Che: custom Oidc provider integration

Created on 29 Aug 2018 · 8 comments · Source: eclipse/che

Hello,
I tried to install Che on minikube in multi-user mode with a custom OIDC provider. I followed the steps at "https://github.com/eclipse/che/tree/master/deploy/kubernetes/helm/che", and my values.yaml looks like this:

cheWorkspaceHttpProxy: ""
cheWorkspaceHttpsProxy: ""
cheWorkspaceNoProxy: ""
cheImage: eclipse/che-server:nightly
cheImagePullPolicy: Always
cheKeycloakRealm: ""
cheKeycloakClientId: "che-public"
customOidcUsernameClaim: "preferred_username"
customOidcProvider: "http://192.168.99.1/identity"

global:
  cheNamespace: "che"
  multiuser: true
  cheDedicatedKeycloak: false
  ingressDomain: 192.168.99.100.nip.io
  ingressAnnotationsPrefix: "nginx."
  serverStrategy: multi-host
  tls:
    enabled: false
    useCertManager: true
    useStaging: true
    secretName: che-tls
  gitHubClientID: ""
  gitHubClientSecret: ""
  pvcClaim: "1Gi"
  cheWorkspacesNamespace: "che-workspace"
  workspaceIdleTimeout: "-1"
  log:
    loggerConfig: ""
    appenderName: "plaintext"

If you would like to see the OpenID configuration, you can check this address: https://id.smartface.io/identity/.well-known/openid-configuration.

When I open "http://che-che.192.168.99.100.nip.io/dashboard/", I encounter an error like this: "Authorization token is missed
Click here to reload page."

The console error message is:
"Failed to load resource: the server responded with a status of 401 () app-4e5823ff82.js:195
Keycloak initialization failed with error: Error loading script."

When I check the identity server, I don't see any request for a token; the server received only the /.well-known/openid-configuration request. So I think it is not related to the identity server configuration.

Reproduction Steps

I assume you have an OpenID server, minikube and helm.

Download these files: "https://github.com/eclipse/che/tree/master/deploy/kubernetes/helm/che"

Run this command:

 helm install -n custom-che --namespace che -f ./values/multi-user.yaml ./

Open "http://che-che.192.168.99.100.nip.io/dashboard/"

@osmankibar

"Keycloak initialization failed with error: Error loading script."

At what URL did the Dashboard try to find the script?

It tries to load /api/keycloak/OIDCKeycloak.js. The status code is 401.

Does it try to load from the right (expected) location? I mean, can you confirm such a script is available?

Where is the expected location?
It tries to load from http://che-che.192.168.99.100.nip.io/api/keycloak/OIDCKeycloak.js.
The dashboard location is http://che-che.192.168.99.100.nip.io/dashboard/.

If I check the location of the script inside the che pod in kubernetes with the following command:
bash-4.3# find -name "OIDCKeycloak.js"
./home/user/eclipse-che/tomcat/webapps/api/WEB-INF/classes/keycloak/OIDCKeycloak.js

The status code is 401. Before the request for this script, maybe no token was provided? Or maybe this script sends the request for the token.

@osmankibar maybe @davidfestal can help - he's the one who spent most of the time in this code base

@osmankibar what is the Che version you're using? It seems strange that you cannot access the OIDCKeycloak.js file from the URL you mentioned. This file should be accessible without requiring authentication, since it is the authentication client library. Could you try with https (since I see you enabled tls in your yaml file): https://che-che.192.168.99.100.nip.io/api/keycloak/OIDCKeycloak.js

tls:
    enabled: false
    useCertManager: true
    useStaging: true
    secretName: che-tls

The first parameter (enabled) is false under the tls config, so I assumed all tls-related settings were off. When I changed the yaml to the following, it works.

    enabled: false
    useCertManager: false
    useStaging: false
    secretName: che-tls

Thank you guys @eivantsov @davidfestal
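The resolution above boils down to a configuration consistency rule: when `global.tls.enabled` is false, `useCertManager` and `useStaging` must be false too. The following added example (not code from the Che project or from anyone in this thread) lints a values tree for that inconsistency and for one related hygiene point a defender would want flagged, the identity provider being reached over plain HTTP. The `ISSUE_VALUES` dict is constructed here to mirror the values.yaml quoted in the issue body; `lint_che_values` and `harmonize_tls` are names chosen for this example and are not part of the Che Helm chart.

```python
"""Lint a Che Helm values tree for the tls inconsistency reported in this issue.

Example code written for this thread; the rules below encode the fix given in
the resolving comment (all tls switches off when tls.enabled is false) plus a
warning for a non-https OIDC provider URL. Function names and the values dict
are assumptions of this example, not part of the Che chart.
"""
import copy
from urllib.parse import urlparse

# Constructed: the relevant subset of the values.yaml from the issue body.
ISSUE_VALUES = {
    "customOidcUsernameClaim": "preferred_username",
    "customOidcProvider": "http://192.168.99.1/identity",
    "global": {
        "multiuser": True,
        "cheDedicatedKeycloak": False,
        "ingressDomain": "192.168.99.100.nip.io",
        "tls": {
            "enabled": False,
            "useCertManager": True,
            "useStaging": True,
            "secretName": "che-tls",
        },
    },
}

# tls sub-keys that only make sense when tls is actually enabled
TLS_DEPENDENT_KEYS = ("useCertManager", "useStaging")


def lint_che_values(values):
    """Return a list of (severity, message) findings for a values tree."""
    findings = []
    tls = values.get("global", {}).get("tls", {})
    if not tls.get("enabled", False):
        # The case from this thread: tls disabled, but cert-manager/staging
        # still switched on. The resolving comment sets both to false.
        for key in TLS_DEPENDENT_KEYS:
            if tls.get(key):
                findings.append((
                    "error",
                    f"global.tls.{key} is true while global.tls.enabled is false; set it to false",
                ))
    provider = values.get("customOidcProvider", "")
    if provider and urlparse(provider).scheme != "https":
        # Discovery documents and tokens would travel unencrypted to this URL.
        findings.append((
            "warning",
            "customOidcProvider uses plain HTTP; OIDC discovery and token traffic is unencrypted",
        ))
    return findings


def harmonize_tls(values):
    """Return a deep copy with tls-dependent switches forced off when tls is disabled."""
    fixed = copy.deepcopy(values)
    tls = fixed.setdefault("global", {}).setdefault("tls", {})
    if not tls.get("enabled", False):
        for key in TLS_DEPENDENT_KEYS:
            tls[key] = False
    return fixed


if __name__ == "__main__":
    for severity, message in lint_che_values(ISSUE_VALUES):
        print(f"{severity}: {message}")
    repaired = harmonize_tls(ISSUE_VALUES)
    print("after harmonize_tls:", repaired["global"]["tls"])
```

Run against the values from the issue, the linter reports the two tls errors the thread resolved and a warning about the http:// provider URL; `harmonize_tls` returns the corrected tree without mutating the input, which is the shape a pre-install check in a deployment pipeline would take.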

Hey @osmankibar

Sorry for commenting on this dead/resolved issue, but we're having a lot of trouble setting up Che to work with our custom OP too.

Did you get this working eventually? What OP are you using?
