IdP Authentication with KeyCloak not working
Hi all,
I am trying to configure OpenID authentication via Keycloak but I am seeing the following error.
Any idea on which side the problem resides?
My compose.yml includes the following lines for the account service.
- OPENID_CLIENT_ID=huly.domain.com
- OPENID_CLIENT_SECRET=<random string>
- OPENID_ISSUER=https://keycloak/kc/realms/master
When I click on "Continue with OpenID" at the login page:
huly-selfhost-account-1 | {"level":"info","message":"try auth via","provider":"openid","timestamp":"2024-11-05T15:53:03.591Z"}
huly-selfhost-account-1 |
huly-selfhost-account-1 |
huly-selfhost-account-1 | Error: Unknown authentication strategy "oidc"
huly-selfhost-account-1 | at attempt (/usr/src/app/bundle.js:188174:27)
huly-selfhost-account-1 | at authenticate (/usr/src/app/bundle.js:188266:23)
huly-selfhost-account-1 | at /usr/src/app/bundle.js:188921:11
huly-selfhost-account-1 | at new Promise (<anonymous>)
huly-selfhost-account-1 | at /usr/src/app/bundle.js:188920:16
huly-selfhost-account-1 | at /usr/src/app/bundle.js:188895:11
huly-selfhost-account-1 | at new Promise (<anonymous>)
huly-selfhost-account-1 | at passportAuthenticate (/usr/src/app/bundle.js:188866:19)
huly-selfhost-account-1 | at /usr/src/app/bundle.js:201983:11
huly-selfhost-account-1 | at dispatch (/usr/src/app/bundle.js:212744:36)
huly-selfhost-account-1 |
huly-selfhost-account-1 |
Hello @huntx, what version of the containers are you running on?
Hi @lexiv0re , I am currently running on v0.6333.
sudo docker image ls
REPOSITORY                   TAG        IMAGE ID       CREATED       SIZE
minio/minio                  latest     802bb0d1848f   6 days ago    165MB
mongo                        7-jammy    e0d7f1b1df90   11 days ago   782MB
hardcoreeng/account          v0.6.333   bf9eff8dccd7   2 weeks ago   1.13GB
hardcoreeng/front            v0.6.333   b0bf61db06a4   2 weeks ago   1.26GB
hardcoreeng/collaborator     v0.6.333   65de66a06e23   2 weeks ago   1.15GB
hardcoreeng/transactor       v0.6.333   863e7a485413   2 weeks ago   1.16GB
hardcoreeng/workspace        v0.6.333   73670051efcb   2 weeks ago   1.15GB
hardcoreeng/rekoni-service   v0.6.333   c6f6ecb20dd3   2 weeks ago   1.23GB
elasticsearch                7.14.2     2abd5342ace0   3 years ago   1.04GB
@huntx do you have any additional logs before the ones you posted? You'd be looking for these entries:
Discovered issuer, Created OIDC client, Registered OIDC strategy or Failed to create OIDC client...
I'm running v0.6.333 and this is how I have mine set up, and it works:
- OPENID_CLIENT_ID=${AUTH_CLIENT_ID}
- OPENID_CLIENT_SECRET=${AUTH_CLIENT_SECRET}
- OPENID_ISSUER=${AUTH_URL}/realms/${AUTH_REALM}
AUTH_CLIENT_ID should be the "Client ID" you've set up in KeyCloak, in my case "huly-client".
AUTH_CLIENT_SECRET you get from KeyCloak after you have created your "Client ID".
I have a custom AUTH_URL and a custom AUTH_REALM, but in your case it should work with OPENID_ISSUER=https://keycloak/realms/master if you are using the "master" realm.
Note that you also have to set up the access URLs in KeyCloak > Clients,
i.e.: Root URL, Home URL and Valid redirect URIs.
In my case the Valid redirect URIs is different since the account service is running on a subdomain (not using the default nginx config provided by huly).
Hope this helps
I believe I have configured them correctly but problem still persists.
I suspect it could be due to my KeyCloak version.
Same problem persists for me. I am using authentik as my IdP.
huly-selfhost-account-1 | Error: Unknown authentication strategy "oidc"
I've been experiencing this error when my keycloak doesn't have a valid SSL certificate.
@BelokonevAS The only way I was able to get the account service to communicate with keycloak (even after ensuring that I could curl the .well-known link from within the account container) was to use NODE_TLS_REJECT_UNAUTHORIZED=0 via the container's environment variables.
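Two things in this thread are worth checking before touching the account container: whether the issuer URL you put in OPENID_ISSUER is the one the IdP actually advertises in its discovery document (OIDC Discovery requires the two to match exactly, and a reverse-proxy path prefix is a common way for them to drift apart), and whether the TLS chain validates without switching verification off. The script below is an added example, not code from this thread or from Huly; it assumes Node 18+ (global fetch) and a discovery document in the standard OpenID Connect Discovery format. The sample documents are constructed, and the "/kc" issuer in the mismatch sample is a hypothetical illustration of a proxy prefix, not a diagnosis of the original poster's setup. It keeps certificate verification on and points at NODE_EXTRA_CA_CERTS (a standard Node option) for private CAs, so the NODE_TLS_REJECT_UNAUTHORIZED=0 workaround, which disables verification for every outbound connection the service makes, is not needed.

```javascript
// Preflight check for an OIDC issuer before wiring it into the account service.
// Added example, not part of the thread or of Huly's code.
// Assumes Node 18+ (global fetch) and a spec-conformant discovery document.

// OIDC Discovery: the metadata lives at <issuer>/.well-known/openid-configuration.
// Strip any trailing slash so the path is not doubled.
function discoveryUrl(issuer) {
  return issuer.replace(/\/+$/, '') + '/.well-known/openid-configuration';
}

// Returns a list of problems (empty list = looks fine).
// - "issuer" in the document MUST equal the configured issuer URL; a mismatch is
//   what you get when the IdP sits behind a proxy path the realm does not know about.
// - The endpoints the authorization-code flow needs must be present and served over https,
//   otherwise tokens/codes would travel in the clear.
function validateDiscovery(configuredIssuer, doc) {
  const problems = [];
  const expected = configuredIssuer.replace(/\/+$/, '');
  const advertised = typeof doc.issuer === 'string' ? doc.issuer.replace(/\/+$/, '') : undefined;
  if (advertised !== expected) {
    problems.push(`issuer mismatch: configured "${expected}" but document says "${doc.issuer}"`);
  }
  for (const key of ['authorization_endpoint', 'token_endpoint', 'jwks_uri']) {
    if (typeof doc[key] !== 'string') problems.push(`missing ${key}`);
    else if (!doc[key].startsWith('https://')) problems.push(`${key} is not https: ${doc[key]}`);
  }
  const responseTypes = Array.isArray(doc.response_types_supported) ? doc.response_types_supported : [];
  if (!responseTypes.includes('code')) problems.push('response_type "code" not supported');
  return problems;
}

// Constructed sample documents (not captured from any real IdP).
const SAMPLE_OK = {
  issuer: 'https://keycloak/realms/master',
  authorization_endpoint: 'https://keycloak/realms/master/protocol/openid-connect/auth',
  token_endpoint: 'https://keycloak/realms/master/protocol/openid-connect/token',
  jwks_uri: 'https://keycloak/realms/master/protocol/openid-connect/certs',
  response_types_supported: ['code', 'none', 'id_token'],
};
// Hypothetical proxy-prefix case: client configured with "/kc", IdP advertises without it.
const SAMPLE_MISMATCH = { ...SAMPLE_OK };
// Same document but with a plaintext token endpoint.
const SAMPLE_PLAIN_HTTP = { ...SAMPLE_OK, token_endpoint: 'http://keycloak/realms/master/protocol/openid-connect/token' };

// Fetch the live document with TLS verification left ON. A private CA goes in
// NODE_EXTRA_CA_CERTS=/path/to/ca.pem rather than NODE_TLS_REJECT_UNAUTHORIZED=0.
async function preflight(issuer) {
  if (process.env.NODE_TLS_REJECT_UNAUTHORIZED === '0') {
    console.warn('warning: NODE_TLS_REJECT_UNAUTHORIZED=0 disables certificate checks for all outbound TLS; use NODE_EXTRA_CA_CERTS instead');
  }
  const res = await fetch(discoveryUrl(issuer));
  if (!res.ok) throw new Error(`discovery endpoint returned HTTP ${res.status}`);
  return validateDiscovery(issuer, await res.json());
}

// Run inside the account container: OPENID_ISSUER=https://keycloak/realms/master node preflight.js
if (typeof require !== 'undefined' && require.main === module) {
  const issuer = process.env.OPENID_ISSUER;
  if (!issuer) { console.error('set OPENID_ISSUER'); process.exit(2); }
  preflight(issuer).then((problems) => {
    if (problems.length === 0) { console.log('discovery OK'); return; }
    for (const p of problems) console.error('PROBLEM:', p);
    process.exit(1);
  }).catch((err) => { console.error('discovery failed:', err.message); process.exit(1); });
}
```

A TLS failure shows up here as a rejected fetch (typically a "self-signed certificate" or "unable to verify" error) rather than as a silent strategy-registration failure in the service, which makes it much easier to tell a certificate problem from an issuer or redirect-URI misconfiguration.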