Issue when use OIDC

My Graylog version is v5.0.3.
I'm trying to tie Graylog login to Keycloak and run both of them in separate Docker containers.
Keycloak is running on my local host, port 8089.
Under System/Authentication/OIDC
For "OIDC base URL", http://10.30.100.128:8089/auth/realms/master passed "test server connection",
but when I try to finish & save the service, it shows the error below:
Server validation error: Unsupported URI scheme: http.
I redirected http://10.30.100.128:8089/auth/realms/master to an https://something and entered https://something/auth/realms/master; then I can save, but it shows this error at the login page:
Login failed. This might be a temporary problem. Please try again.
It looks like the authorization server can't be redirected.
Does anybody know if I can modify some Graylog config file to make the OIDC base URL accept an http URL? Or can anybody give me some advice? Thanks a lot.

Hello && welcome @alan

I also have Keycloak. Perhaps this may help.

NOTE: I'm using certificates.

KeyCloak

Create a Realm called Gray-server
Create a User called keycloak_user /w permissions
Create a client in Graylog-server realm called "graylog-server"
Add ClientID
Add Name
Enable : ON
Standard Flow Enabled: ON
Direct Access Grants Enabled: ON
Root URL: https://GRAYLOG_SERVER:9000/
Valid Redirect URIs: http://GRAYLOG_SERVER:9000/authorization-code/callback
Backchannel Logout Session Required: ON

Set up Graylog OIDC

Title: keycloak
Description: SSO
OIDC base URL: https://keycloak.domain.com:8443/realms/graylog-server
Callback URL: http://GRAYLOG_SERVER:9000/authorization-code/callback
Client ID: graylog-server
(This was the name of the Client created in Keycloak)
Client Secret: ******
(The Client secret is located in Keycloak. Navigate to Client --> graylog-server --> Credentials and copy & paste it from there.)
Token verifier connect timeout: 10
Default roles: Reader

BTW… You should not use the Keycloak Master realm; create a new realm for Graylog (i.e., Graylog_Realm).

If that does not work for you, we would need to see your configurations. If you're using docker-compose, those configurations also; make sure you replace all personal info.

Thanks a lot for replying to me.
How can I make Graylog run on https://keycloak.domain.com:8443/realms/graylog-server like you?
Do I need to use a certificate (is a self-signed certificate OK)?

Hey @alan

This all depends on how you install Keycloak and what kind of connection you would like, HTTPS and/or LDAPS, etc. You can find the documents useful here.

A while back I posted an issue there using LDAPS; you might find it interesting.

I got the previous error fixed, but now I get a new error. I connected Graylog and Keycloak, but at the login page it always shows this error:
Login failed. This might be a temporary problem. Please try again.

Do you know how to fix it? Thanks a lot!

Found the issue. The user I logged in with had no email entered; after I entered my email, it works now.
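The three failure points this thread hits (an http base URL rejected at save time, a callback URL that must match the Keycloak client's registered redirect URI exactly, and a user record without an email claim) can be checked before clicking "save". The script below is an added example, not code from either poster or from Graylog or Keycloak; the host names, the discovery-document path and the required-claim list are assumptions modelled on the thread.

```python
from urllib.parse import urlparse

# Constructed sample values modelled on the thread (not real hosts).
OIDC_BASE_URL = "https://keycloak.domain.com:8443/realms/graylog-server"
CALLBACK_URL = "http://GRAYLOG_SERVER:9000/authorization-code/callback"
KEYCLOAK_VALID_REDIRECT_URIS = ["http://GRAYLOG_SERVER:9000/authorization-code/callback"]
# Constructed ID-token payloads: the user who could not log in had no email claim.
USER_WITHOUT_EMAIL = {"sub": "1234", "preferred_username": "alan"}
USER_WITH_EMAIL = {"sub": "1234", "preferred_username": "alan", "email": "alan@example.com"}


def check_base_url(base_url):
    """Mirror the save-time check seen in the thread: only an https base URL is accepted."""
    parsed = urlparse(base_url)
    if parsed.scheme != "https":
        return False, f"Unsupported URI scheme: {parsed.scheme}"
    if not parsed.netloc or not parsed.path.strip("/"):
        return False, "base URL needs a host and a realm path"
    return True, "ok"


def discovery_url(base_url):
    """Provider metadata location for a realm base URL (assumed standard OIDC discovery layout)."""
    return base_url.rstrip("/") + "/.well-known/openid-configuration"


def check_redirect(callback_url, valid_redirect_uris):
    """Keycloak only honours redirect URIs registered on the client; the comparison is exact,
    so a scheme, port or trailing-slash difference is enough to break the login."""
    return callback_url in valid_redirect_uris


def check_claims(claims, required=("sub", "email")):
    """Return the claims that are missing from a token; an empty list means login can proceed.
    'email' is included because the thread's login only worked once the user had one."""
    return [c for c in required if not claims.get(c)]


if __name__ == "__main__":
    print(check_base_url("http://10.30.100.128:8089/auth/realms/master"))
    print(discovery_url(OIDC_BASE_URL))
    print(check_redirect(CALLBACK_URL, KEYCLOAK_VALID_REDIRECT_URIS))
    print(check_claims(USER_WITHOUT_EMAIL))
```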
