openid-connect-generic
"invalid token" with Keycloak
I use WordPress in K3S with Keycloak for auth. The openid connect plugin has worked for me before, but I switched to a new Keycloak realm and upgraded Keycloak and now, no matter what I try to get back to the old configuration, I receive "ERROR (invalid-token): Invalid token." from WP when trying to log in. Some observations:
- I am almost certain that the openid connect settings on wordpress are OK (just with the new realm of course).
- I get redirected to the Keycloak login and authentication seems to work, at least an active session appears in Keycloak.
- I see no errors in the Keycloak log.
- I have not checked the POST that WP uses to acquire the token (actually, I would not know where to look, it's not in the debug log of OpenID Connect and not in the browser network log, which is probably normal).
- I can get a token via Postman and posted it below - maybe there is something wrong with it and I don't see it.
- Same behaviour in anonymous browser window.
- I suspect something is wrong with my Keycloak TLS configuration. After all, that is why I started changing things. I did have to "Disable SSL Verify" in openid connect to make it work in the first place, because there is a self-signed cert in my chain. However, I am back to the old configuration with "Disable SSL Verify" and still get "invalid token". When trying to get SSL enabled, I got a different curl error.
{
  "alg": "RS256",
  "typ": "JWT",
  "kid": "nrk4PPJ3BIJfd3sDgvxbBl_eeFUwzPRLOVYTyEFbliM"
}.{
  "exp": 1721745035,
  "iat": 1721744735,
  "auth_time": 1721744731,
  "jti": "c7102ae3-6042-452f-8c23-582500807312",
  "iss": "https://keycloak.upsize.de/realms/K3S",
  "aud": "account",
  "sub": "173dbe22-87d6-47a2-a63c-d1b6a2319d9c",
  "typ": "Bearer",
  "azp": "upsize",
  "session_state": "c77c5f9b-f2d1-47c8-a5f3-1fbcd0cafa6a",
  "acr": "1",
  "allowed-origins": [
    "https://upsize.de",
    "https://www.upsize.de"
  ],
  "realm_access": {
    "roles": [
      "default-roles-k3s",
      "offline_access",
      "uma_authorization"
    ]
  },
  "resource_access": {
    "account": {
      "roles": [
        "manage-account",
        "manage-account-links",
        "view-profile"
      ]
    }
  },
  "scope": "openid offline_access email profile",
  "sid": "c77c5f9b-f2d1-47c8-a5f3-1fbcd0cafa6a",
  "email_verified": true,
  "name": "Toni Tester",
  "preferred_username": "test",
  "given_name": "Toni",
  "family_name": "Tester",
  "email": "[email protected]"
}.[Signature]
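As an added example, not code from the plugin or from the original post: the claim checks an OpenID Connect relying party performs on a token (issuer, audience, authorized party, expiry, issued-at), run over the claims of the token posted above. It assumes the WordPress client ID is "upsize" (taken from the azp claim), pins "now" inside the token's five-minute lifetime so the result is stable, and does not verify the signature.

```python
import base64
import json
from typing import Any

# Claims copied from the decoded access token posted above (constructed subset;
# only the claim values are checked here, not the signature).
POSTED_CLAIMS: dict[str, Any] = {
    "exp": 1721745035,
    "iat": 1721744735,
    "iss": "https://keycloak.upsize.de/realms/K3S",
    "aud": "account",
    "azp": "upsize",
    "typ": "Bearer",
    "scope": "openid offline_access email profile",
}


def decode_payload_unverified(token: str) -> dict[str, Any]:
    """Base64url-decode the middle segment of a compact JWT (no signature check)."""
    segment = token.split(".")[1]
    segment += "=" * (-len(segment) % 4)  # restore the padding JWTs strip
    return json.loads(base64.urlsafe_b64decode(segment))


def check_claims(claims: dict[str, Any], expected_issuer: str, client_id: str,
                 now: int, leeway: int = 60) -> list[str]:
    """Return the names of the relying-party checks this token fails (empty = OK).

    Follows OpenID Connect Core 3.1.3.7 for iss/aud/azp/exp/iat, plus a
    Keycloak-specific sanity check on "typ".
    """
    failures: list[str] = []
    if claims.get("iss") != expected_issuer:
        failures.append("iss")
    aud = claims.get("aud", [])
    audiences = [aud] if isinstance(aud, str) else list(aud)
    if client_id not in audiences:            # token was not minted for this client
        failures.append("aud")
    if len(audiences) > 1 and claims.get("azp") != client_id:
        failures.append("azp")
    exp = claims.get("exp")
    if not isinstance(exp, int) or exp + leeway <= now:
        failures.append("exp")
    iat = claims.get("iat")
    if not isinstance(iat, int) or iat - leeway > now:
        failures.append("iat")
    # Keycloak sets "typ": "ID" on ID tokens and "typ": "Bearer" on access tokens;
    # a login flow that expects an ID token should refuse the latter.
    if claims.get("typ") == "Bearer":
        failures.append("typ")
    return failures


if __name__ == "__main__":
    print(check_claims(POSTED_CLAIMS, "https://keycloak.upsize.de/realms/K3S",
                       "upsize", now=1721744800))  # ['aud', 'typ']
```

With the client ID "upsize" the posted token fails the audience check (its aud is "account") and is an access token rather than an ID token; changing the audience via a Keycloak client mapper, or checking which token the plugin validates, are the two things this output points at.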