shmart-dev closed this issue 3 years ago
In the Keycloak Logs I have this message: KC-SERVICES0091: Request is missing scope 'openid' so it's not treated as OIDC, but just pure OAuth2 request.
Maybe this helps?
I think you should first get Twitter_CONSUMER_KEY and Twitter_CONSUMER_SECRET. That is how: "How to get the Twitter consumer key". Then connect it to your code.
Hi @Diorso666, why should I get a Twitter key+secret for a Keycloak configuration? Unfortunately, you are linking to a private video.
Seems like I have the same problem. Please keep us up to date if you find a solution.
I have the same issue
I dug a little bit deeper and it seems that the dev of the keycloak-extension (@D4uS1) in wikijs used @exlinc/keycloak-passport. And that library is using passportjs. Then I found the following article, which in my case means I'm using a self-signed certificate, which probably produces the error in my setup.
Hi @MarcBollmann,
the only thing the extension for keycloak does is calling passport js, as you mentioned before. This is done by using this keycloak-passport strategy.
I know this is not very helpful, but in my case I am using a Let's Encrypt certificate on the keycloak side, because in the past I got several problems using self-signed certificates.
Do you think using Let's Encrypt or some other CA is a possible solution for you? I really can recommend this, just because it is free and browsers do not complain about an insecure certificate ;).
@D4uS1 Okay, the difficult thing for me is that my application is running in an intranet. So Let's Encrypt is not an option for me. I think I have to add the self-signed certificate of my keycloak server to my wiki.js as a trusted certificate (and vice versa?). So I guess it should be just a configuration thing for me. I'll post an update if I make any progress.
Hi @D4uS1,
we are not using Let's Encrypt, but we have a valid certificate from a (public) certificate authority - we don't use a self-signed certificate.
I can't imagine that it makes any difference whether Let's Encrypt or another CA issued the certificate, does it?
Hi @MarcBollmann,
our wiki also runs on the intranet, we just do not use a self-signed certificate.
> Hi @D4uS1,
> we are not using Let's Encrypt, but we have a valid certificate from a (public) certificate authority - we don't use a self-signed certificate.
> I can't imagine that it makes any difference whether Let's Encrypt or another CA issued the certificate, does it?
Hi @shmart-dev,
it does, if any technology used under the hood does not accept self-signed certificates for security purposes (without setting any parameters).
In this case, for instance, it is possible that some library used in keycloak-passport rejects the connection. But I really don't know, I am just guessing.
Found a solution for my problem. If you're using a self-signed certificate chain which is not issued by a common public authority, you have to add the root certificate of your keycloak instance to the wikijs container.
This can be achieved with the NODE_EXTRA_CA_CERTS environment variable.
Maybe the parameter NODE_EXTRA_CA_CERTS should be added to the documentation?
@LuckyF Thank you, that was the solution for me.
Summary for other people: If you use self-signed certificates not issued by a common public authority, add the root certificate of the keycloak instance to the wikijs container via the NODE_EXTRA_CA_CERTS environment variable.
Example docker-compose:
```yaml
version: "3"
services:
  db:
    image: postgres:11-alpine
    environment:
      POSTGRES_DB: *****
      POSTGRES_PASSWORD: ****
      POSTGRES_USER: *****
    logging:
      driver: "none"
    restart: unless-stopped
    volumes:
      - db-data:/var/lib/postgresql/data
  wiki:
    image: requarks/wiki:2
    depends_on:
      - db
    environment:
      DB_TYPE: postgres
      DB_HOST: db
      DB_PORT: 5432
      DB_USER: ****
      DB_PASS: ****
      DB_NAME: ****
      # name of my self-signed certificate in my mapped folder
      NODE_EXTRA_CA_CERTS: /certs/cert.pem
    restart: always
    ports:
      - "8082:3000"
    volumes:
      # map host folder where my certificate is to /certs in my container
      - /etc/ssl/certs/:/certs
volumes:
  db-data:
```
> Maybe the parameter NODE_EXTRA_CA_CERTS should be added to the documentation?
I'll try to add a keycloak documentation site soon.
I have enabled and set up the Keycloak option in WikiJS under Authentication.
When I set the configuration for a Keycloak HTTP address in WikiJS, the login via OpenID works.
When I set up the configuration for a Keycloak HTTPS address in WikiJS, OpenID login no longer works. Here I get the error message: "Failed to obtain access token".
In both cases WikiJS is routing me correctly to the Keycloak login page. After login, Keycloak redirects me back to the correct URL [Http/Https]. But while I am logged in at the HTTP address, I get the mentioned error message at the HTTPS address.
I have configured both Keycloak and WikiJS with the same certificate (*.mydomain.net), and it is a trusted certificate.
Does anyone have an idea what this could be?
---- My WikiJS environment
OS: Windows Server 2019 Standard
Wiki.js version: 2.4.105
Database engine: postgresql-12.3-1
Keycloak version: 10.0.1