#0000ff',
        'OAUTH2_SERVER_METADATA_URL': 'https://keycloak.xxx.xxx:8443/realms/iam/.well-known/openid-configuration',
        'OAUTH2_SSL_CERT_VERIFICATION': False,
        'OAUTH2_ADDITIONAL_CLAIMS': {
            'groups': ["administrators"],
        }
    }
]

The main problem was a proxy. Thanks @yogeshmahajan-1903 for your time, your patience and your help.

Best regards, Jose

yogeshmahajan-1903 commented 8 months ago

The Forbidden error comes when the realm's Require SSL setting is set to "All requests" / "External requests".

(Screenshot 2024-01-24 at 5:08:28 PM)

However, if the Require SSL setting is set to "None", then I am able to log in to pgAdmin. If I remove the metadata URL from the configuration, then I get a "Missing jwks_uri" error, but I could not reproduce the JSONDecodeError.
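The three failure modes in this thread (an HTML error page where the discovery JSON was expected, a metadata fetch sent through an HTTPS_PROXY tunnel that answers 403, and a discovery document without jwks_uri) can all be caught before pgAdmin is restarted. The script below is an added example and is not pgAdmin's or Authlib's code; it checks one OAUTH2_CONFIG entry offline against a discovery response. The hostname keycloak.example.internal, the NO_PROXY values and the three discovery bodies are constructed for illustration. It relies on two facts visible in the traceback above: Authlib fetches OAUTH2_SERVER_METADATA_URL with requests, and requests honours HTTPS_PROXY/NO_PROXY from the container environment, so the IdP host must be excluded from the proxy if it is reachable directly. The NO_PROXY matching is the stdlib's own urllib.request.proxy_bypass_environment, not a reimplementation.

```python
"""Offline sanity checks for a pgAdmin OAUTH2_CONFIG entry pointed at Keycloak.

Added example, not pgAdmin's or Authlib's code. The hostname, NO_PROXY values
and discovery documents below are constructed for illustration.
"""
import json
from urllib.parse import urlparse
from urllib.request import proxy_bypass_environment  # stdlib NO_PROXY matcher

ISSUER = "https://keycloak.example.internal:8443/realms/iam"

# Constructed config shaped like one entry of pgAdmin's OAUTH2_CONFIG list.
# OAUTH2_SSL_CERT_VERIFICATION is deliberately the *string* 'False' here.
CONFIG = {
    "OAUTH2_NAME": "keycloak",
    "OAUTH2_CLIENT_ID": "pgadmin",
    "OAUTH2_CLIENT_SECRET": "xxxx",
    "OAUTH2_AUTHORIZATION_URL": ISSUER + "/protocol/openid-connect/auth",
    "OAUTH2_TOKEN_URL": ISSUER + "/protocol/openid-connect/token",
    "OAUTH2_USERINFO_ENDPOINT": ISSUER + "/protocol/openid-connect/userinfo",
    "OAUTH2_API_BASE_URL": ISSUER,
    "OAUTH2_SERVER_METADATA_URL": ISSUER + "/.well-known/openid-configuration",
    "OAUTH2_SCOPE": "openid email profile",
    "OAUTH2_SSL_CERT_VERIFICATION": "False",
}

# Constructed responses from the metadata URL: healthy, missing jwks_uri, and
# an HTML error page (what a proxy or a "Require SSL" rejection returns).
GOOD_DISCOVERY = json.dumps({
    "issuer": ISSUER,
    "authorization_endpoint": ISSUER + "/protocol/openid-connect/auth",
    "token_endpoint": ISSUER + "/protocol/openid-connect/token",
    "userinfo_endpoint": ISSUER + "/protocol/openid-connect/userinfo",
    "jwks_uri": ISSUER + "/protocol/openid-connect/certs",
})
DISCOVERY_NO_JWKS = json.dumps({"issuer": ISSUER,
                                "authorization_endpoint": ISSUER + "/protocol/openid-connect/auth",
                                "token_endpoint": ISSUER + "/protocol/openid-connect/token"})
HTML_ERROR_PAGE = "<html><body><h1>403 Forbidden</h1></body></html>"

REQUIRED_METADATA = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")
ENDPOINT_KEYS = {  # pgAdmin key -> discovery-document key
    "OAUTH2_AUTHORIZATION_URL": "authorization_endpoint",
    "OAUTH2_TOKEN_URL": "token_endpoint",
    "OAUTH2_USERINFO_ENDPOINT": "userinfo_endpoint",
}


def parse_discovery(body):
    """Parse a discovery response, naming the failure instead of a bare JSONDecodeError."""
    try:
        meta = json.loads(body)
    except json.JSONDecodeError as exc:
        raise ValueError("metadata URL did not return JSON (body starts %r); a proxy or "
                         "the IdP answered with an error page" % body.strip()[:40]) from exc
    missing = [k for k in REQUIRED_METADATA if k not in meta]
    if missing:
        raise ValueError("discovery document is missing: " + ", ".join(missing))
    return meta


def check_ssl_verification(cfg):
    """A quoted 'False' is a non-empty string, not a switch; pgAdmin documents a bool."""
    value = cfg.get("OAUTH2_SSL_CERT_VERIFICATION", True)
    if isinstance(value, bool):
        return []
    return ["OAUTH2_SSL_CERT_VERIFICATION is %r, not a bool; use True (with the private "
            "CA installed) or False, never a quoted string" % (value,)]


def compare_endpoints(cfg, meta):
    """Static endpoints in the config must agree with what the IdP publishes."""
    findings = []
    for cfg_key, meta_key in ENDPOINT_KEYS.items():
        if cfg_key in cfg and meta_key in meta and cfg[cfg_key] != meta[meta_key]:
            findings.append("%s=%s differs from %s=%s" % (cfg_key, cfg[cfg_key], meta_key, meta[meta_key]))
    base = cfg.get("OAUTH2_API_BASE_URL", "").rstrip("/")
    if base and base != meta["issuer"].rstrip("/"):
        findings.append("OAUTH2_API_BASE_URL %s differs from issuer %s" % (base, meta["issuer"]))
    return findings


def proxy_findings(cfg, no_proxy, https_proxy_set):
    """With HTTPS_PROXY set, every IdP host not matched by NO_PROXY goes via the tunnel."""
    if not https_proxy_set:
        return []
    hosts = {urlparse(v).hostname for k, v in cfg.items()
             if k.endswith(("_URL", "_ENDPOINT")) and isinstance(v, str)}
    return ["%s would be fetched through HTTPS_PROXY; add it to NO_PROXY if the IdP is "
            "reachable directly" % h
            for h in sorted(h for h in hosts if h)
            if not proxy_bypass_environment(h, {"no": no_proxy})]


def audit(cfg, discovery_body, no_proxy="", https_proxy_set=False):
    """Run every check and return the list of findings (empty means clean)."""
    findings = check_ssl_verification(cfg) + proxy_findings(cfg, no_proxy, https_proxy_set)
    try:
        meta = parse_discovery(discovery_body)
    except ValueError as exc:
        return findings + [str(exc)]
    return findings + compare_endpoints(cfg, meta)


if __name__ == "__main__":
    # Reproduces the thread's situation: string 'False', proxy set, HTML instead of JSON.
    for line in audit(CONFIG, HTML_ERROR_PAGE, no_proxy="localhost", https_proxy_set=True):
        print("-", line)
```

To use it against a live IdP, fetch OAUTH2_SERVER_METADATA_URL yourself (with the same CA bundle and the same HTTPS_PROXY/NO_PROXY the pgAdmin container sees) and pass the raw body to audit(); a non-JSON body is reported as such rather than surfacing as "Expecting value: line 1 column 1".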

jmbarreiro1 commented 8 months ago

We are using "External requests" in the Require SSL configuration.

I don't know which version of pgAdmin you are using. We had to upgrade to the latest version.


akshay-joshi commented 7 months ago

This is a configuration issue, hence closing it.