OIDC with Keycloak not working #573

Open
HBubli opened this issue Jan 1, 2025 · 5 comments

Comments

@HBubli

HBubli commented Jan 1, 2025

Hi, I can't get the OIDC integration to work with my Keycloak setup. There are no errors anywhere, but there isn't a "login with SSO" button anywhere in the UI and the automatic redirect to the SSO login page also doesn't seem to work. Toggling "SHOW_SSO_LOGIN_BUTTON" and "FORCE_SSO_AUTH" doesn't have any effect. Here is my compose file:

```yaml
services:
  ganymede:
    container_name: ganymede
    image: ghcr.io/zibbp/ganymede:latest
    restart: unless-stopped
    depends_on:
      - ganymede-db
    environment:
      - DEBUG=false
      - TZ=Europe/Berlin # Set to your timezone
      # Data paths in container; update the mounted volume paths as well
      - VIDEOS_DIR=/data/videos
      - TEMP_DIR=/data/temp
      - LOGS_DIR=/data/logs
      - CONFIG_DIR=/data/config
      # Database settings
      - DB_HOST=ganymede-db
      - DB_PORT=5432
      - DB_USER=ganymede
      - DB_PASS=REDACTED
      - DB_NAME=ganymede-prd
      - DB_SSL=disable
      # - DB_SSL_ROOT_CERT= # path to cert in the container if DB_SSL is not disabled
      - TWITCH_CLIENT_ID=REDACTED # from your twitch application
      - TWITCH_CLIENT_SECRET=REDACTED # from your twitch application
      # Worker settings. Max number of tasks to run in parallel per type.
      - MAX_CHAT_DOWNLOAD_EXECUTIONS=3
      - MAX_CHAT_RENDER_EXECUTIONS=2
      - MAX_VIDEO_DOWNLOAD_EXECUTIONS=2
      - MAX_VIDEO_CONVERT_EXECUTIONS=3
      # Optional OAuth settings
      - OAUTH_ENABLED=true
      - OAUTH_PROVIDER_URL=https://auth.hbubli.cc/realms/hbubli.cc
      - OAUTH_CLIENT_ID=ganymede
      - OAUTH_CLIENT_SECRET=REDACTED
      - OAUTH_REDIRECT_URL=https://vod.hbubli.cc/api/v1/auth/oauth/callback # Points to the API service
      # Optional Frontend settings
      - SHOW_SSO_LOGIN_BUTTON=false
      - FORCE_SSO_AUTH=true
      - REQUIRE_LOGIN=false
    volumes:
      - /opt/ganymede/videos:/data/videos # update VIDEOS_DIR env var
      - /opt/ganymede/temp:/data/temp # update TEMP_DIR env var
      - /opt/ganymede/logs:/data/logs # queue logs
      - /opt/ganymede/config:/data/config # config and other miscellaneous files
    ports:
      - 4800:4000
    healthcheck:
      test: curl --fail http://localhost:4000/health || exit 1
      interval: 60s
      retries: 5
      start_period: 60s
      timeout: 10s
  ganymede-db:
    container_name: ganymede-db
    image: postgres:14
    volumes:
      - ./ganymede-db:/var/lib/postgresql/data
    environment:
      - POSTGRES_PASSWORD=REDACTED
      - POSTGRES_USER=ganymede
      - POSTGRES_DB=ganymede-prd
    ports:
      - 4801:5432 # exposes Postgres on the host; only ganymede needs it, so drop or firewall this if not used
    restart: unless-stopped
    healthcheck:
      # CMD-SHELL takes a single shell string; user and database match POSTGRES_USER / POSTGRES_DB above
      test: ["CMD-SHELL", "pg_isready -U ganymede -d ganymede-prd"]
      interval: 30s
      timeout: 60s
      retries: 5
      start_period: 60s
```
@Zibbp
Owner

Zibbp commented Jan 1, 2025

Looks like the frontend env vars weren't working properly, I've fixed that in #574. Can you try again with the :dev image tag?

@HBubli
Author

HBubli commented Jan 1, 2025

That fixed the issue! But now I have another error :/ Upon redirect Ganymede displays

`failed to exchange token: oauth2: "invalid_grant" "Code not valid"`

in a JSON file and Keycloak spits out

`2025-01-01 22:11:18,445 WARN  [org.keycloak.protocol.oidc.utils.OAuth2CodeParser] (executor-thread-11) Invalid format of the code`

Did I miss something? Thanks for resolving the previous issue that fast though!

@Zibbp
Owner

Zibbp commented Jan 1, 2025

I haven't used Keycloak before so I'm not sure. I would google the Keycloak error and see if there's something specific to Keycloak that you may need to do. Else try re-creating the Keycloak app?
Maybe: https://stackoverflow.com/questions/45860313/keycloak-code-to-token-error-after-user-is-authenticated
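Added example, not Ganymede's or Keycloak's code: a minimal authorization-code exchange in Go against a constructed in-process stand-in for the provider's token endpoint. The stand-in applies the checks that sit behind an `invalid_grant` answer on a real provider: the code must be one it issued, it is single-use, the `redirect_uri` sent with the exchange must equal the one the code was bound to, and the client must authenticate. The client side parses the RFC 6749 error body so the log carries the provider's own `error` and `error_description` instead of a generic failure. The codes, hostnames, client id and secret are placeholders; only the standard library is used, so it runs offline.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
	"sync"
)

// oauthError is the RFC 6749 §5.2 error body a token endpoint returns on failure.
type oauthError struct {
	Code        string `json:"error"`
	Description string `json:"error_description"`
}

func (e *oauthError) Error() string { return fmt.Sprintf("oauth2: %q %q", e.Code, e.Description) }

// fakeIdP is a constructed stand-in for the provider's token endpoint (not Keycloak, but it applies
// the checks that make a real provider answer invalid_grant). codes maps each "issued" code to the
// redirect_uri it was bound to when the authorization endpoint handed it out.
type fakeIdP struct {
	mu               sync.Mutex
	codes            map[string]string
	clientID, secret string
}

func (p *fakeIdP) tokenHandler(w http.ResponseWriter, r *http.Request) {
	fail := func(status int, e oauthError) {
		w.WriteHeader(status)
		_ = json.NewEncoder(w).Encode(e)
	}
	_ = r.ParseForm()
	if id, secret, ok := r.BasicAuth(); !ok || id != p.clientID || secret != p.secret {
		fail(http.StatusUnauthorized, oauthError{"invalid_client", "Invalid client credentials"})
		return
	}
	code := r.PostForm.Get("code")
	p.mu.Lock()
	boundURI, known := p.codes[code]
	delete(p.codes, code) // single use: a replayed code fails even when everything else matches
	p.mu.Unlock()
	if !known {
		fail(http.StatusBadRequest, oauthError{"invalid_grant", "Code not valid"})
		return
	}
	if r.PostForm.Get("redirect_uri") != boundURI {
		fail(http.StatusBadRequest, oauthError{"invalid_grant", "Incorrect redirect_uri"})
		return
	}
	_ = json.NewEncoder(w).Encode(map[string]any{"access_token": "at-" + code, "token_type": "Bearer"})
}

// exchangeCode is the relying party's half, as run from its OAuth callback handler.
// redirectURI must be byte-for-byte the value sent in the authorization request.
func exchangeCode(tokenURL, clientID, clientSecret, code, redirectURI string) (string, error) {
	form := url.Values{"grant_type": {"authorization_code"}, "code": {code}, "redirect_uri": {redirectURI}}
	req, err := http.NewRequest(http.MethodPost, tokenURL, strings.NewReader(form.Encode()))
	if err != nil {
		return "", err
	}
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	req.SetBasicAuth(clientID, clientSecret) // client_secret_basic
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		var oe oauthError
		if json.NewDecoder(resp.Body).Decode(&oe) == nil && oe.Code != "" {
			return "", &oe // surface the provider's own error and error_description
		}
		return "", fmt.Errorf("token endpoint returned HTTP %d", resp.StatusCode)
	}
	var tok struct{ AccessToken string `json:"access_token"` }
	if err := json.NewDecoder(resp.Body).Decode(&tok); err != nil || tok.AccessToken == "" {
		return "", fmt.Errorf("token response had no usable access_token")
	}
	return tok.AccessToken, nil
}

// runScenario: a valid exchange, a replay of the same code, and an exchange whose redirect_uri
// differs from the one the code was bound to. Codes and hostnames are constructed placeholders.
func runScenario() (fresh, replay, badRedirect error) {
	const cb = "https://vod.example.test/api/v1/auth/oauth/callback"
	idp := &fakeIdP{codes: map[string]string{"code-1": cb, "code-2": cb}, clientID: "ganymede", secret: "example-secret"}
	srv := httptest.NewServer(http.HandlerFunc(idp.tokenHandler))
	defer srv.Close()
	_, fresh = exchangeCode(srv.URL, "ganymede", "example-secret", "code-1", cb)
	_, replay = exchangeCode(srv.URL, "ganymede", "example-secret", "code-1", cb)
	_, badRedirect = exchangeCode(srv.URL, "ganymede", "example-secret", "code-2", cb+"/")
	return
}

func main() {
	fresh, replay, badRedirect := runScenario()
	fmt.Println("fresh:", fresh, "| replay:", replay, "| other redirect_uri:", badRedirect)
}
```

A replayed code and a `redirect_uri` that differs by as little as a trailing slash both come back as `invalid_grant`. Keycloak's `Invalid format of the code` warning is logged by the class that parses the incoming `code` value (`OAuth2CodeParser`), i.e. before any lookup, so logging the raw `code` query parameter on the relying-party side before the exchange (never the tokens) is the quickest way to see whether it reaches the token endpoint intact.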

@HBubli
Author

HBubli commented Jan 1, 2025

> I haven't used Keycloak before so I'm not sure. I would google the Keycloak error and see if there's something specific to Keycloak that you may need to do. Else try re-creating the Keycloak app? Maybe: https://stackoverflow.com/questions/45860313/keycloak-code-to-token-error-after-user-is-authenticated

I've seen that post but sadly nothing worked. I don't know if this is relevant, but I've noticed that adding the

`response_mode=form_post&`

parameter to the request from Ganymede gets rid of the error and just results in an internal error from Ganymede. Keycloak then only complains about the non-existent group scope being requested, which can easily be fixed in Keycloak.

@Zibbp
Owner

Zibbp commented Jan 8, 2025

It appears that Keycloak doesn't have/send the groups scope which I'm requesting, causing the error. Until I can re-evaluate how that is handled you can add a custom groups scope, and make sure it is sent in the application.
(screenshot attached)
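Added example, not Ganymede's code: how a relying party can read a `groups` claim without turning its absence into an internal error, in Go with only the standard library. `groups` is not a standard OIDC claim (Keycloak emits it only when a client scope carrying a Group Membership mapper is attached to the client), so the code treats a missing claim as an empty group list, strips the leading slash from Keycloak's full-path group names, and compares the `scope` member of the token response with the scopes that were requested so the dropped scope is named in the log. The sample tokens are constructed and unsigned and exist only as input; the decode step skips signature verification on purpose and says so, which a real callback handler must not do.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// idTokenClaims is the subset of ID-token claims read here. groups is not a standard OIDC
// claim: it is only present when the provider is configured to emit it (in Keycloak, via a
// client scope carrying a Group Membership mapper), so the relying party must treat it as optional.
type idTokenClaims struct {
	Subject string   `json:"sub"`
	Email   string   `json:"email"`
	Groups  []string `json:"groups"`
}

// payloadClaims decodes the payload segment of a compact JWS. It deliberately does not verify
// the signature: a real relying party validates the token against the issuer's JWKS and checks
// iss, aud and exp before trusting any claim. Keeping that separate lets the claim handling
// below run on constructed, unsigned sample tokens.
func payloadClaims(idToken string) (idTokenClaims, error) {
	var c idTokenClaims
	parts := strings.Split(idToken, ".")
	if len(parts) != 3 {
		return c, fmt.Errorf("id_token has %d segments, want 3", len(parts))
	}
	raw, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return c, fmt.Errorf("decoding id_token payload: %w", err)
	}
	if err := json.Unmarshal(raw, &c); err != nil {
		return c, fmt.Errorf("parsing id_token claims: %w", err)
	}
	if c.Subject == "" {
		return c, fmt.Errorf("id_token has no sub claim")
	}
	return c, nil
}

// resolveGroups returns the user's groups with an absent claim meaning "no groups" rather than
// an error, and Keycloak-style full group paths ("/admins", "/ganymede/users", emitted when the
// mapper's "Full group path" option is on) reduced to the path without the leading slash so they
// compare cleanly against locally configured names.
func resolveGroups(c idTokenClaims) []string {
	out := make([]string, 0, len(c.Groups))
	for _, g := range c.Groups {
		if g = strings.TrimPrefix(g, "/"); g != "" {
			out = append(out, g)
		}
	}
	return out
}

// missingScopes compares the scopes the client asked for with the space-separated scope member
// of the token response (RFC 6749 §5.1: sent when the granted set differs from the request), so
// the log can name the scope the provider dropped instead of failing later on an empty claim.
func missingScopes(requested []string, granted string) []string {
	have := map[string]bool{}
	for _, s := range strings.Fields(granted) {
		have[s] = true
	}
	var missing []string
	for _, s := range requested {
		if !have[s] {
			missing = append(missing, s)
		}
	}
	return missing
}

// unsignedToken builds a constructed alg=none token as sample input only; nothing here accepts it.
func unsignedToken(claims map[string]any) string {
	enc := func(v any) string {
		b, _ := json.Marshal(v)
		return base64.RawURLEncoding.EncodeToString(b)
	}
	return enc(map[string]string{"alg": "none", "typ": "JWT"}) + "." + enc(claims) + "."
}

func main() {
	// Constructed sample tokens: one from a realm that emits groups, one from a realm that does not.
	for _, tok := range []string{
		unsignedToken(map[string]any{"sub": "u1", "email": "a@example.test", "groups": []string{"/admins", "/ganymede/users"}}),
		unsignedToken(map[string]any{"sub": "u2", "email": "b@example.test"}),
	} {
		c, err := payloadClaims(tok)
		if err != nil {
			fmt.Println("rejected:", err)
			continue
		}
		fmt.Printf("%s groups=%v\n", c.Email, resolveGroups(c))
	}
	fmt.Println("scopes not granted:", missingScopes([]string{"openid", "profile", "email", "groups"}, "openid profile email"))
}
```

With the second token the user simply lands with no groups, which is the behaviour a relying party wants until the Keycloak client scope is in place; a provider that omits the `scope` member from its token response has granted exactly what was requested, so an empty `missingScopes` result is the normal case.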
