Keycloak oauth setup issues

I set up Vikunja with a Keycloak OAuth backend and there seems to be an issue, and I only found one other post, which seemed unresolved, about using this.

I have the OAuth provider button and can click it and authenticate, but I just get dropped back into the login page. The only logs I see on the API are 200s. I have Keycloak set up to temporarily allow any redirects and have the base URL set to Frontend /auth/openid/. Any guidance would be greatly appreciated.

Are there any errors in the browser (console or other)?

Before I had made changes in Keycloak, the only thing that would show up was “Error: Promised response from onMessage listener went out of scope” after a minute or so after getting dropped back.

But now, and I’m not sure why because I think I changed things back, it just constantly refreshes that page after login. No issues in the browser that I can see, but it refreshes quickly. I still don’t see anything in the API container.

What does your config look like? Can you share the output of /api/v1/info?

You might want to change the url in keycloak to /auth/openid/<auth key> where <auth key> is the same as the one in /api/v1/info.

I appreciate the help! Hopefully this is enough info

{
  "version": "v0.18.1",
  "frontend_url": "",
  "motd": "",
  "link_sharing_enabled": true,
  "max_file_size": "20MB",
  "registration_enabled": true,
  "available_migrators": [
    "vikunja-file"
  ],
  "task_attachments_enabled": true,
  "enabled_background_providers": [
    "upload"
  ],
  "totp_enabled": true,
  "legal": {
    "imprint_url": "",
    "privacy_policy_url": ""
  },
  "caldav_enabled": true,
  "auth": {
    "local": {
      "enabled": false
    },
    "openid_connect": {
      "enabled": true,
      "redirect_url": "https://FQDN/auth.openid/",
      "providers": [
        {
          "name": "keycloak",
          "key": "keycloak",
          "auth_url": "https://FQDN/auth/realms/keycloak/protocol/openid-connect/auth",
          "client_id": "dev_vikunja_client"
        }
      ]
    }
  },
  "email_reminders_enabled": true,
  "user_deletion_enabled": true
}

service:
  interface: ":3456"
  frontendurl: "https://FQDN"
  maxitemsperpage: 50
  enablecaldav: true
  enablelinksharing: true
  enableregistration: true
  enabletaskattachments: true
  timezone: GMT
  enabletaskcomments: true



files:
  basepath: ./files
  maxsize: 20MB

migration:
  trello:
    # Whether to enable the trello migrator or not
    enable: false
    # The client id, required for making requests to the trello api
    # You need to register your vikunja instance at https://trello.com/app-key (log in before you visit that link) to get this
    key:
    # The url where clients are redirected after they authorized Vikunja to access their trello cards.
    # This needs to match the url you entered when registering your Vikunja instance at trello.
    # This is usually the frontend url where the frontend then makes a request to /migration/trello/migrate
    # with the code obtained from the trello api.
    # Note that the vikunja frontend expects this to end on /migrate/trello.
    redirecturl: <frontend url>/migrate/trello


avatar:
  gravatarexpiration: 3600

backgrounds:
  enabled: true
  providers:
    upload:
      enabled: true
    unsplash:
      enabled: false
      accesstoken:
      applicationid:

auth:
  local:
    enabled: true
  openid:
    enabled: true
    redirecturl: https://FQDN
    providers:
      - name: keycloak
        authurl: https://FQDN/auth/realms/keycloak
        clientid: dev_vikunja_client
        clientsecret: KEY
metrics:
  enabled: true


So I nuked the Keycloak client and remade it, solving the infinite reload issue, and added the redirect URL to be https://FQDN/auth/openid/ as in Vikunja | authentik, but I’m still just getting dropped back to the login page after logging into Keycloak. No new logs or errors that I can see.

What did you configure in keycloak as redirect URL? It should be https://FQDN/auth/openid/keycloak

I’d recommend not setting the redirect URL in the openid config options in Vikunja since you’ve already configured the frontend URL.

So I removed the redirect URL in the config.
I just want to confirm that the screenshot below shows the correct config in Keycloak; anything else in that field does not work as a redirect. Also, /v1/info shows redirect_url "https://FQDN/auth.openid/".

I don’t really know that much about keycloak, not sure if I can help you with specific keycloak settings. You should be able to set a redirect url somewhere in it where it redirects users after they successfully authenticated within keycloak. That should be https://FQDN/auth/openid/keycloak.

Where does keycloak redirect you to after authenticating? Check with the browser dev tools open to see all redirects it does. It should redirect you to https://FQDN/auth/openid/keycloak with some get parameters.

Are you sure the redirect url in the api url is not https://FQDN/auth/openid/?

So I figured out this issue. It was that redirect URL, but I couldn’t get it to change if I undefined it, changed the frontend URL or changed it to something crazy. Turns out when I was first getting this set up I attempted to set env for the OAuth settings, and those didn’t work except for the one that incorrectly set the redirect URL. Removed that and it works! Thanks

Glad you figured it out!
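
The check that resolved this thread, as an added example that is not part of the original posts or of Vikunja's code: it compares the `redirect_url` reported by `/api/v1/info` against the frontend URL plus `/auth/openid/`, and lists the exact per-provider callback URLs to register in Keycloak. The host `vikunja.example.test`, the function name and the trimmed sample response are constructed for illustration.

```python
import json
from urllib.parse import urlsplit

# Constructed sample: a trimmed /api/v1/info response shaped like the one
# posted in the thread, with a placeholder host instead of FQDN.
SAMPLE_INFO = json.loads("""
{
  "frontend_url": "",
  "auth": {
    "openid_connect": {
      "enabled": true,
      "redirect_url": "https://vikunja.example.test/auth.openid/",
      "providers": [
        {"name": "keycloak", "key": "keycloak"}
      ]
    }
  }
}
""")

CALLBACK_PATH = "/auth/openid/"  # path named in the thread for the callback


def check_openid_redirect(info, frontend_url):
    """Return (findings, callbacks): problems found, and URLs to allow in the IdP."""
    oidc = info.get("auth", {}).get("openid_connect", {})
    if not oidc.get("enabled"):
        return ["openid_connect is not enabled"], []
    findings = []
    expected = frontend_url.rstrip("/") + CALLBACK_PATH
    reported = oidc.get("redirect_url", "")
    got, want = urlsplit(reported), urlsplit(expected)
    if (got.scheme, got.netloc) != (want.scheme, want.netloc):
        findings.append(f"origin mismatch: {reported!r} vs frontend {frontend_url!r}")
    if got.path != want.path:
        findings.append(f"path is {got.path!r}, expected {want.path!r}")
    if got.query or got.fragment:
        findings.append("redirect_url carries a query or fragment")
    # One exact callback per provider key, as described in the thread.
    callbacks = [expected + p["key"] for p in oidc.get("providers", [])]
    return findings, callbacks


if __name__ == "__main__":
    problems, allowed = check_openid_redirect(SAMPLE_INFO, "https://vikunja.example.test")
    print("findings:", problems)
    print("register in Keycloak:", allowed)
```

The returned callback list is what belongs in the Keycloak client's redirect URI field in place of a temporary allow-any setting. A finding that survives config file changes points to an override elsewhere, such as the leftover environment variable in this thread.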