[BUG] Dashy does not work with latest Keycloak 26.0.5
Environment
Self-Hosted (Docker)
System
Firefox 132.0.2
Version
3.1.1
Describe the problem
Dashy does not work with latest Keycloak 26.0.5.
docker compose file:
services:
  dashy:
    container_name: Dashy
    image: lissy93/dashy:latest
    volumes:
      - ./user-data:/app/user-data
    ports:
      - 4000:8080
    environment:
      - NODE_ENV=production
    restart: unless-stopped
    healthcheck:
      test: ['CMD', 'node', '/app/services/healthcheck']
      interval: 1m30s
      timeout: 10s
      retries: 3
      start_period: 40s
Dashy conf.yml
# Page meta info, like heading, footer text and nav links
pageInfo:
  title: Dashy
  description: Welcome to your new dashboard!
  navLinks:
    - title: GitHub
      path: https://github.com/Lissy93/dashy
    - title: Documentation
      path: https://dashy.to/docs
# Optional app settings and configuration
appConfig:
  theme: colorful
  auth:
    enableKeycloak: true
    keycloak:
      serverUrl: 'https://keycloak.local.com/auth/'
      realm: 'local'
      clientId: 'dashy'
# Main content - An array of sections, each containing an array of items
sections:
  - name: Getting Started
    icon: fas fa-rocket
    items:
      - title: Dashy Live
        description: Development a project management links for Dashy
        icon: https://i.ibb.co/qWWpD0v/astro-dab-128.png
        url: https://live.dashy.to/
        target: newtab
      - title: GitHub
        description: Source Code, Issues and Pull Requests
        url: https://github.com/lissy93/dashy
        icon: favicon
Dashy nginx conf
server {
    listen 443 ssl;
    server_name dashy.local.com;
    ssl_certificate /etc/ssl/cert.pem;
    ssl_certificate_key /etc/ssl/key.pem;
    location / {
        proxy_pass http://127.0.0.1:4000;
        proxy_set_header X-Forwarded-User $http_authorization;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forward-For $proxy_add_x_forwarded_for;
    }
}
Keycloak nginx conf
server {
    listen 443 ssl;
    server_name keycloak.local.com;
    ssl_certificate /etc/ssl/cert.pem;
    ssl_certificate_key /etc/ssl/key.pem;
    location / {
        proxy_pass http://127.0.0.1:8583;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_buffer_size 128k;
        proxy_buffers 4 256k;
        proxy_busy_buffers_size 256k;
    }
}
Keycloak client settings:
When opening https://dashy.local.com it redirects to https://keycloak.local.com, where I enter my login and password, then it redirects back to https://dashy.local.com, and then shows the page "It looks like something's gone wrong... This is likely caused by the app source not being found at the current domain." I've tried all the settings according to what I found in the documentation, but the result is always the same. And there are no errors or suggestive information in the keycloak or Dashy logs. Authorization for more than a dozen different services works without problems through my keycloak, but I can't get Dashy to work.
Additional info
No response
Please tick the boxes
- [X] You have explained the issue clearly, and included all relevant info
- [X] You are using a supported version of Dashy
- [X] You've checked that this issue hasn't already been raised
- [X] You've checked the docs and troubleshooting guide
- [X] You agree to the code of conduct
@logrisua, Keycloak auth is broken and should soon be deprecated (I think). You should use the OIDC-based auth solution with which you can achieve the same result.
> You should use the OIDC-based auth solution with which you can achieve the same result.
To be clear, you can configure that auth solution to use keycloak, right? Keycloak is OIDC compliant.
> To be clear, you can configure that auth solution to use keycloak, right? Keycloak is OIDC compliant.
Exactly. Just replace the adequate fields in the documentation example and you should be good to go.
Notice that the stable tag (:3.1.1) does not fully implement OIDC; you should use the :latest tag if using Docker, or the last commit if you are building Dashy yourself.
Thanks guys! I was able to run it through OIDC via Keycloak. But now I can't figure out how to set up access by roles. For example, access to Dashy administration only for users with the DashyAdmin role. Or access to certain sections or pages for certain roles. Maybe someone can share an example of a working config?
Can you share your config? I gave it a try and landed exactly on the same issue as the original keycloak config.
I ended up putting oauth2-proxy in front of dashy, but I lost groups and role granularity....
Here are the settings with which authorization worked for me, but I still couldn’t figure out whether roles and groups are pulled up and how to configure access.
appConfig:
  theme: colorful
  auth:
    enableOidc: true
    oidc:
      clientId: dashy
      endpoint: https://keycloak.local.com/auth/realms/local
      scope: ''
    enableGuestAccess: false
holy shit, i got it working !
Unfortunately the currently available docker image still contains dashy version 3.1.1, which doesn't support oidc. Could you release a docker image in which oidc works properly?
I'm running docker latest with oidc
On Thu, Jan 16, 2025, 17:34 Tomasz Karpowicz wrote:
> Unfortunately the currently available docker image still contains dashy version 3.1.1, which doesn't support oidc. Could you release a docker image in which oidc works properly?
Thx, waiting impatiently ;)
Hi, was facing the same issue - Was using Keycloak. Is there a way to add role mapping?
Hello.
Did you solve the problem with Keycloak authentication?
I'm trying to use the Keycloak, but get the error:
"invalid_client_credientials"
When I try to use OIDC via Keycloak, I get the following message:
"failed to authenticate with OIDC" and URI looks like:
https://home.local/realms/home/protocol/openid-connect/auth/.well-known/openid-configuration
I don't understand why .well-known appears. The config in user-data looks like:
auth:
  enableOidc: true
  oidc:
    client: dashy
    endpoint: https://home.local/realms/home/protocol/openid-connect/auth
    scope: ''
Hi, i fixed using like this:
auth:
  enableOidc: true
  oidc:
    clientId: <YOUR CLIENT ID>
    endpoint: https://domain.com/realms/<YOUR-REALM-NAME>
    scope: openid email profile
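
Added example (not part of any comment in this thread, and not Dashy's code): an OIDC client builds its discovery URL by appending `/.well-known/openid-configuration` to the configured issuer, which is why `endpoint` must be the realm URL rather than the `/protocol/openid-connect/auth` endpoint. The function names are hypothetical and the checks cover only the Keycloak URL shapes quoted in this thread.

```javascript
// Added example, not Dashy's own code. Function names are hypothetical.
const DISCOVERY_SUFFIX = '/.well-known/openid-configuration';

// Build the discovery URL the way an OIDC client does: issuer + well-known suffix.
function discoveryUrl(endpoint) {
  return endpoint.replace(/\/+$/, '') + DISCOVERY_SUFFIX;
}

// Check an `endpoint` value and suggest the realm issuer URL when it points
// at a protocol endpoint or at the discovery document itself.
function checkOidcEndpoint(endpoint) {
  const problems = [];
  let url;
  try {
    url = new URL(endpoint);
  } catch {
    return { ok: false, problems: ['not an absolute URL'], suggested: null };
  }
  if (url.protocol !== 'https:') problems.push('endpoint is not https');
  let path = url.pathname.replace(/\/+$/, '');
  if (path.endsWith(DISCOVERY_SUFFIX)) {
    problems.push('endpoint already includes the discovery path');
    path = path.slice(0, -DISCOVERY_SUFFIX.length);
  }
  const proto = path.indexOf('/protocol/openid-connect');
  if (proto !== -1) {
    problems.push('endpoint points at a protocol endpoint, not the realm');
    path = path.slice(0, proto);
  }
  if (!/\/realms\/[^/]+$/.test(path)) problems.push('path does not end in /realms/<realm>');
  const suggested = url.origin + path;
  return { ok: problems.length === 0, problems, suggested, discovery: discoveryUrl(suggested) };
}

// Constructed inputs using the URL shapes quoted in this thread.
const broken = checkOidcEndpoint('https://home.local/realms/home/protocol/openid-connect/auth');
const working = checkOidcEndpoint('https://keycloak.local.com/auth/realms/local');
console.log(broken, working);
```
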
> Hi, i fixed using like this:
>
> auth:
>   enableOidc: true
>   oidc:
>     clientId: <YOUR CLIENT ID>
>     endpoint: https://domain.com/realms/<YOUR-REALM-NAME>
>     scope: openid email profile
Thank you for your reply.
Could you please show a Keycloak Client Access settings? Because I'm getting the error:
Invalid parameter: redirect_uri
It is working fine for me with keycloak 26.1 and oidc. But I can not get fine granular filters to work. For the old keycloak adapter there was
showForKeycloakUsers:
  - roles: [ `foo-role` ]
It does not work with showForUsers using the same syntax. How do you mimic that behaviour with the OIDC adapter?
Hi I got it working as well using oidc configs:
appConfig:
  auth:
    enableOidc: true
    oidc:
      endpoint: https://sso.abc.xyz/realms/master
      clientId: dashy
    enableGuestAccess: false
IMPORTANT make sure to check your client scopes and include the following:
- profile
- roles
- groups
In my Keycloak installation I did not have any "groups" scope, so I had to add one manually:
- Open "Client Scopes"
- Press "Create client scope"
- Name is "groups", description and everything else is optional
- Hit "Save"
- Search for your new "groups" scope
- Navigate to "Mappers" and click on "Add mapper" -> "From predefined mappers"
- Search for "groups" and press "Add"
- Go back to your client -> "Client scopes" -> click "Add client scope" (set to default)
- Search for your new "groups" scope.. add it
- profit!
> Hi I got it working as well using oidc configs:
>
> appConfig:
>   auth:
>     enableOidc: true
>     oidc:
>       endpoint: https://sso.abc.xyz/realms/master
>       clientId: dashy
>     enableGuestAccess: false
>
> IMPORTANT make sure to check your client scopes and include the following:
>
> * profile
> * roles
> * email
> * groups
>
> In my Keycloak installation I did not have any "groups" scope, so I had to add one manually:
>
> 1. Open "Client Scopes"
> 2. Press "Create client scope"
> 3. Name is "groups", description and everything else is optional
> 4. Hit "Save"
> 5. Search for your new "groups" scope
> 6. Navigate to "Mappers" and click on "Add mapper" -> "From predefined mappers"
> 7. Search for "groups" and press "Add"
> 8. Go back to your client -> "Client scopes" -> click "Add client scope" (set to default)
> 9. Search for your new "groups" scope.. add it
> 10. profit!
Hello. Thank you for your reply. Now authorization works fine, but assigning groups is not working. I've added "groups" scope, a developers group and users to the group. My dashy config:
- name: QA
  displayData:
    hideForKeycloakUsers:
      groups: ['developers']
  items:
    - title: test QA
      url: https://example-qa.com
@perrfect if you are still trying to get this to work here's what I've found while getting it working for myself. First off, the "groups" pre-defined mapper seems to expose the "realm roles" from Keycloak not the actual groups. So basically using that didn't do what I expected at all. Here's what I did instead:
- In Keycloak, click into your Dashy client
- Click on the "client scopes" tab
- Click on the "dashy-dedicated" assigned client scope
- Click "add predefined mapper" and choose "client roles" then click the add button
- Click into the new "client roles" mapper
  a. For the "client id" field select Dashy
  b. For the "token claim name" field change it to "groups"
  c. Enable the "add to ID token" toggle
  d. Save
- Go back to the main clients list and click into Dashy again, then click on the "roles" tab
  a. Create roles with the name you want the groups to show up in Dashy
- Go to the main groups list, and for each client role you created above:
  a. Create a group
  b. Assign the users you want to it on the "members" tab
  c. Assign the client role to it on the "role mapping" tab
If one of your roles is meant to make you the admin for Dashy, add "adminGroup: name_of_admin_role" in conf.yml under the appConfig.auth.oidc section.
I think I got all the steps here but if I missed something hopefully this gets you close enough to figure out the rest.
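
Added example (not part of any comment in this thread, and not Dashy's code): a way to confirm that the mapper steps above actually put a `groups` claim into the ID token, by decoding a token payload and comparing it with the `adminGroup` value. It assumes Dashy evaluates the `groups` claim of the ID token, as those steps configure; the function names and the sample tokens are constructed for illustration.

```javascript
// Added example, not Dashy's own code. Names are hypothetical; tokens are constructed.

// Decode the payload of a JWT for inspection only. No signature check is done,
// so use this for debugging claim mappers, never for authorization decisions.
function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWS (expected 3 parts)');
  return JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
}

// Report what the mapper put in the token: the `groups` claim configured in the
// steps above, plus Keycloak's default role claims, which stay separate from it.
function inspectGroups(idToken, clientId, adminGroup) {
  const claims = decodeJwtPayload(idToken);
  const hasGroupsClaim = Array.isArray(claims.groups);
  const groups = hasGroupsClaim ? claims.groups : [];
  const clientRoles = claims.resource_access?.[clientId]?.roles ?? [];
  const realmRoles = claims.realm_access?.roles ?? [];
  return {
    hasGroupsClaim,
    groups,
    isAdmin: groups.includes(adminGroup),
    // Roles present in Keycloak's default claims but not mapped into `groups`.
    unmappedRoles: [...clientRoles, ...realmRoles].filter((r) => !groups.includes(r)),
  };
}

// Build a constructed, unsigned sample token for the demo.
function makeToken(payload) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64url');
  return `${enc({ alg: 'RS256', typ: 'JWT' })}.${enc(payload)}.constructed-signature`;
}

// Mapper configured: roles arrive in `groups`.
const mapped = makeToken({ sub: 'u1', aud: 'dashy', groups: ['admin', 'media'] });
// Mapper missing: the role exists only under resource_access.
const unmapped = makeToken({
  sub: 'u2',
  aud: 'dashy',
  resource_access: { dashy: { roles: ['admin'] } },
});
console.log(inspectGroups(mapped, 'dashy', 'admin'));
console.log(inspectGroups(unmapped, 'dashy', 'admin'));
```
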
I got it working thanks to @brandonp42, just followed his steps and it works.
I am using a homelab realm and 2 roles, admin and media
Here is my dashy config file auth block:
appConfig:
  <other stuff...>
  auth:
    enableOidc: true
    oidc:
      clientId: 'dashy'
      adminGroup: admin
      endpoint: 'https://<domain_name>/realms/homelab'
      scope: openid email profile
    enableGuestAccess: false
I made a partial export of my realm with groups, roles and clients, if it can help anyone :