Error implementing Keycloak with Speckle Signon

ala_eddine · 3 January 2024 15:22

Dear community,

I’m integrating keycloak with speckle , when i click "login with keycloak " it’ showing the error “invalid parameter redirect uri” i have tried many redirect uri on keycloak but the same issue, is anyone have an idea and can help me, Thanks in advance

jonathon · 5 January 2024 17:49

Forgive my unfamiliarity with Keycloak, but

Means you are adding that as an Authentication provider much as we have Google as an Auth provider for speckle.xyz?

As I say, I am unfamiliar with Keycloak and where you would be specifying in the client creation step.

It will need to match whatever you specify in an equivalent auth/strategy you specify for KeyCloak. Typically you’ll need to check the paths match exactly rather than relying on wildcards.

Can you share the strategy file you have made for Keycloak, or can it directly re-use the OIDC template we have in Speckle Server?

Did you match it with appropriate server config flags to enable your new strategy?

ala_eddine · 7 January 2024 10:19

Hi jonathon,
Thanks for your respond.
Yes i’m using keycloak as authentication provider for my speckle deployed on kubernetes,
what is the exact redirect URI for speckle to be present on keycloak.

ala_eddine · 7 January 2024 11:02

Hi again,

it seems the error disappear now aftre making some changes, but when i try to login by keycloak i get this error. can you please help me

jonathon · 7 January 2024 15:41

The server team advise me that keycloak can indeed use the OpenID strategy.

iainsproat · 7 January 2024 16:27

Hi @ala_eddine

I found this blog post from Keycloak which states that it should integrate with the OIDC strategy: Keycloak Express Openid-client. Keycloak is deprecating their client… | by Austin Cunningham | Keycloak | Medium

The callback URL for OIDC is https://yourspeckleserver.example.org/auth/oidc/callback, replacing yourspeckleserver.example.org with your domain.

If you continue to encounter errors, please first investigate both the console output from your browser’s developer tools and the logs from the speckle-server container in your server deployment. These may provide more clues as to the root cause of the problem.

Iain

ala_eddine · 8 January 2024 10:05

Hi lain

Thanks for your respond,

I use the callback url you provide , but i still encouter the same error, also there’s no error appears on the consol output from the brower’s and here’s the logs from the speckle server:

ala_eddine · 8 January 2024 12:08

Hi again

To be noted i’m using speckel-server 2.17.2

regards

ala_eddine · 18 February 2024 09:28

i’m facing the following error when connecting keycloak with speckle, i follow all step to do the configuration, i use this redirect uri on keycloak side : https://my-keycloak/auth/oidc/callback

here’s the logs from speckle server , note i use the latest docker image:

ala_eddine · 13 February 2024 12:36

i’m facing the following error when i integrate speckle with keycloak using OIDC strategy i’m using the docker image of speckle 2.18.1, i followed all the steps of the integration and there’s no error message in the logs of speckle-server

any help please

dimitrie · 13 February 2024 13:29

We’ll probably need the logs from that event. Could you capture them and send them over?
This usually happens if passport didn’t receive (or could not receive) an actual user back, and it might be a misconfiguration on your keycloak instance’s side.

github.com

specklesystems/speckle-server/blob/48440e5b7c6b2dc54181049fec67542a1ce081e5/packages/server/modules/auth/services/passportService.js#L24


      
          * (passport.authenticate() by default doesn't, so don't use it)
          * @param {import('passport').Strategy | string} strategy
          * @param {import('passport').AuthenticateOptions | undefined} [options]
          * @returns {import('express').Handler}
          */
          function passportAuthenticate(strategy, options = undefined) {
           return (req, res, next) =>
             passport.authenticate(strategy, options, (err, user, info) => {
               if (err && !(err instanceof UserInputError)) logger.error(err)
               if (!user) {
                 const errMsg = info?.message || 'Failed to authenticate, contact server admins'
                 let errPath = `/error?message=${errMsg}`
          
          
       if (err instanceof UnverifiedEmailSSOLoginError) {
                   const email = err.info()?.email || ''
                   errPath = `/error-email-verify?email=${email}`
                 }
          
          
       return useNewFrontend()
                   ? res.redirect(new URL(errPath, getFrontendOrigin()).toString())
                   : res.redirect(errPath)

ala_eddine · 13 February 2024 13:55

dimitrie,

Here’s the logs, i’m using a keycloak instance in a local host , also i deployed speckle using Helm on k8s in the value file i put the necessary parameters to connect to keycloak.

regards

ala_eddine · 19 February 2024 07:59

Hi @dimitrie,

can you help on this matter,

regards

dimitrie · 19 February 2024 09:59

Hi @ala_eddine, I actually did manage to reproduce it locally - partially - with some extra weird errors. It seemed like the locally running server was… taken over by keycloak itself when run from docker. I gave up during the weekend

What i can probably suggest: try using a different, online if possible, keycloak instance.

I’m afraid it’s a bit difficult for us to prioritise it at the minute as there’s a few other initiatives we’re looking at right now that take precedence (automate, multitenancy). I’ll keep looking at it when i have some spare time and I’ll cc @gjedlicska and @iainsproat for visibility.

ala_eddine · 19 February 2024 12:36

Hi @dimitrie

Thanks for your respond.

I did try using and online version of keycloak but the same error.

I did a research about this error message, and it seems related to *node with express (javascript - Node with Express session issue - Stack Overflow)**,
do you have an idea ?

regard

ala_eddine · 26 February 2024 11:10

Hi @gjedlicska and @iainsproat

Any idea about this issue ?

regards

ala_eddine · 31 March 2024 12:29

Hi @dimitrie,

About this issue: when login to using keycloak the server generate a session which is stored on the Redis and send back to the user in the cookies , the above log showing that the session not created after investigating, we found the redis was intialy deplyed on read only mode after changing the parameter “replica-read-only no” on the redis’s configmap and deploy it again the login using keycloak works.

regards.

Alessandro_Magionami · 6 May 2024 15:07

This topic was solved, but I still did some investigation.
I am sharing as reference the configuration used to make keycloak work with speckle:

login into keycloak
create a new Client

set the client id to whatever you want.
In the following screen you can leave the default config

In the last section ensure to set the valid redirect url as the one specified by the speckle server

Create an Identity provider of type Keycloak OpenID Connect
Ensure to set the discovery url properly
In the image above the keycloak instance is running at http://localhost:8090.
Set the Client ID as the Id you chose for your client and also set a secret
Setup speckle environment variables

STRATEGY_OIDC=true
OIDC_NAME="keycloak test"
OIDC_DISCOVERY_URL="http://127.0.0.1:8090/realms/master/.well-known/openid-configuration"
OIDC_CLIENT_ID="my-client"
OIDC_CLIENT_SECRET="my-secret"