Keycloak error when log in

Some days ago I tried to set up Keycloak to test the OpenID integration, and after solving a config mistake it was working fine (here is the topic I created about the problem I had).

This morning I turned on my laptop and the integration was no longer working. It gives me an error, shown in the attached screenshot.

From yesterday to this morning there were only two changes: updating the server API to v4.5.0 and changing Keycloak’s admin password. The healthcheck passes without any errors, and no related errors were found in the Passbolt or Keycloak logs.

Also, I checked that all configurations were correct in the Passbolt form (I also tried to update the client secret, just in case changing the admin password changed something related), but when I click the login button to test the configuration it gives me a “Not found” error (see the attached screenshot).

What could be happening? The configuration is the same as in the last topic.

This is Keycloak docker log since the last restart and the last attempt to save the form or log in to the extension:

2024-02-09 16:38:40,986 INFO  [io.quarkus] (Shutdown thread) Keycloak stopped in 0.024s
2024-02-09 16:38:42,726 INFO  [org.keycloak.common.Profile] (main) Preview features enabled: admin-fine-grained-authz
2024-02-09 16:38:43,023 INFO  [org.keycloak.quarkus.runtime.hostname.DefaultHostnameProvider] (main) Hostname settings: Base URL: <unset>, Hostname: <request>, Strict HTTPS: false, Path: <request>, Strict BackChannel: false, Admin URL: <unset>, Admin: <request>, Port: -1, Proxied: false
2024-02-09 16:38:44,256 WARN  [io.quarkus.agroal.runtime.DataSources] (main) Datasource <default> enables XA but transaction recovery is not enabled. Please enable transaction recovery by setting quarkus.transaction-manager.enable-recovery=true, otherwise data may be lost if the application is terminated abruptly
2024-02-09 16:38:44,579 WARN  [org.infinispan.PERSISTENCE] (keycloak-cache-init) ISPN000554: jboss-marshalling is deprecated and planned for removal
2024-02-09 16:38:44,636 WARN  [org.infinispan.CONFIG] (keycloak-cache-init) ISPN000569: Unable to persist Infinispan internal caches as no global state enabled
2024-02-09 16:38:44,697 INFO  [org.infinispan.CONTAINER] (keycloak-cache-init) ISPN000556: Starting user marshaller 'org.infinispan.jboss.marshalling.core.JBossUserMarshaller'
2024-02-09 16:38:45,529 INFO  [org.keycloak.connections.infinispan.DefaultInfinispanConnectionProviderFactory] (main) Node name: node_795047, Site name: null
2024-02-09 16:38:45,532 INFO  [org.keycloak.broker.provider.AbstractIdentityProviderMapper] (main) Registering class org.keycloak.broker.provider.mappersync.ConfigSyncEventListener
2024-02-09 16:38:46,242 INFO  [io.quarkus] (main) Keycloak 23.0.6 on JVM (powered by Quarkus 3.2.10.Final) started in 4.016s. Listening on: http://0.0.0.0:8080 and https://0.0.0.0:8443
2024-02-09 16:38:46,242 INFO  [io.quarkus] (main) Profile dev activated. 
2024-02-09 16:38:46,243 INFO  [io.quarkus] (main) Installed features: [agroal, cdi, hibernate-orm, jdbc-h2, jdbc-mariadb, jdbc-mssql, jdbc-mysql, jdbc-oracle, jdbc-postgresql, keycloak, logging-gelf, micrometer, narayana-jta, reactive-routes, resteasy-reactive, resteasy-reactive-jackson, smallrye-context-propagation, smallrye-health, vertx]
2024-02-09 16:38:46,291 WARN  [org.keycloak.quarkus.runtime.KeycloakMain] (main) Running the server in development mode. DO NOT use this configuration in production.

I tried to add ‘debug’ => true to my Passbolt config file in my self-hosted installation to get more information in the logs, but if I add it the server does not respond.

Hey @Termindiego25 👋

The Keycloak logs don’t show much, unfortunately. Normally, IIRC, the logs should show the request made to Keycloak.

Do you know if you can ping Keycloak from your Passbolt instance? I’m thinking that the API cannot reach your Keycloak server (maybe an IP address changed or something similar).

Yes, I can ping the address from the server where Passbolt is installed and it responds with the correct IP.
Also, I can access the URLs provided on the form and open the Keycloak admin panel to configure it and so on.
I thought the same about the IP and tried to reboot all the machines, but it didn’t work.

Thinking about it a second time, the “not found” happens when the server sends a response back. So, yes, they can communicate.

However, the “not found” usually comes when hitting /.well-known/openid-configuration.

Just to eliminate some possibilities: are you able to reach your Keycloak server on the openid-configuration path?

The URL should be the Keycloak URL you’ve set in your SSO configuration (with the realm) followed by the openid-configuration path you’ve configured.

So it looks like something like https://keycloak.passbolt.local:8443/realms/Passbolt/.well-known/openid-configuration
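The reachability check described above, as an added example that is not part of the thread or of Passbolt/Keycloak code: it composes the discovery URL from the Keycloak URL, realm and configured path (reusing the hostname and realm from the example URL above), and validates a fetched discovery document against what the Passbolt side expects. The sample document is constructed.

```python
# Added example (not from the thread, not Passbolt/Keycloak code): build the
# discovery URL the way the SSO form composes it and validate the document.
import json
import urllib.request
from urllib.parse import urlsplit

REQUIRED_ENDPOINTS = ("authorization_endpoint", "token_endpoint", "jwks_uri")


def discovery_url(keycloak_url, realm, path=".well-known/openid-configuration"):
    """Join Keycloak URL, realm and configured path with exactly one slash each.
    A doubled or missing slash, or a realm in the wrong case (Keycloak treats
    'passbolt' and 'Passbolt' as different realms), yields a 404 like the one
    discussed in this thread."""
    return f"{keycloak_url.rstrip('/')}/realms/{realm}/{path.lstrip('/')}"


def check_discovery(doc, keycloak_url, realm):
    """Return a list of problems; an empty list means the document is usable."""
    problems = []
    expected_issuer = f"{keycloak_url.rstrip('/')}/realms/{realm}"
    if doc.get("issuer") != expected_issuer:
        problems.append(f"issuer {doc.get('issuer')!r} != {expected_issuer!r}")
    host = urlsplit(expected_issuer).netloc
    for key in REQUIRED_ENDPOINTS:
        value = doc.get(key)
        if not value:
            problems.append(f"missing {key}")
        elif urlsplit(value).netloc != host:
            # With 'Hostname: <request>' Keycloak echoes whatever host it was
            # reached on; a mismatch sends Passbolt to a host it cannot reach.
            problems.append(f"{key} is on {urlsplit(value).netloc}, not {host}")
    return problems


def fetch_discovery(url, timeout=5.0):
    """Fetch the live document; run it from the Passbolt host, not a laptop."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return json.load(resp)


# Constructed sample, shaped like Keycloak's answer for the realm in the thread.
BASE = "https://keycloak.passbolt.local:8443/realms/Passbolt"
SAMPLE_DOC = {
    "issuer": BASE,
    "authorization_endpoint": BASE + "/protocol/openid-connect/auth",
    "token_endpoint": BASE + "/protocol/openid-connect/token",
    "jwks_uri": BASE + "/protocol/openid-connect/certs",
}
```

Run `check_discovery(fetch_discovery(discovery_url(kc, realm)), kc, realm)` on the Passbolt host with the values from the SSO form; an empty list means the discovery step is not what is failing.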

Matching the link of the realm and the openid-configuration path provided on the form, I can reach the website and it shows the content as expected.
I also tried from my mobile without Wi-Fi, just in case my browser was caching the content, and I can reach it too.

Everything seems okay so far. What do you have in your Passbolt error logs and access logs?

And if you try to sign in via SSO, your keycloak logs show nothing being added at all?

The command docker logs keycloak_server shows the same as posted above, without changes.
passbolt_access and passbolt_error from the Apache server don’t show anything whenever I try to log in via SSO. There are some entries from yesterday, but they are not related to Keycloak or to the attempts to connect.
Also, passbolt.log from the cron job shows some errors too, but they are not related to Keycloak.

I added a line with the current date to the logs to separate what was already in the file from what happened today after rebooting the server and trying to log in with SSO or change the config form. These are the contents of the files from that line on:

  • keycloak logs
Sat 10 Feb 2024 09:27:45 AM CET
2024-02-10 08:28:00,671 INFO  [io.quarkus] (Shutdown thread) Keycloak stopped in 0.038s
2024-02-10 08:28:50,851 INFO  [org.keycloak.common.Profile] (main) Preview features enabled: admin-fine-grained-authz
2024-02-10 08:28:51,235 INFO  [org.keycloak.quarkus.runtime.hostname.DefaultHostnameProvider] (main) Hostname settings: Base URL: <unset>, Hostname: <request>, Strict HTTPS: false, Path: <request>, Strict BackChannel: false, Admin URL: <unset>, Admin: <request>, Port: -1, Proxied: false
2024-02-10 08:28:52,701 WARN  [io.quarkus.agroal.runtime.DataSources] (main) Datasource <default> enables XA but transaction recovery is not enabled. Please enable transaction recovery by setting quarkus.transaction-manager.enable-recovery=true, otherwise data may be lost if the application is terminated abruptly
2024-02-10 08:28:53,061 WARN  [org.infinispan.PERSISTENCE] (keycloak-cache-init) ISPN000554: jboss-marshalling is deprecated and planned for removal
2024-02-10 08:28:53,107 WARN  [org.infinispan.CONFIG] (keycloak-cache-init) ISPN000569: Unable to persist Infinispan internal caches as no global state enabled
2024-02-10 08:28:53,169 INFO  [org.infinispan.CONTAINER] (keycloak-cache-init) ISPN000556: Starting user marshaller 'org.infinispan.jboss.marshalling.core.JBossUserMarshaller'
2024-02-10 08:28:54,050 INFO  [org.keycloak.connections.infinispan.DefaultInfinispanConnectionProviderFactory] (main) Node name: node_203816, Site name: null
2024-02-10 08:28:54,054 INFO  [org.keycloak.broker.provider.AbstractIdentityProviderMapper] (main) Registering class org.keycloak.broker.provider.mappersync.ConfigSyncEventListener
2024-02-10 08:28:54,742 INFO  [io.quarkus] (main) Keycloak 23.0.6 on JVM (powered by Quarkus 3.2.10.Final) started in 4.429s. Listening on: http://0.0.0.0:8080 and https://0.0.0.0:8443
2024-02-10 08:28:54,742 INFO  [io.quarkus] (main) Profile dev activated. 
2024-02-10 08:28:54,742 INFO  [io.quarkus] (main) Installed features: [agroal, cdi, hibernate-orm, jdbc-h2, jdbc-mariadb, jdbc-mssql, jdbc-mysql, jdbc-oracle, jdbc-postgresql, keycloak, logging-gelf, micrometer, narayana-jta, reactive-routes, resteasy-reactive, resteasy-reactive-jackson, smallrye-context-propagation, smallrye-health, vertx]
2024-02-10 08:28:54,788 WARN  [org.keycloak.quarkus.runtime.KeycloakMain] (main) Running the server in development mode. DO NOT use this configuration in production.
  • Passbolt error logs
Sat 10 Feb 2024 09:27:39 AM CET
  • Passbolt access logs
Sat 10 Feb 2024 09:27:42 AM CET
  • Passbolt cron job logs
Sat 10 Feb 2024 09:27:29 AM CET

Nothing is printed to the Passbolt logs, and Keycloak has the same content it prints on every boot. I can give you the URL in a private message if you want to check the content shown by Keycloak or test what is happening.

Yes, I sent you a DM so we can see what’s happening together in a call.

We found the problem.
I did not have the PASSBOLT_PLUGINS_SSO_PROVIDER_OAUTH2_ENABLED var set to true.

We don’t know if it changed to false in default.php in the new release or if I changed it in the past and it was overridden, but setting it again solved it.
I pasted the variable into passbolt.php to enable it and avoid it being overridden:

return [
    'App' => [
        ...
        'plugins' => [
            'sso' => [
                'providers' => [
                    'oauth2' => [
                        'enabled' => true
                    ],
                ],
            ],
        ],
    ],
];