v2.9.56 breaks oidc auth with keycloak #1864
Comments
|
Hi @rsch136 , thanks a lot |
|
@rsch136 configuration which works for me: "keycloak": {
"display_name":"Sign in with keycloak",
"provider_url":"http://localhost:8080/realms/master",
"client_id":"test",
"client_secret":"A0G8Awc7NTHrfllbXABbNK9kRQgQq7X9",
"redirect_url": "http://localhost:8082/api/auth/oidc/keycloak/redirect"
} |
|
I found this by the issue: https://keycloak.discourse.group/t/getting-invalid-grant-during-client-token-request-using-authorization-code/2042/4 @rsch136 |
|
This is our config: {
"web_host": "https://semaphore......de",
"oidc_providers": {
"keycloak": {
"display_name": "SSO",
"provider_url": "https://keycloak.../realms/network",
"client_id": "semaphore",
"client_secret": "{{ semaphore_keycloak_client_secret }}"
}
}
}We do not specify a redirect url here. |
|
@rsch136 where you specify redirect_url? I have following error without it: 
|
|
Actually, 2.9.56 breaks much more. After the upgrade I got meself a surprise page too. Granted I am running inside the docker.
it was caused (I am guessing here) by my attempt to downgrade to 2.9.45 . There reason of this downgrade attempt was an
SSH-AGENT is responsible for feeding passphrase when a SSH private key is pass protected. I am not using such protection for Semaphore. I created a special set of keys to and distributed them to all servers to avoid the problem. |
|
@bodzio4749 please create separate issue for your problem with details. Because I don't see whole error log. PS: SSH-AGENT used in Semaphore starts form v2.9.45. There is no changes for this in v2.9.58. |
|
@bodzio4749 do you have issue with OpenID connect? |
Which version of keycloak are you using? I remember having this kind of issue when switching between keycloak version 14 and 19. We're currently using 19.0.3. I'm not specifying any redirect url. I will deploy it later tonight with an explicit redirect url in the config. |
|
@rsch136 can we contact via Telegram? It is critical bug and I want to fix is ASAP. https://t.me/semaphoreui. Thank you |
|
FYI: 2.9.56 with Kycloak 24.0.1 is working fine, can provide any configs you need |
|
@bodzio4749 when you get that error, just re-login |
|
I've deployed it again with a redirect url and latest version but it does not fix the error. I guess it could now be a problem with our version of keycloak. Unfortunately, I will not be able to update that anytime soon.
@mhzawadi yes, please @fiftin Since I am the only one who seems to be having this problem, I would be ok with closing the issue. I can open a new one if it still doesn't work once I've updated keycloak. |
|
Please don't close the issue :) |
|
Hmm everything over v2.9.45 seems to also break oidc with authentik as IDP. |
My semaphore config below, then screen grabs of Keycloak. let me know if you need anything else 
|
|
@mhzawadi it doesn't work for 2.9.58, but works for 2.9.45? Could you provide error log? |
|
@jsievertde could you provide error log? |
|
also an issue with using Okta and using the latest docker image. happy to provide more info as needed error log: configuration: "oidc_providers": {
"okta": {
"display_name": "Sign in with Okta",
"provider_url": "https://11111111.okta.com/oauth2/default",
"client_id": "SOME_CLIENT_ID",
"client_secret": "SOME_CLIENT_SECRET",
"name_claim": "name"
}
} |
|
@pushpinders1ngh just created Okta acc. Works to me. Can't reproduced. Okta has a log. Can you share it? 
|
|
@jsievertde please share the logs. |
|
@fiftin all successful logins 
|
|
Please try v2.9.64. |
|
Unfortunately, the same result with v2.9.64. |
|
I'm also getting the same result but there is an extra error now: http: panic serving 172.18.0.4:50116: securecookie: hash key is not set I've also changed the set-up in keycloak like recommended here: #1864 (comment) |
|
@pushpinders1ngh please add |
|
@rsch136 looks like you have broken config. Please check that you have |
@fiftin we were following this docu: https://docs.semui.co/administration-guide/openid Didn't previously have any issue with cookie hashes. Do you have a link? |
|
Thank you @fiftin. Very generous of you to provide this quick solution. adding the i've in my config: |
|
@pushpinders1ngh I can't understand how it worked in 2.9.45. I tested with it and got error "invalid redirect_url". |
@phishkapsch Hm, it is really strange |
|
I have updated to 2.9.65 and all is working fine for me |
|
@fiftin sorry for the delay. I copied the relevant error from our authentik-backend: I'm just deploying the new version of ansible-semaphore to check if it is already fixed. |
|
Hi @jsievertde It is what I fixed in 2.9.64. Didn't help? |
|
Sorry @fiftin deployment is done and the service has been restarted. |
|
Adding the cookie_hash to the env fixed the issue and I can now sign in using keycloak. I updated keycloak to 24.0.0 before adding the cookie_hash but this did not change anything. It also works without adding the redirect url to the config. Thanks for the help! |
When updating from v2.9.45 to v2.9.56, our existing integration with keycloak breaks.
The error shown in the docker logs is
time="2024-03-24T17:38:23Z" level=error msg="oauth2: \"invalid_grant\" \"Code not valid\"". On the UI side, signing in with SSO just returns you to the login page but does not actually log the user in.A downgrade to 2.9.45 fixes the issue.
The text was updated successfully, but these errors were encountered: