Keycloak OIDC not supported
Release: wandb/local:0.58.1
I'm trying to configure a local instance of wandb to use Keycloak as an OIDC provider, but struggling to get it to work either through the web admin settings or by setting docker environment variables.
I believe it's because of the way keycloak uses 'realms' - so where most OIDC providers will use a URL of the schema https://{DOMAIN}/users/sign_in keycloak uses something like https://{DOMAIN}/realms/{REALM_NAME}/protocol/openid-connect/auth?client_id={CLIENT_ID}.
Other OIDC clients (e.g. Outline) allow more expressive docker environment variables which work with Keycloak, e.g.:
OIDC_AUTH_URI=https://{DOMAIN}/realms/{REALM_NAME}/protocol/openid-connect/auth
OIDC_TOKEN_URI=https://{DOMAIN}/realms/{REALM_NAME}/protocol/openid-connect/token
OIDC_USERINFO_URI=https://{DOMAIN}/realms/{REALM_NAME}/protocol/openid-connect/userinfo
But if I try to set these for wandb, the gorilla service still tries to use the old url schema and panics as it does not exist:
{"level":"INFO","time":"2024-09-07T15:44:41.254942969Z","info":{"program":"gorilla","source":"github.com/wandb/core/services/gorilla/cmd/gorilla.go:1409","pid":1583},"data":{"dd.service":"gorilla","dd.version":"18d22e645275697ba614e1d1ea139452c4bed39f"},"message":"parsed schema","dd.trace_id":""}
panic: Get "https://{DOMAIN}/users/sign_in": stopped after 10 redirects
goroutine 1 [running]:
github.com/wandb/core/services/gorilla/cmd.(*gorillaCommander).MainCmd(0xc00188db00, {0xc00188dbe0, 0x1, 0x1})
/home/circleci/go/src/github.com/wandb/core/services/gorilla/cmd/gorilla.go:1528 +0xccb6
main.main()
/home/circleci/go/src/github.com/wandb/core/services/gorilla/cmd/megabinary/main.go:75 +0x431
Apologies if this is implemented and I am missing it in the docs, but am struggling to find anything.
Bonnie Shen commented: Hello Benjamin: Thanks for writing to us! Here's some resource to configure Keycloak as OIDC provider. Please give it a try and let us know if it works for you. Best, W&B
Bonnie Shen commented: Request #75109 "Keycloak OIDC not supported" was closed and merged into this request. Last comment in request #75109:
exalate-issue-sync[bot] commented: Bonnie Shen commented: Hello Benjamin: Thanks for writing to us! Here's some resource to configure Keycloak as OIDC provider. Please give it a try and let us know if it works for you. Best, W&B
Bonnie Shen commented: This request was closed and merged into request #75110 "[Local (Wandb Server)] Keycloak ...".
Hi Bonnie,
Thanks for getting back to me - glad to see there are resources available to help! Sorry but I'm not seeing a link or any attachments here - could you please resend?
Thanks, Benjamin
Hi @b-d-e ! It seemed like my link didn't get carried over from my backend. I'm attaching it here directly in the comment. Sorry for the inconvenience.
Thanks @boshwandb! Is that a private repo? I'm getting a 404.
I apologize, it is currently a private repo. Let me list the instructions here in the next comment. Your patience is greatly appreciated.
Keycloak Configuration
- Create Keycloak realm
This is optional and you can use the master realm, but it's highly recommended to work with realms.
- Create and Configure Client
:warning: Replace all the values with valid values for your organization.
The next step after creating the realm is to set up the client, which is the configuration to be used by the application that will authenticate with Keycloak.
The client type must be OpenID Connect.
- Create client
- Configure the client
Keep the Standard flow and the Implicit flow enabled.
- Set W&B URLs
For this configuration, the most important URL is the Valid redirect URLs.
This is the callback URL that Keycloak will call to send W&B the authentication token.
- Configure OIDC Scope
When the client type OpenID Connect is created, Keycloak already set a default OIDC scope that contain all required claims. However, some Keycloak configuration may set different claims for OIDC scopes.
For W&B, one of the most important claims is the email, so regardless of the scope you will use, ensure the claims email and profile are set to Default.
- Enable PKCE
Still in the client configuration, navigate to the Advanced tab and click on Advanced Settings
Search for the drop down menu Proof key code exchange and select S256
Save the configuration.
- Add user and/or groups
Now the next step is to assign users and/or groups to the newly created realm to allow users to authenticate using the newly created wandb client.
W&B Configuration
The W&B configuration will depend on how you installed the platform. For this guide, I will cover the configuration using the W&B helm chart and the configuration via the W&B Operator console.
- Helm Chart
As highlighted in the above link, you will need to add the Keycloak configuration according to the example below in the values.yaml you used to install W&B.
```yaml
sso:
  enabled: true
  # Automatically provision a user if SSO auth succeeds
  autoProvision: true
  clientId: wandb
  issuer: http://keycloak.home.lab/realms/wandb/
  # Can be implicit or pkce
  method: pkce
```
Once the values.yaml is configured, apply the new configuration and test it.
- Operator Console
Navigate to https://<WANDB FQDN>/console/settings/auth and input Keycloak data.
Login Screens
W&B Login
Login redirected to Keycloak for Authentication
In case the Keycloak user is also new, it may need to change the password depending on how Keycloak is configured.
After SSO authentication, user is created in W&B
Login is complete
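The thread's opening post and the configuration guide above both turn on the same point: a Keycloak realm is an OIDC issuer, so a client only needs the realm URL and can derive every endpoint from the discovery document at `<issuer>/.well-known/openid-configuration`. The script below is an added example, not code from the issue, from Keycloak or from W&B. It builds the discovery URL from an issuer, validates a discovery document against what the guide requires (endpoints inside the realm, the `email` and `profile` scopes and `email` claim, `S256` for `method: pkce`), and derives a PKCE S256 challenge. The sample discovery document is constructed to match the shape Keycloak serves and is trimmed to the fields checked; the hostname `keycloak.home.lab` is taken from the values.yaml above. The issuer comparison strips a trailing slash because the values.yaml has one while Keycloak's issuer (and the `iss` claim in its tokens) does not.

```python
"""Offline sanity check for a Keycloak realm used as a W&B OIDC issuer.

Added example, not part of the issue thread or of W&B's code. It assumes the
issuer is the realm URL (https://<DOMAIN>/realms/<REALM>) and that the W&B
client is configured with method: pkce, as in the thread's values.yaml.
"""
import base64
import hashlib
import json
import secrets
import urllib.request  # used only by fetch_discovery(); the demo stays offline
from typing import Optional

WELL_KNOWN = ".well-known/openid-configuration"


def discovery_url(issuer: str) -> str:
    """OIDC Discovery appends the well-known path to the issuer.

    Keycloak's issuer has no trailing slash; stripping one here avoids
    requesting '.../realms/wandb//.well-known/...'.
    """
    return issuer.rstrip("/") + "/" + WELL_KNOWN


def fetch_discovery(issuer: str, timeout: float = 5.0) -> dict:
    """Live variant: fetch the discovery document over HTTPS (not run here)."""
    with urllib.request.urlopen(discovery_url(issuer), timeout=timeout) as resp:
        return json.load(resp)


def pkce_pair(verifier: Optional[str] = None) -> tuple:
    """Return (code_verifier, code_challenge) for the S256 method (RFC 7636).

    This is what the 'Proof key code exchange: S256' client setting expects:
    challenge = BASE64URL(SHA256(ASCII(verifier))) without '=' padding.
    """
    if verifier is None:
        verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode()
    return verifier, challenge


def check_discovery(doc: dict, configured_issuer: str) -> list:
    """Return a list of problems; an empty list means the realm looks usable."""
    problems = []
    issuer = str(doc.get("issuer") or "")
    if issuer != configured_issuer.rstrip("/"):
        problems.append(f"issuer mismatch: discovery says {issuer!r}, config has {configured_issuer!r}")
    # Every endpoint must live under the realm, i.e. /realms/<REALM>/protocol/openid-connect/...
    for key in ("authorization_endpoint", "token_endpoint", "userinfo_endpoint", "jwks_uri"):
        if not str(doc.get(key) or "").startswith(issuer + "/"):
            problems.append(f"{key} missing or outside the realm: {doc.get(key)!r}")
    if "S256" not in doc.get("code_challenge_methods_supported", []):
        problems.append("S256 not advertised; 'method: pkce' cannot work against this realm")
    for scope in ("openid", "email", "profile"):
        if scope not in doc.get("scopes_supported", []):
            problems.append(f"scope {scope!r} not supported by the realm")
    if "email" not in doc.get("claims_supported", []):
        problems.append("email claim not advertised; W&B needs it to provision users")
    return problems


# Constructed sample, not captured from a real server: the shape Keycloak
# serves for a realm named 'wandb', trimmed to the fields checked above.
ISSUER = "https://keycloak.home.lab/realms/wandb"
SAMPLE_DISCOVERY = {
    "issuer": ISSUER,
    "authorization_endpoint": ISSUER + "/protocol/openid-connect/auth",
    "token_endpoint": ISSUER + "/protocol/openid-connect/token",
    "userinfo_endpoint": ISSUER + "/protocol/openid-connect/userinfo",
    "jwks_uri": ISSUER + "/protocol/openid-connect/certs",
    "scopes_supported": ["openid", "email", "profile", "roles", "offline_access"],
    "claims_supported": ["sub", "iss", "email", "email_verified", "name", "preferred_username"],
    "code_challenge_methods_supported": ["plain", "S256"],
}

if __name__ == "__main__":
    # The values.yaml in the thread writes the issuer with a trailing slash.
    configured = ISSUER + "/"
    print("discovery URL:", discovery_url(configured))
    print("problems:", check_discovery(SAMPLE_DISCOVERY, configured) or "none")
    verifier, challenge = pkce_pair()
    print("code_verifier:", verifier)
    print("code_challenge (S256):", challenge)
```

To run it against a live realm, replace `SAMPLE_DISCOVERY` with `fetch_discovery(ISSUER)` and compare `authorization_endpoint`, `token_endpoint` and `userinfo_endpoint` with the `OIDC_*_URI` values from the opening post; if the document checks out but the login still fails, the issue is in the client registration (redirect URI, scope mappers) rather than in the URL layout.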
Bonnie Shen commented: Hi Benjamin,
We wanted to follow up with you regarding your support request as we have not heard back from you. Please let us know if we can be of further assistance or if your issue has been resolved.
Best, Weights & Biases
Hi Bonnie. I have had a quick look (on docker, not with helm), though was hitting another issue - but I think that might be a networking problem my end.
Do you have a comprehensive list of the environment variables a docker instance of wandb/local takes? There's this list, but that isn't exhaustive (e.g. there's some GORILLA vars that aren't in there)
Hi @b-d-e ! Does this one help?
Bonnie Shen commented: Hi @b-d-e,
We wanted to follow up with you regarding your support request as we have not heard back from you. Please let us know if we can be of further assistance or if your issue has been resolved.
Best, Weights & Biases
Bonnie Shen commented: Hi @b-d-e, since we have not heard back from you we are going to close this request. If you would like to re-open the conversation, please let us know!