5

I am trying Keycloak for the first time and using Keycloak as the provider with oauth2_proxy (https://github.com/oauth2-proxy/oauth2-proxy/blob/v5.1.1/providers/keycloak.go) to achieve user authentication via LDAP. I have followed all the steps inside Keycloak to create a realm, create a client, client id, client secret, etc. Also, the Keycloak API "/token" is passing. However, once I pass the username/password in the Keycloak login screen, I get the following error in oauth2_proxy:

[2020/05/30 10:15:37] [requests.go:25] 401 GET http://172.20.0.10:8080/auth/realms/master/protocol/openid-connect/userinfo {"error":"invalid_token","error_description":"Token verification failed"}

Also, I am passing the following parameters when bringing up the oauth2_proxy docker container:

command: -upstream=static://200 -http-address=0.0.0.0:8080 -https-address=0.0.0.0:8443
      -redirect-url="https://portal.acme.com/oauth2/callback"
      -scope='test-scope' -email-domain=* -cookie-domain=* -cookie-secure=false -cookie-secret=skjgfsgfsf23524
      -cookie-samesite="none" -provider=keycloak
      -client-id='abcd-client' -client-secret='c0281257-b600-40b2-beae-68d1f2d72f02'
      --tls-cert-file=/etc/acme.com.pem
      --tls-key-file=/etc/acme.com.key
      -login-url="http://localhost:7575/auth/realms/master/protocol/openid-connect/auth"
      -redeem-url="http://172.20.0.10:8080/auth/realms/master/protocol/openid-connect/token"
      -validate-url="http://172.20.0.10:8080/auth/realms/master/protocol/openid-connect/userinfo"

Can someone please help with what could be missing or going wrong? Any lead or hint will be really helpful.

mpromonet
Sumit Jindal

1 Answer

4

I found the solution to this problem. This was because the issuer in the JWT token was not matching with the URL I gave when bringing up this oauth2_proxy container. To fix this, what was needed is that the docker container needed to talk to the host network and port exposed by Keycloak. This needs 2 things:

  1. Use "host.docker.internal" as the host in all Keycloak APIs when bringing up oauth2_proxy so that the oauth2_proxy container communicates with Keycloak via the host network.
  2. Map "host.docker.internal" to 127.0.0.1 on the local machine/host so that the browser redirect is accessible.

After this little hack, the setup works. Thanks!
Sumit Jindal
  • This may be a longshot, but would you mind sharing your docker / docker-compose config either here or in a gist? I'm having similar issues. – YTZ Jan 07 '22 at 02:12
  • I'm interested in your setup too. Having similar problems – dickwan Feb 02 '22 at 17:18
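
A diagnostic for the issuer mismatch described in the answer, added here as an example (it is not code from the post or from oauth2_proxy): it decodes a token's `iss` claim without verifying it and compares it with the realm URL behind each endpoint flag from the question. The sample token is constructed, its `iss` value is an assumption, and the helper names are hypothetical.

```python
import base64
import json

OIDC_MARKER = "/protocol/openid-connect/"

def jwt_claims(token):
    """Decode a JWT payload WITHOUT verifying the signature (diagnostics only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected 3 dot-separated segments)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def realm_url(endpoint):
    """Strip the OIDC endpoint suffix, leaving the realm URL Keycloak uses as issuer."""
    base, marker, _ = endpoint.partition(OIDC_MARKER)
    if not marker:
        raise ValueError(f"not a Keycloak OIDC endpoint: {endpoint}")
    return base.rstrip("/")

def issuer_mismatches(token, endpoints):
    """Return {flag: realm URL} for each endpoint whose realm URL differs from iss."""
    iss = jwt_claims(token).get("iss", "").rstrip("/")
    return {flag: realm_url(url) for flag, url in endpoints.items()
            if realm_url(url) != iss}

def make_sample_token(claims):
    """Build a constructed sample token with a placeholder signature (demo input only)."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.constructed-signature"

# Endpoint flags exactly as given in the question.
QUESTION_ENDPOINTS = {
    "-login-url": "http://localhost:7575/auth/realms/master/protocol/openid-connect/auth",
    "-redeem-url": "http://172.20.0.10:8080/auth/realms/master/protocol/openid-connect/token",
    "-validate-url": "http://172.20.0.10:8080/auth/realms/master/protocol/openid-connect/userinfo",
}

# Constructed sample: iss is assumed to follow the browser-facing login URL.
SAMPLE_TOKEN = make_sample_token(
    {"iss": "http://localhost:7575/auth/realms/master", "sub": "constructed-user"})

if __name__ == "__main__":
    print("iss:", jwt_claims(SAMPLE_TOKEN)["iss"])
    for flag, url in issuer_mismatches(SAMPLE_TOKEN, QUESTION_ENDPOINTS).items():
        print(f"{flag} points at a different realm URL: {url}")
```

An empty result means every configured endpoint shares the token's issuer, which is the state the answer reaches by using one hostname for all Keycloak URLs.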