Keycloak url not getting concatenated correctly

Created on 15 March 2023, almost 2 years ago
Updated 29 March 2023, over 1 year ago

Problem/Motivation

When trying the Keycloak OpenID auth I get the following Apache error. Looking at the error, it is clearly an improperly configured Keycloak URL.

[Wed Mar 15 19:24:47.775192 2023] [proxy_fcgi:error] [pid 160737:tid 140271568262720] [client 10.220.127.13:54510] AH01071: Got error 'PHP message: Uncaught PHP Exception InvalidArgumentException: "The URI '/realms//protocol/openid-connect/auth' is invalid. You must use a valid URI scheme." at /var/www/d10/web/core/lib/Drupal/Core/Url.php line 293', referer: https://www.domain.org/user/login

I set the

  • Client ID = my client name set in keycloak
  • Client secret
  • Allowed domains = domain.org \n www.domain.org
  • Keycloak base URL = https://keycloak.xxprivxxx.org (I am not using the path based approach so not using /auth)
  • Keycloak realm = my realm name set in keycloak

Is there a setting somewhere that is causing the incorrectly assembled url as thrown in the error message?

πŸ› Bug report
Status

Fixed

Version

2.2

Component

User interface

Created by

🇺🇸 United States HeneryH


Comments & Activities

  • Issue created by @HeneryH
  • Assigned to BramDriesen
  • 🇧🇪 Belgium BramDriesen

    Looking at this as we speak. It was also reported here.

  • 🇧🇪 Belgium BramDriesen
  • @bramdriesen opened merge request.
  • Status changed to Needs work almost 2 years ago
  • 🇧🇪 Belgium BramDriesen

    If you keep the two (super complex) logout functions disabled, you should be fine for now.

    I did break a bit of functionality in the KeycloakService in the process. I totally don't understand how the config loading can actually work in the way it is currently set up. It will require quite a bit of digging to see how to properly fix this. The module also totally doesn't take into account that you can have multiple Keycloak instances configured. (I think this is a thing since OpenID Connect 2.x)

  • 🇧🇪 Belgium BramDriesen

    So to put it more into perspective. The real issue is that the current keycloak implementation is trying to read all client settings from "openid_connect.settings.keycloak" which should not even exist since there are no specific openid_connect settings defined by the keycloak module. All settings like the base URL for example live in "openid_connect.client.CLIENT_MACHINE_NAME". But there are a lot of config reads in the Keycloak service on that first settings one. To replace the logic to fetch this from the correct client based on the logged in user will be quite a challenge, because there are a LOT of config reads...

    Will keep digging.
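As an added illustration (not the module's code), the following hypothetical endpoint builder reads from the per-client config object named above rather than `openid_connect.settings.keycloak`, and refuses to assemble a URL when the base URL or realm is missing, so a misconfiguration surfaces as a clear error instead of the malformed `/realms//protocol/openid-connect/auth` URI from the Apache log. The class name and the settings keys `keycloak_base` and `keycloak_realm` are assumptions.

```php
<?php
// Hypothetical helper for illustration; not the openid_connect_keycloak module's code.
// Assumed: client settings live in openid_connect.client.<machine_name> under 'settings',
// with the form fields stored as 'keycloak_base' and 'keycloak_realm'.

use Drupal\Core\Config\ConfigFactoryInterface;

final class KeycloakEndpoints {

  public function __construct(private readonly ConfigFactoryInterface $configFactory) {}

  /**
   * Builds the OpenID Connect endpoints for one configured Keycloak client.
   *
   * @throws \RuntimeException when the base URL or realm is missing or malformed.
   */
  public function getEndpoints(string $clientMachineName): array {
    // Read the per-client settings, not a module-wide settings object.
    $settings = $this->configFactory
      ->get('openid_connect.client.' . $clientMachineName)
      ->get('settings') ?? [];

    $base = rtrim(trim((string) ($settings['keycloak_base'] ?? '')), '/');
    $realm = trim((string) ($settings['keycloak_realm'] ?? ''), "/ \t");

    // Fail early with an actionable message instead of letting Url::fromUri()
    // reject a relative '/realms//protocol/...' string deep in the login flow.
    $parts = $base === '' ? [] : (parse_url($base) ?: []);
    if (empty($parts['scheme']) || empty($parts['host'])
        || !in_array($parts['scheme'], ['https', 'http'], TRUE)) {
      throw new \RuntimeException(sprintf(
        'Keycloak base URL for client "%s" must be an absolute http(s) URL.', $clientMachineName));
    }
    // A realm containing reserved characters would change the path structure.
    if ($realm === '' || rawurlencode($realm) !== $realm) {
      throw new \RuntimeException(sprintf(
        'Keycloak realm for client "%s" is empty or contains reserved characters.', $clientMachineName));
    }

    $realmBase = $base . '/realms/' . $realm . '/protocol/openid-connect';
    return [
      'authorization' => $realmBase . '/auth',
      'token' => $realmBase . '/token',
      'userinfo' => $realmBase . '/userinfo',
      'end_session' => $realmBase . '/logout',
    ];
  }

}
```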

  • 🇺🇸 United States HeneryH

    Thank you @bramdriesen.

    I have a drupal site coexisting with a Nextcloud instance for document collaboration. Trying to reduce complexity for my users who need to log into both instances.

    I have a limited subset of users and not a mission-critical operational model so I am good with experimenting or using some hacks.

    Appreciate your efforts!

  • 🇧🇪 Belgium BramDriesen

    No problem :-) guess I'll continue again on it this evening!

    Also thanks for your testing effort!

  • 🇺🇸 United States HeneryH
  • First commit to issue fork.
  • Status changed to RTBC over 1 year ago
  • 🇧🇪 Belgium BramDriesen

    Just tested, and the basics work! Logging in and logging out ;-)

    Will merge this so we can tag a working release with at least the most important part working! Will create follow up tickets for all the other things that we might spot.

  • Status changed to Fixed over 1 year ago
  • Issue was unassigned.
  • 🇧🇪 Belgium BramDriesen
  • Automatically closed - issue fixed for 2 weeks with no activity.

  • What happened with this issue? It completely breaks the keycloak module. The getEndpoints method was removed from KeycloakService, but the getCheckSessionIframeUrl and getKeycloakSignOutEndpoint methods are still using it. The whole module doesn't work for me.
