Hi there awesome Claper team,
I just stumbled upon this cool project and directly wanted to try it out. Unfortunately, I am having some issues deploying it with keycloak as OIDC provider.
Running it standalone via Portainer on Docker Swarm works well, but when OIDC comes into place the login process gets stuck with a keycloak "invalid request" error on the following redirect page: https://keycloak.MYURL/realms/MYREALM/protocol/openid-connect/auth?request_uri=urn%3Aietf%3Aparams%3Aoauth%3Arequest_uri%XX-XX-XX-XX-XX&client_id=MY_CLIENT_ID
After trying to debug on my own and consulting both the docs and issues, I hoped to get some assistance here.
This is an extract from the current setup:
[...]
  app:
    image: ghcr.io/claperco/claper:latest
    volumes:
      - "/mnt/ceph_data/claper/claper-uploads:/app/uploads"
    healthcheck:
      test: curl --fail http://localhost:4000 || exit 1
      retries: 3
      start_period: 20s
      timeout: 5s
    depends_on:
      - db
    environment:
      BASE_URL: ${BASE_URL}
      DATABASE_URL: postgres://claper:claper@db:5432/claper
      SECRET_KEY_BASE: ${SECRET_KEY_BASE}
      PRESENTATION_STORAGE: local
      PRESENTATION_STORAGE_DIR: /app/uploads
      OIDC_ISSUER: ${OIDC_ISSUER}
      OIDC_CLIENT_ID: ${OIDC_CLIENT_ID}
      OIDC_CLIENT_SECRET: ${OIDC_CLIENT_SECRET}
      OIDC_SCOPES: ${OIDC_SCOPES}
      OIDC_AUTO_REDIRECT_LOGIN: "true"
      ENABLE_ACCOUNT_CREATION: "false"
      ELIXIR_ERL_OPTIONS: "+fnu" # <-- here because of an encoding error in the logs hinting to use this env (but the keycloak issue is the same without this env)
    networks:
[...]
With these environment variables set:
BASE_URL=https://claper.MYURL.TLD
SECRET_KEY_BASE=--random-64-cH4rs--
OIDC_ISSUER=https://keycloak.MYURL.TLD/realms/MYREALM
OIDC_CLIENT_ID=--redacted--
OIDC_CLIENT_SECRET=--redacted--
OIDC_SCOPES=openid email profile
As other services like OpenWebUI or Grist work out of the box, I assumed a config issue on my side or some bug, therefore scanned a bit through the code of Claper, finding the following:
Claper/lib/lti_13/tool/services/access_token.ex, line 74 in 8d04136:
    client_assertion_type: "urn:ietf:params:oauth:client-assertion-type:jwt-bearer",
With %3A = : substitution in the above-mentioned URL:
[...]auth?request_uri=urn:ietf:params:oauth:request_uri:XX-XX-XX-XX-XX&client_id=sy_claper
This looks to me like the "invalid request" URL shown above might not have been fully asserted and therefore looks vastly different from the ones I was able to observe using Grist or OpenWebUI. Maybe this can be a hint to where the root cause is to be found? Unfortunately, I am somewhat stuck...
Thanks for the help and work on this great project :)
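An added example, not part of the original post or of Claper's code: a redirect whose query carries only `request_uri` and `client_id`, as in the URL quoted in the post, has the shape of a Pushed Authorization Request (RFC 9126) rather than a classic request that puts `response_type`, `redirect_uri` and `scope` in the URL. The sketch below classifies a captured authorization URL and reads the PAR fields from a parsed discovery document; the host, realm, client, reference and endpoint values are constructed.

```python
from urllib.parse import parse_qs, urlsplit

# URN form used for PAR references in RFC 9126's examples.
PAR_URN_PREFIX = "urn:ietf:params:oauth:request_uri:"
# Parameters a plain OIDC authorization-code request carries in the URL.
CLASSIC_PARAMS = ("response_type", "redirect_uri", "scope")


def classify_auth_request(url):
    """Classify an authorization URL as 'par', 'request_uri' or 'classic'."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    params = {name: values[0] for name, values in query.items()}
    if "request_uri" in params:
        reference = params["request_uri"]
        # A non-URN value is an OIDC request object passed by reference.
        kind = "par" if reference.startswith(PAR_URN_PREFIX) else "request_uri"
        # With PAR, everything except client_id was already pushed server to server.
        extra = sorted(set(params) - {"request_uri", "client_id"})
        return kind, {"client_id": params.get("client_id"), "extra_params": extra}
    missing = [name for name in CLASSIC_PARAMS if name not in params]
    return "classic", {"client_id": params.get("client_id"), "missing": missing}


def par_settings(metadata):
    """Read the RFC 9126 fields from a parsed discovery document (dict)."""
    return {
        "endpoint": metadata.get("pushed_authorization_request_endpoint"),
        "required": bool(metadata.get("require_pushed_authorization_requests", False)),
    }


# Constructed sample inputs (hypothetical host, realm, client and reference).
AUTH = "https://idp.example.test/realms/demo/protocol/openid-connect/auth"
PAR_URL = (AUTH + "?request_uri=urn%3Aietf%3Aparams%3Aoauth%3Arequest_uri%3Aabc123"
           "&client_id=demo-client")
CLASSIC_URL = (AUTH + "?response_type=code&client_id=demo-client"
               "&scope=openid+email+profile"
               "&redirect_uri=https%3A%2F%2Fapp.example.test%2Fcallback&state=xyz")
SAMPLE_METADATA = {
    "issuer": "https://idp.example.test/realms/demo",
    "pushed_authorization_request_endpoint": "https://idp.example.test/par",
}

if __name__ == "__main__":
    for sample in (PAR_URL, CLASSIC_URL):
        print(classify_auth_request(sample))
    print(par_settings(SAMPLE_METADATA))
```

Comparing the `extra_params` and `missing` fields for the failing client and a working one shows which request style each client uses, and `par_settings` shows whether the provider advertises or requires PAR.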