Vikunja openID Keycloak Error 405

Support
1

Hi to everyone, I’m new to vikunja and start setting everithing up with Podman on Alpine Linux.
The setup work fine, but I cant authenticate with my Keyclock instance.
I already use Keyclock without problem with wiki.js.

I followed the vikunja example OpenID example configurations, but that configuration does not work properly, with KEyclock showing the following error

image
image907×487 40.1 KB

So I’ve tried to change the redirect in Keyclock with https://vikunja.my.domain/auth/openid/keycloak
and now I’ve got tho errors a 400 and an 405

2025-08-26T19:09:18Z: WEB       ▶ 151.95.176.70  GET 200 /api/v1/info 119.531µs - Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/138.0.0.0 Safari/537.36
2025-08-26T19:09:19Z: ERROR     ▶ 0f2 oauth2: "HTTP 405 Method Not Allowed"
2025-08-26T19:09:19Z: WEB       ▶ 151.95.176.70  POST 400 /api/v1/auth/openid/keycloak/callback 424.660608ms - Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/138.0.0.0 Safari/537.36

With the web page saying Could not authenticate against third party.

My Vikunja version is Vikunja version v0.24.6
My Keyclok version is 26.3.2

Someone can help me solving this strange problem?

2

Hi @wperw1,

could you please post your Vikunja configuration + Keycloak configuration?

3

Sure,
my configuration is really basic, because I would like to enable pices one by one to be sure everithing is configured correctly

This is my vikunja config (FQDN, realm and secret obfuscated)

service:
  publicurl: "https://vikunja.FQDN.my/"

auth:
   openid:
     enabled: true
     providers:
       -
        name: Keycloak
        authurl: https://auth.FQDN.my/realms/<MYREALM>
        logouturl: https://auth.FQDN.my/realms/<MYREALM>/protocol/openid-connect/logout
        clientid: vikunja
        clientsecret: <SECRET>

This is the keycloack configuration

{
  "clientId": "vikunja",
  "name": "Vikunja",
  "description": "",
  "rootUrl": "https://vikunja.FQDN.my/",
  "adminUrl": "",
  "baseUrl": "https://vikunja.FQDN.my/",
  "surrogateAuthRequired": false,
  "enabled": true,
  "alwaysDisplayInConsole": false,
  "clientAuthenticatorType": "client-secret",
  "secret": "<SECRET>",
  "redirectUris": [
    "https://vikunja.FQDN.my/auth/openid/keycloak"
  ],
  "webOrigins": [
    ""
  ],
  "notBefore": 0,
  "bearerOnly": false,
  "consentRequired": false,
  "standardFlowEnabled": true,
  "implicitFlowEnabled": false,
  "directAccessGrantsEnabled": false,
  "serviceAccountsEnabled": true,
  "publicClient": false,
  "frontchannelLogout": true,
  "protocol": "openid-connect",
  "attributes": {
    "realm_client": "false",
    "oidc.ciba.grant.enabled": "false",
    "client.secret.creation.time": "1755800071",
    "backchannel.logout.session.required": "true",
    "standard.token.exchange.enabled": "false",
    "frontchannel.logout.session.required": "true",
    "oauth2.device.authorization.grant.enabled": "false",
    "display.on.consent.screen": "false",
    "backchannel.logout.revoke.offline.tokens": "false"
  },
  "authenticationFlowBindingOverrides": {},
  "fullScopeAllowed": true,
  "nodeReRegistrationTimeout": -1,
  "defaultClientScopes": [
    "web-origins",
    "service_account",
    "acr",
    "roles",
    "profile",
    "basic",
    "email"
  ],
  "optionalClientScopes": [
    "address",
    "phone",
    "offline_access",
    "organization",
    "microprofile-jwt"
  ],
  "access": {
    "view": true,
    "configure": true,
    "manage": true
  }
}

Hope this can help

4

Just spotted that Keycloak is capitalized in your Vikunja config and not capitalized in your redirect URL.

5

(post deleted by author)

6

Thankyou for spotting that difference, just corrected the vikunja file, but nothing.
The server show the same log.
Maybe can be an incompatibility with the latest version of kecloak?

This is my new vikunja config file

service:
  publicurl: "https://vikunja.FQDN.my/"

auth:
   openid:
     enabled: true
     providers:
       -
        name: keycloak
        authurl: https://auth.FQDN.my/realms/<MYREALM>
        logouturl: https://auth.FQDN.my/realms/<MYREALM>/protocol/openid-connect/logout
        clientid: vikunja
        clientsecret: <SECRET>
7

I add also the result of the …

{
  "version": "v0.24.6",
  "frontend_url": "https://vikunja.FQDN.my/",
  "motd": "",
  "link_sharing_enabled": true,
  "max_file_size": "20MB",
  "registration_enabled": true,
  "available_migrators": [
    "vikunja-file",
    "ticktick"
  ],
  "task_attachments_enabled": true,
  "enabled_background_providers": [
    "upload"
  ],
  "totp_enabled": true,
  "legal": {
    "imprint_url": "",
    "privacy_policy_url": ""
  },
  "caldav_enabled": true,
  "auth": {
    "local": {
      "enabled": true
    },
    "openid_connect": {
      "enabled": true,
      "providers": [
        {
          "name": "keycloak",
          "key": "keycloak",
          "auth_url": "https://auth.FQDN.my/realms/<MYREALM>/protocol/openid-connect/auth",
          "logout_url": "https://auth.FQDN.my/realms/<MYREALM>/protocol/openid-connect/logout",
          "client_id": "vikunja",
          "scope": "openid profile email"
        }
      ]
    }
  },
  "email_reminders_enabled": true,
  "user_deletion_enabled": true,
  "task_comments_enabled": true,
  "demo_mode_enabled": false,
  "webhooks_enabled": true,
  "public_teams_enabled": false
}
8

Hey, thanks for providing the additional output. Personally I’m also using Vikunja v0.24.6 (same version as you) with Keycloak, working just fine. Just for reference, my auth config:

auth:
  local:
    enabled: disable
  openid:
    enabled: true
    redirecturl: https://{{vikunja_external_url}}/auth/openid/
    providers:
      - name: My Login
        authurl: https://sso.fqdn/auth/realms/REALM
        logouturl: https://sso.fqdn/auth/realms/REALM/protocol/openid-connect/logout
        clientid: vikunja
        clientsecret: "{{vault_vikunja_kc_client_secret}}"
        scope: openid email profile vikunja_scope

The Keycloak config I use in this case is to set the redirect URL to https://{{vikunja_external_url}}/auth/openid/mylogin. Can you check the browser URL in Keycloak during the “We are sorry” screen and check which redirect URL Vikunja is passing to Keycloak?