Ondemand with dedicated keycloak server

s.harper · April 22, 2019, 11:11pm

Hey guys. I’m setting up a fresh install of Open OnDemand 1.5.5-1 here at the University of Utah on CentOS 7. I’m following the install documentation and have gotten to the point where I’m integrating my production standalone keycloak (4.8.3) server in as my auth source - It’s throwing errors in the keycloak log while I get the schema mappings to our Active Directory servers configured and then I finally get it correctly configured… and it breaks in a new way.

The URL redirects to
https://ondemand-test.chpc.utah.edu/pun/sys/dashboard
and the error in the browser window is:
“Error – invalid user name syntax: f:5f6debae-e6db-4111-bed0-ac9336c5afe5:u0064824@keycloak.chpc.utah.edu/auth/realms/ondemand
Run ‘nginx_stage --help’ to see a full list of available command line options.”

There’s no errors in the keycloak log about this. Here’s my auth_openidc.conf file:

OIDCProviderMetadataURL https://keycloak.chpc.utah.edu/auth/realms/ondemand/.well-known/openid-configuration
OIDCClientID “ondemand-test.chpc.utah.edu”
OIDCClientSecret “noSecretsForYou”
OIDCRedirectURI https://ondemand-test.chpc.utah.edu/oidc
OIDCCryptoPassphrase “secretphraseremoved”

Anything jump out at anyone? I can post over config items if necessary but it’s all pretty bog standard.

Steve Harper

s.harper · April 22, 2019, 11:27pm

Ah. Easy I had missed the lower half of the example config and still had these lines commented:

OIDCRemoteUserClaim preferred_username
OIDCPassClaimsAs environment
OIDCStripCookies mod_auth_openidc_session mod_auth_openidc_session_chunks mod_auth_openidc_session_0 mod_auth_openidc_session_1

efranz · April 23, 2019, 2:46pm

The error you saw was generated by this single line of code: https://github.com/OSC/ondemand/blob/585404aa2d91a18b2b18e02fba2670c53532cc0a/nginx_stage/lib/nginx_stage/generator_helpers.rb#L16

The username f:5f6debae-e6db-4111-bed0-ac9336c5afe5:u0064824@keycloak.chpc.utah.edu/auth/realms/ondemand didn’t match the regex. Of course in this case a solution was to add the missing OIDC directive OIDCRemoteUserClaim so that mod_auth_openidc sets REMOTE_USER to whatever is in the remote user claim header. Another approach would have been to configure Apache to use a custom mapping script that converts f:5f6debae-e6db-4111-bed0-ac9336c5afe5:u0064824@keycloak.chpc.utah.edu/auth/realms/ondemand to your_user_name.

The question I have is, what would have been a better error message to help you debug the problem yourself?

Topic		Replies	Views
OnDemand-Keycloak-IDM authentication Get Help	4	1120	May 26, 2022
OIDC redirect failing Get Help question	14	3969	May 26, 2022
Ondemand + keycloak + RHEL8 issues Get Help question	4	289	January 30, 2023
Login error with Ondemand 1.8 and Keycloak 10 Get Help question	4	953	May 26, 2022
OIDC with Keycloak filter by groups/roles Get Help question	4	752	March 9, 2024

Ondemand with dedicated keycloak server

Related Topics