
Keycloak configuration results in InvalidAlgorithmError('The specified alg value is not allowed') #4473

Closed
enspritz opened this issue Sep 9, 2020 · 3 comments


enspritz commented Sep 9, 2020

Describe the issue

We've configured a Docker-based Weblate 4.1.1-3 instance to connect with Keycloak 11.0.2 according to the procedure described in python-social-auth keycloak.py.

Initiating a user login workflow from Weblate's web UI by clicking the "keycloak" button on the Weblate's login form redirects us to Keycloak as intended. After successful authentication in Keycloak, the browser is redirected back to weblate during a long pause, resulting in the browser coming to a stand-still at a "Server Error".
The admin email account receives two emails detailing the error, the first with nice HTML formatting and a stack trace, the second in plaintext with less detail.

Looking at the point of failure in stack trace:

        if algorithms is not None and alg not in algorithms:
            raise InvalidAlgorithmError('The specified alg value is not allowed')

the local vars indicate alg is RS256 but algorithms is empty.

Any assistance is greatly appreciated!

Debug info

The browser stops at url:

https://weblate.site.jp/accounts/complete/keycloak/?redirect_state=XU9cOv0bq21ohmkhMlr9fpapDfcGq3rA&state=XU9cOv0bq21ohmkhMlr9fpapDfcGq3rA&session_state=4f27dadc-3c5e-4660-940b-1c244133e724&code=07b1024c-2879-4f58-a1d9-27aa2974fdda.4f27dadc-3c5e-4660-940b-1c244133e724.4be541f1-d930-45f7-8e37-42b4993cdb3d

The HTML formatted error email begins:

Request Method: GET
Request URL: https://weblate.site.jp/accounts/complete/keycloak/?redirect_state=XU9cOv0bq21ohmkhMlr9fpapDfcGq3rA&state=XU9cOv0bq21ohmkhMlr9fpapDfcGq3rA&session_state=4f27dadc-3c5e-4660-940b-1c244133e724&code=07b1024c-2879-4f58-a1d9-27aa2974fdda.4f27dadc-3c5e-4660-940b-1c244133e724.4be541f1-d930-45f7-8e37-42b4993cdb3d
Django Version: 3.0.8
Exception Type: InvalidAlgorithmError
Exception Value: The specified alg value is not allowed
Exception Location: /usr/local/lib/python3.7/dist-packages/jwt/api_jws.py in _verify_signature, line 216
Python Executable: /usr/bin/uwsgi-core
Python Version: 3.7.3
Python Path: ['/usr/local/lib/python3.7/dist-packages/git/ext/gitdb',  '/',  '/usr/local/lib/python3.7/dist-packages/',  '.',  '',  '/usr/lib/python37.zip',  '/usr/lib/python3.7',  '/usr/lib/python3.7/lib-dynload',  '/usr/local/lib/python3.7/dist-packages',  '/app/data/python',  '/usr/lib/python3/dist-packages',  '/usr/local/lib/python3.7/dist-packages/gitdb/ext/smmap']

Stack trace from docker logs weblate:

nginx stdout | 172.17.0.19 - - [09/Sep/2020:08:47:03 +0000] "POST /accounts/login/keycloak/?next=/ HTTP/1.0" 302 0 "https://weblate.site.jp/" "Mozilla/5.0 "
uwsgi stderr | ERROR Internal Server Error: /accounts/complete/keycloak/
uwsgi stderr | Traceback (most recent call last):
uwsgi stderr |   File "/usr/local/lib/python3.7/dist-packages/django/core/handlers/exception.py", line 34, in inner
uwsgi stderr |     response = get_response(request)
uwsgi stderr |   File "/usr/local/lib/python3.7/dist-packages/django/core/handlers/base.py", line 115, in _get_response
uwsgi stderr |     response = self.process_exception_by_middleware(e, request)
uwsgi stderr |   File "/usr/local/lib/python3.7/dist-packages/django/core/handlers/base.py", line 113, in _get_response
uwsgi stderr |     response = wrapped_callback(request, *callback_args, **callback_kwargs)
uwsgi stderr |   File "/usr/local/lib/python3.7/dist-packages/django/views/decorators/csrf.py", line 54, in wrapped_view
uwsgi stderr |     return view_func(*args, **kwargs)
uwsgi stderr |   File "/usr/local/lib/python3.7/dist-packages/django/views/decorators/cache.py", line 44, in _wrapped_view_func
uwsgi stderr |     response = view_func(request, *args, **kwargs)
uwsgi stderr |   File "/usr/local/lib/python3.7/dist-packages/weblate/accounts/views.py", line 1047, in social_complete
uwsgi stderr |     return complete(request, backend)
uwsgi stderr |   File "/usr/local/lib/python3.7/dist-packages/django/views/decorators/cache.py", line 44, in _wrapped_view_func
uwsgi stderr |     response = view_func(request, *args, **kwargs)
uwsgi stderr |   File "/usr/local/lib/python3.7/dist-packages/django/views/decorators/csrf.py", line 54, in wrapped_view
uwsgi stderr |     return view_func(*args, **kwargs)
uwsgi stderr |   File "/usr/local/lib/python3.7/dist-packages/social_django/utils.py", line 49, in wrapper
uwsgi stderr |     return func(request, backend, *args, **kwargs)
uwsgi stderr |   File "/usr/local/lib/python3.7/dist-packages/social_django/views.py", line 33, in complete
uwsgi stderr |     *args, **kwargs)
uwsgi stderr |   File "/usr/local/lib/python3.7/dist-packages/social_core/actions.py", line 45, in do_complete
uwsgi stderr |     user = backend.complete(user=user, *args, **kwargs)
uwsgi stderr |   File "/usr/local/lib/python3.7/dist-packages/social_core/backends/base.py", line 40, in complete
uwsgi stderr |     return self.auth_complete(*args, **kwargs)
uwsgi stderr |   File "/usr/local/lib/python3.7/dist-packages/social_core/utils.py", line 251, in wrapper
uwsgi stderr |     return func(*args, **kwargs)
uwsgi stderr |   File "/usr/local/lib/python3.7/dist-packages/social_core/backends/oauth.py", line 405, in auth_complete
uwsgi stderr |     *args, **kwargs)
uwsgi stderr |   File "/usr/local/lib/python3.7/dist-packages/social_core/utils.py", line 251, in wrapper
uwsgi stderr |     return func(*args, **kwargs)
uwsgi stderr |   File "/usr/local/lib/python3.7/dist-packages/social_core/backends/oauth.py", line 410, in do_auth
uwsgi stderr |     data = self.user_data(access_token, *args, **kwargs)
uwsgi stderr |   File "/usr/local/lib/python3.7/dist-packages/social_core/backends/keycloak.py", line 120, in user_data
uwsgi stderr |     audience=self.audience(),
uwsgi stderr |   File "/usr/local/lib/python3.7/dist-packages/jwt/api_jwt.py", line 92, in decode
uwsgi stderr |     jwt, key=key, algorithms=algorithms, options=options, **kwargs
uwsgi stderr |   File "/usr/local/lib/python3.7/dist-packages/jwt/api_jws.py", line 156, in decode
uwsgi stderr |     key, algorithms)
uwsgi stderr |   File "/usr/local/lib/python3.7/dist-packages/jwt/api_jws.py", line 216, in _verify_signature
uwsgi stderr |     raise InvalidAlgorithmError('The specified alg value is not allowed')
uwsgi stderr | jwt.exceptions.InvalidAlgorithmError: The specified alg value is not allowed
uwsgi stderr | [pid: 737|app: 0|req: 38/56] 172.17.0.19 () {52 vars in 1454 bytes} [Wed Sep  9 08:47:25 2020] GET /accounts/complete/keycloak/?redirect_state=NI9wQznwmlAR4s2sgsJe1p6t0lyDTc1b&state=NI9wQznwmlAR4s2sgsJe1p6t0lyDTc1b&session_state=052fb138-32ff-4bf4-8576-17c579318f54&code=e527a9eb-7e3b-4d5b-a4fc-5a6525c9c70b.052fb138-32ff-4bf4-8576-17c579318f54.4be541f1-d930-45f7-8e37-42b4993cdb3d => generated 9532 bytes in 20323 msecs (HTTP/1.0 500) 9 headers in 499 bytes (2 switches on core 0)
nginx stdout | 172.17.0.19 - - [09/Sep/2020:08:47:46 +0000] "GET /accounts/complete/keycloak/?redirect_state=NI9wQznwmlAR4s2sgsJe1p6t0lyDTc1b&state=NI9wQznwmlAR4s2sgsJe1p6t0lyDTc1b&session_state=052fb138-32ff-4bf4-8576-17c579318f54&code=e527a9eb-7e3b-4d5b-a4fc-5a6525c9c70b.052fb138-32ff-4bf4-8576-17c579318f54.4be541f1-d930-45f7-8e37-42b4993cdb3d HTTP/1.0" 500 9532 "-" "Mozilla/5.0"

Local vars of last stack trace element, copy&paste from the same email:

Variable Value
alg 'RS256'
algorithms ''
header {'alg': 'RS256', 'kid': 'g42pshvEEbADXq1m2g7MdZTVwFCowX3KGWIAHv-E4kM', 'typ': 'JWT'}
key ('-----BEGIN PUBLIC KEY-----\n' 'MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1erPDupNdgDdu3YJEqQY+jWvOtVG+2Q6HwSLqCY6HL7Em3DoIjV7pxE2lBFl0lzLeyBudd769nc7vA1s6n/r3xzlhSEZybUXkCh8SKGpouTarOyab5E3DRybO6ssV2xNH2zG7L5HvoaPgd7r0k8ckxf3E5spe1iv99yzU1V6HRDQsWahSG9TPe5l3ZXhatfYVL8u6gXOSL7Qf/MJCxR3geq/oiqn+gV/ptZKhlX5sRa8UgpukL0XM86W+ZMfPrOwThcjH7fp4SsdLn4+zMMEeEkqVj6kPmulg8QZHQ5IsZy4yJj2VfVF3B+cW0JLqG0KkLfj1K8gLyXvgacLnECi5QIDAQAB\n' '-----END PUBLIC KEY-----')
payload (b'{"exp":1599648327,"iat":1599648027,"auth_time":1599647700,"jti":"8b27c36d-e3' b'8c-4381-a1f0-0a5394f9250b","iss":"https://keycloak.site.jp/auth/realms/main' b'-id","aud":"account","sub":"93ba43b3-c378-40bc-a196-ebaae7e9a49a","typ":"Bea' b'rer","azp":"weblate","session_state":"4f27dadc-3c5e-4660-940b-1c244133e724",' b'"acr":"0","realm_access":{"roles":["offline_access","uma_authorization"]},"r' b'esource_access":{"account":{"roles":["manage-account","manage-account-links"' b',"view-profile"]}},"scope":"profile email","email_verified":true,"name":"me ' b'Me","preferred_username":"me","given_name":"me","family_name":"me","email":"' b'me@site.jp"}')
self <jwt.api_jwt.PyJWT object at 0x7ff48797be10>

Cleaning the vars up a little:

header = {
 'alg': 'RS256',
 'kid': 'g42pshvEEbADXq1m2g7MdZTVwFCowX3KGWIAHv-E4kM',
 'typ': 'JWT'
}

payload = {
 "aud":"account",
 "exp":1599641550,
 "iss":"https://keycloak.site.jp/auth/realms/main",
 "sub":"93ba43b3-c378-40bc-a196-ebaae7e9a49a",
 "acr":"1",
 "auth_time":1599641245,
 "azp":"weblate",
 "email":"me@site.jp",
 "email_verified":true,
 "family_name":"Me",
 "given_name":"me",
 "iat":1599641250,
 "jti":"08cd473e-fe8e-45d2-87eb-97368e72ba23",
 "name":"me Me",
 "preferred_username":"me",
 "realm_access":{
   "roles": ["offline_access","uma_authorization"]
 },
 "resource_access":{
   "account":{
     "roles": ["manage-account","manage-account-links","view-profile"]
   }
 },
 "scope":"profile email",
 "session_state":"052fb138-32ff-4bf4-8576-17c579318f54",
 "typ":"Bearer"
}

-- Some data like user identities have been changed to protect personal info, invalidating signatures.

@enspritz enspritz added the question This is more a question for the support than an issue. label Sep 9, 2020

github-actions bot commented Sep 9, 2020

This issue looks like a support question. We try to answer these reasonably fast, but in case you are looking for faster resolution, please consider purchasing support subscription and make Weblate stronger.


nijel commented Sep 10, 2020

Add the following to the Docker environment to fix this:

WEBLATE_SOCIAL_AUTH_KEYCLOAK_ALGORITHM: RS256
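The check that the stack trace stops at, reproduced here as an added, standard-library-only illustration (not code from this issue, Weblate, python-social-auth or PyJWT): the verifier's algorithm allowlist comes from configuration, and an unset ALGORITHM setting yields an empty allowlist that rejects every token, while a correctly populated allowlist still rejects tokens whose header tries to switch to another algorithm. The token, key id and issuer below are constructed sample values.

```python
import base64
import json


class InvalidAlgorithmError(Exception):
    """Raised when a token's alg header is not in the verifier's allowlist."""


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_header(token: str) -> dict:
    """Parse the (unverified) JOSE header, the first segment of a compact JWT."""
    return json.loads(_b64url_decode(token.split(".")[0]))


def check_alg_allowed(token: str, algorithms) -> str:
    """Simplified mirror of the allowlist check in PyJWT's _verify_signature.

    `algorithms` must come from the verifier's own configuration, never from the
    token. Pass a list: with a str, `alg not in algorithms` becomes a substring
    test, and the empty string seen in this issue rejects every alg.
    """
    alg = jwt_header(token).get("alg")
    if algorithms is not None and alg not in algorithms:
        raise InvalidAlgorithmError("The specified alg value is not allowed")
    return alg


def alg_allowed(token: str, algorithms) -> bool:
    """Boolean wrapper around check_alg_allowed for quick configuration checks."""
    try:
        check_alg_allowed(token, algorithms)
        return True
    except InvalidAlgorithmError:
        return False


def make_sample_token(alg: str) -> str:
    # Constructed sample token (header.claims.dummy-signature); only the header
    # matters for the allowlist check, which runs before any signature check.
    def enc(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    header = {"alg": alg, "kid": "example-kid", "typ": "JWT"}
    claims = {"iss": "https://keycloak.example/auth/realms/main", "aud": "account"}
    return f"{enc(header)}.{enc(claims)}.c2ln"


if __name__ == "__main__":
    token = make_sample_token("RS256")
    print("unset ALGORITHM (''):", alg_allowed(token, ""))          # False
    print("ALGORITHM = RS256:   ", alg_allowed(token, ["RS256"]))   # True
    for other in ("HS256", "none"):
        print(f"token with alg={other}:", alg_allowed(make_sample_token(other), ["RS256"]))
```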

@nijel nijel added bug Something is broken. and removed question This is more a question for the support than an issue. labels Sep 10, 2020
@nijel nijel self-assigned this Sep 10, 2020
@nijel nijel added this to the 4.3 milestone Sep 10, 2020
@nijel nijel closed this as completed in 5e292d3 Sep 10, 2020
@github-actions

Thank you for your report, the issue you have reported has just been fixed.

  • In case you see a problem with the fix, please comment on this issue.
  • In case you see a similar problem, please open a separate issue.
  • If you are happy with the outcome, consider supporting Weblate by donating.
