401 Failed Login with OpenID and Keycloak


Active Member
Dec 4, 2018
I have the following realm in my cluster

openid: master
        client-id proxmox
        issuer-url https://example.com/realms/master
        autocreate 1
        client-key redacted
        default 0
        scopes email profile
        username-claim preferred_username

Linked to the main realm in Keycloak. I tried doing what another post said and set my ID token and Access token signature algorithms to RS256 from the default, but that doesn't seem to have worked.

Where is a log file that I could look at to begin to debug this login failure?
You looked here or what post did you refer to? Have you check the setting in keycloak with the correct redirect-back addresses? Normally this works (nowadays) out-of-the-box without any special settings. So don't change anything in keycloak after the install of a fresh copy.

Logfiles is a bit tricky ... depending on the source. Browser developer console, keycloak log and syslog in pve
I've tried setting even `*` as the allowed redirect.

Keycloak logs don't show anything wrong
2023-11-13 20:18:39,333 DEBUG [org.keycloak.events] (executor-thread-223) type=LOGIN, realmId=d01c67ab-8d15-4d1b-b9c9-92afe3c2d130, clientId=proxmox, userId=b8c4c2d5-f424-4bf8-9fc5-ed93983b12df, ipAddress=, auth_method=openid-connect, auth_type=code, response_type=code, redirect_uri=https://example-pve.com, consent=no_consent_required, code_id=d3a9048c-ff75-44f9-9091-46ce41e08a9c, response_mode=query, username=cclloyd, authSessionParentId=d3a9048c-ff75-44f9-9091-46ce41e08a9c, authSessionTabId=LaImPk6uVjo
2023-11-13 20:18:40,708 DEBUG [org.keycloak.events] (executor-thread-223) type=CODE_TO_TOKEN, realmId=d01c67ab-8d15-4d1b-b9c9-92afe3c2d130, clientId=proxmox, userId=b8c4c2d5-f424-4bf8-9fc5-ed93983b12df, ipAddress=, token_id=5cd318bb-4e78-4ab4-8754-b5ced43f0f86, grant_type=authorization_code, refresh_token_type=Refresh, scope='openid profile groups email', refresh_token_id=65fe11f7-2efa-4f4b-b795-e77fe7472a0c, code_id=d3a9048c-ff75-44f9-9091-46ce41e08a9c, client_auth_method=client-secret

It just always returns 401 authentication failure.


The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!