unable to setup Authentication with keycloak

[doums]

Describe the bug

Hi,

With my team we are trying to setup our weblate docker container to use Keycloak as authentication system.
We followed the only documentation that exists on this subject -> https://docs.weblate.org/en/weblate-4.2.2/admin/install/docker.html?#keycloak

So far we have, in a local environment, weblate running and working.

Here is the docker-compose, relevant part:

  weblate:
    image: weblate/weblate
    container_name: weblate
    depends_on:
      - postgres
      - redis
    volumes:
      - weblate-data:/app/data
    ports:
      - 8090:8080
    networks:
      - web
    environment:
      POSTGRES_DATABASE: postgres
      POSTGRES_HOST: postgres
      POSTGRES_PASSWORD: xxxx
      POSTGRES_PORT: 5432
      POSTGRES_USER: weblate
      REDIS_HOST: redis
      REDIS_PORT: 6379
      WEBLATE_ADMIN_EMAIL: aos.admin@example.com
      WEBLATE_ADMIN_NAME: admin
      WEBLATE_ADMIN_PASSWORD: admin
      WEBLATE_ALLOWED_HOSTS: "*"
      WEBLATE_DEFAULT_FROM_EMAIL: aos@example.com
      WEBLATE_LOGLEVEL: DEBUG #dev only
      WEBLATE_REGISTRATION_OPEN: 0
      REGISTRATION_ALLOW_BACKENDS: keycloak-oauth2 #not sure of the value here
      WEBLATE_SERVER_EMAIL: aos@example.com
      SOCIAL_AUTH_KEYCLOAK_ID_KEY: email
      SOCIAL_AUTH_VERIFY_SSL: 0
      WEBLATE_SITE_DOMAIN: localhost:8090
      WEBLATE_SOCIAL_AUTH_KEYCLOAK_KEY: 'aos-translate'
      WEBLATE_SOCIAL_AUTH_KEYCLOAK_SECRET: '77d132b1-bfa7-460a-81b8-214e235a56e1'
      WEBLATE_SOCIAL_AUTH_KEYCLOAK_PUBLIC_KEY: 'xxxxxx'
      WEBLATE_SOCIAL_AUTH_KEYCLOAK_ALGORITHM: 'RS256'
      WEBLATE_SOCIAL_AUTH_KEYCLOAK_AUTHORIZATION_URL: 'http://localhost:8085/auth/realms/aos/protocol/openid-connect/auth'
      WEBLATE_SOCIAL_AUTH_KEYCLOAK_ACCESS_TOKEN_URL: 'http://localhost:8085/auth/realms/aos/protocol/openid-connect/token'

For keycloak side, we followed the steps described in the comment on the source file -> https://github.com/python-social-auth/social-core/blob/master/social_core/backends/keycloak.py

On the sign in form of weblate, now we have a button "keycloak". If we click on it, we are redirected to keycloak's own sign in form:

http://localhost:8085/auth/realms/aos/protocol/openid-connect/auth?client_id=aos-translate&redirect_uri=http%3A%2F%2Flocalhost%3A8090%2Faccounts%2Fcomplete%2Fkeycloak%2F%3Fredirect_state%3DIhc50guJxwVoevULfPnvxJV6Jv3fzYxW&state=Ihc50guJxwVoevULfPnvxJV6Jv3fzYxW&response_type=code

Here if we try to connect with wrong credential, keyclaok informs us about that, and we have to retry, but if we enter good one, we are redirected back to weblate -> http://localhost:8090/accounts/login/.

And here the problem happens: An error message appears in the UI

Could not authenticate, probably due to an expired token or connection error.

And we are not authenticated. There is no error in keycloak logs and in weblate logs.

Due to lack of proper documentation/guide and no explicit log, we cannot figure out what the problem is.

[nijel]

Did you check Weblate logs? Maybe it's duplicate of #4473?

[nijel]

Looking at it again, it might just some mess in the cookies as you run both services on localhost domain - they can steal or rewrite cookies from the other app.

[github-actions]

This issue looks like a support question. We try to answer these reasonably fast, but in case you are looking for faster resolution, please consider purchasing support subscription and make Weblate stronger.

[doums]

First what is the right value of this env variable please (for Keycloak) ?

REGISTRATION_ALLOW_BACKENDS: ???

[doums]

Did you check Weblate logs? Maybe it's duplicate of #4473?

There is absolutely no log emitted by the weblate container on the sign in process.
WEBLATE_SOCIAL_AUTH_KEYCLOAK_ALGORITHM: RS256 is already present in the docker-compose file.

The only log I can see is on keycloak side and happens right after clicking the "keycloak" button, while the redirection to keycloak's sign in form

WARN  [org.keycloak.services] (default task-1) KC-SERVICES0091: Request is missing scope 'openid' so it's not treated as OIDC, but just pure OAuth2 request.

EDIT: It seems some logs appear after long waiting time or after sign in through normal form (not keycloak), but not sure if the log are relevant to the keycloak sign in process.

HTTP/1.1" 200 2390 "http://localhost:8090/" "Mozilla/5.0 (X11; Linux x86_64; rv:81.0) Gecko/20100101 Firefox/81.0"
nginx stdout | 172.18.0.1 - - [06/Oct/2020:09:09:39 +0000] "GET /static/logo-32.png HTTP/1.1" 200 1192 "http://localhost:8090/" "Mozilla/5.0 (X11; Linux x86_64; rv:81.0) Gecko/20100101 Firefox/81.0"
uwsgi stderr | [pid: 715|app: 0|req: 1/2] 172.18.0.1 () {46 vars in 796 bytes} [Tue Oct  6 09:09:50 2020] GET /accounts/login/?next=/ => generated 13601 bytes in 622 msecs (HTTP/1.1 200) 10 headers in 469 bytes (2 switches on core 0)
nginx stdout | 172.18.0.1 - - [06/Oct/2020:09:09:51 +0000] "GET /accounts/login/?next=/ HTTP/1.1" 200 4708 "http://localhost:8090/" "Mozilla/5.0 (X11; Linux x86_64; rv:81.0) Gecko/20100101 Firefox/81.0"
nginx stdout | 172.18.0.1 - - [06/Oct/2020:09:09:51 +0000] "GET /static/weblate-180.png HTTP/1.1" 200 2390 "http://localhost:8090/" "Mozilla/5.0 (X11; Linux x86_64; rv:81.0) Gecko/20100101 Firefox/81.0"
celery-main stderr | [2020-10-06 09:09:54,465: INFO/MainProcess] Received task: weblate.utils.tasks.heartbeat[34c29165-3273-4503-8433-9fc3ac32adde]
uwsgi stderr | [pid: 714|app: 0|req: 1/3] 172.18.0.1 () {52 vars in 965 bytes} [Tue Oct  6 09:09:55 2020] POST /accounts/login/keycloak/?next=/ => generated 0 bytes in 540 msecs (HTTP/1.1 302) 11 headers in 759 bytes (1 switches on core 0)
nginx stdout | 172.18.0.1 - - [06/Oct/2020:09:09:56 +0000] "POST /accounts/login/keycloak/?next=/ HTTP/1.1" 302 0 "http://localhost:8090/" "Mozilla/5.0 (X11; Linux x86_64; rv:81.0) Gecko/20100101 Firefox/81.0"
uwsgi stderr | WARNING Handled exception: AuthFailed: Authentication failed: HTTPConnectionPool(host='localhost', port=8085): Max retries exceeded with url: /auth/realms/aos/protocol/openid-connect/token (Caused by NewConnectionError('<urllib3.connection.HTTPConnection object at 0x7fa13e2e6e80>: Failed to establish a new connection: [Errno 111] Connection refused'))
uwsgi stderr | [pid: 716|app: 0|req: 1/4] 172.18.0.1 () {46 vars in 1571 bytes} [Tue Oct  6 09:10:00 2020] GET /accounts/complete/keycloak/?redirect_state=2Ldmmz0faHokiliN9j5DMQP55UkpA8if&state=2Ldmmz0faHokiliN9j5DMQP55UkpA8if&session_state=3a7c9dbc-9345-460d-8645-74dac0b14d77&code=b4fd559c-eb81-44b6-98c6-cf77a1d12279.3a7c9dbc-9345-460d-8645-74dac0b14d77.7f638188-e4db-4ee3-af40-ca6dba80c85f => generated 0 bytes in 537 msecs (HTTP/1.1 302) 11 headers in 496 bytes (2 switches on core 0)
nginx stdout | 172.18.0.1 - - [06/Oct/2020:09:10:00 +0000] "GET /accounts/complete/keycloak/?redirect_state=2Ldmmz0faHokiliN9j5DMQP55UkpA8if&state=2Ldmmz0faHokiliN9j5DMQP55UkpA8if&session_state=3a7c9dbc-9345-460d-8645-74dac0b14d77&code=b4fd559c-eb81-44b6-98c6-cf77a1d12279.3a7c9dbc-9345-460d-8645-74dac0b14d77.7f638188-e4db-4ee3-af40-ca6dba80c85f HTTP/1.1" 302 0 "http://localhost:8085/auth/realms/aos/protocol/openid-connect/auth?client_id=aos-translate&redirect_uri=http%3A%2F%2Flocalhost%3A8090%2Faccounts%2Fcomplete%2Fkeycloak%2F%3Fredirect_state%3D2Ldmmz0faHokiliN9j5DMQP55UkpA8if&state=2Ldmmz0faHokiliN9j5DMQP55UkpA8if&response_type=code" "Mozilla/5.0 (X11; Linux x86_64; rv:81.0) Gecko/20100101 Firefox/81.0"
uwsgi stderr | [pid: 716|app: 0|req: 2/5] 172.18.0.1 () {44 vars in 745 bytes} [Tue Oct  6 09:10:00 2020] GET /accounts/login/ => generated 13745 bytes in 88 msecs (HTTP/1.1 200) 10 headers in 469 bytes (2 switches on core 0)

[nijel]

uwsgi stderr | WARNING Handled exception: AuthFailed: Authentication failed: HTTPConnectionPool(host='localhost', port=8085): Max retries exceeded with url: /auth/realms/aos/protocol/openid-connect/token (Caused by NewConnectionError('<urllib3.connection.HTTPConnection object at 0x7fa13e2e6e80>: Failed to establish a new connection: [Errno 111] Connection refused'))

This certainly is related, Weblate cannot connect to the keycloak server. Probably the URL should not be localhost unless you are using host networking in the Docker.

[doums]

Keycloak run on localhost as well, and on the same network:

    container_name: aos-keycloak
    depends_on:
      - mysql
    environment:
      DB_USER: xxxxxxx
      DB_PASSWORD: xxxxxx
      DB_VENDOR: mysql
      KEYCLOAK_USER: xxxxxx
      KEYCLOAK_PASSWORD: xxxxxx
      KEYCLOAK_IMPORT: /tmp/my_realm.json
    image: jboss/keycloak:10.0.1
    networks:
      - web
    ports:
      - 8085:8080
      # - 8085:8443
    volumes:
      - ./apps/aos-server-account/export:/tmp
      - ./apps/aos-server-account/themes/aos:/opt/jboss/keycloak/themes/aos
      - ./apps/aos-server-account/themes/base:/opt/jboss/keycloak/themes/base
      - ./apps/aos-server-account/deployments/recaptcha-login.jar:/opt/jboss/keycloak/standalone/deployments/recaptcha-login.jar

[nijel]

But it's not localhost for Weblate. Please read on how Docker networking works, for example on https://docs.docker.com/network/network-tutorial-standalone/

[doums]

Ok thank you.

[github-actions]

The issue you have reported seems to be resolved now.

• In case you see a similar problem, please open a separate issue.
• If you are happy with the outcome, consider supporting Weblate by donating.

[TafkaMax]

Hey

I am also experiecing issues with keycloak installation, did you use this in the end? :

     REGISTRATION_ALLOW_BACKENDS: keycloak-oauth2 #not sure of the value here

---

Have you tried to use OIDC plugin instead of the oauth2 one?

[syed-saad-zahidi]

I am facing same issue my keycloak version 23,0.6