SSO Keycloak error HTTP 405 Method Not Allowed (Solved)

Hello all, I’ve been trying to get OIDC working with Keycloak and have been running against a wall, despite being meticulous about following the configuration examples in OpenID example configurations and Can't get openid connect to work.

When running Vikunja through docker-compose, and I navigate to the login screen, I see the following error in the logs:

vikunja | 2025-02-27T19:50:57+01:00: ERROR ▶ 0e8 Error while getting openid provider Keycloak: 405 Method Not Allowed: {"error":"HTTP 405 Method Not Allowed"}

When I navigate to the login page with my browser and the network tab open, I don’t see any calls resulting in 405, making me believe that error is coming from the container itself rather than the client connecting to the web-app. I don’t have access to the logs of the keycloak instance, but I’ve configured several applications to use OIDC against my realm.

I run my configurations in a mix of env-variables in compose.yml and config.yml, attaching both below. Would be very grateful for any hints on how to solve / troubleshoot this. This is on Vikunja version v0.24.6.

Thanks in advance!

config.yml

auth:
  local:
    enabled: true
  openid:
    enabled: true
    redirecturl: https://vikunja.taila5148.ts.net/auth/openid/
    providers:
      - name: Keycloak
        authurl: https://euc1.auth.ac/auth/admin/mykeycloakrealm
        clientid: vikunja
        clientsecret: supersecret
        scope: openid email profile
        

compose.yaml

services:
  vikunja-tsc:
    container_name: vikunja-tsc
    image: tailscale/tailscale:latest
    restart: unless-stopped
    environment:
      - TS_AUTHKEY=tskey-auth-secret
      - TS_EXTRA_ARGS=--advertise-tags=tag:container
      - TS_SERVE_CONFIG=/config/serve.json
      - TS_STATE_DIR=/var/lib/tailscale
    volumes:
      - ./state:/var/lib/tailscale
      - ./config:/config # needed for funnel-config
      - /dev/net/tun:/dev/net/tun
    cap_add:
      - net_admin
      - sys_module
  vikunja:
    container_name: vikunja
    image: vikunja/vikunja:latest
    restart: unless-stopped
    environment:
      VIKUNJA_SERVICE_JWTSECRET: secretsecretsecret
      VIKUNJA_SERVICE_PUBLICURL: https://vikunja.FQDN.ts.net/

      VIKUNJA_DATABASE_PATH: /db/vikunja.db
      TZ: Europe/Paris

    volumes:
      - ./files:/app/vikunja/files
      - ./db:/db
      - ./appconfig/config.yml:/etc/vikunja/config.yml

    depends_on:
      - vikunja-tsc

Keycloak config:


{
  "clientId": "vikunja",
  "name": "",
  "description": "",
  "rootUrl": "https://vikunja.taila5148.ts.net",
  "adminUrl": "https://vikunja.taila5148.ts.net",
  "baseUrl": "",
  "surrogateAuthRequired": false,
  "enabled": true,
  "alwaysDisplayInConsole": true,
  "clientAuthenticatorType": "client-secret",
  "redirectUris": [
    "/auth/openid/keycloak"
  ],
  "webOrigins": [],
  "notBefore": 0,
  "bearerOnly": false,
  "consentRequired": false,
  "standardFlowEnabled": true,
  "implicitFlowEnabled": false,
  "directAccessGrantsEnabled": true,
  "serviceAccountsEnabled": false,
  "publicClient": false,
  "frontchannelLogout": true,
  "protocol": "openid-connect",
  "attributes": {
    "realm_client": "false",
    "oidc.ciba.grant.enabled": "false",
    "backchannel.logout.session.required": "true",
    "oauth2.device.authorization.grant.enabled": "false",
    "backchannel.logout.revoke.offline.tokens": "false",
    "login_theme": "",
    "display.on.consent.screen": "false",
    "consent.screen.text": "",
    "frontchannel.logout.url": "",
    "frontchannel.logout.session.required": "true"
  },
  "authenticationFlowBindingOverrides": {},
  "fullScopeAllowed": true,
  "nodeReRegistrationTimeout": -1,
  "defaultClientScopes": [
    "web-origins",
    "acr",
    "roles",
    "profile",
    "basic",
    "email"
  ],
  "optionalClientScopes": [
    "address",
    "phone",
    "offline_access",
    "microprofile-jwt"
  ],
  "access": {
    "view": true,
    "configure": true,
    "manage": true
  },
  "authorizationServicesEnabled": false
}

EDIT: Well this is what happens when you type the wrong endpoint (https://euc1.auth.ac/auth/admin/mykeycloakrealm) instead of the right one (https://euc1.auth.ac/auth/realm/mykeycloakrealm). I rubberducked myself 🤦

Glad you figured it out!

The request is one that Vikunja does to fetch information about the provider. It is happening from inside the container.
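An added example, not part of the thread and not Vikunja's code: a small check that reproduces the provider lookup from any machine (or from inside the container), assuming that request is the standard OpenID Connect discovery lookup at `<authurl>/.well-known/openid-configuration`. The helper name `check_authurl` is hypothetical; the checks on the `issuer` value and endpoint fields follow the OIDC Discovery document format.

```python
import json
import sys
import urllib.error
import urllib.request

# Fields a relying party needs from the discovery document.
REQUIRED = ("authorization_endpoint", "token_endpoint", "jwks_uri")


def check_authurl(authurl, timeout=5):  # hypothetical helper name
    """Fetch the discovery document under authurl; return (ok, message)."""
    base = authurl.rstrip("/")
    if not base.startswith(("https://", "http://")):
        return False, "authurl must be an http(s) URL"
    url = base + "/.well-known/openid-configuration"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            body = resp.read()
    except urllib.error.HTTPError as exc:
        # The case from the thread: the path answers, but it is not an
        # OIDC issuer, so the lookup fails with e.g. 405 or 404.
        return False, f"{url} -> HTTP {exc.code} {exc.reason}"
    except OSError as exc:  # DNS failure, TLS error, refused, timeout
        return False, f"{url} -> unreachable: {exc}"
    try:
        doc = json.loads(body)
    except ValueError:
        return False, f"{url} -> 200 but not JSON (login page or proxy?)"
    if not isinstance(doc, dict):
        return False, f"{url} -> JSON is not an object"
    # Trailing slashes are ignored here; a strict client may compare exactly.
    issuer = str(doc.get("issuer", "")).rstrip("/")
    if issuer != base:
        return False, f"issuer mismatch: document {issuer!r}, config {base!r}"
    missing = [key for key in REQUIRED if key not in doc]
    if missing:
        return False, "discovery document lacks " + ", ".join(missing)
    return True, f"{url} -> OK, issuer {issuer}"


if __name__ == "__main__" and len(sys.argv) > 1:
    ok, message = check_authurl(sys.argv[1])
    print(message)
    sys.exit(0 if ok else 1)
```

Run it with the `authurl` value from `config.yml` as the only argument; a non-zero exit status means the configured URL would not pass discovery.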