Open phac008 opened 1 month ago
On kind deployment only: the following error occurs when configuring the OIDC provider via the command line: "unable to create provider: oidc: issuer did not match the issuer returned by provider" with Keycloak IdP.
```
oidc_discovery_url=https://keycloak-127-0-0-1.nip.io/realms/sx-cnp-oss
2024-08-06T21:22:55.065Z [ERROR] auth.oidc.auth_oidc_28b6b006: error checking oidc discovery URL: error="error creating provider with given values: NewProvider: unable to create provider: Get \"https://keycloak-127-0-0-1.nip.io/realms/sx-cnp-oss/.well-known/openid-configuration\": dial tcp 127.0.0.1:443: connect: connection refused"
```

```
oidc_discovery_url=http://keycloak-service.keycloak.svc.cluster.local:8080/realms/sx-cnp-oss
2024-08-06T21:36:42.019Z [ERROR] auth.oidc.auth_oidc_28b6b006: error checking oidc discovery URL: error="error creating provider with given values: NewProvider: unable to create provider: oidc: issuer did not match the issuer returned by provider, expected \"http://keycloak-service.keycloak.svc.cluster.local:8080/realms/sx-cnp-oss\" got \"https://keycloak-127-0-0-1.nip.io/realms/sx-cnp-oss\""
```
This is because of the frontend_url defined in the Keycloak realm (which is needed for the Backstage OIDC plugin).
Related issues: hashicorp/vault#25024, https://discuss.hashicorp.com/t/unable-to-create-provider-oidc-issuer-did-not-match-the-issuer-returned-by-provider-with-keycloak-idp/61851
Currently no workaround after deployment via Argo: remove the frontend URL from the Keycloak realm, add the OIDC config:

```
vault write auth/oidc/config oidc_discovery_url="https://keycloak-127-0-0-1.nip.io/realms/sx-cnp-oss" oidc_client_id="vault" oidc_client_secret="" default_role="default"
```

When re-adding the frontend URL to Keycloak:

```
Missing auth_url. Please check that allowed_redirect_uris for the role include this mount path.
```

... so for development, Backstage OIDC login will not work so far.
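As an added diagnostic (not part of this issue, Vault or Keycloak), the script below reproduces the strict issuer comparison that fails in the second log line above, run against discovery documents constructed from the two realm configurations described here. `check_live` is a hypothetical helper for running the same check from inside a cluster; the discovery JSON is constructed sample input, not captured from Keycloak.

```python
import json
from urllib.parse import urlsplit
from urllib.request import urlopen

# Constructed discovery documents (sample input, not captured from a live
# Keycloak) for the two realm configurations described in the issue.
DISCOVERY_WITH_FRONTEND_URL = json.dumps({
    "issuer": "https://keycloak-127-0-0-1.nip.io/realms/sx-cnp-oss",
})
DISCOVERY_WITHOUT_FRONTEND_URL = json.dumps({
    "issuer": "http://keycloak-service.keycloak.svc.cluster.local:8080/realms/sx-cnp-oss",
})


def check_issuer(configured_url: str, discovery_json: str) -> dict:
    """Compare oidc_discovery_url with the issuer the IdP advertises.

    The OIDC client library compares the two strings exactly, so any
    difference in scheme, host, port or path fails provider creation. That
    strictness is what later guarantees the `iss` claim of every token is
    checked against the issuer the operator intended to trust.
    """
    advertised = json.loads(discovery_json).get("issuer")
    if advertised is None:
        return {"ok": False, "differs": [], "reason": "discovery document has no issuer"}
    if advertised == configured_url:
        return {"ok": True, "differs": [], "reason": "issuer matches"}
    want, got = urlsplit(configured_url), urlsplit(advertised)
    differs = [p for p in ("scheme", "netloc", "path")
               if getattr(want, p) != getattr(got, p)]
    return {"ok": False, "differs": differs,
            "reason": f"issuer mismatch in {', '.join(differs)}: "
                      f"expected {configured_url!r}, got {advertised!r}"}


def check_live(configured_url: str, timeout: float = 5.0) -> dict:
    """Fetch the discovery document from a running IdP and run the same check.

    Hypothetical helper for use against a real cluster. The fetch itself
    reproduces the first error in the issue (connection refused) when the
    hostname does not resolve to a reachable Keycloak from the Vault pod.
    """
    url = configured_url.rstrip("/") + "/.well-known/openid-configuration"
    with urlopen(url, timeout=timeout) as resp:
        return check_issuer(configured_url, resp.read().decode())


if __name__ == "__main__":
    internal = "http://keycloak-service.keycloak.svc.cluster.local:8080/realms/sx-cnp-oss"
    print(check_issuer(internal, DISCOVERY_WITH_FRONTEND_URL)["reason"])
    print(check_issuer(internal, DISCOVERY_WITHOUT_FRONTEND_URL)["reason"])
```

The mismatch reported is in scheme and host, which is exactly what setting the realm frontend URL changes; the path (the realm) is identical in both.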