[keycloak-user] Gerrit + Keycloak (OAuth2)
Sergio Durigan Junior
sergiodj at sergiodj.net
Thu Oct 10 00:47:39 EDT 2019
Hello,
I have been trying to set up a Gerrit instance (latest version, running
in a local VM) with OAuth2 authentication using Keycloak (also running
at the same VM), and I'm seeing some strange errors. I posted a message
like this one to repo-discuss, but I'm now thinking it may have
something to do with a misconfiguration of Keycloak, so I decided to
give it a try here.
First, some information about my setup. I'm running Debian 10 (buster)
with OpenJDK 11 installed. I was trying to run Keycloak "by hand", but
am now trying the docker image provided by you guys. Gerrit is running
on http://192.168.122.32/gerrit, and Keycloak is running on
http://192.168.122.32:8877.
I am using the "master" realm. There, I created the "gerrit" client,
which uses "openid-connect" as the client protocol, and "confidential"
as access type. Here are the other parameters that I think are useful
for you:
- Root URL: http://192.168.122.32/gerrit
- Valid Redirect URIs: http://192.168.122.32/gerrit/*
- Base URL: empty
- Admin URL: http://192.168.122.32/gerrit
- Web Origins: http://192.168.122.32/gerrit
The problem happens when I try to log in. I go to
http://192.168.122.32/gerrit/login, which takes me to Keycloak login
page. I enter the correct user/pass, and get redirected to a URL like:
<http://192.168.122.32/gerrit/oauth?state=4ZnqJHotq9Ul51sjdFtREk7hHlFXP7pBD8YaMvFgP2Q&session_state=86de8bed-870e-48b5-9627-954786c83c4b&code=c639f041-40b1-4205-a7d4-07f923e0e27b.86de8bed-870e-48b5-9627-954786c83c4b.b0086d87-e5ca-48d0-b2af-16b6b3ed8b47>
This URL seems correct. However, I see a "Server Error" on Gerrit:
[2019-10-10 00:14:46,542] [HTTP-81] ERROR com.google.gerrit.pgm.http.jetty.HiddenErrorHandler : Error in GET /gerrit/oauth?state=4ZnqJHotq9Ul51sjdFtREk7hHlFXP7pBD8YaMvFgP2Q&session_state=86de8bed-870e-48b5-9627-954786c83c4b&code=c639f041-40b1-4205-a7d4-07f923e0e27b.86de8bed-870e-48b5-9627-954786c83c4b.b0086d87-e5ca-48d0-b2af-16b6b3ed8b47
org.scribe.exceptions.OAuthException: Cannot extract an access token. Response was: {"error":"invalid_grant","error_description":"Code not valid"}
When I look at Keycloak's logs, I see:
04:14:46,539 WARN [org.keycloak.protocol.oidc.utils.OAuth2CodeParser] (default task-14) Code 'c639f041-40b1-4205-a7d4-07f923e0e27b' already used for userSession '86de8bed-870e-48b5-9627-954786c83c4b' and client 'b0086d87-e5ca-48d0-b2af-16b6b3ed8b47'.
04:14:46,540 WARN [org.keycloak.events] (default task-14) type=CODE_TO_TOKEN_ERROR, realmId=master, clientId=gerrit, userId=null, ipAddress=192.168.122.32, error=invalid_code, grant_type=authorization_code, code_id=86de8bed-870e-48b5-9627-954786c83c4b, client_auth_method=client-secret
I tried searching for these warning messages online, and found a few
references. Most of them (on this same list) did not offer any useful
hints.
I'm pretty new to this whole authentication thing, so any advice is
welcome.
Thanks in advance!
--
Sergio
GPG key ID: 237A 54B1 0287 28BF 00EF 31F4 D0EB 7628 65FC 5E36
Please send encrypted e-mail if possible
http://sergiodj.net/
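To make the two Keycloak WARN lines above concrete, here is an added example (not code from the post, from Gerrit or from Keycloak) modelling how a token endpoint treats a Keycloak-style `<code_id>.<user_session_id>.<client_uuid>` authorization code as single-use: redeeming the same code a second time yields exactly the `invalid_grant` / `Code not valid` body that Gerrit logged, and a code presented by a different client is rejected the same way. The session and client UUIDs are constructed, and `CodeStore` and `replay_demo` are hypothetical names.

```python
import uuid

# Error body as returned by the token endpoint in the quoted Gerrit log.
INVALID_GRANT = {"error": "invalid_grant", "error_description": "Code not valid"}


class CodeStore:
    """Constructed model of an authorization server's table of issued codes."""

    def __init__(self):
        self.issued = {}    # code_id -> {"session": ..., "client": ..., "used": bool}
        self.warnings = []  # stand-in for the WARN lines Keycloak writes on reuse

    def issue(self, user_session_id, client_uuid):
        """Authorization endpoint: mint a code bound to one user session and one client."""
        code_id = str(uuid.uuid4())
        self.issued[code_id] = {"session": user_session_id, "client": client_uuid, "used": False}
        # Same three-part layout as the code in the quoted callback URL.
        return f"{code_id}.{user_session_id}.{client_uuid}"

    def exchange(self, code, client_uuid):
        """Token endpoint: redeem a code exactly once, only for the client it was issued to."""
        parts = code.split(".")
        if len(parts) != 3:
            return dict(INVALID_GRANT)
        code_id, session_id, code_client = parts
        entry = self.issued.get(code_id)
        if (entry is None or entry["session"] != session_id
                or entry["client"] != code_client or code_client != client_uuid):
            return dict(INVALID_GRANT)
        if entry["used"]:
            # Replay of a consumed code: reject it and record the warning.
            self.warnings.append(
                f"Code '{code_id}' already used for userSession '{session_id}' "
                f"and client '{code_client}'.")
            return dict(INVALID_GRANT)
        entry["used"] = True
        return {"access_token": f"tok-{uuid.uuid4()}", "token_type": "Bearer"}


def replay_demo():
    """Redeem one code twice, as happens when the /oauth callback is requested twice."""
    store = CodeStore()
    session, client = str(uuid.uuid4()), str(uuid.uuid4())
    code = store.issue(session, client)
    first = store.exchange(code, client)    # succeeds
    second = store.exchange(code, client)   # invalid_grant, warning logged
    return first, second, store.warnings
```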