The keycloak auth config is not work

Autumn-Roy · 15 June 2023 06:45

Situaiton:
I followed the document of Authentication - Turn-key research data management repository to setup the invenioRDM,but it doesn’t work.

The config of my project is below:

The invenio.cfg:

# Invenio-Accounts-Keycloak
# ----------------
# See https://inveniordm.docs.cern.ch/customize/authentication/#keycloak
from invenio_oauthclient.contrib.keycloak import KeycloakSettingsHelper

helper = KeycloakSettingsHelper(
    title="SJTU scidata",
    description="Keycloak Authentication Service",
    base_url="https://keycloaktest.sjtu.edu.com:443",
    realm="invenio_test"
)

OAUTHCLIENT_KEYCLOAK_REALM_URL = helper.realm_url
OAUTHCLIENT_KEYCLOAK_USER_INFO_URL = helper.user_info_url
OAUTHCLIENT_KEYCLOAK_VERIFY_EXP = True  # whether to verify the expiration date of tokens
OAUTHCLIENT_KEYCLOAK_VERIFY_AUD = True  # whether to verify the audience tag for tokens
OAUTHCLIENT_KEYCLOAK_AUD = "scidata.sjtu.edu.cn"  # probably the same as the client ID

OAUTHCLIENT_REMOTE_APPS = {
    "keycloak": helper.remote_app,
}

KEYCLOAK_APP_CREDENTIALS = {
    "consumer_key": "scidata.sjtu.edu.cn",
    "consumer_secret": "3d61f612-ea56-487e-9306-5401faa6a4e7",
}

# Invenio-OAuthclient
# -------------------
# See https://github.com/inveniosoftware/invenio-oauthclient/blob/master/invenio_oauthclient/config.py

#OAUTHCLIENT_REMOTE_APPS = {}  # configure external login providers

from invenio_oauthclient.views.client import auto_redirect_login
ACCOUNTS_LOGIN_VIEW_FUNCTION = auto_redirect_login  # autoredirect to external login if enabled
OAUTHCLIENT_AUTO_REDIRECT_TO_EXTERNAL_LOGIN = True  # autoredirect to external login

The keycloak setting:

image1487×976 55 KB

image1035×212 17.7 KB

The error code:

After I login with keycloak, the invenioRDM page occurs: Internal server error;
the logs of web-ui is :

Traceback (most recent call last):
  File "/usr/lib/python3.9/urllib/request.py", line 1346, in do_open
    h.request(req.get_method(), req.selector, req.data, headers,
  File "/usr/lib/python3.9/http/client.py", line 1279, in request
    self._send_request(method, url, body, headers, encode_chunked)
  File "/usr/lib/python3.9/http/client.py", line 1325, in _send_request
    self.endheaders(body, encode_chunked=encode_chunked)
  File "/usr/lib/python3.9/http/client.py", line 1274, in endheaders
    self._send_output(message_body, encode_chunked=encode_chunked)
  File "/usr/lib/python3.9/http/client.py", line 1034, in _send_output
    self.send(msg)
  File "/usr/lib/python3.9/http/client.py", line 974, in send
    self.connect()
  File "/usr/lib/python3.9/http/client.py", line 1441, in connect
    super().connect()
  File "/usr/lib/python3.9/http/client.py", line 945, in connect
    self.sock = self._create_connection(
  File "/usr/lib/python3.9/socket.py", line 823, in create_connection
    for res in getaddrinfo(host, port, 0, SOCK_STREAM):
  File "/usr/lib/python3.9/socket.py", line 954, in getaddrinfo
    for res in _socket.getaddrinfo(host, port, family, type, proto, flags):
socket.gaierror: [Errno -2] Name or service not known

2.When I change the Valid Redirect URIs in keycloak as https://scidata.sjtu.edu.cn. I even can’t open the keycloak sign in page. The error code is: Invalid parameter: redirect_uri

nitarocc · 27 June 2023 10:00

Hello,
sorry for the late answer. Is your https://keycloaktest.sjtu.edu.com reachable from the node running InvenioRDM?

Feel free to join our Discord chat https://inveniordm.docs.cern.ch/develop/getting-started/help/, it might easier to exchange there.

Autumn-Roy · 6 July 2023 06:41

https://keycloaktest.sjtu.edu.com is reachable from my InvenioRDM instance. By the change of redirect uri, it doesn’t show the error. But I still can’t receive any info from keycloak server, maybe there is somethind wrong in the setting of keycloak server.

Because the restrictions of region in Discord, I haven’t use it before. I will try to getting help from it, thank you.