This repository has been archived by the owner on Apr 26, 2024. It is now read-only.

SSO is broken with Keycloak #11107

Closed
Starz0r opened this issue Oct 18, 2021 · 12 comments
Labels
X-Needs-Info This issue is blocked awaiting information from the reporter

Comments

@Starz0r

Starz0r commented Oct 18, 2021

Description

Keycloak SSO logins seem to have been broken since v1.36.0. So far I've configured them per the documentation, but they don't seem to work, and the last I've heard of them working is v1.27.0.

Steps to reproduce

  • Set up OpenID Connect in the configuration.
  • Attempt to log in via SSO on a device.
  • Be unable to properly log in from the newly configured SSO.

This is really odd considering others have claimed that it has worked before, but it seems to no longer work now? Only posting the relevant information from my config, but it seems pretty straightforward in setup at first:

## Ports ##

listeners:
  - port: 8008
    tls: false
    bind_addresses: ['::']
    type: http
    x_forwarded: false
    resources:
      - names: [client, openid]
        compress: true
      - names: [federation]
        compress: false

## OpenID Connect ##
oidc_providers:
  - idp_id: keycloak
    idp_name: "Centralized Authentication"
    skip_verification: false
    issuer: "https://keycloak.domain.tld/auth/realms/Main"
    # authorization_endpoint: "https://keycloak.domain.tld/auth/realms/Main/protocol/openid-connect/auth"
    # token_endpoint: "https://keycloak.domain.tld/auth/realms/Main/protocol/openid-connect/token"
    # userinfo_endpoint: "https://keycloak.domain.tld/auth/realms/Main/protocol/openid-connect/userinfo"
    client_id: "matrix"
    client_secret: ""
    scopes: ["openid", "profile"]
    user_mapping_provider:
      config:
        localpart_template: "{{ user.preferred_username }}"
        display_name_template: "{{ user.name }}"

By setting this up, a new button appears when trying to log in to my homeserver, which lets you log in from the OpenID Connect provider instead. However, pressing this button just brings you to a page on the homeserver that says

{"errcode": "M_UNRECOGNIZED", "error": "Unrecognized request"}

Which seems weird; I've seen this error before.

Pairing this with the logs from the homeserver:

2021-10-18 15:20:41,514 - synapse.access.http.8008 - 358 - DEBUG - GET-10 - <request ip> - 8008 - Received request: GET /_matrix/client/r0/login/sso/redirect/oidc-keycloak?redirectUrl=element%3A%2F%2Fconnect

2021-10-18 15:20:41,515 - synapse.access.http.8008 - 400 - INFO - GET-10 - <request ip> - 8008 - {None} Processed request: 0.001sec/-0.000sec (0.002sec, 0.000sec) (0.000sec/0.000sec/0) 20B 302 "GET /_matrix/client/r0/login/sso/redirect/oidc-keycloak?redirectUrl=element%3A%2F%2Fconnect HTTP/1.1" "<device useragent>" [0 dbevts]

2021-10-18 15:20:41,612 - synapse.access.http.8008 - 358 - DEBUG - GET-11 - <request ip> - 8008 - Received request: GET /_matrix/client/r0/login/sso/redirect/matrix.domain.tld/_matrix/client/r0/login/sso/redirect/oidc-keycloak?redirectUrl=element%3A%2F%2Fconnect

2021-10-18 15:20:41,616 - synapse.access.http.8008 - 400 - INFO - GET-11 - <request ip> - 8008 - {None} Processed request: 0.002sec/0.001sec (0.001sec, 0.000sec) (0.000sec/0.000sec/0) 75B 400 "GET /_matrix/client/r0/login/sso/redirect/matrix.domain.tld/_matrix/client/r0/login/sso/redirect/oidc-keycloak?redirectUrl=element%3A%2F%2Fconnect HTTP/1.1" "<device useragent>" [0 dbevts]

Perhaps Synapse is by chance ignoring part of the config and accepting everything else? The button can only come up if the relevant parts related to SSO are configured, but it then turns around and says "We cannot handle this type of request here"? Which is odd considering that the button to sign in from SSO is there, but it doesn't get handled properly by the homeserver. Is there something I'm missing that is supposed to be connecting these two, or is it just a bug?

Version information

  • Homeserver: Personal homeserver.
  • Version: Synapse 1.44.0 / Python 3.8.12
  • Install method: Docker Hub
  • Platform: Kubernetes

@clokep
Member

clokep commented Oct 18, 2021

There are some changes around v1.27.0 and v1.29.0 that might affect this: https://matrix-org.github.io/synapse/latest/upgrade#upgrading-to-v1290

The logs look like a redirect loop, so maybe double check that your public_baseurl is configured properly?

@Starz0r
Author

Starz0r commented Oct 18, 2021

@clokep public_baseurl from where? That's not in the OpenID documentation, unless you mean the Keycloak side or something else?

@DMRobertson
Contributor

@Starz0r public_baseurl is a Synapse config option, i.e. it's in homeserver.yaml.

@DMRobertson DMRobertson added the X-Needs-Info This issue is blocked awaiting information from the reporter label Oct 18, 2021
@Starz0r
Author

Starz0r commented Oct 18, 2021

That doesn't make any sense; if it were misconfigured, I don't think my instance would be working at all, right?

Currently, in my homeserver.yaml it's listed as:

public_baseurl: "matrix.domain.tld"

Which looks to be correct.

@DMRobertson
Contributor

I think you need to include the protocol in the public_baseurl, i.e. https://matrix.domain.tld.

If that doesn't resolve the problem, I think your best bet for pinning down the problem is the room #synapse:matrix.org.

@richvdh
Member

richvdh commented Oct 18, 2021

Also: do make sure that your reverse proxy is correctly passing through an X-Forwarded-Proto header, so that Synapse can tell you are using HTTPS. More details at https://matrix-org.github.io/synapse/latest/reverse_proxy.html.

@Starz0r
Author

Starz0r commented Oct 18, 2021

@DMRobertson That did not seem to resolve the issue, just sent the device into an infinite redirect loop.

@richvdh Already being done I believe by the Ingress.

@dklimpel
Contributor

Sounds like this: #10492

@Starz0r
Author

Starz0r commented Oct 18, 2021

That is a closely related, but not entirely relevant, issue to the problem I'm having. My issue isn't directly related to a redirect loop at all.

@DMRobertson
Contributor

@Starz0r there's a comment here that mentions setting x_forwarded: true in the listener config. Have you tried setting that, possibly together with including the protocol in the public_baseurl?
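The following is an added example, not Synapse's own code and not part of this thread. It shows why a public_baseurl without a scheme yields the nested path in the reporter's second log line, and checks the two settings suggested above (scheme in public_baseurl, x_forwarded on the listener). It assumes, consistently with the logged URLs, that the 302 Location is built as public_baseurl + request path, and that the browser resolves a relative Location against the current page; the config dicts are constructed to mirror the posted homeserver.yaml.

```python
# Added example, not Synapse's own code. Assumption (consistent with the logged
# URLs): the 302 Location is public_baseurl + request path, and the browser
# resolves a relative Location against the current page (RFC 3986 section 5).
from typing import Dict, List
from urllib.parse import urljoin, urlsplit

# The SSO request path taken from the issue's logs.
SSO_PATH = ("/_matrix/client/r0/login/sso/redirect/oidc-keycloak"
            "?redirectUrl=element%3A%2F%2Fconnect")

# Constructed to mirror the reporter's homeserver.yaml: no scheme, no x_forwarded.
REPORTED_CONFIG: Dict = {
    "public_baseurl": "matrix.domain.tld",
    "listeners": [{"port": 8008, "tls": False, "type": "http", "x_forwarded": False}],
}
# The same config with the thread's suggested changes applied.
FIXED_CONFIG: Dict = {
    "public_baseurl": "https://matrix.domain.tld",
    "listeners": [{"port": 8008, "tls": False, "type": "http", "x_forwarded": True}],
}


def next_request_path(public_baseurl: str, current_url: str, path: str = SSO_PATH) -> str:
    """Path+query the browser requests after a 302 whose Location is public_baseurl + path."""
    location = public_baseurl.rstrip("/") + path
    # Without a scheme, "matrix.domain.tld/..." is a relative reference and is
    # appended to the directory of the current URL, nesting the SSO path.
    parts = urlsplit(urljoin(current_url, location))
    return parts.path + ("?" + parts.query if parts.query else "")


def check_sso_config(cfg: Dict, behind_tls_proxy: bool = True) -> List[str]:
    """Flag a scheme-less public_baseurl and a proxied listener without x_forwarded."""
    findings = []
    base = cfg.get("public_baseurl", "")
    if not base:
        findings.append("public_baseurl is not set")
    elif urlsplit(base).scheme != "https":
        findings.append(f"public_baseurl {base!r} lacks https://; browsers treat the redirect as relative")
    if behind_tls_proxy:
        for lst in cfg.get("listeners", []):
            if lst.get("type") == "http" and not lst.get("tls") and not lst.get("x_forwarded"):
                findings.append(f"listener on port {lst.get('port')} has x_forwarded: false, so Synapse "
                                "ignores X-Forwarded-Proto and sees the request as plain http")
    return findings


if __name__ == "__main__":
    current = "https://matrix.domain.tld" + SSO_PATH
    print(next_request_path(REPORTED_CONFIG["public_baseurl"], current))  # nested path, as in the logs
    print(next_request_path(FIXED_CONFIG["public_baseurl"], current))     # the same SSO path again
    for finding in check_sso_config(REPORTED_CONFIG):
        print("finding:", finding)
```

With the scheme present the redirect target is the original path again, so if the browser then loops it is because Synapse still sees the request arriving at a different base (plain http behind the proxy), which is what the X-Forwarded-Proto and x_forwarded advice above addresses.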

@Starz0r
Author

Starz0r commented Oct 28, 2021

@DMRobertson I did try that as well, combined with public_baseurl, and it still gives me a redirect loop.

@Starz0r
Author

Starz0r commented Oct 28, 2021

Updated to https://github.com/matrix-org/synapse/releases/tag/v1.45.1, and the issue no longer seems to happen.

However, I do get a different issue with it not entering the right account and creating an entirely new one, because the other might have already been reserved? I'll create a new issue for this problem if I can't find the proper documentation to resolve it.

@Starz0r Starz0r closed this as completed Oct 28, 2021