Keycloak OpenID Connect does not work

Hello, I configured Keycloak as my OID Provider. I run Coder in Docker and added these lines to it (Obviously configured):
CODER_OIDC_ISSUER_URL: "https://auth.my.domain"
CODER_OIDC_CLIENT_ID: "coder-client"
CODER_OIDC_CLIENT_SECRET: "My Secret Token"
But this throws the following error on startup:
Encountered an error running "coder server", see "coder server --help" for more information
error: create oidc config: configure oidc provider: 404 Not Found: {"error":"Unable to find matching target resource method","error_description":"For more on this error consult the server log at the debug level."}
Can someone help me?
12 Replies
Codercord (3mo ago)
Category
Help needed
Product
Coder OSS (v2)
Platform
Linux
Logs
Please post any relevant logs/error messages.
Multigestern (OP, 3mo ago)
No one here to help me with this?
houkai_3rd (3mo ago)
:dogelaugh:
Scott (3mo ago)
Not sure it will help, but you are missing CODER_OIDC_EMAIL_DOMAIN.
Multigestern (OP, 3mo ago)
Helpful. I am familiar with the setting, but I don't understand how it is used, and I think it is poorly documented. Are these supposed to be the domains that are allowed to authenticate themselves via Keycloak? I have never used such a setting in connection with Keycloak. It is also pointless if each of my users has a different domain.
Scott (3mo ago)
I agree. It is poorly documented. I believe it is a constraint (my best guess). You can add multiple domains to the value, and this constrains what email domains the users can have that are added to Coder via the first login process. If you have users with a bunch of different domains, you'd have to add them all here. There should also be a wild-card option for the use case of registering any and all domains, if so needed or wished for. As my project evolves, I'd need this too. But, as it is only my guess, it could also be completely wrong too. 😊 If you could, with your own user, add your email domain (the domain of the email you used to register in Keycloak) and see what happens. 🙂 Oh, and set
- name: CODER_VERBOSE
value: 'true'
to see if the logs are more helpful. 🙂
Phorcys (3mo ago)
CODER_OIDC_EMAIL_DOMAIN defines which domains to allow in the user's email address, but yeah, it is pretty poorly documented. Did you set any subpath at the CODER_OIDC_ISSUER_URL? And yes, please set this environment variable.
Multigestern (OP, 3mo ago)
I will try, thank you. No, do I usually have to? But this URL goes to my Keycloak server on port 8080. Ok, I get:
Encountered an error running "coder server", see "coder server --help" for more information
error: create oidc config:
github.com/coder/coder/v2/cli.(*RootCmd).Server.func2
/home/runner/work/coder/coder/cli/server.go:671
- configure oidc provider:
github.com/coder/coder/v2/cli.createOIDCConfig
/home/runner/work/coder/coder/cli/server.go:127
- 404 Not Found: {"error":"Unable to find matching target resource method","error_description":"For more on this error consult the server log at the debug level."}
So it is something with the CODER_OIDC_ISSUER_URL, I guess.
Phorcys (3mo ago)
Yes, when you define the app in Keycloak, it should give you the link to use.
Phorcys (3mo ago)
API Gateway APISIX Integrates Keycloak for Authentication | Apache ...
This article shows you how to use OpenID-Connect protocol and Keycloak for identity authentication in API Gateway Apache APISIX through detailed steps.
Phorcys (3mo ago)
The example is for APISIX, but it explains that there are different links based on the realm that you use.
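Added example (not from this thread and not Coder's or Keycloak's own code): a small Python check that replays the OpenID Connect discovery step Coder runs at startup against a configured issuer, so the 404 above can be reproduced and explained offline. The host auth.my.domain comes from the thread; the realm name "coder", the go-oidc exact-match note and the fake Keycloak server are assumptions or constructed stand-ins.

```python
# Diagnostic for a CODER_OIDC_ISSUER_URL: replay the OIDC discovery step a client
# such as Coder performs at startup and report why it would fail.
import json
from urllib.error import HTTPError
from urllib.parse import urlsplit
from urllib.request import urlopen

WELL_KNOWN = "/.well-known/openid-configuration"

def discovery_url(issuer: str) -> str:
    """OpenID Connect Discovery: the metadata document sits directly under the issuer."""
    return issuer.rstrip("/") + WELL_KNOWN

def http_get(url: str) -> str:  # real network fetch; the tests use fake_keycloak instead
    with urlopen(url, timeout=10) as resp:
        return resp.read().decode()

def check_issuer(issuer: str, fetch=http_get) -> list:
    """Return the problems a client would hit with this issuer (empty list = OK)."""
    problems = []
    parts = urlsplit(issuer)
    if parts.scheme != "https":
        problems.append("issuer is not https")
    if parts.path.rstrip("/") == "":
        problems.append("issuer has no realm path; Keycloak issuers look like "
                        "https://host/realms/<realm> (or /auth/realms/<realm> on old releases)")
    try:
        body = fetch(discovery_url(issuer))
    except HTTPError as err:
        problems.append(f"discovery GET {discovery_url(issuer)} failed with HTTP {err.code}")
        return problems
    doc = json.loads(body)
    # Clients (Coder uses go-oidc) compare the document's 'issuer' with the configured
    # string exactly, so even a stray trailing slash is rejected.
    if doc.get("issuer") != issuer:
        problems.append(f"issuer mismatch: configured {issuer!r}, document says {doc.get('issuer')!r}")
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        if key not in doc:
            problems.append(f"discovery document lacks {key}")
    return problems

# Constructed stand-in for a Keycloak server hosting one realm, "coder": any URL
# outside the realm path is a 404, which is what the thread's error shows.
REALM_ISSUER = "https://auth.my.domain/realms/coder"

def fake_keycloak(url: str) -> str:
    if url != REALM_ISSUER + WELL_KNOWN:
        raise HTTPError(url, 404, "Not Found", {}, None)
    base = REALM_ISSUER + "/protocol/openid-connect/"
    return json.dumps({"issuer": REALM_ISSUER, "authorization_endpoint": base + "auth",
                       "token_endpoint": base + "token", "jwks_uri": base + "certs"})
```

Running check_issuer("https://auth.my.domain", fake_keycloak) reports both the missing realm path and the 404, while the realm issuer with a trailing slash passes discovery but fails the exact issuer comparison.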
Multigestern (OP, 3mo ago)
Thank you so much! Btw, you don't need the CODER_OIDC_EMAIL_DOMAIN entry if you don't want to restrict it by the email domain.