Hello all, I’ve been trying to get OIDC working with Keycloak and have been running against a wall, despite being meticulous about following the configuration examples in OpenID example configurations and Can't get openid connect to work
When running Vikunja through docker-compose, and I navigate to the login screen, I see the following error in the logs:
vikunja | 2025-02-27T19:50:57+01:00: ERROR ▶ 0e8 Error while getting openid provider Keycloak: 405 Method Not Allowed: {"error":"HTTP 405 Method Not Allowed"}
When I navigate to the login page with my browser and the network tab open, I don’t see any calls resulting in 405, making me believe that error is coming from the container itself rather than the client connecting to the web-app. I don’t have access to the logs of the keycloak instance, but I’ve configured several applications to use OIDC against my realm.
I run my configurations in a mix of env-variables in compose.yml and config.yml, attaching both below. Would be very grateful for any hints on how to solve / troubleshoot this. This is on Vikunja version v0.24.6.
Thanks in advance!
config.yml
auth:
  local:
    enabled: true
  openid:
    enabled: true
    redirecturl: https://vikunja.taila5148.ts.net/auth/openid/
    providers:
      - name: Keycloak
        authurl: https://euc1.auth.ac/auth/admin/mykeycloakrealm
        clientid: vikunja
        clientsecret: supersecret
        scope: openid email profile
compose.yaml
services:
  vikunja-tsc:
    container_name: vikunja-tsc
    image: tailscale/tailscale:latest
    restart: unless-stopped
    environment:
      - TS_AUTHKEY=tskey-auth-secret
      - TS_EXTRA_ARGS=--advertise-tags=tag:container
      - TS_SERVE_CONFIG=/config/serve.json
      - TS_STATE_DIR=/var/lib/tailscale
    volumes:
      - ./state:/var/lib/tailscale
      - ./config:/config # needed for funnel-config
      - /dev/net/tun:/dev/net/tun
    cap_add:
      - net_admin
      - sys_module
  vikunja:
    container_name: vikunja
    image: vikunja/vikunja:latest
    restart: unless-stopped
    environment:
      VIKUNJA_SERVICE_JWTSECRET: secretsecretsecret
      VIKUNJA_SERVICE_PUBLICURL: https://vikunja.FQDN.ts.net/
      VIKUNJA_DATABASE_PATH: /db/vikunja.db
      TZ: Europe/Paris
    volumes:
      - ./files:/app/vikunja/files
      - ./db:/db
      - ./appconfig/config.yml:/etc/vikunja/config.yml
    depends_on:
      - vikunja-tsc
Keycloak config:
{
  "clientId": "vikunja",
  "name": "",
  "description": "",
  "rootUrl": "https://vikunja.taila5148.ts.net",
  "adminUrl": "https://vikunja.taila5148.ts.net",
  "baseUrl": "",
  "surrogateAuthRequired": false,
  "enabled": true,
  "alwaysDisplayInConsole": true,
  "clientAuthenticatorType": "client-secret",
  "redirectUris": [
    "/auth/openid/keycloak"
  ],
  "webOrigins": [],
  "notBefore": 0,
  "bearerOnly": false,
  "consentRequired": false,
  "standardFlowEnabled": true,
  "implicitFlowEnabled": false,
  "directAccessGrantsEnabled": true,
  "serviceAccountsEnabled": false,
  "publicClient": false,
  "frontchannelLogout": true,
  "protocol": "openid-connect",
  "attributes": {
    "realm_client": "false",
    "oidc.ciba.grant.enabled": "false",
    "backchannel.logout.session.required": "true",
    "oauth2.device.authorization.grant.enabled": "false",
    "backchannel.logout.revoke.offline.tokens": "false",
    "login_theme": "",
    "display.on.consent.screen": "false",
    "consent.screen.text": "",
    "frontchannel.logout.url": "",
    "frontchannel.logout.session.required": "true"
  },
  "authenticationFlowBindingOverrides": {},
  "fullScopeAllowed": true,
  "nodeReRegistrationTimeout": -1,
  "defaultClientScopes": [
    "web-origins",
    "acr",
    "roles",
    "profile",
    "basic",
    "email"
  ],
  "optionalClientScopes": [
    "address",
    "phone",
    "offline_access",
    "microprofile-jwt"
  ],
  "access": {
    "view": true,
    "configure": true,
    "manage": true
  },
  "authorizationServicesEnabled": false
}
EDIT: Well this is what happens when you type the wrong endpoint ( https://euc1.auth.ac/auth/admin/mykeycloakrealm ) instead of the right one ( https://euc1.auth.ac/auth/realm/mykeycloakrealm ). I rubberducked myself
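The failure mode in this thread is a provider `authurl` that is not the realm's OIDC issuer, so the discovery fetch comes back as a 405 instead of a JSON document. The following preflight check is an added example, not code from the post or from Vikunja: it derives the discovery URL from `authurl`, classifies the response, and verifies the advertised `issuer` matches the configured value. The hostnames, realm paths and the two HTTP responses are constructed from the post; the endpoint paths in the "good" document are placeholders.

```python
import json

DISCOVERY_SUFFIX = "/.well-known/openid-configuration"


def discovery_url(authurl: str) -> str:
    """Discovery URL as OIDC clients derive it: issuer + well-known path."""
    return authurl.rstrip("/") + DISCOVERY_SUFFIX


def check_discovery(authurl: str, status: int, body: str) -> dict:
    """Classify a discovery response; returns {'ok', 'issuer', 'reason'}."""
    if status != 200:
        return {"ok": False, "issuer": None,
                "reason": f"discovery returned HTTP {status}; authurl is probably not the realm issuer"}
    try:
        doc = json.loads(body)
    except json.JSONDecodeError:
        return {"ok": False, "issuer": None, "reason": "discovery body is not JSON"}
    issuer = doc.get("issuer")
    # OIDC Discovery requires the advertised issuer to equal the configured issuer URL.
    if issuer is None or issuer.rstrip("/") != authurl.rstrip("/"):
        return {"ok": False, "issuer": issuer,
                "reason": f"issuer mismatch: configured {authurl!r}, provider says {issuer!r}"}
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        if key not in doc:
            return {"ok": False, "issuer": issuer, "reason": f"discovery document lacks {key}"}
    return {"ok": True, "issuer": issuer, "reason": "discovery document is consistent with authurl"}


# Constructed responses modelled on the post (wrong = admin path, right = realm path).
WRONG_AUTHURL = "https://euc1.auth.ac/auth/admin/mykeycloakrealm"
RIGHT_AUTHURL = "https://euc1.auth.ac/auth/realm/mykeycloakrealm"
RESPONSES = {
    discovery_url(WRONG_AUTHURL): (405, '{"error":"HTTP 405 Method Not Allowed"}'),
    discovery_url(RIGHT_AUTHURL): (200, json.dumps({
        "issuer": RIGHT_AUTHURL,
        "authorization_endpoint": RIGHT_AUTHURL + "/protocol/openid-connect/auth",
        "token_endpoint": RIGHT_AUTHURL + "/protocol/openid-connect/token",
        "jwks_uri": RIGHT_AUTHURL + "/protocol/openid-connect/certs",
    })),
}


def preflight(authurl: str) -> dict:
    """Run the check against the constructed table; swap in a real HTTP GET in practice."""
    status, body = RESPONSES.get(discovery_url(authurl), (404, ""))
    return check_discovery(authurl, status, body)


if __name__ == "__main__":
    for url in (WRONG_AUTHURL, RIGHT_AUTHURL):
        print(url, "->", preflight(url)["reason"])
```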