OpenID Connect login fails (with Keycloak)

DerEnderKeks

Member
Jun 3, 2022
I'm trying to set up OIDC in Proxmox, but I can't get it to work. When I try to log in with OIDC I get the error "OpenID login failed, please try again authentication failure (401)"; in the logs of pvedaemon it says "openid authentication failure; rhost=xxx msg=Failed to verify ID token: Signature verification failed".
The redirect to Keycloak seems to work just fine and I get redirected back to Proxmox without any errors. Keycloak also didn't log any errors.

Excerpt from domains.cfg
Code:
openid: xxx
        client-id proxmox
        issuer-url https://xxx/realms/xxx
        autocreate 1
        client-key xxx
        default 1
        username-claim preferred_username

I double checked that the secret matches. The client config in Keycloak is basically the default, but with the access type set to confidential.

I'm using:
Keycloak version 18.0.0
Proxmox versions:

Code:
proxmox-ve: 7.2-1 (running kernel: 5.15.35-1-pve)
pve-manager: 7.2-4 (running version: 7.2-4/ca9d43cc)
pve-kernel-5.15: 7.2-3
pve-kernel-helper: 7.2-3
pve-kernel-5.15.35-1-pve: 5.15.35-3
pve-kernel-5.15.30-2-pve: 5.15.30-3
ceph-fuse: 15.2.16-pve1
corosync: 3.1.5-pve2
criu: 3.15-1+pve-1
glusterfs-client: 9.2-1
ifupdown2: 3.1.0-1+pmx3
ksm-control-daemon: 1.4-1
libjs-extjs: 7.0.0-1
libknet1: 1.22-pve2
libproxmox-acme-perl: 1.4.2
libproxmox-backup-qemu0: 1.3.1-1
libpve-access-control: 7.2-1
libpve-apiclient-perl: 3.2-1
libpve-common-perl: 7.2-2
libpve-guest-common-perl: 4.1-2
libpve-http-server-perl: 4.1-2
libpve-storage-perl: 7.2-4
libspice-server1: 0.14.3-2.1
lvm2: 2.03.11-2.1
lxc-pve: 4.0.12-1
lxcfs: 4.0.12-pve1
novnc-pve: 1.3.0-3
openvswitch-switch: 2.15.0+ds1-2+deb11u1
proxmox-backup-client: 2.2.1-1
proxmox-backup-file-restore: 2.2.1-1
proxmox-mini-journalreader: 1.3-1
proxmox-widget-toolkit: 3.5.1
pve-cluster: 7.2-1
pve-container: 4.2-1
pve-docs: 7.2-2
pve-edk2-firmware: 3.20210831-2
pve-firewall: 4.2-5
pve-firmware: 3.4-2
pve-ha-manager: 3.3-4
pve-i18n: 2.7-2
pve-qemu-kvm: 6.2.0-8
pve-xtermjs: 4.16.0-1
qemu-server: 7.2-3
smartmontools: 7.2-pve3
spiceterm: 3.2-2
swtpm: 0.7.1~bpo11+1
vncterm: 1.7-1
zfsutils-linux: 2.1.4-pve1
 
Have you solved your problem? I just set it all up and it just worked the first time I tried. Your entry with username-claim solved also the weird username (=internal id) for me
 
No, unfortunately not. I tried it again right now and it still gives me the same error, even with everything updated. I even recreated the realm in PVE and in Keycloak, but it won't work for some reason.
But at least I could help you! ^^

Did you do anything special? I just created the realm in Keycloak and made it confidential. My Proxmox config is still the same as above.
 
I finally found the solution: Proxmox seems to only like some of the JWT signature algorithms Keycloak supports. When I manually force the `Access token signature algorithm` and `ID token signature algorithm` to be RS256, it works.
Not sure what algorithms are actually supported, but I would really appreciate more helpful error messages (and maybe replies from the Proxmox team ;) ).
 
My default algorithm is set to ES256; I think I changed that at some point. Keycloak's default for that setting appears to be RS256, which would explain why it worked for you, if you didn't change the default.
 
> My default algorithm is set to ES256; I think I changed that at some point. Keycloak's default for that setting appears to be RS256, which would explain why it worked for you, if you didn't change the default.
Yes, I did not change anything on that front. I have to say that most of the non-default stuff is not well supported in 3rd party applications. I also tried the better security of 2FA, which ended up not being supported by the 2FA clients/programs I use, so that was also a letdown.
 
> I finally found the solution: Proxmox seems to only like some of the JWT signature algorithms Keycloak supports. When I manually force the `Access token signature algorithm` and `ID token signature algorithm` to be RS256, it works.
> Not sure what algorithms are actually supported, but I would really appreciate more helpful error messages (and maybe replies from the Proxmox team ;) ).
The same problem is with LemonLDAP:NG, error: Failed to verify ID token: Signature verification failed

I generated RSA keys for the OpenID Connect Service and changed the default ID signature algorithm to RS256 for the PVE relying party, and the error is gone.
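The failure described in this thread (an ID token signed with ES256 while the relying party only verifies RS256) can be spotted before the signature bytes are even checked, by looking at the JOSE header against the provider's JWKS. The following checker is an added example, not code from Proxmox VE, Keycloak or LemonLDAP:NG; the RS256-only allowlist, the sample JWKS entries and the token payload are constructed assumptions based on what the posts above report.

```python
import base64
import json

# Assumed allowlist: the thread only establishes that RS256 works with
# Proxmox VE and ES256 does not; this is not Proxmox's documented list.
ACCEPTED_ALGS = {"RS256"}

# JWA algorithm prefix -> JWK key type it must be verified with
ALG_FAMILY = {"RS": "RSA", "PS": "RSA", "ES": "EC", "HS": "oct"}


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def diagnose_id_token(id_token: str, jwks: dict) -> list:
    """List the reasons an RS256-only relying party would reject this
    token's signature, judged from the header and the JWKS alone."""
    try:
        header_b64, _payload, _sig = id_token.split(".")
        header = json.loads(b64url_decode(header_b64))
    except ValueError:  # wrong segment count, bad base64 or bad JSON
        return ["token is not a three-part compact JWS"]
    problems = []
    alg = header.get("alg")
    if alg not in ACCEPTED_ALGS:
        problems.append(f"alg {alg!r} not in accepted set {sorted(ACCEPTED_ALGS)}")
    keys = {k.get("kid"): k for k in jwks.get("keys", [])}
    key = keys.get(header.get("kid"))
    if key is None:
        problems.append(f"kid {header.get('kid')!r} not found in JWKS")
    elif alg and ALG_FAMILY.get(alg[:2]) != key.get("kty"):
        problems.append(f"alg {alg} does not match key type {key.get('kty')!r}")
    return problems


def make_token(alg: str, kid: str) -> str:
    """Constructed sample token: Keycloak-style header, placeholder payload
    and signature (only the header is inspected above)."""
    header = b64url_encode(json.dumps({"alg": alg, "kid": kid, "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps({"preferred_username": "alice"}).encode())
    return f"{header}.{payload}.{b64url_encode(b'placeholder-signature')}"


# Constructed JWKS with one RSA and one EC signing key, as a realm that
# offers both RS256 and ES256 would publish.
SAMPLE_JWKS = {"keys": [
    {"kid": "rsa-key-1", "kty": "RSA", "alg": "RS256", "use": "sig"},
    {"kid": "ec-key-1", "kty": "EC", "alg": "ES256", "use": "sig", "crv": "P-256"},
]}

if __name__ == "__main__":
    for alg, kid in [("ES256", "ec-key-1"), ("RS256", "rsa-key-1")]:
        print(alg, diagnose_id_token(make_token(alg, kid), SAMPLE_JWKS) or "header acceptable")
```

Running it against a real token means pasting the ID token from the provider and the JSON from the realm's `jwks_uri` in place of the constructed samples; an empty result only says the header is consistent, the actual signature check still has to follow.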
 