Weblate: unable to set up Authentication with keycloak

Created on 5 Oct 2020 · 10 Comments · Source: WeblateOrg/weblate

Describe the bug

Hi,

With my team we are trying to set up our weblate docker container to use Keycloak as the authentication system.
We followed the only documentation that exists on this subject -> https://docs.weblate.org/en/weblate-4.2.2/admin/install/docker.html?#keycloak

So far we have, in a local environment, weblate running and working.

Here is the docker-compose, relevant part:

  weblate:
    image: weblate/weblate
    container_name: weblate
    depends_on:
      - postgres
      - redis
    volumes:
      - weblate-data:/app/data
    ports:
      - 8090:8080
    networks:
      - web
    environment:
      POSTGRES_DATABASE: postgres
      POSTGRES_HOST: postgres
      POSTGRES_PASSWORD: xxxx
      POSTGRES_PORT: 5432
      POSTGRES_USER: weblate
      REDIS_HOST: redis
      REDIS_PORT: 6379
      WEBLATE_ADMIN_EMAIL: [email protected]
      WEBLATE_ADMIN_NAME: admin
      WEBLATE_ADMIN_PASSWORD: admin
      WEBLATE_ALLOWED_HOSTS: "*"
      WEBLATE_DEFAULT_FROM_EMAIL: [email protected]
      WEBLATE_LOGLEVEL: DEBUG #dev only
      WEBLATE_REGISTRATION_OPEN: 0
      REGISTRATION_ALLOW_BACKENDS: keycloak-oauth2 #not sure of the value here
      WEBLATE_SERVER_EMAIL: [email protected]
      SOCIAL_AUTH_KEYCLOAK_ID_KEY: email
      SOCIAL_AUTH_VERIFY_SSL: 0
      WEBLATE_SITE_DOMAIN: localhost:8090
      WEBLATE_SOCIAL_AUTH_KEYCLOAK_KEY: 'aos-translate'
      WEBLATE_SOCIAL_AUTH_KEYCLOAK_SECRET: '77d132b1-bfa7-460a-81b8-214e235a56e1'
      WEBLATE_SOCIAL_AUTH_KEYCLOAK_PUBLIC_KEY: 'xxxxxx'
      WEBLATE_SOCIAL_AUTH_KEYCLOAK_ALGORITHM: 'RS256'
      WEBLATE_SOCIAL_AUTH_KEYCLOAK_AUTHORIZATION_URL: 'http://localhost:8085/auth/realms/aos/protocol/openid-connect/auth'
      WEBLATE_SOCIAL_AUTH_KEYCLOAK_ACCESS_TOKEN_URL: 'http://localhost:8085/auth/realms/aos/protocol/openid-connect/token'

For keycloak side, we followed the steps described in the comment on the source file -> https://github.com/python-social-auth/social-core/blob/master/social_core/backends/keycloak.py

On the sign in form of weblate, now we have a button "keycloak". If we click on it, we are redirected to keycloak's own sign in form:

http://localhost:8085/auth/realms/aos/protocol/openid-connect/auth?client_id=aos-translate&redirect_uri=http%3A%2F%2Flocalhost%3A8090%2Faccounts%2Fcomplete%2Fkeycloak%2F%3Fredirect_state%3DIhc50guJxwVoevULfPnvxJV6Jv3fzYxW&state=Ihc50guJxwVoevULfPnvxJV6Jv3fzYxW&response_type=code

Here if we try to connect with wrong credentials, keycloak informs us about that, and we have to retry, but if we enter correct ones, we are redirected back to weblate -> http://localhost:8090/accounts/login/.

And here the problem happens: An error message appears in the UI

Could not authenticate, probably due to an expired token or connection error.

And we are not authenticated. There is no error in keycloak logs and in weblate logs.

Due to lack of proper documentation/guide and no explicit log, we cannot figure out what the problem is.

question

All 10 comments

Did you check Weblate logs? Maybe it's duplicate of https://github.com/WeblateOrg/weblate/issues/4473?

Looking at it again, it might just be some mess in the cookies as you run both services on the localhost domain - they can steal or rewrite cookies from the other app.

This issue looks like a support question. We try to answer these reasonably fast, but in case you are looking for faster resolution, please consider purchasing support subscription and make Weblate stronger.

First, what is the right value of this env variable please (for Keycloak)?

REGISTRATION_ALLOW_BACKENDS: ???

Did you check Weblate logs? Maybe it's duplicate of #4473?

There is absolutely no log emitted by the weblate container on the sign in process.
WEBLATE_SOCIAL_AUTH_KEYCLOAK_ALGORITHM: RS256 is already present in the docker-compose file.

The only log I can see is on the keycloak side and happens right after clicking the "keycloak" button, during the redirection to keycloak's sign in form:

WARN  [org.keycloak.services] (default task-1) KC-SERVICES0091: Request is missing scope 'openid' so it's not treated as OIDC, but just pure OAuth2 request.

EDIT: It seems some logs appear after a long waiting time or after signing in through the normal form (not keycloak), but I am not sure if the logs are relevant to the keycloak sign in process.

HTTP/1.1" 200 2390 "http://localhost:8090/" "Mozilla/5.0 (X11; Linux x86_64; rv:81.0) Gecko/20100101 Firefox/81.0"
nginx stdout | 172.18.0.1 - - [06/Oct/2020:09:09:39 +0000] "GET /static/logo-32.png HTTP/1.1" 200 1192 "http://localhost:8090/" "Mozilla/5.0 (X11; Linux x86_64; rv:81.0) Gecko/20100101 Firefox/81.0"
uwsgi stderr | [pid: 715|app: 0|req: 1/2] 172.18.0.1 () {46 vars in 796 bytes} [Tue Oct  6 09:09:50 2020] GET /accounts/login/?next=/ => generated 13601 bytes in 622 msecs (HTTP/1.1 200) 10 headers in 469 bytes (2 switches on core 0)
nginx stdout | 172.18.0.1 - - [06/Oct/2020:09:09:51 +0000] "GET /accounts/login/?next=/ HTTP/1.1" 200 4708 "http://localhost:8090/" "Mozilla/5.0 (X11; Linux x86_64; rv:81.0) Gecko/20100101 Firefox/81.0"
nginx stdout | 172.18.0.1 - - [06/Oct/2020:09:09:51 +0000] "GET /static/weblate-180.png HTTP/1.1" 200 2390 "http://localhost:8090/" "Mozilla/5.0 (X11; Linux x86_64; rv:81.0) Gecko/20100101 Firefox/81.0"
celery-main stderr | [2020-10-06 09:09:54,465: INFO/MainProcess] Received task: weblate.utils.tasks.heartbeat[34c29165-3273-4503-8433-9fc3ac32adde]
uwsgi stderr | [pid: 714|app: 0|req: 1/3] 172.18.0.1 () {52 vars in 965 bytes} [Tue Oct  6 09:09:55 2020] POST /accounts/login/keycloak/?next=/ => generated 0 bytes in 540 msecs (HTTP/1.1 302) 11 headers in 759 bytes (1 switches on core 0)
nginx stdout | 172.18.0.1 - - [06/Oct/2020:09:09:56 +0000] "POST /accounts/login/keycloak/?next=/ HTTP/1.1" 302 0 "http://localhost:8090/" "Mozilla/5.0 (X11; Linux x86_64; rv:81.0) Gecko/20100101 Firefox/81.0"
uwsgi stderr | WARNING Handled exception: AuthFailed: Authentication failed: HTTPConnectionPool(host='localhost', port=8085): Max retries exceeded with url: /auth/realms/aos/protocol/openid-connect/token (Caused by NewConnectionError('<urllib3.connection.HTTPConnection object at 0x7fa13e2e6e80>: Failed to establish a new connection: [Errno 111] Connection refused'))
uwsgi stderr | [pid: 716|app: 0|req: 1/4] 172.18.0.1 () {46 vars in 1571 bytes} [Tue Oct  6 09:10:00 2020] GET /accounts/complete/keycloak/?redirect_state=2Ldmmz0faHokiliN9j5DMQP55UkpA8if&state=2Ldmmz0faHokiliN9j5DMQP55UkpA8if&session_state=3a7c9dbc-9345-460d-8645-74dac0b14d77&code=b4fd559c-eb81-44b6-98c6-cf77a1d12279.3a7c9dbc-9345-460d-8645-74dac0b14d77.7f638188-e4db-4ee3-af40-ca6dba80c85f => generated 0 bytes in 537 msecs (HTTP/1.1 302) 11 headers in 496 bytes (2 switches on core 0)
nginx stdout | 172.18.0.1 - - [06/Oct/2020:09:10:00 +0000] "GET /accounts/complete/keycloak/?redirect_state=2Ldmmz0faHokiliN9j5DMQP55UkpA8if&state=2Ldmmz0faHokiliN9j5DMQP55UkpA8if&session_state=3a7c9dbc-9345-460d-8645-74dac0b14d77&code=b4fd559c-eb81-44b6-98c6-cf77a1d12279.3a7c9dbc-9345-460d-8645-74dac0b14d77.7f638188-e4db-4ee3-af40-ca6dba80c85f HTTP/1.1" 302 0 "http://localhost:8085/auth/realms/aos/protocol/openid-connect/auth?client_id=aos-translate&redirect_uri=http%3A%2F%2Flocalhost%3A8090%2Faccounts%2Fcomplete%2Fkeycloak%2F%3Fredirect_state%3D2Ldmmz0faHokiliN9j5DMQP55UkpA8if&state=2Ldmmz0faHokiliN9j5DMQP55UkpA8if&response_type=code" "Mozilla/5.0 (X11; Linux x86_64; rv:81.0) Gecko/20100101 Firefox/81.0"
uwsgi stderr | [pid: 716|app: 0|req: 2/5] 172.18.0.1 () {44 vars in 745 bytes} [Tue Oct  6 09:10:00 2020] GET /accounts/login/ => generated 13745 bytes in 88 msecs (HTTP/1.1 200) 10 headers in 469 bytes (2 switches on core 0)

uwsgi stderr | WARNING Handled exception: AuthFailed: Authentication failed: HTTPConnectionPool(host='localhost', port=8085): Max retries exceeded with url: /auth/realms/aos/protocol/openid-connect/token (Caused by NewConnectionError('<urllib3.connection.HTTPConnection object at 0x7fa13e2e6e80>: Failed to establish a new connection: [Errno 111] Connection refused'))

This certainly is related, Weblate cannot connect to the keycloak server. Probably the URL should not be localhost unless you are using host networking in the Docker.

Keycloak runs on localhost as well, and on the same network:

  keycloak:
    container_name: aos-keycloak
    depends_on:
      - mysql
    environment:
      DB_USER: xxxxxxx
      DB_PASSWORD: xxxxxx
      DB_VENDOR: mysql
      KEYCLOAK_USER: xxxxxx
      KEYCLOAK_PASSWORD: xxxxxx
      KEYCLOAK_IMPORT: /tmp/my_realm.json
    image: jboss/keycloak:10.0.1
    networks:
      - web
    ports:
      - 8085:8080
      # - 8085:8443
    volumes:
      - ./apps/aos-server-account/export:/tmp
      - ./apps/aos-server-account/themes/aos:/opt/jboss/keycloak/themes/aos
      - ./apps/aos-server-account/themes/base:/opt/jboss/keycloak/themes/base
      - ./apps/aos-server-account/deployments/recaptcha-login.jar:/opt/jboss/keycloak/standalone/deployments/recaptcha-login.jar

But it's not localhost for Weblate. Please read on how Docker networking works, for example on https://docs.docker.com/network/network-tutorial-standalone/
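
The point the maintainer is making is that the two Keycloak URLs in the compose file are fetched by different parties: the authorization URL is only ever followed by the user's browser (so `localhost:8085`, the port published on the developer's machine, is right there), while the token URL is fetched by the Weblate process inside its own container, where `localhost` is the Weblate container and nothing listens on 8085. The small linter below, an added example that is neither Weblate's nor social-core's code, encodes that rule and rewrites the token URL to the service-name form reachable on the shared `web` network. The service name `keycloak` and container port `8080` are taken from the compose fragment in the thread; the finding codes and the `host_network` flag are this example's own.

```python
"""Lint Weblate's Keycloak OAuth2 settings for the Docker-networking pitfall from the thread.

Added example (not Weblate or social-core code). It checks which side of the
authorization-code flow fetches each URL and flags a loopback host on the
server-fetched token endpoint, which inside a container is the container itself.
"""
from urllib.parse import urlparse

# Hostnames that resolve to the *calling* container under default bridge networking
# (assumption: no network_mode: host and no extra_hosts trickery).
LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1"}

# The authorization URL is followed by the browser; the token URL is fetched by
# Weblate itself (server-to-server, carrying the client secret).
SERVER_SIDE_KEYS = ("WEBLATE_SOCIAL_AUTH_KEYCLOAK_ACCESS_TOKEN_URL",)
BROWSER_SIDE_KEYS = ("WEBLATE_SOCIAL_AUTH_KEYCLOAK_AUTHORIZATION_URL",)

# Constructed from the compose fragment posted in the issue (secrets omitted).
THREAD_ENV = {
    "WEBLATE_SITE_DOMAIN": "localhost:8090",
    "SOCIAL_AUTH_VERIFY_SSL": "0",
    "WEBLATE_SOCIAL_AUTH_KEYCLOAK_AUTHORIZATION_URL":
        "http://localhost:8085/auth/realms/aos/protocol/openid-connect/auth",
    "WEBLATE_SOCIAL_AUTH_KEYCLOAK_ACCESS_TOKEN_URL":
        "http://localhost:8085/auth/realms/aos/protocol/openid-connect/token",
}


def lint_keycloak_env(env, host_network=False):
    """Return a list of (setting, code, message) findings; an empty list means nothing flagged."""
    findings = []
    for key in SERVER_SIDE_KEYS + BROWSER_SIDE_KEYS:
        url = env.get(key)
        if not url:
            findings.append((key, "missing", "setting is required for the Keycloak backend"))
            continue
        parts = urlparse(url)
        if parts.scheme != "https":
            findings.append((key, "cleartext-http",
                             "traffic to this endpoint (credentials, code, client secret) "
                             "is unencrypted; tolerable only on a local dev box"))
        if key in SERVER_SIDE_KEYS and parts.hostname in LOOPBACK_HOSTS and not host_network:
            findings.append((key, "loopback-from-container",
                             f"{parts.hostname!r} is the Weblate container itself, not the host "
                             "that publishes Keycloak's port; use the Keycloak service name on the "
                             "shared Docker network and the *container* port (e.g. keycloak:8080)"))
    # Disabling certificate verification lets the token exchange, and the client
    # secret it carries, be answered by any server that can intercept the connection.
    if str(env.get("SOCIAL_AUTH_VERIFY_SSL", "1")).lower() in {"0", "false", "no"}:
        findings.append(("SOCIAL_AUTH_VERIFY_SSL", "tls-verify-disabled",
                         "certificate checks on the token exchange are off"))
    return findings


def suggest_token_url(url, service_name, container_port):
    """Rewrite a host-published URL to the service-name:container-port form usable inside the compose network."""
    parts = urlparse(url)
    return parts._replace(netloc=f"{service_name}:{container_port}").geturl()


if __name__ == "__main__":
    for setting, code, message in lint_keycloak_env(THREAD_ENV):
        print(f"{setting}: [{code}] {message}")
    print("suggested token URL:",
          suggest_token_url(THREAD_ENV["WEBLATE_SOCIAL_AUTH_KEYCLOAK_ACCESS_TOKEN_URL"],
                            "keycloak", 8080))
```

Run against the thread's settings, the linter reports the `loopback-from-container` finding on the token URL (the same failure the `Connection refused` line in the uwsgi log shows), and the rewrite yields `http://keycloak:8080/auth/realms/aos/protocol/openid-connect/token`. The authorization URL is deliberately left on `localhost:8085`, since the browser, not the container, resolves it. After the change, if Keycloak still rejects the login, check whether its configured frontend URL makes the issuer it puts in tokens depend on the hostname the token endpoint was reached through; that is an assumption to verify on the Keycloak side, not something the thread establishes.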

Ok thank you.

The issue you have reported seems to be resolved now.

  • In case you see a similar problem, please open a separate issue.
  • If you are happy with the outcome, consider supporting Weblate by donating.