How to configure Keycloak as OIDC provider for Linshare

[kvvloten]

Hi all,

I am trying to make Keycloak work as OIDC for Linshare, but so far thatis unsuccessful.
Although I am sure I can make it work by using headers (and do the configuration in Apache), that has been marked as deprecated in the documentation. Therefor I am trying to follow the OIDC documentation for Lemonldap and Azure and make the best of it. But no success yet.

I see the calls to Keycloak are happening and successful (according to Keycloak's logs), however the Linshare user frontend returns "SSO authentication failed" while it keeps on showing a spinning wheel.

What is a good approach to debug this?
Or has anybody been able to configure Linshare + Keycloak OIDC successfully?

-- Kees.

[wboudiche]

Hi,
Did you enabled the debug mode in log4j file ?

[kvvloten]

I don't think I am getting to the point where there is relevant logging in linshare.log.
It is hard to set it up due to fragmented and (to me) unclear documentation.

Let's go over the setup.

• OS on all involved machines is Debian Bookworm.
• Linshare version: 6.3
• Keycloak version: 25.0.6

Linshare and Keycloak are on different machines and are both behind an Apache reverse-proxy.

The domain office.example.com is accessible internally as well as from the internet. While example.lan is the internal DNS and AD-domain.

Log4j.properties fragment:

property.LOG4J2_APPENDER=LINSHARE
rootLogger=DEBUG, ${LOG4J2_APPENDER}
logger.security = TRACE, ${LOG4J2_APPENDER}
logger.security.name = org.springframework.security
logger.securityldap = TRACE, ${LOG4J2_APPENDER}
logger.securityldap.name = org.springframework.security.ldap
logger.linshareldap = TRACE, ${LOG4J2_APPENDER}
logger.linshareldap.name = org.linagora.linshare.ldap

A fragment of the config of ui-user (config.js):

    oidcEnabled: true,
    oidcForceRedirection: false,
    oidcSetting: {
      authority: 'https://office.example.com/auth/realms/example.lan',
      oidcToken: 'Oidc-Jwt',
      client_id: 'cli_linshare-trusted',
      client_secret: 'the-client-secret',
      scope: 'openid email profile linshare',
      loadUserInfo: false
    },
    mobileOidcEnabled: false,

I left mobile oidc disabled for now, I just want to see it working from a browser first.

According to Keycloak's documentation, it returns a Jwt-token, so I followed sso-microsoft-azure-using-OIDC-JWT-tokens.md to set that bit up, for most other items I used sso-lemonldap-using-OIDC-opaque-tokens.md.

Fragment of linshare.properties:

oidc.on=true
oidc.issuerUri=https://office.example.com/auth/realms/example.lan
oidc.client.id=cli_linshare-trusted
oidc.client.secret=the-client-secret
oidc.access.claim.value="true"
oidc.ldap.connectionUuid=b87a9343-8f8d-4f16-9c3e-d386e6a60af3
oidc.ldap.provider.patternUuid=d541a817-34b1-4803-bcd9-b37ccbb7bfb0

sso-lemonldap-using-OIDC-opaque-tokens.md states: for LinShare >= 5 : Allowed redirection addresses for login: http://linshare-user.local/#!/oidc/callback

This is the first issue! The redirection address is different. Apache on the Linshare host logged this for the redirect performed by Keycloak back to the Linshare application:

GET /oidc/callback?state=e01e701193a94c12a043872304e6f944&session_state=0cfc4ecf-1112-45f6-939b-e46187253a50&iss=https%3A%2F%2Foffice.example.com%2Fauth%2Frealms%2Fexample.lan&code=045680a8-d060-4404-897f-40df8bb291ee.0cfc4ecf-7612-45f6-939b-e46657253a50.d736c258-33df-4f5e-9c78-bd8bcec0a321

The bit /#! is missing !

As a result the /oidc/callback is sent to the java backend instead of the javascript in the frontend.
I worked around it by putting a rewrite in the Apache config:

RewriteEngine On
RewriteCond %{REQUEST_URI} ^/oidc/
RewriteRule ^/oidc/(.+) /#!/oidc/$1 [R,L,NE]

This will insert the /#! before continuing and now we have the expected url and it ends up in the frontend's javascript.

This is what Linshared sent to Apache on office.example.com (the Keycloak side):

GET /auth/realms/example.lan/protocol/openid-connect/auth?client_id=cli_linshare-trusted&redirect_uri=https%3A%2F%2Fshare.example.lan%2Foidc%2Fcallback&response_type=code&scope=openid%20email%20profile%20linshare&state=e01e7055693a94c62a043872304e6f944&code_challenge=tQGDDpmTTsl0TCf1LH8ipd5OYF_a7Sj6NozUVqB0sFA&code_challenge_method=S256&response_mode=query

It looks like the missing uri fragment /#! was not sent by Linshare's frontend to Keycloak!

But assuming it had to be there, the rewrite workaround solves it and the token get sent to frontend user-ui.

Unfortunately, it fails there with:

21:13:31.635 Cross-Origin-aanvraag geblokkeerd: de Same Origin Policy staat het lezen van de externe bron op https://office.example.com/auth/realms/example.lan/protocol/openid-connect/token niet toe. (Reden: CORS-header ‘Access-Control-Allow-Origin’ ontbreekt). Statuscode: 200.

21:13:31.635 Error: Network Error [angular.js:15697:40](webpack:///node_modules/angular/angular.js)
    onerror oidc-client.min.js:1
    r Angular
    n oidcCallbackController.js:35

This is visible in browser error-console. The browser windows briefly returns an error saying: SSO authentication failed and then shows a (forever) spinning wheel.

I have not been able yet to figure out how to solve this CORS issue. It is unclear where header ‘Access-Control-Allow-Origin’ should be added. It is easy enough to add a line to one of the reverse proxies to do that. But what I tried so far did not solve anything.

If I remove the rewrite workaround from the config of apache, things get worse: apache log on the Linshare server shows a 404:

"GET /oidc/callback?state=d910f9d0b1964da084793a594ec786cb&session_state=0723ccaa-0450-4a89-95ad-56aad17babf9&iss=https%3A%2F%2Foffice.example.com%2Fauth%2Frealms%2Fexample.lan&code=8b287727-c143-4a45-8d6c-119a3fdc775e.0724ccaa-0360-4a89-95ad-56aad17babf9.d736c258-44df-4f5e-9c78-bd8bcec0a321 HTTP/1.1" 404

And there is more to it: if Linshare would send a redirect url with /#! to Keycloak, then it fails there, because it is not possible to use # in Keycloak in the redirect urls of a client!

Any help is welcome!

• What about the uri fragment /#!, is it necessary or not?
• What about the user-ui config.js, is it configured correctly?
• How to go forward and get a working oidc?

-- Kees.

[wboudiche]

Hello,
What about the uri fragment /#!, is it necessary or not? -> Since 6.0.2 the /#! is removed from url.
What about the user-ui config.js, is it configured correctly? it looks good

Did you succeed to get the access token ?

[kvvloten]

Unfortunately without the uri fragment /#!, there is nothing that handles the uri, as a result apache returns a 404 (see in my previous message). The java backend reacts to /linshare only (as per documentation), so it will ignore the incoming request at /oidc/callback.
Keycloak authentication is successful (there is a token) and hence it returns /oidc/callback?state=d910f9d0b1964da084793a594ec786cb&session_state=0723ccaa-0450-4a89-95ad-56aad17babf9&iss=https%3A%2F%2Foffice.example.com%2Fauth%2Frealms%2Fexample.lan&code=8b287727-143-4a45-8d6c-119a3fdc775e.0724ccaa-0360-4a89-95ad-56aad17babf9.d736c258-44df-4f5e-9c78-bd8bcec0a321

Fragment of the current apache conf:

RewriteEngine On
# Rewrite to insert /#!
#RewriteCond %{REQUEST_URI} ^/oidc/
#RewriteRule ^/oidc/(.+) /#!/oidc/$1 [R,L,NE]

DocumentRoot /srv/linshare/ui_current/linshare-ui-user

<Directory /srv/linshare/ui_current/linshare-ui-user>
    Require all granted
</Directory>

<Location /linshare>
    Require all granted

    # Workaround to remove httpOnly flag (could also be done with tomcat)
    # Header edit Set-Cookie "(JSESSIONID=.*); Path.*" "$1; Path=/"
    # For https, you should add Secure flag.
    Header edit Set-Cookie "(JSESSIONID=.*); Path.*" "$1; Path=/; Secure"

    # This header is added to avoid the  JSON cache issue on IE.
    Header set Cache-Control "max-age=0,no-cache,no-store"

    ProxyPass http://127.0.0.1:8080/linshare
    ProxyPassReverse http://127.0.0.1:8080/linshare
    ProxyPassReverseCookiePath /linshare /
</Location>

What should be changed to make this work?

-- Kees.

[wboudiche]

Hello,

Configuration of Apache LinShare-ui-admin :

<Directory /usr/local/apache2/htdocs/linshare-ui-admin/new>
RewriteEngine on

  RewriteRule  "^(.*)config\.js" "config/config.js"
  RewriteRule  "^(.*)beta\.png" "beta.png"
  RewriteRule  "^(.*)favicon\.ico" "favicon.ico"
  RewriteRule  "^(.*)assets/(.*)" "assets/$2"

  # Don't rewrite files or directories
  RewriteCond %{REQUEST_FILENAME} -f [OR]
  RewriteCond %{REQUEST_FILENAME} -d
  RewriteRule ^ - [L]

  # Rewrite everything else to index.html to allow html5 state links
  RewriteRule ^ index.html [L]
</Directory>

Configuration Apache LinShare-ui-user :

<Directory /usr/local/apache2/htdocs/linshare-ui-user>
RewriteEngine on
RewriteBase /
RewriteCond %{REQUEST_FILENAME} -f [OR]
RewriteCond %{REQUEST_FILENAME} -d
RewriteRule ^ - [L]
RewriteRule ^ index.html [L]