HELP! OpenID Connect Keycloak-XNAT HTTPS error


Matteo Riva

Nov 16, 2022, 5:18:28 AM
to Keycloak User
Hello everyone,

This time I am really desperate! Can you help me please?
Here I explain the issue and I guess it is an HTTPS problem, since with HTTP I had the same setting, but all was working properly.

When I try to log in from this page (Figure 1):
login_keycloak.JPG

And I insert the credentials, I get this (Figure 2):

nologin_xnat.JPG

KEYCLOAK SIDE (XNAT BUTTON, Figure 1):

</div>
<p></p>
<div class="row-xnat-redcap" style="display:flex">
        <a href="https://xnaturl.it/openid-login?providerId=xnat-keycloak-client">
<img src="https://www.xnat.org/images/XNAT-logo-980.png" style="height:85px; width:210px;" id="xnat" class="button1" align="left" />
</a>


KEYCLOAK SIDE (ADMIN):
keycloak_setting1.JPG
keycloak_setting2.JPG
myurl.JPG

XNAT SIDE (OPENID CONNECT PLUGIN, Figure 2):

auth.method=openid
type=openid
provider.id=xnat-keycloak-client
visible=true
auto.enabled=false
auto.verified=false
name=OpenID Authentication Provider
disableUsernamePasswordLogin=false
enabled=xnat-keycloak-client
siteUrl=https://xnaturl.it
preEstablishedRedirUri=/openid-login

openid.xnat-keycloak-client.clientId=xnat-keycloak-client
openid.xnat-keycloak-client.clientSecret=*********************************
openid.xnat-keycloak-client.accessTokenUri=https://keycloakurl.it/auth/realms/redcap-xnat-keycloak/protocol/openid-connect/token
openid.xnat-keycloak-client.userAuthUri=https://keycloakurl.it/auth/realms/redcap-xnat-keycloak/protocol/openid-connect/auth
openid.xnat-keycloak-client.userInfoUri=https://keycloakurl.it/auth/realms/redcap-xnat-keycloak/protocol/openid-connect/userinfo
openid.xnat-keycloak-client.pkceEnabled=false
openid.xnat-keycloak-client.scopes=openid,profile,offline_access,address,email,phone,roles,microprofile-jwt,web-origins
openid.xnat-keycloak-client.link=<p>To sign-in using your Keycloak credentials, please click on the button below.</p><p><a href="/openid-login?providerId=xnat-keycloak-client"><img src="/images/keycloak.png" style="max-width: 200px;" /></a></p>
openid.xnat-keycloak-client.shouldFilterEmailDomains=false
openid.xnat-keycloak-client.forceUserCreate=true
openid.xnat-keycloak-client.userAutoEnabled=false
openid.xnat-keycloak-client.userAutoVerified=false
openid.xnat-keycloak-client.emailProperty=email
openid.xnat-keycloak-client.givenNameProperty=given_name
openid.xnat-keycloak-client.familyNameProperty=family_name

I DO NOT REALLY KNOW WHAT IS WRONG...

Thank you so much in advance.
Cheers,

Matteo

Giovanni Albero

Nov 16, 2022, 5:43:26 AM
to Matteo Riva, Keycloak User
Hi Matteo, do you have the chance to get a log about your login attempt?
--
Giovanni Albero
Co-Founder & CEO - SMarT



Matteo Riva

Nov 16, 2022, 5:54:48 AM
to Keycloak User
Hello Giovanni,

Thank you so much for your reply!
Sorry, do you mean a log file?

Giovanni Albero

Nov 16, 2022, 5:55:41 AM
to Matteo Riva, Keycloak User
yes, I do

--
Giovanni Albero
Co-Founder & CEO - SMarT

Matteo Riva

Nov 16, 2022, 6:09:51 AM
to Keycloak User
This is the tail of my access.log file (from /data/xnat/home/logs directory). If you need something else, let me know please!

2022-11-16 10:13:43,604 - admin 193.206.147.25 GET http://xnatdemenze.istituto-besta.it/REST/projects?XNAT_CSRF=0fdbb4f4-49a2-4f39-abf4-d9dcbad1b7c5&format=json&sortBy=secondary_ID&timestamp=1668593624067&creatableTypes=true&data-type=xnat:petSessionData&rnd=1668593624067 "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:106.0) Gecko/20100101 Firefox/106.0"
2022-11-16 10:13:43,617 - admin 193.206.147.25 GET http://xnatdemenze.istituto-besta.it/xapi/siteConfig/buildInfo "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:106.0) Gecko/20100101 Firefox/106.0"
2022-11-16 10:13:43,621 - admin 193.206.147.25 GET http://xnatdemenze.istituto-besta.it/xapi/xnatTask/checkNodeConfigurationStatus?_=1668593623761 "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:106.0) Gecko/20100101 Firefox/106.0"
2022-11-16 10:13:43,767 - admin 193.206.147.25 GET http://xnatdemenze.istituto-besta.it/REST/projects/ca_granda_ospedale/experiments?XNAT_CSRF=0fdbb4f4-49a2-4f39-abf4-d9dcbad1b7c5&format=json&timestamp=1668593624187&rnd=1668593624187 "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:106.0) Gecko/20100101 Firefox/106.0"
2022-11-16 10:13:43,770 - admin 193.206.147.25 GET http://xnatdemenze.istituto-besta.it/REST/projects/ca_granda_ospedale/subjects?XNAT_CSRF=0fdbb4f4-49a2-4f39-abf4-d9dcbad1b7c5&format=json&timestamp=1668593624187&rnd=1668593624187 "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:106.0) Gecko/20100101 Firefox/106.0"
2022-11-16 10:27:58,261 - guest 10.100.28.27 GET http://xnatdemenze.istituto-besta.it/xapi/siteConfig/buildInfo "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36"
2022-11-16 10:28:24,304 - guest 10.100.28.27 GET http://xnatdemenze.istituto-besta.it/xapi/siteConfig/buildInfo "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36"
2022-11-16 10:32:06,912 - guest 10.100.28.27 GET http://xnatdemenze.istituto-besta.it/xapi/siteConfig/buildInfo "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36"
2022-11-16 11:49:56,772 - guest 10.100.28.27 GET http://xnatdemenze.istituto-besta.it/xapi/siteConfig/buildInfo "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36"
2022-11-16 12:00:13,235 - guest 10.100.28.27 GET http://xnatdemenze.istituto-besta.it/xapi/siteConfig/buildInfo "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36"

Giovanni Albero

Nov 16, 2022, 8:44:08 AM
to Matteo Riva, Keycloak User
This seems like a log related to the call that you are receiving on your webserver.
But you are right, my question was not so precise. Do you have access to Keycloak's log? I'd like to check its log.

--
Giovanni Albero
Co-Founder & CEO - SMarT

Matteo Riva

Nov 16, 2022, 9:18:25 AM
to Keycloak User
Here is the tail of server.log in Keycloak:

2022-11-16 10:28:02,042 WARN  [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-65) REQUIRED and ALTERNATIVE elements at same level! Those alternative executions will be ignored: [auth-cookie, identity-provider-redirector]
2022-11-16 10:28:23,677 WARN  [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-65) REQUIRED and ALTERNATIVE elements at same level! Those alternative executions will be ignored: [auth-cookie, identity-provider-redirector]
2022-11-16 12:10:22,342 WARN  [org.keycloak.events] (default task-70) type=REFRESH_TOKEN_ERROR, realmId=master, clientId=security-admin-console, userId=null, ipAddress=172.29.2.20, error=invalid_token, grant_type=refresh_token, client_auth_method=client-secret
2022-11-16 12:18:24,538 WARN  [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-70) REQUIRED and ALTERNATIVE elements at same level! Those alternative executions will be ignored: [auth-cookie, identity-provider-redirector]
2022-11-16 12:18:32,730 WARN  [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-70) REQUIRED and ALTERNATIVE elements at same level! Those alternative executions will be ignored: [auth-cookie, identity-provider-redirector]
2022-11-16 12:40:30,680 WARN  [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-70) REQUIRED and ALTERNATIVE elements at same level! Those alternative executions will be ignored: [auth-cookie, identity-provider-redirector]
2022-11-16 12:40:31,934 WARN  [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-70) REQUIRED and ALTERNATIVE elements at same level! Those alternative executions will be ignored: [auth-cookie, identity-provider-redirector]
2022-11-16 12:40:32,098 WARN  [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-70) REQUIRED and ALTERNATIVE elements at same level! Those alternative executions will be ignored: [auth-cookie, identity-provider-redirector]
2022-11-16 12:40:32,244 WARN  [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-70) REQUIRED and ALTERNATIVE elements at same level! Those alternative executions will be ignored: [auth-cookie, identity-provider-redirector]
2022-11-16 12:40:39,833 WARN  [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-70) REQUIRED and ALTERNATIVE elements at same level! Those alternative executions will be ignored: [auth-cookie, identity-provider-redirector]

Thank you Giovanni!

Matteo

Giovanni Albero

Nov 16, 2022, 3:29:04 PM
to Matteo Riva, Keycloak User
I can see only a warning based on a misconfiguration of the authentication flow, do you have the same warning also locally?

--
Giovanni Albero
Co-Founder & CEO - SMarT

Matteo Riva

Nov 17, 2022, 2:54:19 AM
to Keycloak User
No, at least I do not see the same warning! What I do not understand is that when I try to log in to XNAT, it does not work, while if I try to log in to REDCap, it works perfectly fine.
What I see in the XNAT access.log file is that there is an http URL, while it is an https one!
So... is it a Keycloak or an XNAT issue? I do not really understand...
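
A check for the observation in the last message (access.log shows http:// request URLs while siteUrl is https://), as an added example that is not part of the thread and is not XNAT or Keycloak code. It parses settings in the posted key=value format and access.log lines in the layout shown above; the hosts, realm name and sample lines are constructed placeholders, and the function names are hypothetical.

```python
import re
from urllib.parse import urlsplit

# Constructed settings in the format posted above (placeholder hosts and realm).
PROPS = """\
siteUrl=https://xnat.example.org
preEstablishedRedirUri=/openid-login
openid.xnat-keycloak-client.accessTokenUri=https://sso.example.org/auth/realms/demo/protocol/openid-connect/token
openid.xnat-keycloak-client.userAuthUri=https://sso.example.org/auth/realms/demo/protocol/openid-connect/auth
"""

# Constructed access.log lines in the layout shown in the thread.
ACCESS_LOG = """\
2022-11-16 10:27:58,261 - guest 10.0.0.5 GET http://xnat.example.org/xapi/siteConfig/buildInfo "Mozilla/5.0"
2022-11-16 10:28:01,100 - guest 10.0.0.5 GET https://xnat.example.org/openid-login?providerId=xnat-keycloak-client "Mozilla/5.0"
"""

# timestamp - user ip method url "user agent"
LINE = re.compile(r'^(\S+ \S+) - (\S+) (\S+) (\S+) (\S+) "(.*)"$')

def parse_props(text):
    """Parse key=value lines, ignoring blanks and # comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def insecure_endpoints(props):
    """Return keys of absolute-URL settings (siteUrl, *Uri) that are not https."""
    return sorted(k for k, v in props.items()
                  if (k == "siteUrl" or k.endswith("Uri")) and "://" in v
                  and urlsplit(v).scheme != "https")

def scheme_mismatches(props, log_text):
    """Return (timestamp, url) for logged requests whose scheme differs from siteUrl's."""
    expected = urlsplit(props["siteUrl"]).scheme
    hits = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if m and urlsplit(m.group(5)).scheme != expected:
            hits.append((m.group(1), m.group(5)))
    return hits

if __name__ == "__main__":
    p = parse_props(PROPS)
    print("non-https settings:", insecure_endpoints(p))
    for ts, url in scheme_mismatches(p, ACCESS_LOG):
        print("scheme mismatch:", ts, url)
```

A reported mismatch means the application server logged the request with a different scheme than the one configured in siteUrl, which is worth comparing against the redirect URI registered for the client in Keycloak.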
