plankanban / planka

The realtime kanban board for workgroups built with React and Redux.
https://planka.app
GNU Affero General Public License v3.0

SSO Failure, Keycloak #515

Closed daanbreur closed 1 year ago

daanbreur commented 1 year ago
If it is a black screen after being redirected to /OidcLogin then it's a configuration issue and you should have an error in the browser console if you open the dev tools. Usually it's the redirect url in either keycloak or the environment variable.

It is definitely working, I tested it with 3 and a half idps. Authelia, authentik and keycloak. I also did logto but stopped when it used an opaque token. Since this pr is already merged and we're resurrecting a completed pr, if you would like to create an issue or discussion then I will see if I can help out further.

Originally posted by @jeffreytyler in https://github.com/plankanban/planka/issues/491#issuecomment-1738283877

daanbreur commented 1 year ago

The browser console is definitely empty, also the redirect shouldn't be to /OidcLogin but to /oidclogin because that's how the path is defined inside the source code. However I'm getting the same black page with no browser or server error logs with both paths.

meltyshev commented 1 year ago

We need to try to reproduce this. Could you show the settings of your Keycloak (of course without private data)?

daanbreur commented 1 year ago

[images]

daanbreur commented 1 year ago

After digging deep in the network logs I found

{
    "error": "unauthorized_client",
    "error_description": "Invalid client or Invalid client credentials"
}

response coming from a request made to keycloak. Are you maybe able to share your keycloak configurations so we can compare?

gorrilla10101 commented 1 year ago

On the client in keycloak turn client authentication off. Planka uses authorization code flow with PKCE and logs in from the react app in the browser. So it doesn't use a client secret and that is what the error you're getting is.

I believe, will confirm in just a moment, that you need one more mapper to add the audience.

I am working on getting it set back up so I can send you the configuration over as well in just a moment.

gorrilla10101 commented 1 year ago

Confirmed working with keycloak.

  1. Create a public client by turning off client authentication
  2. Create a scope and mapper that adds an audience
  3. Make sure username, email and name are filled out in keycloak.
  4. Make sure Web Origins is set on the client in keycloak. This configures CORS.

OIDC_ISSUER="http://localhost:8080/realms/master"
OIDC_AUDIENCE="planka"
OIDC_CLIENT_ID="planka"
OIDC_ROLES_ATTRIBUTE='groups'
OIDC_ADMIN_ROLES="planka-admin"
OIDC_REDIRECT_URI="http://localhost:3000/OidcLogin"
OIDC_JWKS_URI="http://localhost:8080/realms/master/protocol/openid-connect/certs"
OIDC_SKIP_USER_INFO='false'
OIDC_SCOPES='openid profile email'

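
As an added example (not Planka's own code), a Python sketch of the public-client flow the answer above describes: the PKCE pair the browser generates in place of a client secret, the authorization redirect built from the same environment variables, and claim checks that fail when the audience mapper or user fields from steps 2 and 3 are missing. The claim names and the constructed token payloads are assumptions, and signature verification against OIDC_JWKS_URI is assumed to happen before the checks and is not shown.

```python
import base64, hashlib, secrets
from urllib.parse import urlencode

# Settings mirroring the environment variables in the comment above (localhost values).
OIDC_ISSUER = "http://localhost:8080/realms/master"
OIDC_CLIENT_ID = OIDC_AUDIENCE = "planka"
OIDC_REDIRECT_URI = "http://localhost:3000/OidcLogin"
OIDC_ROLES_ATTRIBUTE, OIDC_ADMIN_ROLES = "groups", {"planka-admin"}
OIDC_SCOPES = "openid profile email"

def pkce_pair(verifier=None):
    """Return (code_verifier, code_challenge) for the S256 method (RFC 7636)."""
    verifier = verifier or secrets.token_urlsafe(64)
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return verifier, base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

def authorization_url(challenge, state):
    """The redirect the browser sends to Keycloak. A public client has no secret,
    so none appears here; the PKCE challenge binds the later code exchange instead."""
    params = {"client_id": OIDC_CLIENT_ID, "response_type": "code",
              "redirect_uri": OIDC_REDIRECT_URI, "scope": OIDC_SCOPES, "state": state,
              "code_challenge": challenge, "code_challenge_method": "S256"}
    return f"{OIDC_ISSUER}/protocol/openid-connect/auth?{urlencode(params)}"

def check_claims(claims):
    """List problems with token claims whose signature has already been verified
    against OIDC_JWKS_URI (that step is assumed done, not shown here)."""
    problems = []
    if claims.get("iss") != OIDC_ISSUER:
        problems.append("iss does not match OIDC_ISSUER")
    aud = claims.get("aud", [])
    if OIDC_AUDIENCE not in ([aud] if isinstance(aud, str) else aud):
        problems.append("OIDC_AUDIENCE missing from aud: add the audience mapper in Keycloak")
    # Claim names below are assumptions; Planka's exact field mapping is not on the page.
    for field in ("preferred_username", "email", "name"):
        if not claims.get(field):
            problems.append(f"{field} is empty: fill it in on the Keycloak user")
    return problems

def is_admin(claims):
    """Admin if any OIDC_ADMIN_ROLES value appears in the OIDC_ROLES_ATTRIBUTE claim."""
    return bool(OIDC_ADMIN_ROLES & set(claims.get(OIDC_ROLES_ATTRIBUTE, [])))

# Constructed claim sets: without the audience mapper Keycloak puts only "account"
# in aud; with the mapper, filled-in user fields and a group, every check passes.
CLAIMS_NO_MAPPER = {"iss": OIDC_ISSUER, "aud": "account", "preferred_username": "alice"}
CLAIMS_OK = {"iss": OIDC_ISSUER, "aud": ["planka", "account"], "preferred_username": "alice",
             "email": "alice@example.com", "name": "Alice", "groups": ["planka-admin"]}
```

The PKCE vector from RFC 7636 Appendix B reproduces with pkce_pair, and check_claims(CLAIMS_NO_MAPPER) reports the missing audience that the unauthorized_client error above hides.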
daanbreur commented 1 year ago

Ah, of course. Thank you, I completely forgot client authorization isn't required; on most of my services I enabled that.

daanbreur commented 1 year ago

I might make some additional documentation to add this stuff because more people might forget like I did.