attempting to troubleshoot OIDC redirect failed (500 error)

[ikiris]

I have proxmox 7 set up to oidc back to a working keycloak setup, and the only output i get on what should be a fairly simple config is the below along with the client getting a popup which simply state "OpenID redirect failed. Request failed (500)":

nothing shows up in either log location which is quite unfortunate as I can't even tell if the proxmox instance is even doing a callout properly.

the only reply the client gets is below: {"data":null,"status":500,"success":0,"message":"Request failed\n"} which is wholly unhelpful.

Where can I look for actual information as to what is happening here (and for the future, can y'all make these error outputs more useful)?

 

[ikiris]

Whelp, this isn't encouraging for using this product.

 

[dcsapak]

could you please post the config, as well as the part of the journal/syslog in that timeframe?

 

[ikiris]

pveum realm add <mydomain> --type openid --issuer-url https://keycloak.<mydomain>.local:8443/auth/realms/<mydomain> --client-id proxmox --username-claim username

domains.cfg:
pam: pam
        comment Linux PAM standard authentication


pve: pve
        comment Proxmox VE authentication server


openid: <snip>
        client-id proxmox
        issuer-url https://keycloak.<snip>.local:8443/auth/realms/<snip>
        autocreate 1
        client-key <snip>
        default 1
        username-claim username

I set the client secret via the ui.


here are any log entries from when attempting authentication (as explained in first post):

pveproxy/access.log:

::ffff:192.168.10.187 - - [16/07/2021:12:27:14 -0500] "POST /api2/extjs/access/openid/auth-url HTTP/1.1" 200 67

 

[ikiris]

Figured it out after instrumenting the code properly.

 

[Yarbles]

care to share your solution so others can benefit?

 

[Gabisonfire]

@Yarbles Had the same error and turned out my IDP (Authentik) was setup using certificates signed by my own CA which of course was not trusted. I had no logs showing me this could be the issue but I just guessed. I added the CA to proxmox and it worked right away.

To add a CA, you need to add your root (in PEM format, with .crt extension) to /usr/share/ca-certificates, then run "dpkg-reconfigure ca-certificates"

 

[em3034]

I had the same error. I was using keycloak with certificates from zerossl, that I generated using acme.sh. The issue is that Proxmox doesn't have the CA yet. So I had to copy the zerossl CA to /usr/share/ca-certificates and run the dpkg-reconfigure ca-certificates.
Afterwards my proxmox-keycloak integration using official certificates worked fine.
It did work when I was running keycloak in dev mode (start-dev).