attempting to troubleshoot OIDC redirect failed (500 error)

ikiris

I have Proxmox 7 set up to OIDC back to a working Keycloak setup, and the only output I get on what should be a fairly simple config is the below, along with the client getting a popup which simply states "OpenID redirect failed. Request failed (500)":

Nothing shows up in either log location, which is quite unfortunate as I can't even tell if the Proxmox instance is even doing a callout properly.

The only reply the client gets is below: {"data":null,"status":500,"success":0,"message":"Request failed\n"} which is wholly unhelpful.

Where can I look for actual information as to what is happening here (and for the future, can y'all make these error outputs more useful)?
 
Could you please post the config, as well as the part of the journal/syslog in that timeframe?
 
Code:
pveum realm add <mydomain> --type openid --issuer-url https://keycloak.<mydomain>.local:8443/auth/realms/<mydomain> --client-id proxmox --username-claim username

Code:
domains.cfg:
pam: pam
        comment Linux PAM standard authentication


pve: pve
        comment Proxmox VE authentication server


openid: <snip>
        client-id proxmox
        issuer-url https://keycloak.<snip>.local:8443/auth/realms/<snip>
        autocreate 1
        client-key <snip>
        default 1
        username-claim username

I set the client secret via the UI.


Here are any log entries from when attempting authentication (as explained in first post):

pveproxy/access.log:

::ffff:192.168.10.187 - - [16/07/2021:12:27:14 -0500] "POST /api2/extjs/access/openid/auth-url HTTP/1.1" 200 67
 
@Yarbles Had the same error, and it turned out my IdP (Authentik) was set up using certificates signed by my own CA, which of course was not trusted. I had no logs showing me this could be the issue, but I just guessed. I added the CA to Proxmox and it worked right away.

To add a CA, you need to add your root (in PEM format, with .crt extension) to /usr/share/ca-certificates, then run "dpkg-reconfigure ca-certificates".
 
I had the same error. I was using Keycloak with certificates from ZeroSSL that I generated using acme.sh. The issue is that Proxmox doesn't have the CA yet. So I had to copy the ZeroSSL CA to /usr/share/ca-certificates and run the dpkg-reconfigure ca-certificates.
Afterwards my Proxmox-Keycloak integration using official certificates worked fine.
It did work when I was running Keycloak in dev mode (start-dev).
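
A way to test for the cause the replies above identify, as an added example that is not part of any post in this thread: run on the Proxmox host, the script requests the issuer's OIDC discovery document with curl against the system trust store and maps curl's exit code to a diagnosis. The function names, the script name and the optional candidate-CA argument are illustrative, and it assumes curl's default trust store is the one Proxmox consults.

```shell
#!/bin/sh
# Added example: does this host's trust store accept the IdP's TLS certificate?

# Build the OIDC discovery URL from an issuer URL (tolerates a trailing slash).
discovery_url() {
    printf '%s/.well-known/openid-configuration\n' "${1%/}"
}

# Map the curl exit codes relevant here to a short diagnosis.
explain_curl_rc() {
    case "$1" in
        0)  echo "ok" ;;
        6)  echo "dns-failure" ;;
        7)  echo "connect-failure" ;;
        22) echo "http-error" ;;
        28) echo "timeout" ;;
        35) echo "tls-handshake-failure" ;;
        60) echo "untrusted-ca" ;;
        *)  echo "other-curl-error-$1" ;;
    esac
}

# Fetch the discovery document using the system trust store. If the CA is
# untrusted and a candidate CA file is given, retry with that file to confirm
# it is the right root before installing it system-wide.
check_issuer() {
    issuer=$1
    ca_file=${2:-}
    url=$(discovery_url "$issuer")
    rc=0
    curl --silent --show-error --fail --max-time 10 --output /dev/null "$url" || rc=$?
    result=$(explain_curl_rc "$rc")
    echo "system trust store: $result ($url)"
    if [ "$result" = "untrusted-ca" ] && [ -n "$ca_file" ]; then
        rc=0
        curl --silent --show-error --fail --max-time 10 --output /dev/null \
             --cacert "$ca_file" "$url" || rc=$?
        echo "with $ca_file: $(explain_curl_rc "$rc")"
    fi
    [ "$result" = "ok" ]
}

# Usage (script name is illustrative): sh check-oidc-tls.sh <issuer-url> [candidate-ca.pem]
if [ "$#" -gt 0 ]; then
    check_issuer "$@"
fi
```

A result of "untrusted-ca" from the first request and "ok" from the retry means the candidate file is the missing root, matching the fix described in the replies.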