Today I was surprised that my HedgeDoc refused to let me in using my SI-Auth SSO based on Keycloak.
I updated Keycloak to version 20 and it fixed some enforcement on the OIDC user info endpoint, which resulted in an error for HedgeDoc.
The HedgeDoc guide on Keycloak authentication lists the following variables:
CMD_OAUTH2_USER_PROFILE_URL=https://keycloak.example.com/auth/realms/your-realm/protocol/openid-connect/userinfo
CMD_OAUTH2_USER_PROFILE_USERNAME_ATTR=preferred_username
CMD_OAUTH2_USER_PROFILE_DISPLAY_NAME_ATTR=name
CMD_OAUTH2_USER_PROFILE_EMAIL_ATTR=email
CMD_OAUTH2_TOKEN_URL=https://keycloak.example.com/auth/realms/your-realm/protocol/openid-connect/token
CMD_OAUTH2_AUTHORIZATION_URL=https://keycloak.example.com/auth/realms/your-realm/protocol/openid-connect/auth
CMD_OAUTH2_CLIENT_ID=<your client ID>
CMD_OAUTH2_CLIENT_SECRET=<your client secret, which you can find under the Credentials tab for your client>
CMD_OAUTH2_PROVIDERNAME=Keycloak
CMD_DOMAIN=hedgedoc.example.com
CMD_PROTOCOL_USESSL=true
CMD_URL_ADDPORT=false
These are no longer enough and will result in the following error in the log, along with a stack trace:
InternalOAuthError: Failed to fetch user profile
When checking the corresponding Keycloak logs, the problem becomes obvious immediately:
WARN [org.keycloak.services] (executor-thread-2) KC-SERVICES0091: Request is missing scope 'openid' so it's not treated as OIDC, but just pure OAuth2 request.
HedgeDoc doesn’t request a scope and therefore can’t fetch content from the
The fix is easy: just add the missing scope parameter:
CMD_OAUTH2_SCOPE="openid email profile"
After a restart HedgeDoc properly requests the correct scopes (given you allowed them on Keycloak itself) and will be able to fetch from the userinfo endpoint again.
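To make the failure mode above checkable before a restart, here is an added example (my own illustration, not HedgeDoc's or Keycloak's code) that builds the authorization request a given set of CMD_OAUTH2_* variables would produce and tells you whether Keycloak would treat it as OIDC; the callback path and the sample client ID are assumptions, and the Keycloak log line is constructed from the one quoted above.

```python
"""Added example (not HedgeDoc's or Keycloak's code): check that a HedgeDoc
CMD_OAUTH2_* configuration yields an OIDC authorization request carrying the
'openid' scope that Keycloak 20 requires before it serves /userinfo."""
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed sample config, mirroring the variables from the HedgeDoc guide.
BROKEN_CONFIG = {
    "CMD_OAUTH2_AUTHORIZATION_URL":
        "https://keycloak.example.com/auth/realms/your-realm/protocol/openid-connect/auth",
    "CMD_OAUTH2_CLIENT_ID": "hedgedoc",  # assumed client ID
    "CMD_DOMAIN": "hedgedoc.example.com",
}
FIXED_CONFIG = {**BROKEN_CONFIG, "CMD_OAUTH2_SCOPE": "openid email profile"}

# Constructed log line in the format quoted in the post.
SAMPLE_KC_LOG = ("WARN [org.keycloak.services] (executor-thread-2) KC-SERVICES0091: "
                 "Request is missing scope 'openid' so it's not treated as OIDC, "
                 "but just pure OAuth2 request.")


def build_authorization_url(config):
    """Authorization request HedgeDoc would send the browser to. The callback
    path is an assumption for illustration; scope is omitted when unset, which
    is the behaviour the post describes."""
    params = {
        "response_type": "code",
        "client_id": config["CMD_OAUTH2_CLIENT_ID"],
        "redirect_uri": f"https://{config['CMD_DOMAIN']}/auth/oauth2/callback",
    }
    scope = config.get("CMD_OAUTH2_SCOPE", "").strip()
    if scope:
        params["scope"] = scope
    return f"{config['CMD_OAUTH2_AUTHORIZATION_URL']}?{urlencode(params)}"


def requested_scopes(auth_url):
    """Scopes as Keycloak would parse them from the query string."""
    query = parse_qs(urlparse(auth_url).query)
    return set(query.get("scope", [""])[0].split())


def is_oidc_request(config):
    """Keycloak treats the request as OIDC only if 'openid' is among the scopes;
    without it the userinfo call fails with 'Failed to fetch user profile'."""
    return "openid" in requested_scopes(build_authorization_url(config))


def is_missing_openid_warning(log_line):
    """Match the Keycloak warning that pinpoints the misconfiguration."""
    return "KC-SERVICES0091" in log_line and "scope 'openid'" in log_line
```

Running `is_oidc_request` against the configuration from the guide returns False, and against the one with CMD_OAUTH2_SCOPE set returns True; `is_missing_openid_warning` lets you grep Keycloak logs for the same symptom.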