alfio-event/alf.io

Keycloak SSO OpenID Configuration Help

Closed this issue · 2 comments

Describe the bug
So I'm trying to set up OpenID so the public can "create" and log in to their own accounts to save their info, as it was intended.
However, I am unable to get it to work, as no matter what I try I always receive a 500 error after all...
[screenshot]

To Reproduce
Steps to reproduce the behavior:

  1. Went to Keycloak to set up everything (version 25.0.1):
    1.1 - Created a new client (alfio) on a new realm according to the documents provided (those I could understand)... and the initial configuration was like this:
    [screenshots]
    Then on the alfio scopes role mappers, I have inserted some dedicated ones as shown here:
    [screenshots]
    There are also 2 roles on the realm:
    [screenshot]
    And in groups a parent group with 2 child groups:
    [screenshot]

  2. After all that, went to the admin web UI, headed into configurations and set up the OpenID section like this:
    [screenshot]
    *Don't worry about the secret as it has been reset

  3. After saving and going into an incognito tab (why not), the login actually appears but it always comes with an error... Most likely from misconfiguration; that is what I'm trying to figure out...

Expected behavior
Users should be able to log in via the SSO Keycloak interface and have their profiles saved

Desktop (please complete the following information):

  • OS: Currently running 2.0M4 on Heroku
  • Browser: Chrome
  • Version [e.g. 22]

Additional context
If anyone has a "step by step" it would be ideal, as I already messed up the configuration of Keycloak so badly that I am already lost...
The Keycloak provider is served behind a zoraxy proxy with SSL.

Public OpenID configuration requires a JSON configuration;
see #1379 (reply in thread) for an example.

Hey again, so after viewing the thread and following (copying, almost) the config, I came across some challenges...
So here is the current config:
{
  "domain": "sso.the.provider",
  "clientId": "alfio",
  "clientSecret": "secrethere",
  "callbackURI": "the.alfio.domain/openid/callback",
  "authenticationUrl": "/realms/therealm/protocol/openid-connect/auth",
  "tokenEndpoint": "/realms/therealm/protocol/openid-connect/token",
  "rolesParameter": "roles",
  "alfioGroupsParameter": "org-roles",
  "logoutUrl": "/realms/therealm/protocol/openid-connect/logout",
  "logoutRedirectUrl": "https://the.alfio.domain/admin"
}

You might see that in the callbackURI I don't have the protocol on it, as if I put it down (https://the.alfio.domain/openid/callback) the result is an incorrect redirectURI from Keycloak. And after analysing the logs this is what I found:
Sep 11 16:05:09 keycloak kc.sh[148]: 2024-09-11 16:05:09,820 WARN [org.keycloak.events] (executor-thread-112) type="LOGIN_ERROR", realmId="xxxx", realmName="therealm", clientId="alfio", userId="null", ipAddress="chillbro", error="invalid_redirect_uri", redirect_uri="https:/ticketlane.herokuapp.com/openid/callback"
So as you see, the redirect_uri is missing a slash and because of it Keycloak doesn't accept it...
If I remove the protocol on both the alfio and Keycloak client config I can successfully log in. However, probably because of the incorrect redirect URI, after the login it goes to a 404 page with the following URL: https://the.alfio.domain/the.alfio.domain/openid/callback?state=moreids&session_state=moreofthat&iss=https%3A%2F%2Fsso.the.provider%2Frealms%2Frealm&code=token.
If I manually remove the 2nd, duplicated the.alfio.domain it successfully logs in and runs "almost" smoothly.

The 2nd issue is when trying to log out, it shows this error: Invalid parameter: redirect_uri, with the following URL: https://sso.the.provider/realms/therealm/protocol/openid-connect/logout?redirect_uri=https://the.alfio.instance/admin
In the logs that shows as:
Sep 11 21:12:56 keycloak kc.sh[148]: 2024-09-11 21:12:56,123 WARN [org.keycloak.protocol.oidc.endpoints.LogoutEndpoint] (executor-thread-176) Parameter 'redirect_uri' no longer supported. Please use 'post_logout_redirect_uri' with 'id_token_hint' for this endpoint. Alternatively you can enable backwards compatibility option 'legacy-logout-redirect-uri' of oidc login protocol in the server configuration.
If I remove the "redirect_uri=https://the.alfio.instance/admin" I can successfully log out but without the redirect (ofc). As far as I got, this is what I have...
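The two failure modes in the post above (a scheme-less callbackURI being appended to the site's own host, and Keycloak 25 rejecting the deprecated redirect_uri logout parameter) can be reproduced and checked with a small script. This is an added example, not code from alf.io or Keycloak: the config dict, the site origin and the function names are constructed for illustration, and the lint rules are assumptions about what a sane config looks like, not alf.io's own validation.

```python
"""Hypothetical checker for an alf.io-style OpenID JSON block (added example).

It shows (1) why a callbackURI without a scheme ends up as
https://host/host/openid/callback, (2) that a redirect_uri must match the
registered value exactly, so a lost slash ("https:/...") fails, and
(3) how to build the logout URL Keycloak 25 expects, using
post_logout_redirect_uri together with id_token_hint as its warning says.
"""
import json
from urllib.parse import urlencode, urljoin, urlsplit

# Constructed sample: the config from the thread, with placeholder values.
SAMPLE_CONFIG = json.loads("""{
  "domain": "sso.the.provider",
  "clientId": "alfio",
  "clientSecret": "secrethere",
  "callbackURI": "the.alfio.domain/openid/callback",
  "authenticationUrl": "/realms/therealm/protocol/openid-connect/auth",
  "tokenEndpoint": "/realms/therealm/protocol/openid-connect/token",
  "rolesParameter": "roles",
  "alfioGroupsParameter": "org-roles",
  "logoutUrl": "/realms/therealm/protocol/openid-connect/logout",
  "logoutRedirectUrl": "https://the.alfio.domain/admin"
}""")


def resolve_callback(site_origin: str, callback_uri: str) -> str:
    """Mimic a client that resolves callbackURI against its own origin.

    A value with no scheme is a relative path to urljoin, which produces
    the doubled-host URL behind the 404 described in the thread.
    """
    return urljoin(site_origin.rstrip("/") + "/", callback_uri)


def lint_openid_config(cfg: dict) -> list[str]:
    """Return a list of problems; an empty list means the config passes.

    The rules are assumptions for this example: absolute https callback,
    bare hostname in domain, provider endpoints as absolute paths.
    """
    problems = []
    cb = urlsplit(cfg.get("callbackURI", ""))
    if cb.scheme != "https" or not cb.netloc:
        problems.append("callbackURI must be an absolute https URL "
                        "(https://host/openid/callback)")
    if "://" in cfg.get("domain", ""):
        problems.append("domain must be a bare hostname without a scheme")
    for key in ("authenticationUrl", "tokenEndpoint", "logoutUrl"):
        if not cfg.get(key, "").startswith("/"):
            problems.append(f"{key} must be a path starting with '/'")
    if urlsplit(cfg.get("logoutRedirectUrl", "")).scheme != "https":
        problems.append("logoutRedirectUrl must be an absolute https URL")
    return problems


def redirect_uri_matches(registered: list[str], presented: str) -> bool:
    """Exact string comparison, as an OIDC provider does for redirect_uri.

    Neither "https:/host/..." (lost slash) nor the doubled-host form equals
    the registered value, so both are rejected as invalid_redirect_uri.
    """
    return presented in registered


def build_logout_url(cfg: dict, id_token_hint: str) -> str:
    """RP-initiated logout in the form Keycloak 25's warning asks for."""
    base = f"https://{cfg['domain']}{cfg['logoutUrl']}"
    params = {"id_token_hint": id_token_hint,
              "post_logout_redirect_uri": cfg["logoutRedirectUrl"]}
    return base + "?" + urlencode(params)


def fixed_config() -> dict:
    """The sample with the one change the lint asks for: an absolute callback."""
    fixed = dict(SAMPLE_CONFIG)
    fixed["callbackURI"] = "https://the.alfio.domain/openid/callback"
    return fixed


if __name__ == "__main__":
    print(resolve_callback("https://the.alfio.domain", SAMPLE_CONFIG["callbackURI"]))
    for p in lint_openid_config(SAMPLE_CONFIG):
        print("problem:", p)
    print(build_logout_url(fixed_config(), "ID_TOKEN_PLACEHOLDER"))
```

Run as-is it prints the doubled-host callback URL from the thread, the lint finding for callbackURI, and the logout URL carrying post_logout_redirect_uri plus id_token_hint; the same lint returns nothing for the corrected config. Registering the exact absolute callback URL on the Keycloak client and passing the ID token obtained at login into the logout request is what both checks point at.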