500 Error with Keycloak OAuth Consumer

Hi!

I’m trying to set up SSO with Keycloak on a new Akkoma instance. Running backend version 3.10.4-1-gebfb617b, frontend version e7a558a, and Keycloak 22.0.1.
I tried following the OAuth consumer section of the configuration cheat sheet by setting OAUTH_CONSUMER_STRATEGIES="keycloak:ueberauth_keycloak_strategy" and by adding the following to my prod.secret.exs:

keycloak_url = "https://keycloak.mysite.com"

config :ueberauth, Ueberauth.Strategy.Keycloak.OAuth,
  client_id: "xxx",
  client_secret: "xxx",
  site: keycloak_url,
  authorize_url: "#{keycloak_url}/realms/public/protocol/openid-connect/auth",
  token_url: "#{keycloak_url}/realms/public/protocol/openid-connect/token",
  userinfo_url: "#{keycloak_url}/realms/public/protocol/openid-connect/userinfo",
  token_method: :post

config :ueberauth, Ueberauth,
  providers: [
    keycloak: {Ueberauth.Strategy.Keycloak, [uid_field: :email]}
  ]

In the Keycloak realm named public, I created a new OpenID Connect application with…

  • the Client authentication capability (“OIDC set to confidential access type”),
  • the root url and web origin set to https://akkoma.mysite.com,
  • the valid redirect uri set to https://akkoma.mysite.com/oauth/keycloak/callback.

I couldn’t find the OAuth login button, so instead I went directly to https://akkoma.mysite.com/oauth/keycloak in my browser. This redirected me to the Keycloak login page, and then back to the redirect URI with some parameters about a bad scope and bad callback URL. I (possibly incorrectly) amended the Ueberauth configuration to set these parameters directly:

config :ueberauth, Ueberauth,
  providers: [
    keycloak:
      {Ueberauth.Strategy.Keycloak,
       [uid_field: :email, default_scope: "openid", callback_url: "https://akkoma.mysite.com/oauth/keycloak/callback"]}
  ]

Now whenever I try to log in, I get a blank response on the callback page with a 500 status code.

Looking at the traffic going to the Keycloak server, I can see that the request to the token endpoint is okay and returns the access/refresh token, and that is followed by another successful request to the userinfo endpoint.

In the Akkoma logs:

 19:00:24.569 [warning] Description: 'Server authenticity is not verified since certificate path validation is not enabled'
      Reason: 'The option {verify, verify_peer} and one of the options \'cacertfile\' or \'cacerts\' are required to enable this.'

 19:00:24.647 request_id=F4CM8IaSLHIBlCkAAEAC [error] Internal server error: %Jason.DecodeError{position: 0, token: nil, data: "abcdefg"}

 19:00:24.648 [error] #PID<0.3246.0> running Pleroma.Web.Endpoint (connection #PID<0.3245.0>, stream id 1) terminated

 Server: akkoma.mysite.com:80 (http)
 Request: GET /oauth/keycloak/callback?state=abcdef&session_state=XXXX-XXXX-XXXX-XXXX&code=XXXX-XXXX-XXXX-XXXX
 ** (exit) an exception was raised:
     ** (Protocol.UndefinedError) protocol Phoenix.HTML.Safe not implemented for %{errors: %{detail: "Internal server error"}} of type Map. This protocol is implemented for the following type(s): Atom, BitString, Date, DateTime, Decimal, Float, Integer, List, NaiveDateTime, Phoenix.HTML.Form, Phoenix.LiveComponent.CID, Phoenix.LiveView.Component, Phoenix.LiveView.Comprehension, Phoenix.LiveView.JS, Phoenix.LiveView.Rendered, Time, Tuple, URI
         (phoenix_html 3.3.1) lib/phoenix_html/safe.ex:1: Phoenix.HTML.Safe.impl_for!/1
         (phoenix_html 3.3.1) lib/phoenix_html/safe.ex:15: Phoenix.HTML.Safe.to_iodata/1
         (phoenix 1.6.16) lib/phoenix/controller.ex:772: Phoenix.Controller.render_and_send/4
         (phoenix 1.6.16) lib/phoenix/endpoint/render_errors.ex:78: Phoenix.Endpoint.RenderErrors.instrument_render_and_send/5
         (phoenix 1.6.16) lib/phoenix/endpoint/render_errors.ex:64: Phoenix.Endpoint.RenderErrors.__catch__/5
         (phoenix 1.6.16) lib/phoenix/endpoint/cowboy2_handler.ex:54: Phoenix.Endpoint.Cowboy2Handler.init/4
         (cowboy 2.10.0) /opt/akkoma/deps/cowboy/src/cowboy_handler.erl:37: :cowboy_handler.execute/2
         (cowboy 2.10.0) /opt/akkoma/deps/cowboy/src/cowboy_stream_h.erl:306: :cowboy_stream_h.execute/3

It looks like there’s a warning about not using TLS (not fatal), followed by trying to parse the “state” query parameter as JSON while it looks like a random string, most certainly not JSON!
Would greatly appreciate any thoughts or advice on what I’ve misconfigured, or how I can enable more logging to figure out what is going on :slight_smile: .
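As an added triage aid (not from the post or the Akkoma project), the script below runs over constructed log lines modelled on the ones quoted above and pulls out the three things worth separating when a callback 500s like this: the request path and its query parameters, whether the `state` value the handler tried to decode is JSON at all, and the Erlang ssl warning, which means the token request to Keycloak was made without verifying the server certificate and deserves fixing on its own.

```python
import json
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample, modelled on the log excerpt in the post (values are placeholders).
SAMPLE_LOG = """\
19:00:24.569 [warning] Description: 'Server authenticity is not verified since certificate path validation is not enabled'
     Reason: 'The option {verify, verify_peer} and one of the options 'cacertfile' or 'cacerts' are required to enable this.'
19:00:24.647 request_id=F4CM8IaSLHIBlCkAAEAC [error] Internal server error: %Jason.DecodeError{position: 0, token: nil, data: "abcdefg"}
Server: akkoma.mysite.com:80 (http)
Request: GET /oauth/keycloak/callback?state=abcdef&session_state=XXXX-XXXX-XXXX-XXXX&code=XXXX-XXXX-XXXX-XXXX
"""

TLS_WARNING = "certificate path validation is not enabled"
DECODE_ERR = re.compile(r'%Jason\.DecodeError\{.*?data: "(?P<data>[^"]*)"')
REQUEST = re.compile(r"^Request: (?P<method>[A-Z]+) (?P<target>\S+)")


def triage(log_text):
    """Return structured findings from an Akkoma OAuth-callback error log."""
    findings = {
        "tls_unverified": False,   # token/userinfo requests made without peer verification
        "decode_error_data": None, # the raw value Jason failed to decode
        "request_path": None,
        "query": {},
        "state_is_json": None,     # None when no state parameter was seen
    }
    for raw in log_text.splitlines():
        line = raw.strip()
        if TLS_WARNING in line:
            findings["tls_unverified"] = True
        m = DECODE_ERR.search(line)
        if m:
            findings["decode_error_data"] = m.group("data")
        m = REQUEST.match(line)
        if m:
            parts = urlsplit(m.group("target"))
            findings["request_path"] = parts.path
            findings["query"] = {k: v[0] for k, v in parse_qs(parts.query).items()}
    state = findings["query"].get("state")
    if state is not None:
        try:
            json.loads(state)
            findings["state_is_json"] = True
        except ValueError:
            # An opaque random string (Ueberauth's CSRF state) is not JSON.
            findings["state_is_json"] = False
    return findings


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_LOG), indent=2))
```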

I tried the same a while ago and couldn’t get it to work either, will be watching this subject to see if someone comes up with a solution.


Trying to set this up now, and was wondering if someone did manage and could post some hints. Does anyone know if this works on Pleroma and it’s an issue only on Akkoma?

Well, all I can say is that I failed on Pleroma and couldn’t get it to work on Akkoma either :wink:
I don’t need this any longer but will be watching this space nevertheless.

Thanks. Weird to see it in the docs. Thought it’s a rather straightforward thing as it’s documented and all.

I guess it can work, my challenge is that I don’t know Keycloak well enough to exclude the possibility that it was this end which was misconfigured. Give it a go :grinning:

Am I right to assume Ueberauth is not compiled in OTP release?

Getting stuck on the callback. I manage to authenticate via Keycloak, but after I’m redirected to https://akkoma.lan/oauth-callback I’m not logged in. Also, unlike @matthew, I don’t see anything in the logs.