
OIDC Integration with Keycloak fails with 'unauthorized_client' error despite correct credentials

Open vjsandu opened this issue 7 months ago • 1 comment

Description

I'm experiencing persistent "unauthorized_client" errors when trying to configure Harbor with Keycloak for OIDC authentication. Despite confirming the client credentials are correct through direct testing with the token endpoint, Harbor continues to fail with:

{"errors":[{"code":"BAD_REQUEST","message":"oauth2: \"unauthorized_client\" \"Invalid client or Invalid client credentials\""}]}

Environment

  • Harbor version: 1.17.0 (Helm chart)
  • Keycloak version: 23.0.6
  • Kubernetes version: 1.32
  • Deployment method: Helm chart via FluxCD

Steps to reproduce

  1. Configured Keycloak client with:

    • Client ID: harbor
    • Client authentication enabled
    • Standard flow enabled
    • Valid client secret generated
    • Valid redirect URI configured
  2. Configured Harbor with OIDC authentication using the CONFIG_OVERWRITE_JSON method:

    core:
      extraEnvVars:
        - name: CONFIG_OVERWRITE_JSON
          value: |
            {
              "auth_mode": "oidc_auth",
              "oidc_name": "My Keycloak",
              "oidc_endpoint": "https://sso-dev.example.com/realms/example",
              "oidc_client_id": "harbor", 
              "oidc_client_secret": "[REDACTED]",
              "oidc_scope": "openid,profile,email,offline_access,roles",
              "oidc_verify_cert": "true",
              "oidc_auto_onboard": "true",
              "oidc_user_claim": "preferred_username"
            }
    
  3. Verified client credentials are correct by successfully retrieving tokens via curl:

    curl -X POST \
      https://sso-dev.example.com/realms/example/protocol/openid-connect/token \
      -H "Content-Type: application/x-www-form-urlencoded" \
      -d "grant_type=client_credentials" \
      -d "client_id=harbor" \
      -d "client_secret=[REDACTED]"

    Result: Successfully returns token

  4. Attempted OIDC login in Harbor UI, which redirects to Keycloak but fails upon redirect back to Harbor

Troubleshooting steps already taken

  1. Verified client ID and secret are correct via direct token endpoint testing
  2. Regenerated client secret multiple times
  3. Confirmed client authentication settings in Keycloak (confidential access type, client auth enabled)
  4. Restarted Harbor core pod after configuration changes
  5. Verified Keycloak logs show "invalid_client_credentials" errors during authorization code flow but not during client_credentials flow
  6. Tested with both "username" and "preferred_username" user claim settings

Additional logs

From Keycloak: [org.keycloak.events] type="CODE_TO_TOKEN_ERROR", realmId="xxx", clientId="harbor", userId="null", ipAddress="x.x.x.x", error="invalid_client_credentials", grant_type="authorization_code"

Expected behavior

Harbor should successfully authenticate with Keycloak via OIDC and allow users to log in.

vjsandu avatar May 19 '25 11:05 vjsandu
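Added example (not code from the issue, Harbor or Keycloak): a small Python helper that parses Keycloak's `org.keycloak.events` log lines like the one quoted above and isolates `CODE_TO_TOKEN_ERROR` events for the `harbor` client, so the failing authorization-code exchange can be told apart from the `client_credentials` test that succeeds. The first sample line is the event from the report; the other two are constructed for contrast.

```python
import re
from typing import Dict, List, Set

# Keycloak's org.keycloak.events logger emits key="value" pairs on one line.
EVENT_FIELD = re.compile(r'(\w+)="([^"]*)"')

# Constructed sample log lines: the first is the event quoted in the issue,
# the other two are made up to show a succeeding client_credentials call
# and the browser login that precedes the failing code-to-token step.
SAMPLE_EVENTS: List[str] = [
    '[org.keycloak.events] type="CODE_TO_TOKEN_ERROR", realmId="xxx", clientId="harbor", '
    'userId="null", ipAddress="x.x.x.x", error="invalid_client_credentials", '
    'grant_type="authorization_code"',
    '[org.keycloak.events] type="CLIENT_LOGIN", realmId="xxx", clientId="harbor", '
    'userId="null", ipAddress="x.x.x.x", grant_type="client_credentials"',
    '[org.keycloak.events] type="LOGIN", realmId="xxx", clientId="harbor", '
    'userId="1234", ipAddress="x.x.x.x", redirect_uri="https://harbor.example.com/c/oidc/callback"',
]


def parse_event(line: str) -> Dict[str, str]:
    """Turn one Keycloak event line into a dict of its key="value" fields."""
    return dict(EVENT_FIELD.findall(line))


def token_exchange_failures(lines: List[str], client_id: str) -> List[Dict[str, str]]:
    """Events where the authorization-code exchange for client_id was rejected on credentials.

    These are the events to inspect when the redirect back to Harbor ends in
    'unauthorized_client': the user authenticated (LOGIN), but Keycloak refused
    the server-to-server code-to-token request that follows.
    """
    out = []
    for line in lines:
        ev = parse_event(line)
        if (ev.get("type") == "CODE_TO_TOKEN_ERROR"
                and ev.get("clientId") == client_id
                and ev.get("error") == "invalid_client_credentials"):
            out.append(ev)
    return out


def grant_types_seen(lines: List[str], client_id: str) -> Dict[str, Set[str]]:
    """Map grant_type -> event types, to contrast the flows that succeed and fail."""
    seen: Dict[str, Set[str]] = {}
    for line in lines:
        ev = parse_event(line)
        if ev.get("clientId") != client_id or "grant_type" not in ev:
            continue
        seen.setdefault(ev["grant_type"], set()).add(ev["type"])
    return seen
```

Run `grant_types_seen(SAMPLE_EVENTS, "harbor")` against a real export of the events logger to confirm that only the `authorization_code` grant is failing for the client, as the report describes.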

@vjsandu Have you tried NOT using "CONFIG_OVERWRITE_JSON"? I.e., if you set up Harbor without this env var and configure OIDC via Harbor's UI, will everything work?

reasonerjt avatar May 26 '25 09:05 reasonerjt

This issue is being marked stale due to a period of inactivity. If this issue is still relevant, please comment or remove the stale label. Otherwise, this issue will close in 30 days.

github-actions[bot] avatar Jul 26 '25 09:07 github-actions[bot]

This issue was closed because it has been stalled for 30 days with no activity. If this issue is still relevant, please re-open a new issue.

github-actions[bot] avatar Aug 25 '25 09:08 github-actions[bot]