Error implementing Keycloak with Speckle Signon

Dear community,

I’m integrating Keycloak with Speckle. When I click "login with keycloak" it’s showing the error “invalid parameter redirect uri”. I have tried many redirect URIs on Keycloak but get the same issue. Does anyone have an idea and can help me? Thanks in advance.

Forgive my unfamiliarity with Keycloak, but

Means you are adding that as an Authentication provider much as we have Google as an Auth provider for speckle.xyz?

As I say, I am unfamiliar with Keycloak and where you would be specifying in the client creation step.

It will need to match whatever you specify in an equivalent auth/strategy you specify for KeyCloak. Typically you’ll need to check the paths match exactly rather than relying on wildcards.

Can you share the strategy file you have made for Keycloak, or can it directly re-use the OIDC template we have in Speckle Server?

Did you match it with appropriate server config flags to enable your new strategy?

Hi Jonathon,
Thanks for your response.
Yes, I’m using Keycloak as the authentication provider for my Speckle deployed on Kubernetes.
What is the exact redirect URI for Speckle to be present on Keycloak?

Hi again,

It seems the error disappeared now after making some changes, but when I try to log in with Keycloak I get this error. Can you please help me?


The server team advise me that keycloak can indeed use the OpenID strategy.

Hi @ala_eddine

I found this blog post from Keycloak which states that it should integrate with the OIDC strategy: Keycloak Express Openid-client. Keycloak is deprecating their client… | by Austin Cunningham | Keycloak | Medium

The callback URL for OIDC is https://yourspeckleserver.example.org/auth/oidc/callback, replacing yourspeckleserver.example.org with your domain.

If you continue to encounter errors, please first investigate both the console output from your browser’s developer tools and the logs from the speckle-server container in your server deployment. These may provide more clues as to the root cause of the problem.

Iain

1 Like
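An added example, not part of any post in this thread and not Speckle or Keycloak code: a small Node.js check that takes the Keycloak authorization URL from the browser address bar and reports how its `redirect_uri` differs from the client's registered entries, following the advice above to match exactly rather than rely on wildcards. The host names and the sample URL are constructed.

```javascript
// Added example. Assumption: Speckle's OIDC callback path, as given in the post above.
const CALLBACK_PATH = '/auth/oidc/callback';

// List the URL components in which two redirect URIs differ.
function diffRedirectUri(sent, registered) {
  const a = new URL(sent);
  const b = new URL(registered);
  const diffs = [];
  for (const part of ['protocol', 'hostname', 'port', 'pathname', 'search']) {
    if (a[part] !== b[part]) diffs.push(`${part} "${a[part]}" != "${b[part]}"`);
  }
  return diffs;
}

// authUrl: the Keycloak authorization URL copied from the browser address bar.
// registered: the client's "Valid redirect URIs"; speckleOrigin: the server's public origin.
function checkAuthRequest(authUrl, registered, speckleOrigin) {
  const sent = new URL(authUrl).searchParams.get('redirect_uri');
  if (!sent) return { ok: false, sent, reasons: ['request has no redirect_uri'] };
  const reasons = [];
  const expected = new URL(CALLBACK_PATH, speckleOrigin).href;
  if (sent !== expected) reasons.push(`server sent ${sent}, expected ${expected}`);
  if (!registered.includes(sent)) {
    if (registered.length === 0) reasons.push('no redirect URI registered');
    for (const entry of registered) {
      if (entry.includes('*')) {
        reasons.push(`${entry}: wildcard entry, register the exact URI instead`);
      } else {
        const diffs = diffRedirectUri(sent, entry).join(', ');
        reasons.push(`${entry}: ${diffs || 'differs only in letter case or fragment'}`);
      }
    }
  }
  return { ok: reasons.length === 0, sent, reasons };
}

// Constructed sample: the callback was registered on the Keycloak host, not the Speckle host.
const SAMPLE_AUTH_URL =
  'https://keycloak.example.org/realms/master/protocol/openid-connect/auth' +
  '?client_id=my-client&response_type=code&scope=openid' +
  '&redirect_uri=https%3A%2F%2Fspeckle.example.org%2Fauth%2Foidc%2Fcallback';
const SAMPLE_REGISTERED = ['https://keycloak.example.org/auth/oidc/callback'];

console.log(checkAuthRequest(SAMPLE_AUTH_URL, SAMPLE_REGISTERED, 'https://speckle.example.org'));
```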

Hi Iain

Thanks for your response,

I used the callback URL you provided, but I still encounter the same error. Also, no error appears in the console output from the browser, and here are the logs from the Speckle server:

Hi again

To be noted, I’m using speckle-server 2.17.2

regards

I’m facing the following error when connecting Keycloak with Speckle. I followed all the steps to do the configuration, and I use this redirect URI on the Keycloak side: https://my-keycloak/auth/oidc/callback

Here are the logs from the Speckle server; note I use the latest docker image:

I’m facing the following error when I integrate Speckle with Keycloak using the OIDC strategy. I’m using the docker image of Speckle 2.18.1. I followed all the steps of the integration and there’s no error message in the logs of speckle-server.

Any help, please?

We’ll probably need the logs from that event. Could you capture them and send them over?
This usually happens if passport didn’t receive (or could not receive) an actual user back, and it might be a misconfiguration on your keycloak instance’s side.

dimitrie,

Here are the logs. I’m using a Keycloak instance on localhost. I also deployed Speckle using Helm on k8s; in the value file I put the necessary parameters to connect to Keycloak.

regards

Hi @dimitrie,

can you help on this matter,

regards

Hi @ala_eddine, I actually did manage to reproduce it locally - partially - with some extra weird errors. It seemed like the locally running server was… taken over by keycloak itself when run from docker. I gave up during the weekend :sweat_smile:

What I can probably suggest: try using a different, online if possible, keycloak instance.

I’m afraid it’s a bit difficult for us to prioritise it at the minute as there’s a few other initiatives we’re looking at right now that take precedence (automate, multitenancy). I’ll keep looking at it when I have some spare time and I’ll cc @gjedlicska and @iainsproat for visibility.

1 Like

Hi @dimitrie

Thanks for your response.

I did try using an online version of Keycloak but got the same error.


I did some research about this error message, and it seems related to Node with Express (javascript - Node with Express session issue - Stack Overflow).
Do you have an idea?

regards

Hi @gjedlicska and @iainsproat

Any idea about this issue ?

regards

Hi @dimitrie,

About this issue: when logging in using Keycloak, the server generates a session which is stored in Redis and sent back to the user in the cookies. The above log shows that the session was not created. After investigating, we found that Redis was initially deployed in read-only mode. After changing the parameter “replica-read-only no” in the Redis configmap and deploying it again, the login using Keycloak works.

regards.

1 Like
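An added example, not part of any post in this thread and not Speckle code: a Node.js helper that reads the text reply of the Redis command `INFO replication` for the node a session store points at and reports whether session writes can succeed there, which is the condition behind the failure described above. The sample reply is constructed.

```javascript
// Added example. Parse the text reply of the Redis command `INFO replication`.
function parseInfo(text) {
  const fields = {};
  for (const line of text.split(/\r?\n/)) {
    const i = line.indexOf(':');
    if (line.startsWith('#') || i <= 0) continue;
    fields[line.slice(0, i)] = line.slice(i + 1).trim();
  }
  return fields;
}

// Classify the node the session store is configured to use.
function sessionStoreStatus(infoText) {
  const info = parseInfo(infoText);
  if (info.role === 'master') {
    return { writable: true, replicated: true, note: 'master: session writes are accepted' };
  }
  if (info.role !== 'slave') {
    return { writable: null, replicated: null, note: 'no role field: not an INFO replication reply' };
  }
  if (info.slave_read_only === '1') {
    return { writable: false, replicated: false,
      note: 'read-only replica: writes are rejected with READONLY, so no session is stored' };
  }
  return { writable: true, replicated: false,
    note: 'writable replica: sessions exist only on this node and are lost when it resyncs' };
}

// Constructed sample reply from a replica in its default read-only mode.
const SAMPLE_REPLICA_INFO = [
  '# Replication',
  'role:slave',
  'master_host:redis-master',
  'master_port:6379',
  'master_link_status:up',
  'slave_read_only:1',
].join('\r\n');

console.log(sessionStoreStatus(SAMPLE_REPLICA_INFO).note);
```

Pointing the session store at the master instead of a replica gives the first result, where writes are accepted and replicated.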

This topic was solved, but I still did some investigation.
I am sharing as reference the configuration used to make keycloak work with speckle:

  1. Log in to Keycloak
  2. Create a new Client

Set the client ID to whatever you want.
In the following screen you can leave the default config.

In the last section, ensure to set the valid redirect URL as the one specified by the Speckle server.

  3. Create an Identity provider of type Keycloak OpenID Connect
    Ensure to set the discovery URL properly.
    In the image above the Keycloak instance is running at http://localhost:8090.
    Set the Client ID as the ID you chose for your client and also set a secret.
  4. Set up Speckle environment variables

    STRATEGY_OIDC=true
    OIDC_NAME="keycloak test"
    OIDC_DISCOVERY_URL="http://127.0.0.1:8090/realms/master/.well-known/openid-configuration"
    OIDC_CLIENT_ID="my-client"
    OIDC_CLIENT_SECRET="my-secret"

4 Likes