401 Failed Login with OpenID and Keycloak

cclloyd

Dec 4, 2018
I have the following realm in my cluster

Code:
openid: master
        client-id proxmox
        issuer-url https://example.com/realms/master
        autocreate 1
        client-key redacted
        default 0
        scopes email profile
        username-claim preferred_username

Linked to the main realm in Keycloak. I tried doing what another post said and set my ID token and Access token signature algorithms to RS256 from the default, but that doesn't seem to have worked.

Where is a log file that I could look at to begin to debug this login failure?
 
Did you look here, or which post did you refer to? Have you checked the settings in Keycloak for the correct redirect-back addresses? Normally this works (nowadays) out of the box without any special settings, so don't change anything in Keycloak after installing a fresh copy.

Log files are a bit tricky ... depending on the source: browser developer console, Keycloak log and syslog in PVE.
 
I've tried setting even `*` as the allowed redirect.

Keycloak logs don't show anything wrong
Code:
2023-11-13 20:18:39,333 DEBUG [org.keycloak.events] (executor-thread-223) type=LOGIN, realmId=d01c67ab-8d15-4d1b-b9c9-92afe3c2d130, clientId=proxmox, userId=b8c4c2d5-f424-4bf8-9fc5-ed93983b12df, ipAddress=10.0.0.23, auth_method=openid-connect, auth_type=code, response_type=code, redirect_uri=https://example-pve.com, consent=no_consent_required, code_id=d3a9048c-ff75-44f9-9091-46ce41e08a9c, response_mode=query, username=cclloyd, authSessionParentId=d3a9048c-ff75-44f9-9091-46ce41e08a9c, authSessionTabId=LaImPk6uVjo
2023-11-13 20:18:40,708 DEBUG [org.keycloak.events] (executor-thread-223) type=CODE_TO_TOKEN, realmId=d01c67ab-8d15-4d1b-b9c9-92afe3c2d130, clientId=proxmox, userId=b8c4c2d5-f424-4bf8-9fc5-ed93983b12df, ipAddress=10.0.1.2, token_id=5cd318bb-4e78-4ab4-8754-b5ced43f0f86, grant_type=authorization_code, refresh_token_type=Refresh, scope='openid profile groups email', refresh_token_id=65fe11f7-2efa-4f4b-b795-e77fe7472a0c, code_id=d3a9048c-ff75-44f9-9091-46ce41e08a9c, client_auth_method=client-secret

It just always returns 401 authentication failure.
 
In my case it was the client scopes.
In Keycloak you can set everything but the default (email & profile) to optional.
After that you should be able to log in.
 
Digging in further, I see in the pvedaemon logs
Code:
Sep 04 20:41:04 pve1 pvedaemon[148254]: openid authentication failure; rhost=::ffff:10.0.1.39 msg=Failed to verify ID token: Invalid audiences: `proxmox` is not a trusted audience

I tried adding a mapper to the `profile` client scope to add the proxmox audience to the ID token, and also tried adding a new client scope `proxmox` to which I added an audience mapper the same way. Neither option worked.
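The pvedaemon message above comes from the relying party's ID token verification. As an added example (not code from Proxmox, Keycloak, or this thread), the block below implements the audience rules from OpenID Connect Core 1.0 section 3.1.3.7 (rules 3 to 5) next to the signature, iss and exp checks, so you can see what an `aud` claim must look like for a client-id of `proxmox`. It reuses the issuer-url and client-id from the realm config earlier in the thread; the HS256 secret, the sample claims and the fixed clock are constructed for the example. A real client verifies an RS256 signature against the issuer's JWKS rather than a shared secret.

```python
# Added example (not Proxmox's or Keycloak's code): the ID-token checks an
# OpenID Connect relying party runs, with the audience rules of OpenID Connect
# Core 1.0 section 3.1.3.7 spelled out. SECRET, NOW and SAMPLE_CLAIMS are
# constructed so the block runs offline; ISSUER and CLIENT_ID come from the
# realm config shown in the thread.
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

ISSUER = "https://example.com/realms/master"   # issuer-url from the realm config
CLIENT_ID = "proxmox"                           # client-id from the realm config
SECRET = b"example-only-hs256-secret"           # constructed; never ship a static secret
NOW = 1_700_000_000                             # fixed clock so the example is deterministic


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(claims: dict, secret: bytes) -> str:
    """Build an HS256-signed JWT; a test fixture standing in for the IdP."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url_encode(sig)}"


def verify_signature(token: str, secret: bytes) -> dict:
    """Pin the expected alg in the JOSE header, check the HMAC, return the claims."""
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("token is not a compact JWS") from None
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":          # refuse alg=none / key-confusion tokens
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(secret, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(body_b64))


def audience_error(claims: dict, client_id: str,
                   trusted: frozenset = frozenset()) -> Optional[str]:
    """Return None if the aud claim is acceptable, else the reason it is not.

    Rule 3: aud must contain client_id, and every other audience must be one the
    client explicitly trusts. Rules 4/5: with more than one audience the azp
    claim must be present and equal client_id.
    """
    aud = claims.get("aud")
    if aud is None:
        return "ID token has no aud claim"
    audiences = [aud] if isinstance(aud, str) else list(aud)
    if client_id not in audiences:
        return f"Invalid audiences: client_id `{client_id}` not present"
    for entry in audiences:
        if entry != client_id and entry not in trusted:
            return f"Invalid audiences: `{entry}` is not a trusted audience"
    if len(audiences) > 1 and claims.get("azp") != client_id:
        return "multiple audiences but azp is missing or is not the client_id"
    return None


def verify_id_token(token: str, secret: bytes, issuer: str, client_id: str,
                    trusted: frozenset = frozenset(), now: Optional[int] = None) -> dict:
    """Signature, iss, aud and exp checks; raises ValueError on any failure."""
    claims = verify_signature(token, secret)
    if claims.get("iss") != issuer:
        raise ValueError(f"iss mismatch: {claims.get('iss')!r}")
    err = audience_error(claims, client_id, trusted)
    if err is not None:
        raise ValueError("Failed to verify ID token: " + err)
    now = int(time.time()) if now is None else now
    exp = claims.get("exp")
    if not isinstance(exp, int) or exp <= now:
        raise ValueError("ID token is expired or has no exp")
    return claims


# Constructed sample claims, shaped like a Keycloak ID token for this client.
SAMPLE_CLAIMS = {
    "iss": ISSUER, "sub": "b8c4c2d5-f424-4bf8-9fc5-ed93983b12df",
    "aud": CLIENT_ID, "azp": CLIENT_ID,
    "iat": NOW, "exp": NOW + 300, "preferred_username": "cclloyd",
}

if __name__ == "__main__":
    token = make_token(SAMPLE_CLAIMS, SECRET)
    print(verify_id_token(token, SECRET, ISSUER, CLIENT_ID, now=NOW)["preferred_username"])
    # An extra audience in the list that the client has not been told to trust
    # is rejected with the same wording pvedaemon logs.
    print(audience_error({**SAMPLE_CLAIMS, "aud": [CLIENT_ID, "account"]}, CLIENT_ID))
```

The point of rule 3 is that `aud` is not a loose allow-list: the client-id must be present, and every additional entry has to be one the relying party was configured to trust, with `azp` naming the client whenever the list has more than one entry. Adding audiences on the Keycloak side therefore only helps if the relying party accepts them; paste the ID token into `verify_signature`-style decoding (any JWT decoder will do) and compare the actual `aud` and `azp` values against the realm's client-id before changing mappers.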
 
