Keycloak latest with PVE 7.4-3

a.bavinov

Jul 2, 2022
Hello community, maybe someone can help me solve this issue.
I have a PVE server with a configured OpenID realm
Code:
~# cat /etc/pve/domains.cfg
pve: pve
        comment Proxmox VE authentication server

pam: pam
        comment Linux PAM standard authentication

openid: [redacted]
        client-id [redacted]
        issuer-url https://auth.[redacted]/auth/realms/[redacted]
        client-key [redacted]
        default 0
        username-claim username

And I configured a new realm and client on the Keycloak v21 side:
Code:
Client ID: [redacted]
Name: [redacted]
Description: empty
Enabled: ON
Always Display in Console: OFF
Consent Required: ON
Display Client On Consent Screen: OFF
Client Protocol: openid-connect
Access Type: confidential
Standard Flow Enabled: ON
Implicit Flow Enabled: ON
Direct Access Grants Enabled: ON
Service Accounts Enabled: OFF
OAuth 2.0 Device Authorization Grant Enabled: OFF
Authorization Enabled: OFF
Root URL: empty
Valid Redirect URIs: https://[redacted]
Base URL: empty
Admin URL: empty
Web Origins: empty
Backchannel Logout URL: empty
Backchannel Logout Session Required: OFF
Backchannel Logout Revoke Offline Sessions: OFF


I created a user on the Keycloak side in my realm. But when I tried to log in through this OpenID realm, I got this error:

OpenID redirect failed. Request failed (500)

By the way, when I tried to curl my openID url, I got this:
~# curl https://auth.[redacted]/auth/realms/[redacted]
{"error":"RESTEASY003210: Could not find resource for full path: https://auth.[redacted]/auth/realms/[redacted]"}

Any help would be very helpful, thank you in advance)
 
Have you created the users on the PVE side? I don't know if this is still necessary, but previously you also needed to set autocreate 1. Just for reference, two other threads on the forums about Keycloak are this and this.
 
I enabled auto-create users when creating a realm for openID on PVE side, so I think the problem was not in that.
 
Well, I have overcome this problem; maybe you can give me a last clue. How do I make an automatic group assignment on the PVE side for a user who logged in via Keycloak and was created on the PVE side?
 
Hello,

While inserting the Issuer URL (at the time of realm creation), you can just insert the port number on which your Keycloak is running. E.g.: http://ip-of-keycloak-machine:keycloak-port/realms/your-realm-name.

Remember, the /auth part is dropped in newer versions of Keycloak. Also, when configuring Keycloak, make sure your `Valid Redirect URL` does not have an ending slash; it sounds vague, but it was giving me errors. Correct `Valid Redirect URL` e.g.: https://your-proxmox-ip:8006 .

Regards Muhammed : )
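
A check for the issuer URL problem discussed in this thread, as an added example that is not part of any post and is not Proxmox or Keycloak code: it requests the OpenID Connect discovery document for the configured issuer-url and for the same URL with /auth removed or added, and reports which one the server actually answers for. The host auth.example.test, the realm demo and the SAMPLE responses are constructed so the demo runs offline.

```python
import json
import urllib.request
from urllib.parse import urlsplit, urlunsplit

WELL_KNOWN = "/.well-known/openid-configuration"

def candidates(issuer_url):
    """Configured issuer (no trailing slash), then the same URL with /auth removed or added."""
    parts = urlsplit(issuer_url.rstrip("/"))
    path = parts.path
    alt = path[len("/auth"):] if path.startswith("/auth/") else "/auth" + path
    return [urlunsplit(parts._replace(path=p)) for p in (path, alt)]

def http_fetch(url):
    """Fetch and parse a discovery document; None on any HTTP, network or JSON error."""
    try:
        with urllib.request.urlopen(url, timeout=5) as resp:
            return json.load(resp)
    except (OSError, ValueError):
        return None

def find_issuer(issuer_url, fetch=http_fetch):
    """Return (working_issuer, note); working_issuer is None when discovery fails."""
    for cand in candidates(issuer_url):
        doc = fetch(cand + WELL_KNOWN)
        if doc is None:
            continue
        # OIDC Discovery: the document's "issuer" must equal the URL it was fetched for.
        if doc.get("issuer") != cand:
            return None, f"{cand}: document reports issuer {doc.get('issuer')!r}"
        return cand, "ok" if cand == issuer_url else f"use {cand} as issuer-url"
    return None, "no discovery document at any candidate"

# Constructed responses standing in for a Keycloak that serves realms without /auth.
SAMPLE = {
    "https://auth.example.test/realms/demo" + WELL_KNOWN:
        {"issuer": "https://auth.example.test/realms/demo"},
}

if __name__ == "__main__":
    # Offline demo against SAMPLE; drop the second argument to query a real server.
    print(find_issuer("https://auth.example.test/auth/realms/demo", SAMPLE.get))
```

An issuer mismatch is reported as a failure rather than silently accepted, because a client that follows the discovery specification rejects a document whose issuer differs from the configured URL.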
 