OpenID-Connect configuration problem

patrik_fm

New Member
Jul 8, 2021
Hello,

we just installed Proxmox 7.0-9 and tried to connect it to our Keycloak authentication server.
But we have problems with sign-in. The redirect to the login screen works fine; we have set the correct redirect URI based on the first redirect URL to Keycloak.

After login, at the CODE_TO_TOKEN phase, we receive this error in the Proxmox syslog console:
Code:
Jul  8 15:29:09 proxmox01 pvedaemon[226983]: openid authentication failure; rhost=::ffff:[redacted] msg=Failed to verify ID token: Signature verification failed

Configuration looks like this:
Code:
root@proxmox01:/etc/pve# cat domains.cfg
pam: pam
        comment Linux PAM standard authentication

openid: [redacted]
        client-id proxmox01.[redacted]
        issuer-url http://id.[redacted]/auth/realms/[redacted]
        autocreate 1
        client-key [redacted]
        default 1
        username-claim username

pve: pve
        comment Proxmox VE authentication server

And the client configuration in Keycloak is like this:
Code:
Client ID: proxmox01.[redacted]
Name: empty
Description: empty
Enabled: ON
Always Display in Console: OFF
Consent Required: ON
Display Client On Consent Screen: OFF
Login Theme: empty
Client Protocol: openid-connect
Access Type: confidential
Standard Flow Enabled: ON
Implicit Flow Enabled: ON
Direct Access Grants Enabled: ON
Service Accounts Enabled: OFF
OAuth 2.0 Device Authorization Grant Enabled: OFF
Authorization Enabled: OFF
Root URL: empty
Valid Redirect URIs: https://proxmox01.[redacted]:8006
Base URL: empty
Admin URL: empty
Web Origins: empty
Backchannel Logout URL: empty
Backchannel Logout Session Required: OFF
Backchannel Logout Revoke Offline Sessions: OFF
Full Scope Allowed: ON

In mappers we have added a username token mapper:
Code:
Protocol: openid-connect
ID: [redacted]
Name: username
Mapper Type: User Property
Property: username
Token Claim Name: username
Claim JSON Type: String
Add to ID token: ON
Add to access token: ON
Add to userinfo: ON

Thanks in advance
Patrik
 
Hi,

Anything in the keycloak logs during this?

Also, just to be sure, the client.key under the KeyCloak Clients -> proxmox01.[redacted] -> Credentials tab matches and is set to "Client Id and Secret"?

As your configuration looks all OK to me at a glance, the biggest difference from my (working) KeyCloak client is that I'm using secure HTTPS only, and that I have "Implicit Flow" disabled - but the latter really should not matter at all.
 
Hi,

thanks for the reply. Today I went to test it and to find some debug logs from Keycloak, but some magic happened, because it started to work. I've made no changes in the configuration, but I think that the Keycloak instance was restarted during that time.

Thanks and best regards,
Patrik
 
Which versions of Proxmox and Keycloak will work perfectly?

I didn't encounter any KeyCloak version that does not work with any Proxmox VE version since OIDC support got added in PVE 7.0 (released in July 2021). Back then I used KeyCloak 13.0.1 and upgraded to 16.1.1 about a year ago - I might check out the 20.0 versions soonish, but tbh. I don't see why they should break; after all we only use the standardized OIDC protocol to interface with KC.

I use HTTP for Keycloak; is that a problem, or should it also work with HTTP?

In general, it should work over HTTP, but note that modern browsers don't like (automatic) redirections from TLS-secured HTTPS (like the PVE web interface is) to plain-text HTTP, so that might cause issues.

Besides that, I don't think that OIDC, or any authentication for that matter, makes sense over unencrypted HTTP. Even if OIDC uses shared secrets to encrypt the exchange, I'm not sure if that alone protects from all sorts of attacks like replay ones - I mean, it has been a bit since I checked OIDC out more closely, but adding TLS to HTTP nowadays is simply too easy not to do.

For example, I set up getting Let's Encrypt certs via a DNS challenge setup for my LAN only exposed KeyCloak instance - works great and gets renewed automatically.
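The "Failed to verify ID token: Signature verification failed" message from the first post and the later remark about plain HTTP both come down to what the relying party checks once the token arrives: the configured issuer-url has to match the discovery document's issuer and the token's iss claim, the aud claim has to contain the client-id, and the token's kid header has to select a key the issuer currently publishes in its JWKS (a token signed with a key that is no longer published cannot verify). The Python script below is an added example, not Proxmox's or Keycloak's code; the sample domains.cfg, discovery document, JWKS and tokens are all constructed with hypothetical names and URLs, and the script inspects metadata only (it does not perform the RSA signature check itself, so the JWKS entries carry no key material).

```python
import base64
import json
from urllib.parse import urlsplit

# Constructed sample of a PVE /etc/pve/domains.cfg with one OpenID realm.
# All names, URLs and the client-key value are hypothetical placeholders.
SAMPLE_DOMAINS_CFG = """\
pam: pam
        comment Linux PAM standard authentication

openid: keycloak
        client-id proxmox01.example.test
        issuer-url http://id.example.test/auth/realms/pve
        autocreate 1
        client-key client-secret-placeholder
        default 1
        username-claim username

pve: pve
        comment Proxmox VE authentication server
"""

# Constructed stand-ins for what the issuer would serve at
# <issuer-url>/.well-known/openid-configuration and at jwks_uri.
SAMPLE_DISCOVERY = {
    "issuer": "http://id.example.test/auth/realms/pve",
    "jwks_uri": "http://id.example.test/auth/realms/pve/protocol/openid-connect/certs",
}
SAMPLE_JWKS = {"keys": [{"kid": "kid-current", "kty": "RSA", "alg": "RS256", "use": "sig"}]}

# Constructed claims of an ID token issued to the sample client.
GOOD_CLAIMS = {"iss": "http://id.example.test/auth/realms/pve",
               "aud": "proxmox01.example.test", "sub": "1234", "username": "patrik"}


def parse_domains_cfg(text):
    """Parse domains.cfg into {realm_name: {"type": realm_type, option: value}}."""
    realms, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():          # "openid: keycloak" opens a realm section
            rtype, _, name = line.partition(":")
            current = {"type": rtype.strip()}
            realms[name.strip()] = current
        elif current is not None:          # indented "key value" option line
            key, _, value = line.strip().partition(" ")
            current[key] = value.strip()
    return realms


def b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode_json(obj):
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def build_token(header, claims):
    """Constructed JWT; the third segment is a placeholder, not a real signature."""
    return ".".join([b64url_encode_json(header), b64url_encode_json(claims), "sig-placeholder"])


def diagnose(realm, discovery, jwks, id_token):
    """Return human-readable findings for one realm + token; empty means nothing suspicious."""
    findings = []
    issuer_url = realm["issuer-url"]
    if urlsplit(issuer_url).scheme != "https":
        findings.append("issuer-url uses plain HTTP; browsers may refuse the HTTPS->HTTP redirect")
    if discovery.get("issuer") != issuer_url:
        findings.append("discovery issuer %r differs from issuer-url %r" % (discovery.get("issuer"), issuer_url))
    header_b64, claims_b64, _ = id_token.split(".")
    header = json.loads(b64url_decode(header_b64))
    claims = json.loads(b64url_decode(claims_b64))
    if claims.get("iss") != issuer_url:
        findings.append("token iss %r differs from issuer-url %r" % (claims.get("iss"), issuer_url))
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else aud
    if realm["client-id"] not in aud:
        findings.append("token aud %r does not contain client-id %r" % (aud, realm["client-id"]))
    kids = sorted(k["kid"] for k in jwks.get("keys", []) if k.get("kid"))
    if header.get("kid") not in kids:
        findings.append("token kid %r not published in JWKS %r; signature verification must fail" % (header.get("kid"), kids))
    if realm.get("username-claim", "sub") not in claims:
        findings.append("username-claim %r missing from token claims" % realm["username-claim"])
    return findings


def run_scenarios():
    """Run the checks once with a currently published kid and once with a stale one."""
    realm = parse_domains_cfg(SAMPLE_DOMAINS_CFG)["keycloak"]
    current = build_token({"alg": "RS256", "typ": "JWT", "kid": "kid-current"}, GOOD_CLAIMS)
    stale = build_token({"alg": "RS256", "typ": "JWT", "kid": "kid-rotated"}, GOOD_CLAIMS)
    return {"current_key": diagnose(realm, SAMPLE_DISCOVERY, SAMPLE_JWKS, current),
            "stale_key": diagnose(realm, SAMPLE_DISCOVERY, SAMPLE_JWKS, stale)}


if __name__ == "__main__":
    for name, findings in run_scenarios().items():
        print(name + ":", findings or ["no findings"])
```

Against a real deployment the constructed SAMPLE_DISCOVERY and SAMPLE_JWKS would be replaced by fetching `<issuer-url>/.well-known/openid-configuration` and the `jwks_uri` it names, and the token by one captured from the browser's callback; the "current_key" run then reports only the plain-HTTP finding, while the "stale_key" run additionally flags the kid that the issuer no longer publishes.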