OAUTH2/OpenID-Connect fails with alpine based image
Authentication via OAUTH2/OpenID-Connect with Keycloak as IdP fails when using the Alpine based image; it succeeds with the Debian based one.
The images used were quay.io/hedgedoc/hedgedoc:1.7.1-alpine and quay.io/hedgedoc/hedgedoc:1.7.1-debian respectively.
Error log:
```
2021-01-14T02:07:05.827Z info: 10.244.0.1 - - [14/Jan/2021:02:07:05 +0000] "GET /auth/oauth2 HTTP/1.1" 302 0 "https://codimd.<redacted>.de/" "Mozilla/5.0 (X11; Linux x86_64; rv:85.0) Gecko/20100101 Firefox/85.0"
InternalOAuthError: Failed to obtain access token
    at OAuth2CustomStrategy.OAuth2Strategy._createOAuthError (/hedgedoc/node_modules/passport-oauth2/lib/strategy.js:408:17)
    at /hedgedoc/node_modules/passport-oauth2/lib/strategy.js:175:45
    at /hedgedoc/node_modules/oauth/lib/oauth2.js:191:18
    at ClientRequest.<anonymous> (/hedgedoc/node_modules/oauth/lib/oauth2.js:162:5)
    at ClientRequest.emit (events.js:314:20)
    at TLSSocket.socketErrorListener (_http_client.js:427:9)
    at TLSSocket.emit (events.js:314:20)
    at emitErrorNT (internal/streams/destroy.js:92:8)
    at emitErrorAndCloseNT (internal/streams/destroy.js:60:3)
    at processTicksAndRejections (internal/process/task_queues.js:84:21)
2021-01-14T02:07:06.103Z info: 10.244.0.1 - - [14/Jan/2021:02:07:06 +0000] "GET /auth/oauth2/callback?state=hCFMfFSMhyiYlCWCFj1qSbl4&session_state=164abb2b-382b-4a35-a3ec-f477782e0ad0&code=5aa9ca5c-bbb2-4e9d-a531-bead95b37a6d.164abb2b-382b-4a35-a3ec-f477782e0ad0.5051cf56-7697-4b0e-b62a-7f5f84a10cd8 HTTP/1.1" 500 148 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:85.0) Gecko/20100101 Firefox/85.0"
```
I just tested it on my private setup, which is also using Keycloak + OAuth. Worked fine with both base images. Could you share your config?
Our instance runs in Kubernetes and was migrated from hackmdio/hackmd:2.0.0. All configuration is done via env variables. The Keycloak Config appears to match https://docs.hedgedoc.org/guides/auth/keycloak/. Both HedgeDoc and Keycloak are behind a nginx reverse proxy ingress controller.
```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: codimd
  namespace: codimd
  labels:
    app: codimd
spec:
  replicas: 1
  selector:
    matchLabels:
      app: codimd
  template:
    metadata:
      labels:
        app: codimd
    spec:
      containers:
        - name: codimd
          image: quay.io/hedgedoc/hedgedoc:1.7.1-debian
          imagePullPolicy: Always
          env:
            - name: "CMD_DB_URL"
              valueFrom:
                secretKeyRef:
                  name: codimd-cfg
                  key: pg_cstr
            - name: "CMD_DOMAIN"
              value: "codimd.<redacted>"
            - name: "CMD_USECDN"
              value: "false"
            - name: "CMD_PROTOCOL_USESSL"
              value: "true"
            - name: "CMD_EMAIL"
              value: "true"
            - name: "CMD_URL_ADDPORT"
              value: "false"
            - name: "CMD_ALLOW_EMAIL_REGISTER"
              value: "false"
            - name: "CMD_ALLOW_ANONYMOUS"
              value: "true"
            - name: "CMD_ALLOW_ANONYMOUS_EDITS"
              value: "false"
            - name: "CMD_OAUTH2_USER_PROFILE_URL"
              value: "https://keycloak.<redacted>/auth/realms/<redacted>/protocol/openid-connect/userinfo"
            - name: "CMD_OAUTH2_USER_PROFILE_USERNAME_ATTR"
              value: "preferred_username"
            - name: "CMD_OAUTH2_USER_PROFILE_DISPLAY_NAME_ATTR"
              value: "name"
            - name: "CMD_OAUTH2_USER_PROFILE_EMAIL_ATTR"
              value: "email"
            - name: "CMD_OAUTH2_TOKEN_URL"
              value: "https://keycloak.<redacted>/auth/realms/<redacted>/protocol/openid-connect/token"
            - name: "CMD_OAUTH2_AUTHORIZATION_URL"
              value: "https://keycloak.<redacted>/auth/realms/<redacted>/protocol/openid-connect/auth"
            - name: "CMD_OAUTH2_CLIENT_ID"
              value: "codimd"
            - name: "CMD_OAUTH2_CLIENT_SECRET"
              value: "<redacted>"
            - name: "CMD_OAUTH2_PROVIDERNAME"
              value: "Keycloak"
            - name: "CMD_SESSION_SECRET"
              value: "<redacted>"
          ports:
            - name: http-codimd
              containerPort: 3000
          volumeMounts:
            - name: uploads
              mountPath: /home/hackmd/app/public/uploads
      volumes:
        - name: uploads
          hostPath:
            path: /srv/codimd/codimd
```
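Before comparing base images it is worth sanity-checking the OAuth2 part of such a manifest mechanically: all three `CMD_OAUTH2_*` endpoints should be HTTPS and point at the same Keycloak origin and realm, and the secrets (`CMD_DB_URL`, `CMD_OAUTH2_CLIENT_SECRET`, `CMD_SESSION_SECRET`) should come from a `Secret` via `valueFrom.secretKeyRef`, as `CMD_DB_URL` already does above, rather than as inline literals in the Deployment. The checker below is an added example, not HedgeDoc's or the reporter's code; `ENV` is a constructed subset of the manifest's env list with placeholder hosts, realm and secret values standing in for the redacted ones.

```python
"""Consistency checks for HedgeDoc CMD_OAUTH2_* settings in a Kubernetes env list."""
from urllib.parse import urlsplit

# Constructed subset of the Deployment's env entries (placeholder host/realm/secrets).
ENV = [
    {'name': 'CMD_DB_URL', 'valueFrom': {'secretKeyRef': {'name': 'codimd-cfg', 'key': 'pg_cstr'}}},
    {'name': 'CMD_DOMAIN', 'value': 'codimd.example.invalid'},
    {'name': 'CMD_PROTOCOL_USESSL', 'value': 'true'},
    {'name': 'CMD_OAUTH2_USER_PROFILE_URL',
     'value': 'https://keycloak.example.invalid/auth/realms/demo/protocol/openid-connect/userinfo'},
    {'name': 'CMD_OAUTH2_TOKEN_URL',
     'value': 'https://keycloak.example.invalid/auth/realms/demo/protocol/openid-connect/token'},
    {'name': 'CMD_OAUTH2_AUTHORIZATION_URL',
     'value': 'https://keycloak.example.invalid/auth/realms/demo/protocol/openid-connect/auth'},
    {'name': 'CMD_OAUTH2_CLIENT_ID', 'value': 'codimd'},
    {'name': 'CMD_OAUTH2_CLIENT_SECRET', 'value': 'PLACEHOLDER-CLIENT-SECRET'},
    {'name': 'CMD_SESSION_SECRET', 'value': 'PLACEHOLDER-SESSION-SECRET'},
]

SECRET_VARS = {'CMD_DB_URL', 'CMD_OAUTH2_CLIENT_SECRET', 'CMD_SESSION_SECRET'}
OAUTH_URL_VARS = ('CMD_OAUTH2_AUTHORIZATION_URL', 'CMD_OAUTH2_TOKEN_URL', 'CMD_OAUTH2_USER_PROFILE_URL')
REQUIRED = OAUTH_URL_VARS + ('CMD_OAUTH2_CLIENT_ID', 'CMD_OAUTH2_CLIENT_SECRET')


def check_env(env):
    """Return a list of human-readable findings; an empty list means the checks passed."""
    findings = []
    by_name = {e['name']: e for e in env}

    for name in REQUIRED:
        if name not in by_name:
            findings.append(f'missing {name}')

    # Secrets belong in a Secret object, not as literal values in the Deployment spec.
    for name in sorted(SECRET_VARS & set(by_name)):
        if 'value' in by_name[name]:
            findings.append(f'{name} is an inline literal; source it via valueFrom.secretKeyRef')

    origins, realms = set(), set()
    for name in OAUTH_URL_VARS:
        entry = by_name.get(name)
        if not entry or 'value' not in entry:
            continue
        u = urlsplit(entry['value'])
        if u.scheme != 'https':
            findings.append(f'{name} is not https')
        origins.add(u.netloc)
        # Keycloak endpoints share the '/auth/realms/<realm>' prefix before '/protocol/'.
        realms.add(u.path.split('/protocol/')[0])
    if len(origins) > 1:
        findings.append('OAuth2 endpoints point at different origins: ' + ', '.join(sorted(origins)))
    if len(realms) > 1:
        findings.append('OAuth2 endpoints point at different realms: ' + ', '.join(sorted(realms)))
    return findings


if __name__ == '__main__':
    for finding in check_env(ENV) or ['no findings']:
        print(finding)
```

For the manifest in this thread the only findings are the two inline secrets; the endpoint URLs are consistent, so a failing token request is not explained by the configuration values themselves.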
I'll look into those details later and try to reproduce. But for now, please check the volume mount! This is not where uploads on the hedgedoc image are stored!
Thanks, I totally missed that. Fixed it.
I am facing the same issue.
@kjkriegel Did you manage to fix it?
This issue had no activity for quite some time. I guess the problem was resolved in the meantime. If it persists with current docker images, feel free to re-open.