
Sheogorath's Blog

Fixing HedgeDoc failing to fetch profileinfo with Keycloak 20


Today I was surprised that my HedgeDoc refused to let me in using my SI-Auth SSO based on Keycloak.

The Problem

I updated Keycloak to version 20, which tightened the enforcement on the OIDC userinfo endpoint and resulted in an error for HedgeDoc.

The HedgeDoc guide on Keycloak authentication lists the following variables:

CMD_OAUTH2_CLIENT_ID=<your client ID>
CMD_OAUTH2_CLIENT_SECRET=<your client secret, which you can find under the Credentials tab for your client>

These are no longer enough and will result in the following error in the HedgeDoc log, along with a stack trace:

InternalOAuthError: Failed to fetch user profile

When checking the corresponding Keycloak logs, the problem becomes obvious immediately:

WARN  [] (executor-thread-2) KC-SERVICES0091: Request is missing scope 'openid' so it's not treated as OIDC, but just pure OAuth2 request.

HedgeDoc doesn't request any scope by default, so Keycloak treats the login as a plain OAuth2 authorization rather than an OIDC one, and the resulting access token is not accepted by the OIDC userinfo endpoint. HedgeDoc therefore can't fetch the profile from it.

The Solution

The fix is easy: add the missing scope parameter to the HedgeDoc configuration:

CMD_OAUTH2_SCOPE="openid email profile"

After a restart, HedgeDoc requests the correct scopes (provided the openid, email and profile client scopes are allowed for the client in Keycloak itself) and is able to fetch the userinfo endpoint again.
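To make the failure mode and the fix concrete, here is an added example (not HedgeDoc or Keycloak code) that parses a HedgeDoc CMD_OAUTH2_* environment file, builds the authorization request HedgeDoc would redirect to, and flags a configuration that will hit the Keycloak 20 userinfo restriction. The two env-file contents, the keycloak.example.com host, the "main" realm, the client ID and the redirect URI are constructed placeholders; the mapping of userinfo claims to Keycloak's default client scopes (preferred_username and name in profile, email in email) is an assumption that holds for stock Keycloak client scopes but not necessarily for custom mappers.

```python
"""Check a HedgeDoc CMD_OAUTH2_* configuration for the Keycloak 20 userinfo requirement.

Added example, not HedgeDoc or Keycloak code. The env-file contents below are
constructed for this example; host, realm, client and redirect URI are placeholders.
"""
from urllib.parse import urlencode

# Constructed sample: the variables from the HedgeDoc Keycloak guide without a scope,
# i.e. the configuration that produces "InternalOAuthError: Failed to fetch user profile".
BROKEN_ENV = """\
CMD_OAUTH2_PROVIDERNAME=Keycloak
CMD_OAUTH2_CLIENT_ID=hedgedoc
CMD_OAUTH2_CLIENT_SECRET=replace-me
CMD_OAUTH2_AUTHORIZATION_URL=https://keycloak.example.com/realms/main/protocol/openid-connect/auth
CMD_OAUTH2_TOKEN_URL=https://keycloak.example.com/realms/main/protocol/openid-connect/token
CMD_OAUTH2_USER_PROFILE_URL=https://keycloak.example.com/realms/main/protocol/openid-connect/userinfo
CMD_OAUTH2_USER_PROFILE_USERNAME_ATTR=preferred_username
CMD_OAUTH2_USER_PROFILE_DISPLAY_NAME_ATTR=name
CMD_OAUTH2_USER_PROFILE_EMAIL_ATTR=email
"""

# Same configuration with the scope line from the fix added.
FIXED_ENV = BROKEN_ENV + 'CMD_OAUTH2_SCOPE="openid email profile"\n'

# Assumption: which stock Keycloak client scope carries each userinfo claim.
CLAIM_SCOPE = {"preferred_username": "profile", "name": "profile", "email": "email"}

REQUIRED_KEYS = (
    "CMD_OAUTH2_CLIENT_ID",
    "CMD_OAUTH2_CLIENT_SECRET",
    "CMD_OAUTH2_AUTHORIZATION_URL",
    "CMD_OAUTH2_TOKEN_URL",
    "CMD_OAUTH2_USER_PROFILE_URL",
)


def parse_env(text: str) -> dict:
    """Parse KEY=VALUE lines (values optionally quoted); skip blanks and comments."""
    env = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        env[key.strip()] = value
    return env


def requested_scopes(env: dict) -> list:
    """Scopes HedgeDoc will send in the authorization request (empty if unset)."""
    return env.get("CMD_OAUTH2_SCOPE", "").split()


def authorization_request_url(env: dict, redirect_uri: str, state: str) -> str:
    """Build the authorization-code request HedgeDoc's login redirect sends to Keycloak.

    Assumption: a standard authorization-code request; HedgeDoc's exact parameter
    order may differ. Without CMD_OAUTH2_SCOPE no scope parameter is sent at all.
    """
    params = {
        "response_type": "code",
        "client_id": env["CMD_OAUTH2_CLIENT_ID"],
        "redirect_uri": redirect_uri,
        "state": state,
    }
    scopes = requested_scopes(env)
    if scopes:
        params["scope"] = " ".join(scopes)
    return env["CMD_OAUTH2_AUTHORIZATION_URL"] + "?" + urlencode(params)


def check_config(env: dict) -> list:
    """Return human-readable findings; an empty list means the login should work."""
    findings = [f"{key} is not set" for key in REQUIRED_KEYS if not env.get(key)]
    scopes = requested_scopes(env)
    profile_url = env.get("CMD_OAUTH2_USER_PROFILE_URL", "")
    # The restriction applies to Keycloak's OIDC userinfo endpoint: a token issued
    # for a request without 'openid' is not an OIDC token and gets rejected there.
    if profile_url.rstrip("/").endswith("/protocol/openid-connect/userinfo") and "openid" not in scopes:
        findings.append(
            "CMD_OAUTH2_SCOPE lacks 'openid': Keycloak logs KC-SERVICES0091 and the "
            "userinfo endpoint rejects the token (HedgeDoc: 'Failed to fetch user profile')"
        )
    # Each mapped claim needs the client scope that carries it to be requested.
    for key in ("CMD_OAUTH2_USER_PROFILE_USERNAME_ATTR",
                "CMD_OAUTH2_USER_PROFILE_DISPLAY_NAME_ATTR",
                "CMD_OAUTH2_USER_PROFILE_EMAIL_ATTR"):
        claim = env.get(key)
        needed = CLAIM_SCOPE.get(claim)
        if needed and needed not in scopes:
            findings.append(f"{key}={claim} needs the '{needed}' scope in CMD_OAUTH2_SCOPE")
    return findings


if __name__ == "__main__":
    for label, text in (("broken", BROKEN_ENV), ("fixed", FIXED_ENV)):
        env = parse_env(text)
        print(label, authorization_request_url(env, "https://md.example.com/auth/oauth2/callback", "s1"))
        for finding in check_config(env) or ["OK"]:
            print("  ", finding)
```

Running the script prints the two authorization URLs side by side: the broken configuration sends no scope parameter at all, which is exactly what makes Keycloak classify the login as "pure OAuth2", while the fixed one sends scope=openid+email+profile and passes every check.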