Hi!
I’m trying to set up SSO with Keycloak on a new Akkoma instance. Running backend version 3.10.4-1-gebfb617b, frontend version e7a558a, and Keycloak 22.0.1.
I tried following the OAuth consumer section of the configuration cheat sheet by setting `OAUTH_CONSUMER_STRATEGIES="keycloak:ueberauth_keycloak_strategy"` and by adding the following to my `prod.secret.exs`:
```elixir
keycloak_url = "https://keycloak.mysite.com"

config :ueberauth, Ueberauth.Strategy.Keycloak.OAuth,
  client_id: "xxx",
  client_secret: "xxx",
  site: keycloak_url,
  authorize_url: "#{keycloak_url}/realms/public/protocol/openid-connect/auth",
  token_url: "#{keycloak_url}/realms/public/protocol/openid-connect/token",
  userinfo_url: "#{keycloak_url}/realms/public/protocol/openid-connect/userinfo",
  token_method: :post

config :ueberauth, Ueberauth,
  providers: [
    keycloak: {Ueberauth.Strategy.Keycloak, [uid_field: :email]}
  ]
```
In the Keycloak realm named `public`, I created a new OpenID Connect application with…
- the Client authentication capability (“OIDC set to confidential access type”),
- the root URL and web origin set to `https://akkoma.mysite.com`,
- the valid redirect URI set to `https://akkoma.mysite.com/oauth/keycloak/callback`.
I couldn’t find the OAuth login button, so instead I went directly to `https://akkoma.mysite.com/oauth/keycloak` in my browser. This redirected me to the Keycloak login page, and then back to the redirect URI with some parameters about a bad scope and bad callback URL. I (possibly incorrectly) amended the Ueberauth configuration to set these parameters directly:
```elixir
config :ueberauth, Ueberauth,
  providers: [
    keycloak:
      {Ueberauth.Strategy.Keycloak,
       [uid_field: :email, default_scope: "openid", callback_url: "https://akkoma.mysite.com/oauth/keycloak/callback"]}
  ]
```
Now whenever I try to log in, I get a blank response on the callback page with a 500 status code.
Looking at the traffic going to the Keycloak server, I can see that the request to the token endpoint is okay and returns the access/refresh token, and that is followed by another successful request to the userinfo endpoint.
In the Akkoma logs:
```
19:00:24.569 [warning] Description: 'Server authenticity is not verified since certificate path validation is not enabled'
     Reason: 'The option {verify, verify_peer} and one of the options \'cacertfile\' or \'cacerts\' are required to enable this.'
19:00:24.647 request_id=F4CM8IaSLHIBlCkAAEAC [error] Internal server error: %Jason.DecodeError{position: 0, token: nil, data: "abcdefg"}
19:00:24.648 [error] #PID<0.3246.0> running Pleroma.Web.Endpoint (connection #PID<0.3245.0>, stream id 1) terminated
Server: akkoma.mysite.com:80 (http)
Request: GET /oauth/keycloak/callback?state=abcdef&session_state=XXXX-XXXX-XXXX-XXXX&code=XXXX-XXXX-XXXX-XXXX
** (exit) an exception was raised:
    ** (Protocol.UndefinedError) protocol Phoenix.HTML.Safe not implemented for %{errors: %{detail: "Internal server error"}} of type Map. This protocol is implemented for the following type(s): Atom, BitString, Date, DateTime, Decimal, Float, Integer, List, NaiveDateTime, Phoenix.HTML.Form, Phoenix.LiveComponent.CID, Phoenix.LiveView.Component, Phoenix.LiveView.Comprehension, Phoenix.LiveView.JS, Phoenix.LiveView.Rendered, Time, Tuple, URI
        (phoenix_html 3.3.1) lib/phoenix_html/safe.ex:1: Phoenix.HTML.Safe.impl_for!/1
        (phoenix_html 3.3.1) lib/phoenix_html/safe.ex:15: Phoenix.HTML.Safe.to_iodata/1
        (phoenix 1.6.16) lib/phoenix/controller.ex:772: Phoenix.Controller.render_and_send/4
        (phoenix 1.6.16) lib/phoenix/endpoint/render_errors.ex:78: Phoenix.Endpoint.RenderErrors.instrument_render_and_send/5
        (phoenix 1.6.16) lib/phoenix/endpoint/render_errors.ex:64: Phoenix.Endpoint.RenderErrors.__catch__/5
        (phoenix 1.6.16) lib/phoenix/endpoint/cowboy2_handler.ex:54: Phoenix.Endpoint.Cowboy2Handler.init/4
        (cowboy 2.10.0) /opt/akkoma/deps/cowboy/src/cowboy_handler.erl:37: :cowboy_handler.execute/2
        (cowboy 2.10.0) /opt/akkoma/deps/cowboy/src/cowboy_stream_h.erl:306: :cowboy_stream_h.execute/3
```
It looks like there’s a warning about not using TLS (not fatal), followed by trying to parse the “state” query parameter as JSON while it looks like a random string, most certainly not JSON!
Would greatly appreciate any thoughts or advice on what I’ve misconfigured, or how I can enable more logging to figure out what is going on.