Ocis with keycloak&nginx problem #3540

rtest12 · 2022-04-16T20:23:25Z

Please, help(
I’m trying to run ocis in docker with my own keycloak (also in docker, that was installed before) and nginx.
I get error when logging in

Login Error
Your user session is invalid or has expired.
If you like to login with a different user please proceed to exit.
Attention: this will log you out from all applications you are running in this browser with your current user.

docker log

{“level”:“error”,“service”:“proxy”,“error”:“401 Unauthorized: {“error”:“invalid_token”,“error_description”:“Token verification failed”}”,“time”:“2022-04-14T19:11:27Z”,“message”:“Failed to get userinfo”}

My yml

version: “3.7”

services:
ocis:
image: owncloud/ocis:latest
networks:
ocis_net:
entrypoint:
- /bin/sh
- /entrypoint-override.sh
environment:
# Keycloak IDP specific configuration
PROXY_AUTOPROVISION_ACCOUNTS: “true”
PROXY_OIDC_ISSUER: https://keycloak.mydomain.com/auth/realms/myrealm
WEB_OIDC_AUTHORITY: https://keycloak.mydomain.com/auth/realms/myrealm

  WEB_OIDC_CLIENT_ID: ocis
  WEB_OIDC_METADATA_URL: https://keycloak.mydomain.com/auth/realms/myrealm/.well-known/openid-configuration
  STORAGE_OIDC_ISSUER: https://keycloak.mydomain.com/auth/realms/myrealm
  STORAGE_LDAP_IDP: https://keycloak.mydomain.com/auth/realms/myralm
  # general config
  OCIS_URL: https://myocis.mydomain.com
  OCIS_LOG_LEVEL: ${OCIS_LOG_LEVEL:-error} # make oCIS less verbose
  PROXY_TLS: "false" # do not use SSL between Traefik and oCIS
  ACCOUNTS_DEMO_USERS_AND_GROUPS: "false" # don't generate demo users
  # change default secrets
  IDP_LDAP_BIND_PASSWORD: *************
  STORAGE_LDAP_BIND_PASSWORD: ********************************
  OCIS_JWT_SECRET: ********************************
  STORAGE_TRANSFER_SECRET: *********************************
  OCIS_MACHINE_AUTH_API_KEY: *********************************

  OCIS_INSECURE: "false"
volumes:
  - ./config/ocis/entrypoint-override.sh:/entrypoint-override.sh
  - ocis-data:/var/lib/ocis
ports:
  - "9200:9200"
     restart: always
volumes:
  ocis-data:
networks:
  ocis-net:

In nginx

        location /.well-known/openid-configuration {
                proxy_pass https://keycloak.exam.com/auth/realms/Myrealm/.well-known/openid-configuration;
                proxy_set_header X-Forwarded-For $remote_addr;
        }



        location / {
                        proxy_pass http://localhost:9200/;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_http_version 1.1;
    proxy_set_header Connection “”;
    proxy_buffering off;
    client_max_body_size 0;
    proxy_read_timeout 36000s;
    proxy_redirect off;
    proxy_set_header    X-Forwarded-Server $host;
    proxy_set_header    X-Forwarded-Port   443;
    proxy_set_header    X-Forwarded-Proto  https;
    proxy_buffer_size   128k;
    proxy_buffers   4 256k;
    proxy_busy_buffers_size   256k;

        }

}

The text was updated successfully, but these errors were encountered:

rtest12 · 2022-04-17T18:28:03Z

Please help...

{"level":"error","service":"accounts","error":"github.com.owncloud.ocis.protogen.gen.ocis.messages.accounts.v0.Account with Id=95cb8724-03b2-11eb-a0a6-c33ef8ef53ad does already exist","time":"2022-04-17T15:35:16Z","message":"service user was configured but failed to be added to the index"}
process idp terminated##################################################
change default secrets:
##################################################
##################################################
delete demo users
##################################################
{"level":"error","service":"proxy","error":"401 Unauthorized: {\"error\":\"invalid_token\",\"error_description\":\"Token verification failed\"}","time":"2022-04-17T15:35:36Z","message":"Failed to get userinfo"}
{"level":"error","service":"proxy","error":"401 Unauthorized: {\"error\":\"invalid_token\",\"error_description\":\"Token verification failed\"}","time":"2022-04-17T15:35:37Z","message":"Failed to get userinfo"}
{"level":"error","service":"proxy","error":"401 Unauthorized: {\"error\":\"invalid_token\",\"error_description\":\"Token verification failed\"}","time":"2022-04-17T15:35:38Z","message":"Failed to get userinfo"}
{"level":"error","service":"proxy","error":"401 Unauthorized: {\"error\":\"invalid_token\",\"error_description\":\"Token verification failed\"}","time":"2022-04-17T15:35:46Z","message":"Failed to get userinfo"}
{"level":"error","service":"proxy","error":"401 Unauthorized: {\"error\":\"invalid_token\",\"error_description\":\"Token verification failed\"}","time":"2022-04-17T15:35:49Z","message":"Failed to get userinfo"}
{"level":"error","service":"proxy","error":"401 Unauthorized: {\"error\":\"invalid_token\",\"error_description\":\"Token verification failed\"}","time":"2022-04-17T15:35:49Z","message":"Failed to get userinfo"}
{"level":"error","service":"proxy","error":"401 Unauthorized: {\"error\":\"invalid_token\",\"error_description\":\"Token verification failed\"}","time":"2022-04-17T15:35:50Z","message":"Failed to get userinfo"}
{"level":"error","service":"proxy","error":"401 Unauthorized: {\"error\":\"invalid_token\",\"error_description\":\"Token verification failed\"}","time":"2022-04-17T15:35:52Z","message":"Failed to get userinfo"}
{"level":"error","service":"proxy","error":"401 Unauthorized: {\"error\":\"invalid_token\",\"error_description\":\"Token verification failed\"}","time":"2022-04-17T15:41:22Z","message":"Failed to get userinfo"}
{"level":"error","service":"proxy","error":"401 Unauthorized: {\"error\":\"invalid_token\",\"error_description\":\"Token verification failed\"}","time":"2022-04-17T15:41:22Z","message":"Failed to get userinfo"}
{"level":"error","service":"proxy","error":"401 Unauthorized: {\"error\":\"invalid_token\",\"error_description\":\"Token verification failed\"}","time":"2022-04-17T15:41:23Z","message":"Failed to get userinfo"}
{"level":"error","service":"proxy","error":"401 Unauthorized: {\"error\":\"invalid_token\",\"error_description\":\"Token verification failed\"}","time":"2022-04-17T15:41:30Z","message":"Failed to get userinfo"}
{"level":"error","service":"proxy","error":"gateway: grpc failed with code CODE_PERMISSION_DENIED","time":"2022-04-17T15:41:30Z","message":"error when calling Createhome"}
{"level":"error","service":"proxy","error":"gateway: grpc failed with code CODE_PERMISSION_DENIED","time":"2022-04-17T15:41:30Z","message":"error when calling Createhome"}
{"level":"error","service":"ocis","error":"error: permission denied: create container: error: permission denied: ","time":"2022-04-17T15:41:31Z","message":"error initializing metadata client"}
{"level":"error","service":"ocis","error":"error: permission denied: create container: error: permission denied: ","time":"2022-04-17T15:41:31Z","message":"error initializing metadata client"}
{"level":"error","service":"ocis","error":"error: permission denied: create container: error: permission denied: ","time":"2022-04-17T15:41:31Z","message":"error initializing metadata client"}
{"level":"error","service":"ocis","error":"error: permission denied: create container: error: permission denied: ","time":"2022-04-17T15:41:31Z","message":"error initializing metadata client"}

rtest12 · 2022-04-19T17:46:29Z

But what happens in general, you even have the same error on the demo stand!

henniaufmrenni · 2022-04-20T12:39:48Z

I also encountered this issue, after upgrading from 1.18 to 1.20. After some testing, it seems there is a regression which was introduced in 1.19. Rolling back to 1.18 solved the issue for me.

rtest12 · 2022-04-20T18:11:48Z

I also encountered this issue, after upgrading from 1.18 to 1.20. After some testing, it seems there is a regression which was introduced in 1.19. Rolling back to 1.18 solved the issue for me.

Yes, thanks for the tip, I figured that out too.

wkloucek · 2022-04-26T13:15:35Z

I also encountered this issue, after upgrading from 1.18 to 1.20. After some testing, it seems there is a regression which was introduced in 1.19. Rolling back to 1.18 solved the issue for me.

Yes, that's indeed a regression. Sorry for the inconvenience.

I'm not exactly sure when we'll be able to provide a fixed version, since we're currently in the process of switching to a new user backend (We're replacing the accounts and glauth service with the IDM / identity management service).

I'll let you know when this bug is fixed.

We're also about to enter BETA phase (currently we're in the Tech Preview phase of oCIS), therefore we will no longer have such breaking changes, soon.

When removing the accounts service we lost the user autoprovision feature. This re-introduces it. When autoprovisioning is enabled (via PROXY_AUTOPROVISION_ACCOUNTS, as in the past) accounts that are not resolvable via cs3 will be provsioned via the libregraph API. Closes: owncloud#3540

When removing the accounts service we lost the user autoprovision feature. This re-introduces it. When autoprovisioning is enabled (via PROXY_AUTOPROVISION_ACCOUNTS, as in the past) accounts that are not resolvable via cs3 will be provsioned via the libregraph API. Closes: #3540

suderman · 2022-06-01T18:26:05Z

Apologies if this is the wrong place to ask, but I have a question about user sessions.

Every time I restart my OCIS service (based on the docker compose example with traefik), all my clients are logged out. It says "the connection's access token has expired or become invalid". Is this intended behaviour, or am I doing something wrong? Are all my clients supposed to re-authenticate after every image update?

wkloucek · 2022-06-02T07:07:32Z

You're using the built-in IDP and no Keycloak? You can generate a certificate and a secret, so that your sessions survive a restart:

openssl rand -out /etc/ocis/idp-encryption.key 32
openssl genpkey -algorithm RSA -out /etc/ocis/idp-private-key.pem -pkeyopt rsa_keygen_bits:4096

Then you need to configure the IDP to use them:

IDP_SIGNING_PRIVATE_KEY_FILES=/etc/ocis/idp-private-key.pem
IDP_ENCRYPTION_SECRET_FILE=/etc/ocis/idp-encryption.key

I filed an issue so that we can do this automatically in the future: #3909

suderman · 2022-06-07T19:21:51Z

Thank you, @wkloucek! I'm new to OCIS and wouldn't have discovered that for a long time. Works like a charm! ^_^

rtest12 added the Type:Bug label Apr 16, 2022

IljaN added the Type:Regression label Apr 20, 2022

wkloucek added the Category:Defect Existing functionality is not working as expected label Apr 26, 2022

rtest12 mentioned this issue May 2, 2022

Release 2.0.0-beta1 #3627

Closed

45 tasks

micbar added the Priority:p2-high Escalation, on top of current planning, release blocker label May 4, 2022

rhafer self-assigned this May 12, 2022

rhafer mentioned this issue May 24, 2022

Add user autoprovisioning via libreGraph #3860

Merged

9 tasks

rhafer closed this as completed in #3860 May 24, 2022

micbar moved this to Done in Infinite Scale Team Board Dec 16, 2022

micbar added this to Infinite Scale Team Board Dec 16, 2022

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Ocis with keycloak&nginx problem #3540

Ocis with keycloak&nginx problem #3540

rtest12 commented Apr 16, 2022 •

edited

Loading

rtest12 commented Apr 17, 2022

rtest12 commented Apr 19, 2022

henniaufmrenni commented Apr 20, 2022 •

edited

Loading

rtest12 commented Apr 20, 2022

wkloucek commented Apr 26, 2022

suderman commented Jun 1, 2022

wkloucek commented Jun 2, 2022

suderman commented Jun 7, 2022

Ocis with keycloak&nginx problem #3540

Ocis with keycloak&nginx problem #3540

Comments

rtest12 commented Apr 16, 2022 • edited Loading

rtest12 commented Apr 17, 2022

rtest12 commented Apr 19, 2022

henniaufmrenni commented Apr 20, 2022 • edited Loading

rtest12 commented Apr 20, 2022

wkloucek commented Apr 26, 2022

suderman commented Jun 1, 2022

wkloucek commented Jun 2, 2022

suderman commented Jun 7, 2022

rtest12 commented Apr 16, 2022 •

edited

Loading

henniaufmrenni commented Apr 20, 2022 •

edited

Loading