Can't login with openid (keycloak) #70

Open
opened 2021-11-29 15:31:09 +00:00 by bdeb1337 · 6 comments

Hi!

While testing out vikunja, I was trying to give the desktop application a go. However, when I try to log in to my instance, I keep on getting the following error after completing my login:

![image](/attachments/d958b085-aa49-4061-8f7f-cf4cfbb490ee)

I'm using openid to authenticate through my keycloak instance, and it's working fine in browser at the moment.

My config.yml and keycloak settings are as follows:

```
service:
  # The URL of the frontend, used to send password reset emails.
  frontendurl: "https://vikunja.example.com"

auth:
  local:
    enabled: false
  openid:
    enabled: true
    #redirecturl: vikunja.example.com
    providers:
      - name: example.com
        authurl: https://idp.example.com/auth/realms/master
        clientid: vikunja
        clientsecret: my-keycloak-secret-pass-phrase
```

![image](/attachments/1cd4cb52-b38b-4a36-ac5d-e1ef42eafd9e)

Not really sure how to go about debugging this further.

Thank you kindly for your time and answer.

Kind regards.

Owner

Just to verify, these are the steps you're doing?

  1. Open the desktop app
  2. Enter the api url of your instance
  3. Click on "Login with example.com"
  4. Enter credentials in Keycloak
  5. Get redirected to the error in the screenshot

All happening in the app shell, with no browsers etc opening in between?

Author

Yes, that's exactly the flow of how this happens for me.

And indeed: All the redirects happen inside the application (no pop-ups or extra screens), without any external browser or anything opening.

Owner

What api and desktop app version are you using?

Author

docker:latest for the api, which I guess was 0.18.1, and also the desktop app 0.18.1.

Owner

Can confirm this is reproducible with the latest unstable as well.

Owner

Looks like this is a bit tricky to solve: Because the redirect url from the third party provider is used instead of the one from the desktop app directly, you actually get redirected to the frontend running on your server, not the one running in the electron shell. Because the frontend has never seen the state at that point, you get the mentioned error.

Attempt to fix in vikunja/frontend#1144 but I still had issues with it while testing with gitlab. Using that fix you'd need to add `http://127.0.0.1:45735/` to the valid redirects or allow arbitrary redirects to any host after authenticating (not sure if keycloak can do that?).
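
The state mismatch described in the comment above, as an added example that is not part of the original thread and not Vikunja's code: two frontend instances with separate storage, a provider that exact-matches `redirect_uri`, and the three outcomes depending on where the callback lands. `FrontendInstance`, `providerRedirect`, `simulateLogin` and the `/auth` endpoint path are hypothetical names; the hosts and port are the ones from the thread.

```javascript
// Added illustration; all names here are hypothetical, not Vikunja's code.
const crypto = require('node:crypto');

// One running copy of the frontend. The Electron shell and the
// server-hosted web app each have private storage.
class FrontendInstance {
  constructor(origin) {
    this.origin = origin;
    this.storage = new Map();
  }
  // Start login: remember a random state, return the authorization request URL.
  beginLogin(authUrl, clientId, redirectUri) {
    const state = crypto.randomBytes(16).toString('hex');
    this.storage.set('state', state);
    const u = new URL(authUrl);
    u.searchParams.set('response_type', 'code');
    u.searchParams.set('client_id', clientId);
    u.searchParams.set('redirect_uri', redirectUri);
    u.searchParams.set('state', state);
    return u.toString();
  }
  // Handle the callback: accept only a state this instance issued, once.
  handleCallback(callbackUrl) {
    const got = new URL(callbackUrl).searchParams.get('state');
    const want = this.storage.get('state');
    this.storage.delete('state');
    if (!want || !got || want.length !== got.length) return false;
    return crypto.timingSafeEqual(Buffer.from(want), Buffer.from(got));
  }
}

// Provider side: exact-match redirect_uri against the registered list.
function providerRedirect(authRequestUrl, registeredRedirects) {
  const p = new URL(authRequestUrl).searchParams;
  const redirectUri = p.get('redirect_uri');
  if (!registeredRedirects.includes(redirectUri)) return null;
  const cb = new URL(redirectUri);
  cb.searchParams.set('code', 'constructed-code'); // constructed sample value
  cb.searchParams.set('state', p.get('state'));
  return cb.toString();
}

// Run one login and deliver the callback to whichever instance serves that origin.
function simulateLogin(starter, redirectUri, instances, registered) {
  const req = starter.beginLogin('https://idp.example.com/auth', 'vikunja', redirectUri);
  const cb = providerRedirect(req, registered);
  if (cb === null) return 'redirect_uri rejected by provider';
  const receiver = instances.find((i) => new URL(cb).origin === i.origin);
  return receiver.handleCallback(cb) ? 'logged in' : 'state mismatch';
}
```

Registering the one exact loopback URI keeps the provider's exact-match check in place; a wildcard or arbitrary-host redirect setting would remove that check and let the authorization code be delivered to any host.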

Reference: vikunja/desktop#70