torbenraab / plane

OpenID Connect Support for Plane 🔥 🔥 🔥 Open Source JIRA, Linear and Height Alternative. Plane helps you track your issues, epics, and product roadmaps in the simplest way possible.
http://plane.so
GNU Affero General Public License v3.0
41 stars 7 forks

[help]: OIDC issues #7

Closed thefiredragon closed 5 months ago

thefiredragon commented 5 months ago

Is there an existing issue for this?

Current behavior

Hey, first, thanks for maintaining this. We also need OIDC and want to move away from Atlassian because on-prem will not be supported by Atlassian.

I built Plane from your repo and tried to set up my Keycloak OIDC, ran into some issues, and would like to ask if you could help here.

First after first setup I noticed this here: Screenshot_20240123_151712

The screenshot above is clear; it's a cookie if I'm authenticated.

When I try to authenticate over OIDC, I'm running into this:

Screenshot_20240123_152526

Plane logs:

[api]         | 10.89.0.46:36026 - "POST /api/oidc-auth/ HTTP/1.0" 400
[proxy]       | 10.70.0.11 - - [23/Jan/2024:14:25:43 +0000] "POST /api/oidc-auth/ HTTP/1.1" 400 44 "https://plane.mydomain.net/?session_state=4dfdac27-6448-48f9-a079-f35d3158016d&iss=https%3A%2F%2Fkeycloak.mydomain.net%2Frealms%2Fplane&code=af9215b7-aee2-4e06-b98a-7f7cde868a9d.4dfdac27-6448-48f9-a079-f35d3158016d.04b1d12c-aa7d-40c0-965d-9bd82e939554" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36"
[api]         | 10.89.0.46:36034 - "POST /api/oidc-auth/ HTTP/1.0" 400
[proxy]       | 10.70.0.11 - - [23/Jan/2024:14:25:43 +0000] "POST /api/oidc-auth/ HTTP/1.1" 400 44 "https://plane.mydomain.net/?session_state=4dfdac27-6448-48f9-a079-f35d3158016d&iss=https%3A%2F%2Fkeycloak.mydomain.net%2Frealms%2Fplane&code=af9215b7-aee2-4e06-b98a-7f7cde868a9d.4dfdac27-6448-48f9-a079-f35d3158016d.04b1d12c-aa7d-40c0-965d-9bd82e939554" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36"
[api]         | 10.89.0.46:36038 - "POST /api/oidc-auth/ HTTP/1.0" 400
[proxy]       | 10.70.0.11 - - [23/Jan/2024:14:25:43 +0000] "POST /api/oidc-auth/ HTTP/1.1" 400 44 "https://plane.mydomain.net/?session_state=4dfdac27-6448-48f9-a079-f35d3158016d&iss=https%3A%2F%2Fkeycloak.mydomain.net%2Frealms%2Fplane&code=af9215b7-aee2-4e06-b98a-7f7cde868a9d.4dfdac27-6448-48f9-a079-f35d3158016d.04b1d12c-aa7d-40c0-965d-9bd82e939554" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36"
[api]         | 10.89.0.46:36054 - "POST /api/oidc-auth/ HTTP/1.0" 400
[proxy]       | 10.70.0.11 - - [23/Jan/2024:14:25:44 +0000] "POST /api/oidc-auth/ HTTP/1.1" 400 44 "https://plane.mydomain.net/?session_state=4dfdac27-6448-48f9-a079-f35d3158016d&iss=https%3A%2F%2Fkeycloak.mydomain.net%2Frealms%2Fplane&code=af9215b7-aee2-4e06-b98a-7f7cde868a9d.4dfdac27-6448-48f9-a079-f35d3158016d.04b1d12c-aa7d-40c0-965d-9bd82e939554" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36"
[proxy]       | 10.70.0.11 - - [23/Jan/2024:14:25:44 +0000] "POST /api/oidc-auth/ HTTP/1.1" 499 0 "https://plane.mydomain.net/?session_state=4dfdac27-6448-48f9-a079-f35d3158016d&iss=https%3A%2F%2Fkeycloak.mydomain.net%2Frealms%2Fplane&code=af9215b7-aee2-4e06-b98a-7f7cde868a9d.4dfdac27-6448-48f9-a079-f35d3158016d.04b1d12c-aa7d-40c0-965d-9bd82e939554" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36"

Keycloak logs

Jan 23 14:28:37 CG-Keycloak kc.sh[8566]: 2024-01-23 14:28:37,225 DEBUG [io.quarkus.vertx.http.runtime.ForwardedParser] (executor-thread-3) Recalculated absoluteURI to https://keycloak.mydomain.net/realms/plane/login-actions/authenticate?session_code=4r0Jg1meG5pUSQ1MaHTszaZ7YPoZV2GrMfafjmL2wIs&execution=dc12c801-0fd1-48c7-a3ae-fa995557a8cd&client_id=plane-client&tab_id=jsdz9SYsWzM
Jan 23 14:28:37 CG-Keycloak kc.sh[8566]: 2024-01-23 14:28:37,226 DEBUG [org.keycloak.services.resources.SessionCodeChecks] (executor-thread-3) Will use client 'plane-client' in back-to-application link
Jan 23 14:28:37 CG-Keycloak kc.sh[8566]: 2024-01-23 14:28:37,226 DEBUG [org.keycloak.services.util.CookieHelper] (executor-thread-3) AUTH_SESSION_ID cookie found in the request header
Jan 23 14:28:37 CG-Keycloak kc.sh[8566]: 2024-01-23 14:28:37,227 DEBUG [org.keycloak.services.util.CookieHelper] (executor-thread-3) AUTH_SESSION_ID cookie found in the cookie field
Jan 23 14:28:37 CG-Keycloak kc.sh[8566]: 2024-01-23 14:28:37,227 DEBUG [org.keycloak.services.managers.AuthenticationSessionManager] (executor-thread-3) Found AUTH_SESSION_ID cookie with value a36e3a34-6d41-413f-98a0-cea247743e9e.CG-Keycloak-27718
Jan 23 14:28:37 CG-Keycloak kc.sh[8566]: 2024-01-23 14:28:37,227 DEBUG [org.keycloak.authentication.AuthenticationProcessor] (executor-thread-3) authenticationAction
Jan 23 14:28:37 CG-Keycloak kc.sh[8566]: 2024-01-23 14:28:37,227 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (executor-thread-3) processAction: dc12c801-0fd1-48c7-a3ae-fa995557a8cd
Jan 23 14:28:37 CG-Keycloak kc.sh[8566]: 2024-01-23 14:28:37,227 DEBUG [org.keycloak.authentication.AuthenticationSelectionResolver] (executor-thread-3) Going through the flow 'browser' for adding executions
Jan 23 14:28:37 CG-Keycloak kc.sh[8566]: 2024-01-23 14:28:37,227 DEBUG [org.keycloak.authentication.AuthenticationSelectionResolver] (executor-thread-3) Going through the flow 'forms' for adding executions
Jan 23 14:28:37 CG-Keycloak kc.sh[8566]: 2024-01-23 14:28:37,227 DEBUG [org.keycloak.authentication.AuthenticationSelectionResolver] (executor-thread-3) Selections when trying execution 'auth-username-password-form' : [ authSelection - auth-username-password-form]
Jan 23 14:28:37 CG-Keycloak kc.sh[8566]: 2024-01-23 14:28:37,227 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (executor-thread-3) action: auth-username-password-form
Jan 23 14:28:37 CG-Keycloak kc.sh[8566]: 2024-01-23 14:28:37,256 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (executor-thread-3) authenticator SUCCESS: auth-username-password-form
Jan 23 14:28:37 CG-Keycloak kc.sh[8566]: 2024-01-23 14:28:37,257 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (executor-thread-3) check execution: 'forms flow', requirement: 'ALTERNATIVE'
Jan 23 14:28:37 CG-Keycloak kc.sh[8566]: 2024-01-23 14:28:37,257 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (executor-thread-3) processFlow: forms
Jan 23 14:28:37 CG-Keycloak kc.sh[8566]: 2024-01-23 14:28:37,257 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (executor-thread-3) check execution: 'auth-username-password-form', requirement: 'REQUIRED'
Jan 23 14:28:37 CG-Keycloak kc.sh[8566]: 2024-01-23 14:28:37,257 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (executor-thread-3) execution 'auth-username-password-form' is processed
Jan 23 14:28:37 CG-Keycloak kc.sh[8566]: 2024-01-23 14:28:37,257 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (executor-thread-3) Flow 'forms flow' successfully finished
Jan 23 14:28:37 CG-Keycloak kc.sh[8566]: 2024-01-23 14:28:37,257 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (executor-thread-3) processFlow: browser
Jan 23 14:28:37 CG-Keycloak kc.sh[8566]: 2024-01-23 14:28:37,257 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (executor-thread-3) Authentication successful of the top flow 'browser'
Jan 23 14:28:37 CG-Keycloak kc.sh[8566]: 2024-01-23 14:28:37,260 DEBUG [org.keycloak.services.managers.AuthenticationSessionManager] (executor-thread-3) Removing root authSession 'a36e3a34-6d41-413f-98a0-cea247743e9e'. Expire restart cookie: true
Jan 23 14:28:37 CG-Keycloak kc.sh[8566]: 2024-01-23 14:28:37,260 DEBUG [org.keycloak.services.util.CookieHelper] (executor-thread-3) Could not find cookie KEYCLOAK_SESSION, trying KEYCLOAK_SESSION_LEGACY
Jan 23 14:28:37 CG-Keycloak kc.sh[8566]: 2024-01-23 14:28:37,261 DEBUG [org.keycloak.services.managers.AuthenticationManager] (executor-thread-3) Create login cookie - name: KEYCLOAK_IDENTITY, path: /realms/plane/, max-age: -1
Jan 23 14:28:37 CG-Keycloak kc.sh[8566]: 2024-01-23 14:28:37,261 DEBUG [org.keycloak.services.managers.AuthenticationManager] (executor-thread-3) Expiring remember me cookie
Jan 23 14:28:37 CG-Keycloak kc.sh[8566]: 2024-01-23 14:28:37,261 DEBUG [org.keycloak.services.managers.AuthenticationManager] (executor-thread-3) Expiring cookie: KEYCLOAK_REMEMBER_ME path: /realms/plane/
Jan 23 14:28:37 CG-Keycloak kc.sh[8566]: 2024-01-23 14:28:37,262 DEBUG [org.keycloak.protocol.oidc.OIDCLoginProtocol] (executor-thread-3) redirectAccessCode: state: null
Jan 23 14:28:37 CG-Keycloak kc.sh[8566]: 2024-01-23 14:28:37,262 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (executor-thread-3) JtaTransactionWrapper  commit
Jan 23 14:28:37 CG-Keycloak kc.sh[8566]: 2024-01-23 14:28:37,262 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (executor-thread-3) JtaTransactionWrapper end
Jan 23 14:28:37 CG-Keycloak kc.sh[8566]: 2024-01-23 14:28:37,262 DEBUG [org.keycloak.events] (executor-thread-3) type=LOGIN, realmId=ecc8ebe4-e160-4b96-a0d5-b3f49eb84e06, clientId=plane-client, userId=893866a9-da30-4587-8fb4-72c35405d7ca, ipAddress=10.71.0.17, auth_method=openid-connect, auth_type=code, response_type=code, redirect_uri=https://plane.mydomain.net/, consent=no_consent_required, code_id=a36e3a34-6d41-413f-98a0-cea247743e9e, username=dan, response_mode=query, authSessionParentId=a36e3a34-6d41-413f-98a0-cea247743e9e, authSessionTabId=jsdz9SYsWzM
Jan 23 14:28:37 CG-Keycloak kc.sh[8566]: 2024-01-23 14:28:37,686 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (Timer-0) new JtaTransactionWrapper
Jan 23 14:28:37 CG-Keycloak kc.sh[8566]: 2024-01-23 14:28:37,686 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (Timer-0) was existing? false
Jan 23 14:28:37 CG-Keycloak kc.sh[8566]: 2024-01-23 14:28:37,686 DEBUG [org.keycloak.models.sessions.infinispan.changes.sessions.PersisterLastSessionRefreshStore] (Timer-0) Updating 0 userSessions with lastSessionRefresh: 1706020057
Jan 23 14:28:37 CG-Keycloak kc.sh[8566]: 2024-01-23 14:28:37,686 DEBUG [org.keycloak.services.scheduled.ScheduledTaskRunner] (Timer-0) Executed scheduled task AbstractLastSessionRefreshStoreFactory$$Lambda$1591/0x00007f795fc362d0
Jan 23 14:28:37 CG-Keycloak kc.sh[8566]: 2024-01-23 14:28:37,686 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (Timer-0) JtaTransactionWrapper  commit
Jan 23 14:28:37 CG-Keycloak kc.sh[8566]: 2024-01-23 14:28:37,686 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (Timer-0) JtaTransactionWrapper end
Jan 23 14:28:38 CG-Keycloak kc.sh[8566]: 2024-01-23 14:28:38,370 DEBUG [io.netty.handler.ssl.SslHandler] (vert.x-eventloop-thread-0) [id: 0x5a9bd836, L:/10.70.0.44:443 - R:/10.70.0.51:34578] HANDSHAKEN: protocol:TLSv1.3 cipher suite:TLS_AES_256_GCM_SHA384
Jan 23 14:28:38 CG-Keycloak kc.sh[8566]: 2024-01-23 14:28:38,370 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (executor-thread-3) new JtaTransactionWrapper
Jan 23 14:28:38 CG-Keycloak kc.sh[8566]: 2024-01-23 14:28:38,370 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (executor-thread-3) was existing? false
Jan 23 14:28:38 CG-Keycloak kc.sh[8566]: 2024-01-23 14:28:38,370 DEBUG [io.quarkus.vertx.http.runtime.ForwardedParser] (executor-thread-3) Recalculated absoluteURI to https://keycloak.mydomain.net/realms/plane/protocol/openid-connect/token
Jan 23 14:28:38 CG-Keycloak kc.sh[8566]: 2024-01-23 14:28:38,371 DEBUG [org.keycloak.authentication.AuthenticationProcessor] (executor-thread-3) AUTHENTICATE CLIENT
Jan 23 14:28:38 CG-Keycloak kc.sh[8566]: 2024-01-23 14:28:38,371 DEBUG [org.keycloak.authentication.ClientAuthenticationFlow] (executor-thread-3) client authenticator: client-secret
Jan 23 14:28:38 CG-Keycloak kc.sh[8566]: 2024-01-23 14:28:38,371 DEBUG [org.keycloak.authentication.ClientAuthenticationFlow] (executor-thread-3) client authenticator SUCCESS: client-secret
Jan 23 14:28:38 CG-Keycloak kc.sh[8566]: 2024-01-23 14:28:38,371 DEBUG [org.keycloak.authentication.ClientAuthenticationFlow] (executor-thread-3) Client plane-client authenticated by client-secret
Jan 23 14:28:38 CG-Keycloak kc.sh[8566]: 2024-01-23 14:28:38,371 DEBUG [org.keycloak.models.sessions.infinispan.InfinispanUserSessionProvider] (executor-thread-3) getUserSessionWithPredicate(a36e3a34-6d41-413f-98a0-cea247743e9e): found in local cache
Jan 23 14:28:38 CG-Keycloak kc.sh[8566]: 2024-01-23 14:28:38,371 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (executor-thread-3) new JtaTransactionWrapper
Jan 23 14:28:38 CG-Keycloak kc.sh[8566]: 2024-01-23 14:28:38,371 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (executor-thread-3) was existing? true
Jan 23 14:28:38 CG-Keycloak kc.sh[8566]: 2024-01-23 14:28:38,371 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (executor-thread-3) JtaTransactionWrapper  commit
Jan 23 14:28:38 CG-Keycloak kc.sh[8566]: 2024-01-23 14:28:38,371 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (executor-thread-3) JtaTransactionWrapper end
Jan 23 14:28:38 CG-Keycloak kc.sh[8566]: 2024-01-23 14:28:38,371 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (executor-thread-3) JtaTransactionWrapper resuming suspended
Jan 23 14:28:38 CG-Keycloak kc.sh[8566]: 2024-01-23 14:28:38,371 WARN  [org.keycloak.events] (executor-thread-3) type=CODE_TO_TOKEN_ERROR, realmId=ecc8ebe4-e160-4b96-a0d5-b3f49eb84e06, clientId=plane-client, userId=893866a9-da30-4587-8fb4-72c35405d7ca, ipAddress=10.70.0.51, error=invalid_code, grant_type=authorization_code, code_id=a36e3a34-6d41-413f-98a0-cea247743e9e, client_auth_method=client-secret
Jan 23 14:28:38 CG-Keycloak kc.sh[8566]: 2024-01-23 14:28:38,371 DEBUG [org.jboss.resteasy.reactive.common.core.AbstractResteasyReactiveContext] (executor-thread-3) Restarting handler chain for exception exception: org.keycloak.services.CorsErrorResponseException: HTTP 500 Internal Server Error
Jan 23 14:28:38 CG-Keycloak kc.sh[8566]:         at org.keycloak.protocol.oidc.endpoints.TokenEndpoint.codeToToken(TokenEndpoint.java:402)
Jan 23 14:28:38 CG-Keycloak kc.sh[8566]:         at org.keycloak.protocol.oidc.endpoints.TokenEndpoint.processGrantRequest(TokenEndpoint.java:207)
Jan 23 14:28:38 CG-Keycloak kc.sh[8566]:         at org.keycloak.protocol.oidc.endpoints.TokenEndpoint$quarkusrestinvoker$processGrantRequest_6408e15340992839b66447750c221d9aaa837bd7.invoke(Unknown Source)
Jan 23 14:28:38 CG-Keycloak kc.sh[8566]:         at org.jboss.resteasy.reactive.server.handlers.InvocationHandler.handle(InvocationHandler.java:29)
Jan 23 14:28:38 CG-Keycloak kc.sh[8566]:         at io.quarkus.resteasy.reactive.server.runtime.QuarkusResteasyReactiveRequestContext.invokeHandler(QuarkusResteasyReactiveRequestContext.java:141)
Jan 23 14:28:38 CG-Keycloak kc.sh[8566]:         at org.jboss.resteasy.reactive.common.core.AbstractResteasyReactiveContext.run(AbstractResteasyReactiveContext.java:145)
Jan 23 14:28:38 CG-Keycloak kc.sh[8566]:         at io.quarkus.vertx.core.runtime.VertxCoreRecorder$14.runWith(VertxCoreRecorder.java:576)
Jan 23 14:28:38 CG-Keycloak kc.sh[8566]:         at org.jboss.threads.EnhancedQueueExecutor$Task.run(EnhancedQueueExecutor.java:2513)
Jan 23 14:28:38 CG-Keycloak kc.sh[8566]:         at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1538)
Jan 23 14:28:38 CG-Keycloak kc.sh[8566]:         at org.jboss.threads.DelegatingRunnable.run(DelegatingRunnable.java:29)
Jan 23 14:28:38 CG-Keycloak kc.sh[8566]:         at org.jboss.threads.ThreadLocalResettingRunnable.run(ThreadLocalResettingRunnable.java:29)
Jan 23 14:28:38 CG-Keycloak kc.sh[8566]:         at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)
Jan 23 14:28:38 CG-Keycloak kc.sh[8566]:         at java.base/java.lang.Thread.run(Thread.java:840)
Jan 23 14:28:38 CG-Keycloak kc.sh[8566]: 2024-01-23 14:28:38,371 DEBUG [org.keycloak.services.resources.Cors] (executor-thread-3) Added CORS headers to response
Jan 23 14:28:38 CG-Keycloak kc.sh[8566]: 2024-01-23 14:28:38,371 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (executor-thread-3) JtaTransactionWrapper  commit
Jan 23 14:28:38 CG-Keycloak kc.sh[8566]: 2024-01-23 14:28:38,371 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (executor-thread-3) JtaTransactionWrapper end
Jan 23 14:28:38 CG-Keycloak kc.sh[8566]: 2024-01-23 14:28:38,718 DEBUG [io.netty.handler.ssl.SslHandler] (vert.x-eventloop-thread-1) [id: 0xd07113e5, L:/10.70.0.44:443 - R:/10.70.0.51:34590] HANDSHAKEN: protocol:TLSv1.3 cipher suite:TLS_AES_256_GCM_SHA384
Jan 23 14:28:38 CG-Keycloak kc.sh[8566]: 2024-01-23 14:28:38,721 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (executor-thread-3) new JtaTransactionWrapper
Jan 23 14:28:38 CG-Keycloak kc.sh[8566]: 2024-01-23 14:28:38,721 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (executor-thread-3) was existing? false
Jan 23 14:28:38 CG-Keycloak kc.sh[8566]: 2024-01-23 14:28:38,721 DEBUG [io.quarkus.vertx.http.runtime.ForwardedParser] (executor-thread-3) Recalculated absoluteURI to https://keycloak.mydomain.net/realms/plane/protocol/openid-connect/token
Jan 23 14:28:38 CG-Keycloak kc.sh[8566]: 2024-01-23 14:28:38,722 DEBUG [org.keycloak.authentication.AuthenticationProcessor] (executor-thread-3) AUTHENTICATE CLIENT
Jan 23 14:28:38 CG-Keycloak kc.sh[8566]: 2024-01-23 14:28:38,722 DEBUG [org.keycloak.authentication.ClientAuthenticationFlow] (executor-thread-3) client authenticator: client-secret
Jan 23 14:28:38 CG-Keycloak kc.sh[8566]: 2024-01-23 14:28:38,722 DEBUG [org.keycloak.authentication.ClientAuthenticationFlow] (executor-thread-3) client authenticator SUCCESS: client-secret
Jan 23 14:28:38 CG-Keycloak kc.sh[8566]: 2024-01-23 14:28:38,722 DEBUG [org.keycloak.authentication.ClientAuthenticationFlow] (executor-thread-3) Client plane-client authenticated by client-secret
Jan 23 14:28:38 CG-Keycloak kc.sh[8566]: 2024-01-23 14:28:38,722 DEBUG [org.keycloak.models.sessions.infinispan.InfinispanUserSessionProvider] (executor-thread-3) getUserSessionWithPredicate(a36e3a34-6d41-413f-98a0-cea247743e9e): found in local cache
Jan 23 14:28:38 CG-Keycloak kc.sh[8566]: 2024-01-23 14:28:38,722 WARN  [org.keycloak.protocol.oidc.utils.OAuth2CodeParser] (executor-thread-3) Code 'd4bdb1a4-297e-4421-9a96-650aa925e751' already used for userSession 'a36e3a34-6d41-413f-98a0-cea247743e9e' and client '04b1d12c-aa7d-40c0-965d-9bd82e939554'.

My last question would be whether you had tested your implementation with Keycloak. If yes, could you provide a test configuration for Keycloak? I'm not an expert with Keycloak, but I tested authentication_code with Postman and there it's working. Best regards and greetings, David

Steps to reproduce

-

Browser

Google Chrome

Version

Self-hosted
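
The proxy log in the report above shows the same `code` value in the Referer of several `POST /api/oidc-auth/` requests within one second, and the Keycloak log shows `CODE_TO_TOKEN_ERROR` with `error=invalid_code` plus a "Code ... already used" warning; an authorization code can be redeemed only once. The following is an added example (not part of the original issue or of Plane's code) that finds both patterns in logs of this shape; the sample lines, hosts and code values are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines in the shape of the proxy and Keycloak logs above.
LINE = ('[proxy]       | 10.0.0.5 - - [{ts}] "POST /api/oidc-auth/ HTTP/1.1" {st} 44 '
        '"https://plane.example.test/?session_state=s1&code={code}" "Mozilla/5.0"')
PROXY_LOG = "\n".join([
    '[api]         | 10.0.0.7:36026 - "POST /api/oidc-auth/ HTTP/1.0" 400',
    LINE.format(ts="23/Jan/2024:14:25:43 +0000", st=400, code="code-aaa.s1.c1"),
    LINE.format(ts="23/Jan/2024:14:25:43 +0000", st=400, code="code-aaa.s1.c1"),
    LINE.format(ts="23/Jan/2024:14:25:44 +0000", st=499, code="code-aaa.s1.c1"),
    LINE.format(ts="23/Jan/2024:14:31:02 +0000", st=200, code="code-bbb.s2.c1"),
])
KEYCLOAK_LOG = "\n".join([
    "Jan 23 14:28:37 idp kc.sh[1]: 2024-01-23 14:28:37,262 DEBUG [org.keycloak.events] "
    "(executor-thread-3) type=LOGIN, clientId=plane-client, ipAddress=10.0.0.8, code_id=sess-1",
    "Jan 23 14:28:38 idp kc.sh[1]: 2024-01-23 14:28:38,371 WARN  [org.keycloak.events] "
    "(executor-thread-3) type=CODE_TO_TOKEN_ERROR, clientId=plane-client, "
    "ipAddress=10.0.0.9, error=invalid_code, grant_type=authorization_code, code_id=sess-1",
])

# Combined-format access line, with the optional "[service] | " container prefix.
ACCESS_RE = re.compile(
    r'^(?:\[\w+\]\s*\|\s*)?\S+ \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ "(?P<referer>[^"]*)"'
)
EVENT_RE = re.compile(r"\[org\.keycloak\.events\] \(\S+\) (?P<fields>type=.*)$")


def find_code_replays(log_text, callback_path="/api/oidc-auth/"):
    """Return {code: [(timestamp, status), ...]} for codes posted more than once."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        m = ACCESS_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        if urlsplit(m["path"]).path != callback_path:
            continue
        # The POST body is not logged; the code is only visible in the Referer.
        for code in parse_qs(urlsplit(m["referer"]).query).get("code", []):
            seen[code].append((m["ts"], int(m["status"])))
    return {code: hits for code, hits in seen.items() if len(hits) > 1}


def keycloak_code_errors(log_text):
    """Return the key=value fields of every CODE_TO_TOKEN_ERROR event."""
    events = []
    for line in log_text.splitlines():
        m = EVENT_RE.search(line)
        if not m:
            continue
        fields = dict(kv.split("=", 1) for kv in m["fields"].split(", ") if "=" in kv)
        if fields.get("type") == "CODE_TO_TOKEN_ERROR":
            events.append(fields)
    return events


if __name__ == "__main__":
    for code, hits in find_code_replays(PROXY_LOG).items():
        print(f"code {code} posted {len(hits)} times: {hits}")
    for ev in keycloak_code_errors(KEYCLOAK_LOG):
        print(f"{ev['error']} for client {ev['clientId']} from {ev['ipAddress']}")
```

Because the code travels in the Referer, it is also written to the proxy's access log, so these logs should be treated as containing credentials until the codes expire.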

thefiredragon commented 5 months ago

@torbenraab Personally I dislike spamming, but I'd like to ask which OIDC provider you use and if you tested Keycloak? A client sample for the authorisation_code flow from the OIDC provider would be helpful. Greetings

torbenraab commented 5 months ago

Hey @thefiredragon, At my company we use it in combination with Authentik. Keycloak was tested before. I think I know where the error is from. I will update you shortly after some investigation.

thefiredragon commented 5 months ago

Last change to OIDC_DISCOVERY won't work correctly, current dev sync breaks the build, too, so I tried detached commit ac2262ea

P.S I switched to authentik and will try it.

[api]         | Instance already registered
Traceback (most recent call last):
  File "/code/manage.py", line 17, in <module>
    execute_from_command_line(sys.argv)
  File "/usr/local/lib/python3.11/site-packages/django/core/management/__init__.py", line 442, in execute_from_command_line
    utility.execute()
  File "/usr/local/lib/python3.11/site-packages/django/core/management/__init__.py", line 436, in execute
    self.fetch_command(subcommand).run_from_argv(self.argv)
  File "/usr/local/lib/python3.11/site-packages/django/core/management/base.py", line 412, in run_from_argv
    self.execute(*args, **cmd_options)
  File "/usr/local/lib/python3.11/site-packages/django/core/management/base.py", line 458, in execute
    output = self.handle(*args, **options)
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/code/plane/license/management/commands/configure_instance.py", line 171, in handle
    ) = get_endpoint_information(item.get("value"))
        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/code/plane/app/views/oidc.py", line 48, in get_endpoint_information
    if not discovery_url.includes("/.well-known/openid-configuration"):
           ^^^^^^^^^^^^^^^^^^^^^^
AttributeError: 'str' object has no attribute 'includes'
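
The traceback above comes from calling `.includes()`, which is a JavaScript string method, on a Python `str`; Python's substring test is the `in` operator. The following is an added sketch (not the project's code; `normalize_discovery_url`, `check_discovery_document` and the sample document are hypothetical) that accepts either an issuer URL or a full discovery URL and then checks the fetched document before its endpoints are trusted.

```python
from urllib.parse import urlsplit

WELL_KNOWN = "/.well-known/openid-configuration"
REQUIRED_KEYS = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")

# Constructed discovery document for a made-up Keycloak-style realm.
SAMPLE_DOC = {
    "issuer": "https://idp.example.test/realms/plane",
    "authorization_endpoint": "https://idp.example.test/realms/plane/protocol/openid-connect/auth",
    "token_endpoint": "https://idp.example.test/realms/plane/protocol/openid-connect/token",
    "jwks_uri": "https://idp.example.test/realms/plane/protocol/openid-connect/certs",
}


def normalize_discovery_url(value):
    """Accept an issuer URL or a discovery URL; return (issuer, discovery_url)."""
    value = value.strip()
    if WELL_KNOWN in value:  # substring test; str has no .includes()
        issuer, _, rest = value.partition(WELL_KNOWN)
        if rest:
            raise ValueError("unexpected text after the well-known path")
    else:
        issuer = value
    # A terminating "/" is removed before the well-known path is appended.
    issuer = issuer.rstrip("/")
    parts = urlsplit(issuer)
    if parts.scheme != "https" or not parts.netloc or parts.query or parts.fragment:
        raise ValueError(f"issuer must be a plain https URL: {issuer!r}")
    return issuer, issuer + WELL_KNOWN


def check_discovery_document(issuer, doc):
    """Return a list of problems; an empty list means the document is usable."""
    problems = []
    for key in REQUIRED_KEYS:
        if not isinstance(doc.get(key), str) or not doc[key]:
            problems.append(f"missing {key}")
    # The advertised issuer has to match the one the URL was derived from,
    # otherwise the client would trust endpoints of a different issuer.
    # Trailing slashes are ignored here because they cannot be recovered
    # from a discovery URL.
    advertised = doc.get("issuer")
    if isinstance(advertised, str) and advertised.rstrip("/") != issuer.rstrip("/"):
        problems.append(f"issuer mismatch: document says {advertised!r}")
    for key in REQUIRED_KEYS[1:]:
        url = doc.get(key)
        if isinstance(url, str) and urlsplit(url).scheme != "https":
            problems.append(f"{key} is not https")
    return problems


if __name__ == "__main__":
    issuer, url = normalize_discovery_url("https://idp.example.test/realms/plane/")
    print(url)
    print(check_discovery_document(issuer, SAMPLE_DOC) or "document ok")
```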

thefiredragon commented 5 months ago

So I checked out ffc05414, which was working before. Authentik works with Plane. Here I have a last question: how can I access god-mode when direct SSO forward is activated?

Workaround: created same user with same e-mail at authentik.

torbenraab commented 5 months ago

The issue with the current commit is already known. I will look into the topic today as I had a lot of work to do this week.

I will look into the god-mode registration shortly. Thanks for your update and testing!

thefiredragon commented 5 months ago

Okay, thank you. Perhaps it's better to merge OIDC to the preview branch; this should be more stable than the dev branch.

torbenraab commented 5 months ago

Yeah I just looked into it and will do a merge into the preview branch so we can quickly update the master as the 0.15 is going to be released. The develop branch is also quite annoyingly upgraded with force pushes and such things

torbenraab commented 5 months ago

Split in issues #9 and #10

torbenraab commented 5 months ago

Just to be clear: when I set up a new instance, then the main screen says "Instance not ready", so you go to the "/god-mode" URL and have to set up an account. I would recommend using the email that your OIDC provider provides for your login, and after everything is set up you log in automatically via OIDC and that's basically it.

I will document everything as soon as #12 is ready.

torbenraab commented 5 months ago

Just updated the readme and included the current images of the preview branch. I will close this issue for now and we can discuss the details in the issues I separated from this.

thefiredragon commented 5 months ago

@torbenraab thank you for your investigation. Is oidc_discovery fixed on the preview branch? Best regards from Krefeld

torbenraab commented 5 months ago

Yeah it is fixed

thefiredragon commented 5 months ago

Okay, I'll try it tomorrow 😊😊😊