
Sheogorath's Blog

Fixing HedgeDoc failing to fetch profileinfo with Keycloak 20


Today I was surprised that my HedgeDoc refused to let me in using my SI-Auth SSO based on Keycloak.

The Problem

I updated Keycloak to version 20, which tightened enforcement on the OIDC user info endpoint, and that resulted in an error for HedgeDoc.

The HedgeDoc guide on Keycloak authentication lists the following variables:

CMD_OAUTH2_USER_PROFILE_URL=https://keycloak.example.com/auth/realms/your-realm/protocol/openid-connect/userinfo
CMD_OAUTH2_USER_PROFILE_USERNAME_ATTR=preferred_username
CMD_OAUTH2_USER_PROFILE_DISPLAY_NAME_ATTR=name
CMD_OAUTH2_USER_PROFILE_EMAIL_ATTR=email
CMD_OAUTH2_TOKEN_URL=https://keycloak.example.com/auth/realms/your-realm/protocol/openid-connect/token
CMD_OAUTH2_AUTHORIZATION_URL=https://keycloak.example.com/auth/realms/your-realm/protocol/openid-connect/auth
CMD_OAUTH2_CLIENT_ID=<your client ID>
CMD_OAUTH2_CLIENT_SECRET=<your client secret, which you can find under the Credentials tab for your client>
CMD_OAUTH2_PROVIDERNAME=Keycloak
CMD_DOMAIN=hedgedoc.example.com
CMD_PROTOCOL_USESSL=true
CMD_URL_ADDPORT=false

These are no longer enough and will result in the following error in the log, along with a stack-trace:

InternalOAuthError: Failed to fetch user profile

When checking the corresponding Keycloak logs, the problem becomes obvious immediately:

WARN  [org.keycloak.services] (executor-thread-2) KC-SERVICES0091: Request is missing scope 'openid' so it's not treated as OIDC, but just pure OAuth2 request.

HedgeDoc doesn't request any scope, so Keycloak treats the request as plain OAuth2 rather than OIDC, and HedgeDoc therefore can't fetch content from the userinfo endpoint.

The Solution

The fix is easy: just add the missing scope parameter:

CMD_OAUTH2_SCOPE="openid email profile"

After a restart, HedgeDoc properly requests the correct scopes (provided you allowed them on Keycloak itself) and is able to fetch the userinfo endpoint again.
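To make the failure mode checkable before a restart, here is a small lint script, added as an example and not code from HedgeDoc or Keycloak. It parses the CMD_OAUTH2_* block from above, builds the authorization request HedgeDoc would send, and mirrors the check behind the KC-SERVICES0091 warning: a request only counts as OIDC when its scope parameter contains openid. The callback path and the mapping of profile attributes to Keycloak's default client scopes (name and preferred_username from profile, email from email) are assumptions made for the example.

```python
"""Lint HedgeDoc CMD_OAUTH2_* settings for an OIDC provider such as Keycloak.

Added example, not HedgeDoc's or Keycloak's own code.
"""
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed sample: the variables from the guide, without CMD_OAUTH2_SCOPE.
SAMPLE_CONFIG = """
CMD_OAUTH2_USER_PROFILE_URL=https://keycloak.example.com/auth/realms/your-realm/protocol/openid-connect/userinfo
CMD_OAUTH2_USER_PROFILE_USERNAME_ATTR=preferred_username
CMD_OAUTH2_USER_PROFILE_DISPLAY_NAME_ATTR=name
CMD_OAUTH2_USER_PROFILE_EMAIL_ATTR=email
CMD_OAUTH2_TOKEN_URL=https://keycloak.example.com/auth/realms/your-realm/protocol/openid-connect/token
CMD_OAUTH2_AUTHORIZATION_URL=https://keycloak.example.com/auth/realms/your-realm/protocol/openid-connect/auth
CMD_OAUTH2_CLIENT_ID=<your client ID>
CMD_OAUTH2_CLIENT_SECRET=<your client secret, which you can find under the Credentials tab for your client>
CMD_OAUTH2_PROVIDERNAME=Keycloak
CMD_DOMAIN=hedgedoc.example.com
CMD_PROTOCOL_USESSL=true
CMD_URL_ADDPORT=false
"""

# Assumption: which Keycloak default client scope each configured attribute comes from.
ATTR_SCOPE = {
    "CMD_OAUTH2_USER_PROFILE_USERNAME_ATTR": "profile",
    "CMD_OAUTH2_USER_PROFILE_DISPLAY_NAME_ATTR": "profile",
    "CMD_OAUTH2_USER_PROFILE_EMAIL_ATTR": "email",
}


def parse_env(text):
    """Parse KEY=VALUE lines; strips one pair of surrounding quotes from a value."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        cfg[key.strip()] = value
    return cfg


def scopes(cfg):
    """Space-separated scope list from CMD_OAUTH2_SCOPE (empty if unset)."""
    return cfg.get("CMD_OAUTH2_SCOPE", "").split()


def build_authorization_url(cfg, redirect_uri, state):
    """The authorization request the relying party sends; scope is omitted when unset."""
    params = {
        "response_type": "code",
        "client_id": cfg["CMD_OAUTH2_CLIENT_ID"],
        "redirect_uri": redirect_uri,
        "state": state,
    }
    if scopes(cfg):
        params["scope"] = " ".join(scopes(cfg))
    return cfg["CMD_OAUTH2_AUTHORIZATION_URL"] + "?" + urlencode(params)


def is_oidc_request(auth_url):
    """Mirror of the KC-SERVICES0091 rule: OIDC only if the scope parameter contains 'openid'."""
    query = parse_qs(urlparse(auth_url).query)
    requested = " ".join(query.get("scope", [])).split()
    return "openid" in requested


def lint(cfg):
    """Return a list of misconfigurations that would break the userinfo fetch."""
    problems = []
    requested = set(scopes(cfg))
    if "openid" not in requested:
        problems.append("CMD_OAUTH2_SCOPE must contain 'openid'; without it the provider "
                        "treats the login as plain OAuth2 and userinfo fails")
    for attr_var, needed in ATTR_SCOPE.items():
        if cfg.get(attr_var) and needed not in requested:
            problems.append(f"{attr_var} is set but scope '{needed}' is not requested")
    return problems


if __name__ == "__main__":
    # Assumed HedgeDoc callback path, used only to build a realistic request.
    callback = "https://hedgedoc.example.com/auth/oauth2/callback"
    for label, text in (("guide config", SAMPLE_CONFIG),
                        ("with scope", SAMPLE_CONFIG + 'CMD_OAUTH2_SCOPE="openid email profile"\n')):
        cfg = parse_env(text)
        url = build_authorization_url(cfg, callback, "constructed-state")
        print(f"{label}: oidc={is_oidc_request(url)} problems={lint(cfg)}")
```

Run it as-is and the first line reports the guide's configuration as non-OIDC with the missing-scope problems, while the second, with CMD_OAUTH2_SCOPE set as in the fix, reports no problems.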