500 Error with Keycloak OAuth Consumer


I’m trying to set up SSO with Keycloak on a new Akkoma instance. Running backend version 3.10.4-1-gebfb617b, frontend version e7a558a, and Keycloak 22.0.1.

I tried following the OAuth consumer section of the configuration cheat sheet by setting OAUTH_CONSUMER_STRATEGIES="keycloak:ueberauth_keycloak_strategy" and by adding the following to my prod.secret.exs:

keycloak_url = "https://keycloak.mysite.com"

config :ueberauth, Ueberauth.Strategy.Keycloak.OAuth,
  client_id: "xxx",
  client_secret: "xxx",
  site: keycloak_url,
  authorize_url: "#{keycloak_url}/realms/public/protocol/openid-connect/auth",
  token_url: "#{keycloak_url}/realms/public/protocol/openid-connect/token",
  userinfo_url: "#{keycloak_url}/realms/public/protocol/openid-connect/userinfo",
  token_method: :post

config :ueberauth, Ueberauth,
  providers: [
    keycloak: {Ueberauth.Strategy.Keycloak, [uid_field: :email]}

In the Keycloak realm named public, I created a new OpenID connect application with…

  • the Client authentication capability (“OIDC set to confidential access type”),
  • the root url and web origin set to https://akkoma.mysite.com,
  • the valid redirect uri set to https://akkoma.mysite.com/oauth/keycloak/callback.

I couldn’t find the OAuth login button, so instead I went directly to https://akkoma.mysite.com/oauth/keycloak in my browser. This redirected me to the Keycloak login page, and then back to the redirect URI with some parameters about a bad scope and bad callback url. I (possibly incorrectly) amended the Ueberauth configuration to set these parameters directly:

config :ueberauth, Ueberauth,
  providers: [
       [uid_field: :email, default_scope: "openid", callback_url: "https://akkoma.mysite.com/oauth/keycloak/callback"]}

Now whenever I try to log in, I get a blank response on the callback page with a 500 status code.

Looking at the traffic going to the Keycloak server, I can see that the request to the token endpoint is okay and returns the access/refresh token, and that is followed by another successful request to the userinfo endpoint.

In the Akkoma logs:

 19:00:24.569 [warning] Description: 'Server authenticity is not verified since certificate path validation is not enabled'
      Reason: 'The option {verify, verify_peer} and one of the options \'cacertfile\' or \'cacerts\' are required to enable this.'

 19:00:24.647 request_id=F4CM8IaSLHIBlCkAAEAC [error] Internal server error: %Jason.DecodeError{position: 0, token: nil, data: "abcdefg"}

 19:00:24.648 [error] #PID<0.3246.0> running Pleroma.Web.Endpoint (connection #PID<0.3245.0>, stream id 1) terminated

 Server: akkoma.mysite.com:80 (http)
 Request: GET /oauth/keycloak/callback?state=abcdef&session_state=XXXX-XXXX-XXXX-XXXX&code=XXXX-XXXX-XXXX-XXXX
 ** (exit) an exception was raised:
     ** (Protocol.UndefinedError) protocol Phoenix.HTML.Safe not implemented for %{errors: %{detail: "Internal server error"}} of type Map. This protocol is implemented for the following type(s): Atom, BitString, Date, DateTime, Decimal, Float, Integer, List, NaiveDateTime, Phoenix.HTML.Form, Phoenix.LiveComponent.CID, Phoenix.LiveView.Component, Phoenix.LiveView.Comprehension, Phoenix.LiveView.JS, Phoenix.LiveView.Rendered, Time, Tuple, URI
         (phoenix_html 3.3.1) lib/phoenix_html/safe.ex:1: Phoenix.HTML.Safe.impl_for!/1
         (phoenix_html 3.3.1) lib/phoenix_html/safe.ex:15: Phoenix.HTML.Safe.to_iodata/1
         (phoenix 1.6.16) lib/phoenix/controller.ex:772: Phoenix.Controller.render_and_send/4
         (phoenix 1.6.16) lib/phoenix/endpoint/render_errors.ex:78: Phoenix.Endpoint.RenderErrors.instrument_render_and_send/5
         (phoenix 1.6.16) lib/phoenix/endpoint/render_errors.ex:64: Phoenix.Endpoint.RenderErrors.__catch__/5
         (phoenix 1.6.16) lib/phoenix/endpoint/cowboy2_handler.ex:54: Phoenix.Endpoint.Cowboy2Handler.init/4
         (cowboy 2.10.0) /opt/akkoma/deps/cowboy/src/cowboy_handler.erl:37: :cowboy_handler.execute/2
         (cowboy 2.10.0) /opt/akkoma/deps/cowboy/src/cowboy_stream_h.erl:306: :cowboy_stream_h.execute/3

It looks like there’s a warning about not using TLS (not fatal), followed by trying to parse the “state” query parameter as JSON while it looks like a random string, most certainly not JSON!

Would greatly appreciate any thoughts or advice on what I’ve misconfigured, or how I can enable more logging to figure out what is going on :slight_smile: .

I tried the same a while ago and couldn’t get it to work either, will be watching this subject to see if someone comes up with a solution.

1 Like