attempting to troubleshoot OIDC redirect failed (500 error)

I

ikiris

Member
Jul 11, 2021
5
2
8
40
I have proxmox 7 set up to oidc back to a working keycloak setup, and the only output i get on what should be a fairly simple config is the below along with the client getting a popup which simply state "OpenID redirect failed. Request failed (500)":

nothing shows up in either log location which is quite unfortunate as I can't even tell if the proxmox instance is even doing a callout properly.

the only reply the client gets is below: {"data":null,"status":500,"success":0,"message":"Request failed\n"} which is wholly unhelpful.

Where can I look for actual information as to what is happening here (and for the future, can y'all make these error outputs more useful)?
 
could you please post the config, as well as the part of the journal/syslog in that timeframe?
 
Code: 
pveum realm add <mydomain> --type openid --issuer-url https://keycloak.<mydomain>.local:8443/auth/realms/<mydomain> --client-id proxmox --username-claim username

Code: 
domains.cfg:
pam: pam
        comment Linux PAM standard authentication


pve: pve
        comment Proxmox VE authentication server


openid: <snip>
        client-id proxmox
        issuer-url https://keycloak.<snip>.local:8443/auth/realms/<snip>
        autocreate 1
        client-key <snip>
        default 1
        username-claim username

I set the client secret via the ui.


here are any log entries from when attempting authentication (as explained in first post):

pveproxy/access.log:

::ffff:192.168.10.187 - - [16/07/2021:12:27:14 -0500] "POST /api2/extjs/access/openid/auth-url HTTP/1.1" 200 67
 
Last edited:
@Yarbles Had the same error and turned out my IDP (Authentik) was setup using certificates signed by my own CA which of course was not trusted. I had no logs showing me this could be the issue but I just guessed. I added the CA to proxmox and it worked right away.

To add a CA, you need to add your root (in PEM format, with .crt extension) to /usr/share/ca-certificates, then run "dpkg-reconfigure ca-certificates"
 
  • Like
Reactions: Chiller and ramsnerm
You must log in or register to reply here.

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Quick Navigation

Home Get Subscription Wiki Downloads Proxmox Customer Portal About

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!
Community platform by XenForo® © 2010-2024 XenForo Ltd.
Top Bottom