Keycloak SSO brings back to login page

[mlbiche]

I am trying to implement SSO authentication through a Keycloak server. Directus (9.17.4) running locally, Keycloak (19) running remotely, the authentication from the Directus admin application does not work as expected.

Here is my Directus config related to SSO:

####################################################################################################
## General

HOST="0.0.0.0"
PORT=8055
PUBLIC_URL="http://localhost:8055"

####################################################################################################
## Database
[...]


####################################################################################################
## CORS
[...]

####################################################################################################
## Rate Limiting
[...]

####################################################################################################
## Cache
[...]

###########################################################

#########################################
## File Storage
[...]

####################################################################################################
## Security

KEY=[...]
SECRET=[...]


ACCESS_TOKEN_TTL="15m"
REFRESH_TOKEN_TTL="7d"
REFRESH_TOKEN_COOKIE_NAME="directus_refresh_token"

####################################################################################################
## Auth Providers
AUTH_PROVIDERS="keycloak"

AUTH_KEYCLOAK_DRIVER="openid"
AUTH_KEYCLOAK_CLIENT_ID="{My Client ID}"
AUTH_KEYCLOAK_CLIENT_SECRET="{My Client Secret}"
AUTH_KEYCLOAK_ISSUER_URL="https://{The Keycloak remote server}/realms/local/.well-known/openid-configuration"
AUTH_KEYCLOAK_IDENTIFIER_KEY="email"
AUTH_KEYCLOAK_ALLOW_PUBLIC_REGISTRATION="true" # Not sur if I have to enable it 🤔

REFRESH_TOKEN_COOKIE_DOMAIN="localhost:8055"
REFRESH_TOKEN_COOKIE_SECURE="true"
REFRESH_TOKEN_COOKIE_SAME_SITE="None"

####################################################################################################
## Extensions
[...]

####################################################################################################
## Email
[...]

####################################################################################################
## Admin Account
[...]

LOG_LEVEL="trace"

The Keycloak login button is displayed on http://localhost:8055/admin/login. When I click it and log in on the Keycloak authentication page (using email tmlb@pm.me), tracking the Network shows me something as this:

And in the Directus logs:

13:31:08 ✨ request completed GET 302 /auth/login/keycloak?redirect=http://localhost:8055/admin/login?continue 14ms
13:31:09 🔍 [0.624ms] select "ip_access" from "directus_roles" where "id" is null limit $1 [1]
13:31:13 🔍 [4.313ms] select "id" from "directus_users" where LOWER("external_identifier") = $1 limit $2 [tmlb@pm.me, 1]
13:31:13 🔍 [1.095ms] update "directus_users" set "auth_data" = $1 where "id" in ($2) [{"refreshToken":"eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJjZDNlM2M4Mi0xODA3LTRhYjItOWI1ZC0zMmE1MzBlYjEzNzgifQ.eyJleHAiOjE2NjU3NDg4NjksImlhdCI6MTY2NTc0NzA2OSwianRpIjoiNzIzY2U3ODUtZTA3MC00N2QyLTk2N2UtNTAyNjVmMTU0ZjkxIiwiaXNzIjoiaHR0cHM6Ly9yZWNldHRlLmNvbm5lY3QuaW5jbHVzaW9uLmJldGEuZ291di5mci9yZWFsbXMvbG9jYWwiLCJhdWQiOiJodHRwczovL3JlY2V0dGUuY29ubmVjdC5pbmNsdXNpb24uYmV0YS5nb3V2LmZyL3JlYWxtcy9sb2NhbCIsInN1YiI6IjA2MmQ2NWJjLTAxYzItNGU1Yi05MTBmLTQwNzU1YjNlNTExMSIsInR5cCI6IlJlZnJlc2giLCJhenAiOiJsb2NhbF9pbmNsdXNpb25fY29ubmVjdCIsInNlc3Npb25fc3RhdGUiOiIyMzVhM2ZlYi1hYzg4LTQyZmEtYWJkNy1iZWI1NjY3Y2ZhYTMiLCJzY29wZSI6Im9wZW5pZCBwcm9maWxlIGVtYWlsIiwic2lkIjoiMjM1YTNmZWItYWM4OC00MmZhLWFiZDctYmViNTY2N2NmYWEzIn0.rTIV2McXV0DG0GcxhI_FQZsS5RIKYAxtgMyxAsJ0zdo"}, 6668d01a-7e7a-41e6-b420-8db9bb4cf677]
13:31:13 🔍 [1.134ms] select "u"."id", "u"."first_name", "u"."last_name", "u"."email", "u"."password", "u"."status", "u"."role", "r"."admin_access", "r"."app_access", "u"."tfa_secret", "u"."provider", "u"."external_identifier", "u"."auth_data" from "directus_users" as "u" left join "directus_roles" as "r" on "u"."role" = "r"."id" where "u"."id" = $1 limit $2 [6668d01a-7e7a-41e6-b420-8db9bb4cf677, 1]
13:31:13 🔍 [0.504ms] select "directus_settings"."auth_login_attempts", "directus_settings"."id" from "directus_settings" order by "directus_settings"."id" asc limit $1 [1]
13:31:14 🔍 [0.541ms] update "directus_users" set "auth_data" = $1 where "id" in ($2) [{"refreshToken":"eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJjZDNlM2M4Mi0xODA3LTRhYjItOWI1ZC0zMmE1MzBlYjEzNzgifQ.eyJleHAiOjE2NjU3NDg4NzQsImlhdCI6MTY2NTc0NzA3NCwianRpIjoiMzNlYTQyZDQtNGUyMi00ZDZhLWEzNGMtMWUwYWIyYmMzMTZiIiwiaXNzIjoiaHR0cHM6Ly9yZWNldHRlLmNvbm5lY3QuaW5jbHVzaW9uLmJldGEuZ291di5mci9yZWFsbXMvbG9jYWwiLCJhdWQiOiJodHRwczovL3JlY2V0dGUuY29ubmVjdC5pbmNsdXNpb24uYmV0YS5nb3V2LmZyL3JlYWxtcy9sb2NhbCIsInN1YiI6IjA2MmQ2NWJjLTAxYzItNGU1Yi05MTBmLTQwNzU1YjNlNTExMSIsInR5cCI6IlJlZnJlc2giLCJhenAiOiJsb2NhbF9pbmNsdXNpb25fY29ubmVjdCIsInNlc3Npb25fc3RhdGUiOiIyMzVhM2ZlYi1hYzg4LTQyZmEtYWJkNy1iZWI1NjY3Y2ZhYTMiLCJzY29wZSI6Im9wZW5pZCBwcm9maWxlIGVtYWlsIiwic2lkIjoiMjM1YTNmZWItYWM4OC00MmZhLWFiZDctYmViNTY2N2NmYWEzIn0.7_HEamARKj715PettQ5Kh-h9xF6gJwPChuNcOR6gGFU"}, 6668d01a-7e7a-41e6-b420-8db9bb4cf677]
13:31:14 🔍 [1.337ms] insert into "directus_sessions" ("expires", "ip", "origin", "token", "user", "user_agent") values ($1, $2, DEFAULT, $3, $4, $5) [Fri Oct 21 2022 13:31:14 GMT+0200 (heure d’été d’Europe centrale), 127.0.0.1, mCZTGBxfVMldCdTgFnkZqZ3P96tXPOTKvFx_PZ94jvm46I64QpZX2z1Gi9MwLtKO, 6668d01a-7e7a-41e6-b420-8db9bb4cf677, Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:105.0) Gecko/20100101 Firefox/105.0]
13:31:14 🔍 [0.547ms] delete from "directus_sessions" where "expires" < $1 [Fri Oct 14 2022 13:31:14 GMT+0200 (heure d’été d’Europe centrale)]
13:31:14 🔍 [0.719ms] insert into "directus_activity" ("action", "collection", "ip", "item", "origin", "timestamp", "user", "user_agent") values ($1, $2, $3, $4, DEFAULT, $5, $6, $7) returning "id" [login, directus_users, 127.0.0.1, 6668d01a-7e7a-41e6-b420-8db9bb4cf677, Fri Oct 14 2022 13:31:14 GMT+0200 (heure d’été d’Europe centrale), 6668d01a-7e7a-41e6-b420-8db9bb4cf677, Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:105.0) Gecko/20100101 Firefox/105.0]
13:31:14 🔍 [0.708ms] update "directus_users" set "last_access" = $1 where "id" = $2 [Fri Oct 14 2022 13:31:14 GMT+0200 (heure d’été d’Europe centrale), 6668d01a-7e7a-41e6-b420-8db9bb4cf677]
13:31:14 ✨ request completed GET 302 /auth/login/keycloak/callback?state=CsaY8ttkkWckqKnfF9qeAHZbpa9eTXC4kIFr1nbPaoU&session_state=235a3feb-ac88-42fa-abd7-beb5667cfaa3&code=17124219-d21f-482c-bcc5-360d65493310.235a3feb-ac88-42fa-abd7-beb5667cfaa3.c6998633-009d-4ae3-9a07-a89cfbd1a3d9 4.9s
13:31:14 ✨ request completed GET 200 /admin/login?continue 1ms

At the end, I end up on the Directus login page as if nothing happened, except the continue query param in the URL.

From what I understand from the OIDC protocol, Directus should ask the Keycloak server for the token by calling https://{The Keycloak remote server}/realms/local/protocol/openid-connect/token but it doesn't appear in the network.

Am I missing something ? Thank you 🤙

[mlbiche]

Finally, get it working. I am now able to log in through Keycloak SSO from the Directus login page by removing from the config:

REFRESH_TOKEN_COOKIE_DOMAIN="localhost:8055"
REFRESH_TOKEN_COOKIE_SECURE="true"
REFRESH_TOKEN_COOKIE_SAME_SITE="None"

But as I need seamless SSO, I have to find out what's wrong with these REFRESH_TOKEN_COOKIE configs.

[aidenfoxx]

I believe "SameSite=Lax" should work cross-port for our authentication flow (since we only use GET requests). That wouldn't require you to use the "Secure" flag. But I've not tested it.

[mlbiche]

Just tried it out with

REFRESH_TOKEN_COOKIE_SECURE=false
REFRESH_TOKEN_COOKIE_SAME_SITE="lax"
REFRESH_TOKEN_COOKIE_DOMAIN="http://localhost:8055"

I get an Invalid user credentials on the refresh when brought back to the login page.

EDIT: The issue comes from REFRESH_TOKEN_COOKIE_DOMAIN="http://localhost:8055". Without providing it, I can log in successfully from Directus login page

EDIT2: It also works for seamless SSO from the web client 🎉

[aidenfoxx]

Woop, woop! 🥳

[mlbiche]

Do you give me the go to update the documentation ? I may have time to spend on it until the end of the week 👍

[aidenfoxx]

The general SSO configuration options page is here https://docs.directus.io/self-hosted/config-options.html#sso-oauth2-and-openid and the seamless SSO page is here https://docs.directus.io/self-hosted/sso.html. Both can be edited by selecting the "Edit this page on GitHub" link in the bottom left of each page.

Contributions to the docs are super valuable and always appreciated! ❤️

[useEffects]

same issue, tried everything but no use

[useEffects]

#21682