
Apache + Keycloak "Error processing request." upon linking account. #80

Closed
BoBeR182 opened this issue Sep 21, 2022 · 11 comments

@BoBeR182

Describe the bug
Successful authentication fails to link account.

To Reproduce
Steps to reproduce the behavior:

  1. Go to https://jellyfin.domain.tld/SSO/oid/p/keycloak?isLinking=true
  2. Login with keycloak user credentials
  3. See error

Expected behavior

Proper authentication

Config

{"keycloak":{"OidEndpoint":"https://keycloak.domain.tld/realms/realm/.well-known/openid-configuration","OidClientId":"jellyfin","OidSecret":"REDACTED","Enabled":true,"EnableAuthorization":false,"EnableAllFolders":true,"EnabledFolders":[],"AdminRoles":[],"Roles":[],"EnableFolderRoles":false,"FolderRoleMapping":[],"OidScopes":[],"CanonicalLinks":{}}}

Logs

[2022-09-21 02:38:04.838 -04:00] [ERR] [177] Jellyfin.Server.Middleware.ExceptionMiddleware: Error processing request. URL "GET" "/sso/OID/r/keycloak".
System.ArgumentNullException: Value cannot be null. (Parameter 'input')
   at System.Text.RegularExpressions.ThrowHelper.ThrowArgumentNullException(ExceptionArgument arg)
   at System.Text.RegularExpressions.Regex.Split(String input)
   at Jellyfin.Plugin.SSO_Auth.Api.SSOController.OidPost(String provider, String state)
   at lambda_method1096(Closure , Object , Object[] )
   at Microsoft.AspNetCore.Mvc.Infrastructure.ActionMethodExecutor.SyncActionResultExecutor.Execute(IActionResultTypeMapper mapper, ObjectMethodExecutor executor, Object controller, Object[] arguments)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.InvokeActionMethodAsync()
   at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.Next(State& next, Scope& scope, Object& state, Boolean& isCompleted)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.InvokeNextActionFilterAsync()
--- End of stack trace from previous location ---
   at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.Rethrow(ActionExecutedContextSealed context)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.Next(State& next, Scope& scope, Object& state, Boolean& isCompleted)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.InvokeInnerFilterAsync()
--- End of stack trace from previous location ---
   at Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.<InvokeNextResourceFilter>g__Awaited|25_0(ResourceInvoker invoker, Task lastTask, State next, Scope scope, Object state, Boolean isCompleted)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.Rethrow(ResourceExecutedContextSealed context)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.Next(State& next, Scope& scope, Object& state, Boolean& isCompleted)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.InvokeFilterPipelineAsync()
--- End of stack trace from previous location ---
   at Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.<InvokeAsync>g__Awaited|17_0(ResourceInvoker invoker, Task task, IDisposable scope)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.<InvokeAsync>g__Awaited|17_0(ResourceInvoker invoker, Task task, IDisposable scope)
   at Microsoft.AspNetCore.Routing.EndpointMiddleware.<Invoke>g__AwaitRequestTask|6_0(Endpoint endpoint, Task requestTask, ILogger logger)
   at Jellyfin.Server.Middleware.ServerStartupMessageMiddleware.Invoke(HttpContext httpContext, IServerApplicationHost serverApplicationHost, ILocalizationManager localizationManager)
   at Jellyfin.Server.Middleware.WebSocketHandlerMiddleware.Invoke(HttpContext httpContext, IWebSocketManager webSocketManager)
   at Jellyfin.Server.Middleware.IpBasedAccessValidationMiddleware.Invoke(HttpContext httpContext, INetworkManager networkManager)
   at Jellyfin.Server.Middleware.LanFilteringMiddleware.Invoke(HttpContext httpContext, INetworkManager networkManager, IServerConfigurationManager serverConfigurationManager)
   at Microsoft.AspNetCore.Authorization.AuthorizationMiddleware.Invoke(HttpContext context)
   at Jellyfin.Server.Middleware.QueryStringDecodingMiddleware.Invoke(HttpContext httpContext)
   at Swashbuckle.AspNetCore.ReDoc.ReDocMiddleware.Invoke(HttpContext httpContext)
   at Swashbuckle.AspNetCore.SwaggerUI.SwaggerUIMiddleware.Invoke(HttpContext httpContext)
   at Swashbuckle.AspNetCore.Swagger.SwaggerMiddleware.Invoke(HttpContext httpContext, ISwaggerProvider swaggerProvider)
   at Microsoft.AspNetCore.Authentication.AuthenticationMiddleware.Invoke(HttpContext context)
   at Jellyfin.Server.Middleware.RobotsRedirectionMiddleware.Invoke(HttpContext httpContext)
   at Jellyfin.Server.Middleware.LegacyEmbyRouteRewriteMiddleware.Invoke(HttpContext httpContext)
   at Microsoft.AspNetCore.ResponseCompression.ResponseCompressionMiddleware.InvokeCore(HttpContext context)
   at Jellyfin.Server.Middleware.ResponseTimeMiddleware.Invoke(HttpContext context, IServerConfigurationManager serverConfigurationManager)
   at Jellyfin.Server.Middleware.ExceptionMiddleware.Invoke(HttpContext context)
[2022-09-21 02:38:47.666 -04:00] [INF] [175] Jellyfin.Plugin.SSO_Auth.Api.SSOController: SSO Controller initialized

Versions (please complete the following information):

  • OS: Arch Linux
  • Browser: Firefox
  • Jellyfin Version: 10.8.4
  • Plugin Version: 3.4.0.0
BoBeR182 added the "bug" label on Sep 21, 2022

@9p4 (Owner) commented Sep 21, 2022

Can you upload your plugin xml configuration?

@BoBeR182 (Author) commented Sep 21, 2022

<?xml version="1.0" encoding="utf-8"?>
<PluginConfiguration xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
  <SamlConfigs />
  <OidConfigs>
    <item>
      <key>
        <string>keycloak</string>
      </key>
      <value>
        <PluginConfiguration>
          <OidEndpoint>https://keycloak.domain.tld/realms/realm/.well-known/openid-configuration</OidEndpoint>
          <OidClientId>jellyfin</OidClientId>
          <OidSecret>REDACTED</OidSecret>
          <Enabled>true</Enabled>
          <EnableAuthorization>false</EnableAuthorization>
          <EnableAllFolders>true</EnableAllFolders>
          <EnabledFolders />
          <AdminRoles>
            <string>jellyfin-admin</string>
          </AdminRoles>
          <Roles>
            <string>jellyfin-user</string>
          </Roles>
          <EnableFolderRoles>false</EnableFolderRoles>
          <FolderRoleMappings />
          <OidScopes />
          <CanonicalLinks />
        </PluginConfiguration>
      </value>
    </item>
  </OidConfigs>
</PluginConfiguration>

@BoBeR182 (Author):

In keycloak it does find the session and I am correctly authenticated.

@9p4 (Owner) commented Sep 21, 2022

Doesn't seem like you have the roleClaim value set. From the docs:

roleClaim: string. This is the value in the OpenID response to check for roles. For Keycloak, it is realm_access.roles by default. The first element is the claim type, the subsequent values are to parse the JSON of the claim value. Use a "\." to denote a literal ".". This expects a list of strings from the OIDC server.

@BoBeR182 (Author):

Disabling role mapping on Jellyfin-SSO still results in the same error.

@9p4 (Owner) commented Sep 21, 2022

Seems like a bug that the roleClaim value is still checked even if role mapping is disabled. Try setting it to any string.

@BoBeR182 (Author):

Still the same error, regardless of what combination of roles, or lack of roles, is applied.

@9p4 (Owner) commented Sep 21, 2022

[screenshot of the plugin configuration page attached]

Make sure that this value is set.

9p4 added the "question" label and removed the "bug" label on Sep 21, 2022

@BoBeR182 (Author):

Maybe let's turn this into a documentation ticket in the end?

That fixes it, now I just need to work out these roles.
I get the following error.

[2022-09-21 19:53:42.932 -04:00] [WRN] [120] Jellyfin.Plugin.SSO_Auth.Api.SSOController: OpenID user "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" has one or more incorrect role claims: [{ Type: "jti", Value: "xxxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx" }, { Type: "sub", Value: "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" }, { Type: "typ", Value: "ID" }, { Type: "azp", Value: "jellyfin" }, { Type: "session_state", Value: "xxxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxx" }, { Type: "acr", Value: "0" }, { Type: "sid", Value: "xxxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxx" }, { Type: "resource_access", Value: "{\"jellyfin\":{\"roles\":[\"jellyfin-admin\",\"jellyfin-user\"]}}" }, { Type: "email_verified", Value: "True" }, { Type: "preferred_username", Value: "user@domain.tld" }, { Type: "given_name", Value: "" }, { Type: "family_name", Value: "" }, { Type: "email", Value: "user@domain.tld" }, { Type: "email_verified", Value: "true" }]. Expected any one of: ["jellyfin-user"]

@BoBeR182 (Author):

Some of the language is unclear and I will try to find the strings to update it to allow others not to have this frustration.

@BoBeR182 (Author):

Since I was using per-client roles instead of realm roles, to match the same format: no "jellyfin-localhost-openid", just "jellyfin".
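As an added example (not the plugin's own code), the following Python models the roleClaim lookup the quoted docs describe and runs it over constructed claims mirroring the warning log above: the path is split on unescaped dots (a backslash-escaped dot, `\.`, is assumed to mean a literal dot), the first element names the claim, the remaining elements walk the claim's JSON value, and an unset roleClaim is rejected up front instead of being passed to a split that throws, which is the ArgumentNullException in the first log. It shows why the default `realm_access.roles` finds nothing for a per-client Keycloak role while `resource_access.jellyfin.roles` does.

```python
import json
import re

# Constructed sample modelled on the warning log in this issue (IDs masked):
# claim (type, value) pairs; Keycloak puts per-client roles under resource_access.
SAMPLE_CLAIMS = [
    ("sub", "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"),
    ("azp", "jellyfin"),
    ("resource_access", '{"jellyfin":{"roles":["jellyfin-admin","jellyfin-user"]}}'),
    ("preferred_username", "user@domain.tld"),
]


def split_role_claim(role_claim):
    """Split a roleClaim path on unescaped dots; '\\.' stands for a literal dot."""
    if not role_claim:
        # Splitting a null value is what raised ArgumentNullException in the
        # issue's log; reject an unset roleClaim with a readable error instead.
        raise ValueError("roleClaim is not set")
    parts = re.split(r"(?<!\\)\.", role_claim)
    return [p.replace("\\.", ".") for p in parts]


def extract_roles(claims, role_claim):
    """Return the role strings the roleClaim path points at ([] if absent)."""
    claim_type, *path = split_role_claim(role_claim)
    values = [v for t, v in claims if t == claim_type]
    if not path:
        # No JSON path: each claim of that type is taken as one role string.
        return values
    roles = []
    for value in values:
        try:
            node = json.loads(value)
        except json.JSONDecodeError:
            continue  # claim value is not JSON; nothing to walk
        for key in path:
            node = node.get(key) if isinstance(node, dict) else None
        if isinstance(node, list):
            roles.extend(r for r in node if isinstance(r, str))
    return roles


def has_any_role(claims, role_claim, expected):
    """True if the user holds at least one of the expected roles."""
    return any(r in expected for r in extract_roles(claims, role_claim))


if __name__ == "__main__":
    for rc in ("realm_access.roles", "resource_access.jellyfin.roles"):
        print(rc, "->", extract_roles(SAMPLE_CLAIMS, rc))
```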
