Today I was surprised that my HedgeDoc refused to let me in using my SI-Auth SSO based on Keycloak.
I updated Keycloak to version 20, which tightened the enforcement on the OIDC userinfo endpoint, and that resulted in an error for HedgeDoc.
The HedgeDoc guide on Keycloak authentication lists the following variables:
CMD_OAUTH2_CLIENT_ID=<your client ID>
CMD_OAUTH2_CLIENT_SECRET=<your client secret, which you can find under the Credentials tab for your client>
These are no longer enough and will result in the following error in the log, along with a stack-trace:
InternalOAuthError: Failed to fetch user profile
When checking the corresponding Keycloak logs, the problem becomes obvious immediately:
WARN [org.keycloak.services] (executor-thread-2) KC-SERVICES0091: Request is missing scope 'openid' so it's not treated as OIDC, but just pure OAuth2 request.
HedgeDoc doesn't request a scope, so Keycloak treats the login as a plain OAuth2 request rather than OIDC, and HedgeDoc therefore can't fetch the user profile from the userinfo endpoint.
The fix for it is easy, just add the missing scope parameter:
CMD_OAUTH2_SCOPE="openid email profile"
After a restart HedgeDoc requests the correct scopes (provided the client is allowed to request them in Keycloak) and is able to fetch the userinfo endpoint again.
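To make the failure mode easy to spot before restarting anything, here is a small check I would run against a HedgeDoc environment. It is an added example and not code from HedgeDoc or Keycloak: it mirrors the test behind Keycloak's KC-SERVICES0091 warning (an authorization request counts as OIDC only if its scope parameter contains "openid") and lints the CMD_OAUTH2_* variables for the missing scope. The hostnames, realm, client ID and the sample environments are constructed for the example.

```python
"""Lint a HedgeDoc OAuth2 environment, and a captured Keycloak authorization
request URL, for the 'openid' scope that Keycloak 20 requires before the
userinfo endpoint will answer. Added example; not HedgeDoc or Keycloak code."""
from urllib.parse import parse_qs, urlparse

REQUIRED_SCOPE = "openid"
RECOMMENDED_SCOPES = ("openid", "email", "profile")


def parse_scopes(value):
    """Split an OAuth2 scope string on whitespace (RFC 6749, section 3.3)."""
    if not value:
        return set()
    return set(value.split())


def authorization_request_is_oidc(url):
    """Mirror Keycloak's check: without 'openid' in the scope parameter the
    request is plain OAuth2, and the resulting token will not be accepted by
    the userinfo endpoint (the KC-SERVICES0091 warning in the Keycloak log)."""
    query = parse_qs(urlparse(url).query)
    scopes = parse_scopes(" ".join(query.get("scope", [])))
    return REQUIRED_SCOPE in scopes


def check_env(env):
    """Return a list of findings for a dict of CMD_OAUTH2_* variables.
    An empty list means the configuration should survive Keycloak 20."""
    findings = []
    for key in ("CMD_OAUTH2_CLIENT_ID", "CMD_OAUTH2_CLIENT_SECRET"):
        if not env.get(key):
            findings.append(f"{key} is not set")
    scopes = parse_scopes(env.get("CMD_OAUTH2_SCOPE"))
    if REQUIRED_SCOPE not in scopes:
        findings.append(
            "CMD_OAUTH2_SCOPE lacks 'openid': Keycloak will treat the login as "
            "pure OAuth2 and HedgeDoc's userinfo request will fail "
            "(InternalOAuthError: Failed to fetch user profile)"
        )
    missing = [s for s in RECOMMENDED_SCOPES if s not in scopes and s != REQUIRED_SCOPE]
    if missing:
        findings.append(
            f"CMD_OAUTH2_SCOPE lacks {', '.join(missing)}; HedgeDoc needs them "
            "to read the e-mail and display name from the userinfo response"
        )
    return findings


# Constructed sample data (hostnames, realm and client ID are assumptions).
_BASE = (
    "https://keycloak.example.org/realms/example/protocol/openid-connect/auth"
    "?response_type=code&client_id=hedgedoc"
    "&redirect_uri=https%3A%2F%2Fmd.example.org%2Fauth%2Foauth2%2Fcallback"
)
BROKEN_AUTH_URL = _BASE                                   # no scope at all
FIXED_AUTH_URL = _BASE + "&scope=openid+email+profile"    # after the fix

BROKEN_ENV = {
    "CMD_OAUTH2_CLIENT_ID": "hedgedoc",
    "CMD_OAUTH2_CLIENT_SECRET": "constructed-secret",
    # CMD_OAUTH2_SCOPE missing: the state described in the post
}
FIXED_ENV = dict(BROKEN_ENV, CMD_OAUTH2_SCOPE="openid email profile")


if __name__ == "__main__":
    for label, env in (("broken", BROKEN_ENV), ("fixed", FIXED_ENV)):
        print(f"{label} env:", check_env(env) or "ok")
    for label, url in (("broken", BROKEN_AUTH_URL), ("fixed", FIXED_AUTH_URL)):
        print(f"{label} auth request is OIDC:", authorization_request_is_oidc(url))
```

The URL check is handy when the environment is not at hand: copy the URL HedgeDoc redirects the browser to (visible in the address bar or developer tools) and feed it to `authorization_request_is_oidc`; if it returns False, the scope variable is not reaching HedgeDoc.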