Vouch Proxy and Keycloak 400 bad request after authenticating #553

Closed
Dialgatrainer02 opened this issue Feb 14, 2024 · 19 comments
@Dialgatrainer02

Dialgatrainer02 commented Feb 14, 2024

Hello, I'm new to server infrastructure like this and I'm struggling to understand how I can implement vouch proxy in a setup.

My current setup uses nginx proxy manager as a reverse proxy for my domain and also deals with SSL termination for many apps like portainer and Heimdall using subdomains.

I would like to change to SWAG as a reverse proxy and implement Vouch for SSO and Keycloak as my identity provider.
When you use Vouch, does it take the place of a reverse proxy, e.g. forward everything to Vouch and have Vouch redirect to apps as needed? I've read the documentation for SWAG, Vouch and Keycloak and I'm feeling a little lost as to how to combine the three services.

Edit: #551 helps with understanding Keycloak, but I'm still unsure about configuring a reverse proxy with Vouch and, by extension, SSL termination.

@bnfinet
Member

bnfinet commented Feb 14, 2024

SWAG appears to be NGINX based but beyond that I'm not familiar enough with SWAG to offer you support.

https://github.com/linuxserver/docker-swag/blob/master/Dockerfile

Vouch Proxy is a "sidecar". The headers of every request are sent to VP via the auth_request module.

I can't advise you on how to integrate SWAG + VP + Keycloak. Forgive me, I just don't have time to offer that level of support.

If you do get to the point where you have something working to the point where you're getting errors, please read the README and offer the items described there.

I'm going to close this for now but please do feel free to ask more questions here.

@bnfinet bnfinet closed this as completed Feb 14, 2024
@bnfinet bnfinet changed the title [question] understanding integration How do you integrate SWAG with Vouch Proxy and Keycloak? Feb 14, 2024
@Dialgatrainer02
Author

Thank you for your time. I'm probably going to spend some time researching more, and if I have any more questions I'll come back here.

@Dialgatrainer02
Author

Dialgatrainer02 commented Feb 15, 2024

https://pastebin.com/h4XMkSt5
I get an SSL error and I think the authentication fails, but I haven't been able to test due to this error.
I can access the service locally and through nginx proxy manager when I remove
"auth_request /validate;"

I have set up Keycloak like the PR I linked originally did, changing to my domain and realm.
I have no active sessions under my client ID in Keycloak.

@bnfinet
Member

bnfinet commented Feb 15, 2024

Well that's good progress!

Please do provide all configs and logs as described in the README.

@Dialgatrainer02
Author

https://pastebin.com/1XWpjsxD
Here are all the configs.
I'm unsure how to get the bug report, as I'm running Vouch Proxy using env vars, not a config file, and in docker compose. Would I just need to change the config volume to the env vars I use? And use docker run the same?

@bnfinet
Member

bnfinet commented Feb 15, 2024

Don't worry about the bug report, but please do include all logs from VP.

That error is saying the browser got an http response even though you requested https in the URL.

Change line 111 to http.

@Dialgatrainer02
Author

I changed line 111 and another line; I can now access the testing page.

Here are the Vouch logs from container startup:

https://pastebin.com/HDViiX0f

@bnfinet
Member

bnfinet commented Feb 15, 2024

Getting closer.

Please do leave comments here instead of in the pastebin so we can be clear about what question you're asking.

Feel free to edit out the health check logs. Though everything else is very helpful.

Can you clarify what's happening now?

@Dialgatrainer02
Author

When I go to a site on which I enabled Vouch Proxy by adding
[image]
I get to the testing page.
If I follow it to Keycloak I get
"Invalid parameter: redirect_uri"
I looked at my redirect URI, found I missed a colon, and fixed that.
Now when I follow the testing page link it takes me back to the testing page.

@bnfinet
Member

bnfinet commented Feb 15, 2024

What happens if you turn off testing?

@Dialgatrainer02
Author

Dialgatrainer02 commented Feb 15, 2024

Without testing it takes me to the login. I log in using the correct credentials and then I get 400 Bad Request.

If I try to go to the same website again I just go straight to 400.

@bnfinet
Member

bnfinet commented Feb 15, 2024

Please turn on testing and update your pastebin with the current info.

What happens after Keycloak returns you to VP's /auth endpoint? What's the error in the logs? Try searching here and generally online for that error.

I'm going to be AFK for a while here. But it feels like you're closer.

@Dialgatrainer02
Author

Dialgatrainer02 commented Feb 15, 2024

Login appears to be successful: I see a 200 response code, and /auth has a 200.
After authenticating it seems to error trying to read the JSON file.

2024-02-15T19:24:14.807Z	DEBUG	id_token missing - may not be supported by this provider
2024-02-15T19:24:14.807Z	DEBUG	ptokens: accessToken length: 1641, IdToken length: 0
2024-02-15T19:24:14.824Z	INFO	OpenID userinfo body: 
2024-02-15T19:24:14.824Z	ERROR	Error unmarshaling claims
2024-02-15T19:24:14.824Z	ERROR	unexpected end of JSON input
2024-02-15T19:24:14.824Z	WARN	/auth Error while retrieving user info after successful login at the OAuth provider: unexpected end of JSON input
2024-02-15T19:24:14.824Z	DEBUG	domain vouch.domain matched array value at [0]=gunnar.duckdns.org
2024-02-15T19:24:14.824Z	DEBUG	rendering error for user: 400 Bad Request
2024-02-15T19:24:14.824Z	DEBUG	CaptureWriter.Write set w.StatusCode 400

This occurs just after the successful /auth.

Here are the full logs:
https://pastebin.com/YxqdrRGP

This mentions an incorrect scope:
https://keycloak.discourse.group/t/how-to-get-the-id-token/17286/4

I haven't changed my OAUTH_SCOPES variable and I'm not using a config, so could the issue be that I need to customise which scopes to use?

I added
OAUTH_SCOPES: |
  openid
  email
  profile
and still get 400 Bad Request.
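
Added triage helper for the failure shown in the logs above; it is not code from Vouch Proxy or from anyone in this thread, and the log line format (timestamp, level, message, tab-separated) is assumed from the lines quoted above. It parses VP's console log, pulls out the userinfo body VP received from the provider, and reports whether it is empty (the case here), not JSON, or missing the claim named in OAUTH_CLAIMS:

```python
import json
import re

# Constructed sample: the failing lines quoted in the thread (health checks omitted).
FAILING_LOG = """\
2024-02-15T19:24:14.807Z\tDEBUG\tid_token missing - may not be supported by this provider
2024-02-15T19:24:14.824Z\tINFO\tOpenID userinfo body: 
2024-02-15T19:24:14.824Z\tERROR\tError unmarshaling claims
2024-02-15T19:24:14.824Z\tERROR\tunexpected end of JSON input
2024-02-15T19:24:14.824Z\tDEBUG\trendering error for user: 400 Bad Request
"""
# Constructed sample of a working login: userinfo returns JSON carrying the username claim.
WORKING_LOG = (
    "2024-02-15T19:30:00.000Z\tINFO\tOpenID userinfo body: "
    '{"sub": "1234", "preferred_username": "alice", "email": "alice@example.test"}\n'
)
LINE_RE = re.compile(r"^(\S+)\t(DEBUG|INFO|WARN|ERROR)\t(.*)$")  # assumed VP console format
BODY_PREFIX = "OpenID userinfo body:"

def parse_log(text):
    """Return (timestamp, level, message) tuples for every well-formed line."""
    return [m.groups() for m in map(LINE_RE.match, text.splitlines()) if m]

def userinfo_body(rows):
    """Return the raw body VP logged from the provider's userinfo endpoint, or None."""
    for _, _, msg in rows:
        if msg.startswith(BODY_PREFIX):
            return msg[len(BODY_PREFIX):].strip()
    return None

def diagnose(text, username_claim="preferred_username"):
    """Explain why /auth failed (or confirm success) from the userinfo body alone."""
    body = userinfo_body(parse_log(text))
    if body is None:
        return "no userinfo call logged: the flow never reached /auth"
    if body == "":
        # Go's json.Unmarshal reports empty input as "unexpected end of JSON input".
        return "userinfo body empty: check OAUTH_SCOPES (openid email profile) and OAUTH_CLAIMS"
    try:
        claims = json.loads(body)
    except json.JSONDecodeError:
        return "userinfo body is not JSON"
    if username_claim not in claims:
        return f"userinfo has no '{username_claim}' claim: set OAUTH_CLAIMS accordingly"
    return f"ok: {username_claim}={claims[username_claim]}"

if __name__ == "__main__":
    print(diagnose(FAILING_LOG))  # userinfo body empty: ...
    print(diagnose(WORKING_LOG))  # ok: preferred_username=alice
```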

@Dialgatrainer02
Author

When using Keycloak the opening claim is changed and the claim is called preferred_username and not username. How do I change this in the config, as that might fix the issue?

@Dialgatrainer02
Author

Dialgatrainer02 commented Feb 16, 2024

I was looking through the config and I saw this:

{"level":"info","ts":1708107741.7217891,"msg":"setting OAuth param 'claims' to null"}

In my compose file I have

OAUTH_CLAIMS: | 
   preferred_username

Keycloak uses a different username claim called preferred_username instead of the default. I configured a different service with just OAuth2 and Keycloak and also had to change this.

https://pastebin.com/sjLzgA7x

Do you know why this might be being blanked?

@Dialgatrainer02 Dialgatrainer02 changed the title How do you integrate SWAG with Vouch Proxy and Keycloak? Vouch Proxy and Keycloak 400 bad request after authenticating Feb 16, 2024
@shkpk

shkpk commented Feb 20, 2024

You need OAUTH_CLAIMS because you are not using scopes:
[image]

@Dialgatrainer02
Author

> You need OAUTH_CLAIMS because you are not using scopes: [image]

I am setting OAuth claims in my compose file; however, it's not being picked up, if you look at the compose file at the bottom of here:
https://pastebin.com/sjLzgA7x

@shkpk

shkpk commented Feb 20, 2024

> > You need OAUTH_CLAIMS because you are not using scopes: [image]
>
> I am setting OAuth claims in my compose file; however, it's not being picked up, if you look at the compose file at the bottom of here: https://pastebin.com/sjLzgA7x

Well, it can be a problem of how you make the Docker container image.
You'd better first test it manually, maybe inside the container, by creating a config file and running Vouch Proxy, and later figure out why those values are being ignored when using docker compose.

@Dialgatrainer02
Author

Okay, I won't be able to do that until I'm home, but thank you for the help. I really appreciate it. I'll report back when I've done that.
