I'm trying to hit Keycloak, installed in a Docker container behind an nginx server that passes requests to it with proxy_pass.
The query is http://example.compute.amazonaws.com/auth/realms/master/protocol/openid-connect/auth?client_id=security-admin-console&redirect_uri=http%3A%2F%2Fec2-<ip>.eu-west-2.compute.amazonaws.com%2Fauth%2Fadmin%2Fmaster%2Fconsole%2F&state=a4b04d6b-b490-41ef-8974-f99cf210129d&response_mode=fragment&response_type=code&scope=openid&nonce=9f67c39b-2312-48cd-980f-ca08f265504d
However, when I want to go through to the admin console, I get a screen with "Missing parameters: client_id".
Anyone have any ideas? Logging locations etc., any assistance would be incredible.
Update:
What is logged on that request is only:
10:57:26,916 WARN [org.keycloak.events] (default task-1) type=LOGIN_ERROR, realmId=master, clientId=null, userId=null, ipAddress=<anotherip>, error=invalid_request
The fault was with the NGINX config, which was stripping the URL params off.
The solution was to add $is_args$args to the proxy_pass URL.
Related
I am new to Keycloak setup, hence I need your help. Please let me know if you need more information.
My web app returns invalid login when valid credentials are entered. Looking further into my Keycloak pod logs, I can see the below error...
The keycloak version: 10.0.2
[org.keycloak.events] (default task-211) type=LOGOUT_ERROR, realmId=qa-vanguard, clientId=qa-client, userId=null, ipAddress=x.x.x.x, error=invalid_token, client_auth_method=client-secret
Any pointers on how to further debug the problem?
-Raman
I'm trying to integrate Keycloak with Grafana dashboards, but when I try to log in to Grafana via Keycloak I'm receiving an invalid redirect URL.
(screenshot: Keycloak Grafana settings)
I've added the below config to grafana.ini:
[auth.generic_oauth]
enabled = true
scopes = openid email profile
name = Keycloak
tls_skip_verify_insecure = true
allow_sign_up = true
client_id = grafana
client_secret = ba342011-3705-483c-8e04-7f95be561cd5
auth_url = http://192.168.101.223:8080/auth/realms/grafana/protocol/openid-connect/auth
token_url = http://192.168.101.223:8080/auth/realms/grafana/protocol/openid-connect/token
api_url = http://192.168.101.223:8080/auth/realms/grafana/protocol/openid-connect/userinfo
(screenshot: url_redirect invalid)
Every time I try to log in, it redirects to localhost:3000, but I didn't set this up in Keycloak.
I found many cases on Google but no luck on my side.
2021-11-02 12:43:06,838 WARN [org.keycloak.events] (default task-6) type=LOGIN_ERROR, realmId=grafana, clientId=grafana, userId=null, ipAddress=172.18.212.8, error=invalid_redirect_uri, redirect_uri=http://localhost:3000/login/generic_oauth
I want to mention that Grafana and Keycloak are installed on the same server.
You have missed the doc https://grafana.com/docs/grafana/latest/auth/generic-oauth/:
You may have to set the root_url option of [server] for the callback URL to be correct. For example in case you are serving Grafana behind a proxy.
You didn't set the root URL, so an incorrect redirect URL is generated (http://localhost:3000/login/generic_oauth) instead of the domain/IP:port you used in the browser. Fix that and it should be fine.
I have two Keycloak instances; A is an IdP for B. From the login screen of B, this works as it should.
However, I can't get IdP Initiated SSO from A to B to work. I filled the "IDP Initiated SSO URL Name" field with a name (say "bbbbb") in A.
When I try to navigate to: http://aaaaa/auth/realms/his/protocol/saml/clients/bbbbb
I always end up with the following log output:
22:42:02,993 DEBUG [org.keycloak.services] (default task-23) Authorization code is not valid. Code: null
22:42:02,994 WARN [org.keycloak.events] (default task-23) type=IDENTITY_PROVIDER_LOGIN_ERROR, realmId=master, clientId=null, userId=null, ipAddress=127.0.0.1, error=staleCodeMessage
22:42:02,994 ERROR [org.keycloak.services] (default task-23) staleCodeMessage
Which in itself is not surprising, because indeed there is no authorization code in play here, but that's the whole idea of IdP Initiated SSO, no?
What must I do to get this to work?
Thanks in advance!
I faced the same issue; this happens if you use the same realm name in both Keycloak instances.
I am trying to test the "forgot password" link in Keycloak. I get the email, but when I click on the link in the email, I see an error on the UI: Invalid Request.
In the server log, I see this:
13:51:03,602 WARN [org.keycloak.events] (default task-36) type=EXECUTE_ACTION_TOKEN_ERROR, realmId=fidesque, clientId=null, userId=null, ipAddress=127.0.0.1, error=invalid_code, reason='Failed to parse JWT'
Any clue what I may be missing?
regards,
Venky
The error is gone after updating to the latest version of Keycloak, i.e. 4.7.0.
I am facing the following issue after changing the Access Type to confidential for the server-side client. It was working fine with the public type.
Here is my adapter setting:
<subsystem xmlns="urn:jboss:domain:keycloak:1.1">
    <secure-deployment name="appWEB.war">
        <realm>demo</realm>
        <resource>app</resource>
        <public-client>true</public-client>
        <auth-server-url>http://localhost:8180/auth</auth-server-url>
        <ssl-required>EXTERNAL</ssl-required>
        <principal-attribute>preferred_username</principal-attribute>
        <use-resource-role-mappings>true</use-resource-role-mappings>
        <credential name="secret">b35f1121-93a4-4483-a70a-0048b95fd250</credential>
    </secure-deployment>
</subsystem>
Here is the error found in the log during login:
[Server:node-00] 17:29:06,924 ERROR [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-6) failed to turn code into token
[Server:-node-00] 17:29:06,924 ERROR [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-6) status from server: 400
[Server:node-00] 17:29:06,924 ERROR [org.keycloak.adapters.OAuthRequestAuthenticator] {"error":"unauthorized_client","error_description":"Client secret not provided in request"}
Any thoughts?
Error:
Client secret not provided in request
I guess you didn't configure the client secret in your app, which is required for confidential clients.
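Every thread on this page hinges on reading a [org.keycloak.events] line correctly. The helper below is an added example, not code from any of the posts or from Keycloak: it re-joins event entries that a forum or mail client wrapped across lines, parses their key=value fields (including the quoted reason='...' form), and maps the error codes to the causes the answers above report; the sample log and the cause table are constructed from these threads only.

```python
import re

# Constructed sample: entries copied from the threads above; the last one is wrapped across lines as posted.
SAMPLE_LOG = """\
10:57:26,916 WARN [org.keycloak.events] (default task-1) type=LOGIN_ERROR, realmId=master, clientId=null, userId=null, ipAddress=<anotherip>, error=invalid_request
2021-11-02 12:43:06,838 WARN [org.keycloak.events] (default task-6) type=LOGIN_ERROR, realmId=grafana, clientId=grafana, userId=null, ipAddress=172.18.212.8, error=invalid_redirect_uri, redirect_uri=http://localhost:3000/login/generic_oauth
13:51:03,602 WARN [org.keycloak.events] (default task-36)
type=EXECUTE_ACTION_TOKEN_ERROR, realmId=fidesque, clientId=null,
userId=null, ipAddress=127.0.0.1, error=invalid_code, reason='Failed
to parse JWT'
"""

EVENT_MARK = "[org.keycloak.events]"
# key=value fields: a value is single-quoted (may contain spaces) or runs up to the next comma.
PAIR = re.compile(r"(\w+)=('[^']*'|[^,\s]*)")
ENTRY_START = re.compile(r"\b(WARN|ERROR|DEBUG|INFO)\s+\[")  # log level, then the logger in brackets

def join_wrapped(text):
    """Re-join entries that a mail client or forum wrapped onto several lines."""
    entries = []
    for line in filter(None, (ln.strip() for ln in text.splitlines())):
        if ENTRY_START.search(line) or not entries:
            entries.append(line)
        else:
            entries[-1] += " " + line
    return entries

def parse_event(entry):
    """Fields of one org.keycloak.events entry as a dict; None for other loggers."""
    _, mark, body = entry.partition(EVENT_MARK)
    if not mark:
        return None
    fields = {k: v.strip("'") for k, v in PAIR.findall(body)}
    return fields if "type" in fields else None

def triage(ev):
    """Likely cause, using only the fixes reported in the threads above."""
    err, etype = ev.get("error"), ev.get("type")
    if etype == "LOGIN_ERROR" and err == "invalid_request" and ev.get("clientId") == "null":
        return "query string dropped by the reverse proxy (nginx: add $is_args$args to proxy_pass)"
    if err == "invalid_redirect_uri":
        return f"redirect_uri {ev.get('redirect_uri')} not registered for client {ev.get('clientId')}: app built its callback from the wrong base URL (Grafana: set root_url)"
    if etype == "IDENTITY_PROVIDER_LOGIN_ERROR" and err == "staleCodeMessage":
        return "IdP-initiated SSO between two Keycloak instances that use the same realm name"
    if etype == "EXECUTE_ACTION_TOKEN_ERROR" and "parse JWT" in ev.get("reason", ""):
        return "action-token link unparseable; reported fixed by upgrading Keycloak"
    return "no fix reported in these threads; read server.log around the timestamp"

def triage_log(text):
    return [triage(ev) for ev in map(parse_event, join_wrapped(text)) if ev]
```

Run triage_log(SAMPLE_LOG) to get one verdict per event entry; lines from other loggers (for example the adapter's OAuthRequestAuthenticator errors) are skipped.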