Keycloak Provider login results in request-compose timeout error - keycloak

Setup:
We have a HTTPS strapi application and keycloak is configured as an identity provider with the corresponding client id and secret from the keycloak client. Both strapi and keycloak are behind nginx.
We have a keycloak server, where the strapi is added as a client with the necessary redirect URIs configured.
Also, provider.js and bootstrap.js are set up as suggested in the reference:
Strapi Documentation.
Issue:
Strapi throws an error when trying to access the client:
{"statusCode":400,"error":"Bad Request","message":{"message":"No access_token."},"data":{"message":"No access_token."}}
https://our.website.domain/strapi/auth/keycloak/callback?error=request-compose%3A%20timeout
In the logs, we see that the access token is not received and hence the error is thrown on the Strapi end. Example provider.js line:
Verification:
Strapi is able to use other social identity providers like GitHub to authenticate as expected.
We are able to use Postman to get the access token from keycloak by posting to https://our.website.domain/auth/realms/exampleRealmName/protocol/openid-connect/token as suggested in this comment (step 1).
We are able to use the access token to get response from Strapi through Postman. https://our.website.domain/connect/IDP-Name/callback as suggested here (step 2)
Any inputs or advice on what could be the issue?
Thank you in advance.
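The two Postman checks in the question exercise Keycloak and Strapi from a workstation; the "request-compose: timeout" in the callback URL comes from the HTTP client underneath the purest library that Strapi's providers use for their own server-side calls to the identity provider, so the hop that matters is Strapi host to Keycloak through nginx. The script below is an added example, not code from the question or from Strapi: it runs the same step 1 and step 2 with an explicit timeout per hop and reports the elapsed time of each, so it can be run on the Strapi host itself to see which hop stalls. It assumes the password grant for step 1, that Strapi's callback takes an `access_token` query parameter and answers with a `jwt` field, and it uses placeholder hostnames, realm and credentials; `fake_opener` is a constructed stand-in for `urllib.request.urlopen` so the script also runs offline.

```python
"""Reproduce Strapi's two provider hops outside Strapi, with a timeout per hop.
Added example; hostnames, realm, client and user values are placeholders."""
import io
import json
import time
import urllib.parse
import urllib.request
from contextlib import contextmanager

KEYCLOAK_BASE = "https://our.website.domain/auth"                         # placeholder
REALM = "exampleRealmName"                                                # placeholder
STRAPI_CALLBACK = "https://our.website.domain/connect/keycloak/callback"  # placeholder


def token_endpoint(base=KEYCLOAK_BASE, realm=REALM):
    """Keycloak token endpoint for the realm (OpenID Connect layout)."""
    return f"{base}/realms/{realm}/protocol/openid-connect/token"


def _timed(opener, req, timeout):
    """Issue one request with a hard timeout; return (parsed JSON, seconds taken)."""
    start = time.monotonic()
    with opener(req, timeout=timeout) as resp:
        raw = resp.read()
    return json.loads(raw.decode()), time.monotonic() - start


def fetch_token(client_id, client_secret, username, password,
                opener=urllib.request.urlopen, timeout=10.0):
    """Step 1: password grant against Keycloak (assumed grant type).
    Returns (access_token, seconds) or raises if no access_token came back."""
    body = urllib.parse.urlencode({
        "grant_type": "password", "client_id": client_id,
        "client_secret": client_secret, "username": username, "password": password,
    }).encode()
    req = urllib.request.Request(
        token_endpoint(), data=body,
        headers={"Content-Type": "application/x-www-form-urlencoded"})
    payload, elapsed = _timed(opener, req, timeout)
    if "access_token" not in payload:
        raise RuntimeError(f"step 1 failed: {payload}")
    return payload["access_token"], elapsed


def call_strapi_callback(access_token, opener=urllib.request.urlopen, timeout=10.0):
    """Step 2: hand the access token to Strapi's provider callback (assumed to
    take ?access_token= and to answer with a 'jwt' field on success)."""
    url = STRAPI_CALLBACK + "?" + urllib.parse.urlencode({"access_token": access_token})
    payload, elapsed = _timed(opener, urllib.request.Request(url), timeout)
    if "jwt" not in payload:
        raise RuntimeError(f"step 2 failed: {payload}")
    return payload["jwt"], elapsed


@contextmanager
def fake_opener(req, timeout):
    """Constructed stand-in for urllib.request.urlopen so the script runs offline.
    Mirrors the question: Strapi answers 'No access_token.' when the token is missing."""
    if req.full_url.startswith(token_endpoint()):
        body = {"access_token": "demo.access.token", "token_type": "Bearer"}
    else:
        query = urllib.parse.parse_qs(urllib.parse.urlsplit(req.full_url).query)
        if query.get("access_token"):
            body = {"jwt": "demo.strapi.jwt"}
        else:
            body = {"statusCode": 400, "error": "Bad Request",
                    "message": {"message": "No access_token."}}
    yield io.BytesIO(json.dumps(body).encode())


def run_checks(opener=urllib.request.urlopen, **creds):
    """Run both hops and report each one's elapsed time; a hang surfaces as a
    socket timeout from the hop that did not answer."""
    token, t1 = fetch_token(opener=opener, **creds)
    jwt, t2 = call_strapi_callback(token, opener=opener)
    return {"access_token": token, "strapi_jwt": jwt,
            "token_seconds": t1, "callback_seconds": t2}


if __name__ == "__main__":
    # Offline demonstration; swap fake_opener for urllib.request.urlopen on the Strapi host.
    print(run_checks(fake_opener, client_id="strapi", client_secret="placeholder",
                     username="placeholder-user", password="placeholder-pass"))
```

Run it with the real opener from the Strapi host (not a workstation) so that the DNS resolution, nginx routing and TLS trust of that host are what gets tested; a timeout on step 1 there, while Postman succeeds elsewhere, points at the Strapi-to-Keycloak path rather than at the Keycloak client configuration.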

Related

Nextcloud and Google SAML SSO: Error parsing the request, No SAML message present in request

I struggle a bit to get Nextcloud to work with Google as SSO provider. I have the URL target of the IdP set to https://accounts.google.com/o/saml2/idp?idpid=xxxxxxx, then I get
403. That’s an error.
Error: app_not_configured_for_user
So following the suggestion here, I changed the url to
https://accounts.google.com/accountchooser?continue=https://accounts.google.com/o/saml2/idp?idpid=xxxxxx
Which redirects me to the google account chooser, but then I get, after selecting my account
null. That’s an error.
Error parsing the request, No SAML message present in request That’s all we know.
Sometimes I am not asked for a user account, so then I get the following from Nextcloud
Account not provisioned.
Your account is not provisioned, access to this service is thus not possible.
What worked for me is to configure Google having these attribute mappings
While on Nextcloud I configure SAML as follows

Keycloak can't verify the JWT from my flutter openid client

In my Flutter app, I use the openid_client library to authorize myself with a keycloak instance and get an access token.
For testing purposes, I tried the node js server example of keycloak (https://github.com/keycloak/keycloak-quickstarts/tree/latest/service-nodejs) to verify my access token from the flutter app, but every time I try, I get an "access denied" error.
If I try it with the javascript frontend example from keycloak (https://github.com/keycloak/keycloak-quickstarts/tree/latest/app-nodejs-html5) it works with the same keycloak user and client.
I compared the two different tokens and the only thing I noticed is that the keycloak example has an additional "nonce" field (and the "iss" is different).
What could I have missed, which is why the token from the flutter app does not work?

How to connect Drupal with Keycloak 18 for user creation

I am trying to connect drupal with keycloak for login. I have added the client id, client secret and Keycloak realm, obtained from the keycloak server.
Using modules - https://www.drupal.org/project/keycloak
Link - http://localhost/drupal/user/login
After clicking on the 'Login Keycloak' button, I get the error
The website encountered an unexpected error. Please try again later.
Log Message - Symfony\Component\Routing\Exception\MissingMandatoryParametersException: Some mandatory parameters are missing ("openid_connect_client") to generate a URL for route "openid_connect.redirect_controller_redirect". in Drupal\Core\Routing\UrlGenerator->doGenerate() (line 181 of C:\xampp\htdocs\drupal\core\lib\Drupal\Core\Routing\UrlGenerator.php).
Please suggest. Thank you.
Looks like you might not have added the valid redirect uri in your local keycloak server page under Clients > Settings, which I believe should be "http://localhost/drupal/openid-connect/keycloak" for your project.
And also you need to provide the Keycloak base URL in your drupal "Configuration > Web Service > Open ID Connect" web page, which most of the time, if you are using a local keycloak server, is http://localhost:8080

Passing Bearer token from kong to keycloak to be authenticated and then proceeds to api call

I have set up keycloak-oidc on kong, and I have a protected API behind kong. I am able to call keycloak through kong because I added a filter /auth/*. Below is my oidc configuration for keycloak.
I configured my REALM and CLIENT_ID on keycloak as follows:
When I call the protected API with the Bearer token acquired from keycloak, I am unable to reach the protected API as Keycloak returns
{ "error": "invalid_request", "error_description": "Missing parameter: username" }
I have turned off the Standard Flow, yet I am unable to get authenticated by keycloak and be passed on to the protected API.
Please what am I doing wrong?
First of all, I had to upgrade my kong-oidc from kong-oidc 1.0.1 to kong-oidc 1.1.0. Then I simply updated my introspection endpoint in the oidc plugin configuration as shown below. In the images I shared in the question above, the introspection endpoint field was not present and hence could not be set until after the upgrade.

"Unexpected error when authenticating with identity provider" error when Keycloak broker is configured as a client to another Keycloak instance

I am getting an error when I try to login to Keycloak by using it as a broker. I am using credentials from another keycloak instance to login. So far, I am redirected to the correct login page but after entering my credentials I receive an error.
I have set up Keycloak Identity Brokering on computer 1 by following the basic steps. I have used the generated redirection URI of the broker to register a new client on computer 2 in another Keycloak instance. The client configuration present on computer 2 is then used to fill in Authorization URL, Token URL, Client ID and Client Secret on the Identity Broker on computer 1.
I may be leaving important fields missing. Pictures are attached for reference.
I have changed some settings to get the broker to work with the other Keycloak instance. I am now sending client secret as basic auth with signed verification off. I have also enabled back-channel logout. Hope this helps someone else.
I fixed this problem by regenerating the client secret on the identity provider side and using it on keycloak. The keycloak realm data import was not working very well for me apparently.
In my case I needed to empty the hosted domain field in the "Identity providers" configuration of my Google identity provider in Keycloak.
See also:
Keycloak Google identity provider error: "Identity token does not contain hosted domain parameter"