OAuth setup with Keycloak

[garbast]

Configuration Example

I'm trying to use Keycloak as login provider in Mealie. For that i have tinkered around with some environment settings, but cant get it running. Could someone help?

docker-compose.yaml
services:
  mealie:
    environment:
      #OpenID Connect
      - OIDC_AUTH_ENABLED=true
      - OIDC_CONFIGURATION_URL=https://<domain>/realms/family/.well-known/openid-configuration
      - OIDC_CLIENT_ID=mealie
      - OIDC_USER_GROUP=50fb10ba-d22d-4540-a561-195e5fc3ba16
      - OIDC_AUTO_REDIRECT=false
      - OIDC_PROVIDER_NAME=SSO

In Keycloak i use (i skipped the url block, because that only contains https:/// and alike):

Client ID: mealie
Client authentication: on
Authorization: on
Authentication flow: standard low and direkt access grants

What do i miss?

[guillomep]

I got an error too saying "invalid scope" on mealie side and "Invalid value for parameter: scope"

[VincentSC]

Since I did not find a clear explanation in this discussion, I'm sharing what I did to get Mealie working with Keycloak.

The first problem is that Keycloak does not have a scope or mapper for groups, and needs to be manually added. Source is: https://shaaf.dev/keycloak-tutorial/6-usergroups/

The second problem is PKCE. That's the easy problem to fix.

Create a groups scope

Step 1: A new client scope

Create a new "client scope" called "groups". Make it "default" if you want it in all your OpenID clients, or "optional" when not. I'm picking default, as I probably want to try to get everything on groups.

step 2: mappers

Then you need two mappers. That's the second tab

The first is a "Group Membership" configuration. Click on Add Mapper -> By Configuration -> Group Membership. Then map groups to groups, like this:

• Name: groups
• Token Claim Name: groups

The second is a "User Attribute" configuration, where you map user_type to user_type:

• Name: user_type
• User Attribute: user_type
• Token Claim Name: user_type

Important last step!

As you probably have made the client "mealie" already, you need to add the now default Client Scope "groups". So go to the tab "Client scopes", click on "add" and there you will see "groups".

PKCE

Turn on client authentication, leave authorization off. You don't need "Service accounts roles". Like this:

The only thing you need to do, is:

• go to tab "Advanced"
• scroll down to "Proof Key for Code Exchange Code Challenge Method"
• put that to "S256".

Other stuff

Now a bit about groups. You see it starts with a / - that's correct, and no need to use the hash. This is because it's a directory of sub-groups. So you can have /family for users and /family/old_enough_to_cook for admins. I see all examples only use root-levels groups, and that's a waste of potential.

For completeness, here are my environment variables:

      #OpenID Connect
      - OIDC_AUTH_ENABLED=true
      - OIDC_SIGNUP_ENABLED=true
      - OIDC_CONFIGURATION_URL=https://<keycloak.domain>/auth/realms/master/.well-known/openid-configuration
      - OIDC_CLIENT_ID=mealie
      - OIDC_CLIENT_SECRET=ScrambledEggs
      - OIDC_AUTO_REDIRECT=true
      - OIDC_USER_GROUP=/A
      - OIDC_ADMIN_GROUP=/B
      - OIDC_PROVIDER_NAME=Keycloak

[igbjnI05bF]

This did work for me, but is this really the intended design of groups within Keycloak? Reading the documentation, and having configured other apps such as Nextcloud, Jellyfin, Grafana, etc, admin and user should be set up as client roles, not groups. Groups are for grouping together multiple client roles, or client roles across multiple clients.

It just seems odd that I now have to have a /mealie-user and /mealie-admin set up directly in the realm group settings. It seems messy and hurts my OCD brain. Wouldn't this be better implemented in clients -> mealie -> roles so that they are contained just to mealie and not globally to the realm? And then add the client scope mapper for mealie-dedicated for client roles?

[VincentSC]

Mmm, could be. I just went with the flow here.
I found:

In Keycloak, Groups are just a collection of users that you can apply roles and attributes to in one place. Roles define a type of user and applications assign permission and access control to roles

So, groups would be more internally. So that means that Mealie-groups should be mapped to KC-roles?

[igbjnI05bF]

Yes, I think so. I'm not a developer by any means, but that's the way I'm interpreting it and the way other apps seem to handle it. I think it makes sense that way.

[igbjnI05bF]

is it possible to do this currently with keycloak roles? or would something need to be changed in mealie to allow it? i haven't had luck so far trying, not sure if i should keep trying or if it's just not possible at the moment

[cmintey]

Set LOG_LEVEL=DEBUG in your environment variables for Mealie to get some additional logging. Those logs might point you in the right direction

[guillomep]

I manage to get it work by settings the groups scope correctly in Keycloak. But now, I’m getting an infinite loop, with « Invalid username or password » on Mealie but correct authentification on Keycloak

[cmintey]

The infinite redirect bug has been fixed on the nightly version. Hopefully a new release will come soon if you don't want to switch to it

[garbast]

I needed to empty out OIDC_USER_GROUP in the docker environment.

In addition i needed to deactivate the "Client authentication" checkbox in the client settings in Keycloak.

After that i was able to login.

[guillomep]

I manage to get things working with keycloak.

I added a client scope "groups" in keycloak with the following configuration:

  name: groups
  description: Add groups to token
  protocol: openid-connect
  attributes:
    include.in.token.scope: 'true'
    display.on.consent.screen: 'true'
    gui.order: ''
    consent.screen.text: ''
  protocolMappers:
  - name: groups
    protocol: openid-connect
    protocolMapper: oidc-group-membership-mapper
    consentRequired: false
    config:
      full.path: 'true'
      introspection.token.claim: 'true'
      userinfo.token.claim: 'true'
      multivalued: 'true'
      id.token.claim: 'true'
      access.token.claim: 'true'
      claim.name: groups

Then I added a client for mealie:

  client_id: mealie
  description: Client use to connect to mealie
  root_url: https://mealie.example.com
  admin_url: https://mealie.example.com
  base_url: https://mealie.example.com/g/home
  surrogate_auth_required: false
  enabled: true
  always_display_in_console: true
  redirectUris:
  - https://mealie.example.com/login?direct=1
  - https://mealie.example.com/login
  webOrigins:
  - https://mealie.example.com
  standard_flow_enabled: true
  implicit_flow_enabled: false
  direct_access_grants_enabled: false
  service_accounts_enabled: false
  public_client: true
  frontchannel_logout: true
  client_authenticator_type: client-secret
  protocol: openid-connect
  defaultClientScopes:
  - profile
  - email
  - groups
  attributes:
    user.info.response.signature.alg: RS256
    post.logout.redirect.uris: https://mealie.example.com/login?direct=1##https://mealie.example.com/login
    oauth2.device.authorization.grant.enabled: 'false'
    access.token.signed.response.alg: RS256
    backchannel.logout.revoke.offline.tokens: 'false'
    use.refresh.tokens: 'true'
    oidc.ciba.grant.enabled: 'false'
    id.token.signed.response.alg: RS256
    backchannel.logout.session.required: 'true'
    client_credentials.use_refresh_token: 'false'
    require.pushed.authorization.requests: 'false'
    tls.client.certificate.bound.access.tokens: 'false'
    authorization.signed.response.alg: RS256
    display.on.consent.screen: 'false'
    pkce.code.challenge.method: S256
    token.response.type.bearer.lower-case: 'false'

And finally I have use the following configuration in mealie:

    - OIDC_AUTH_ENABLED=true
    - OIDC_SIGNUP_ENABLED=true
    - OIDC_CONFIGURATION_URL=https://keycloak.example.com/realms/example/.well-known/openid-configuration
    - OIDC_CLIENT_ID=mealie
    - OIDC_USER_GROUP=/read
    - OIDC_ADMIN_GROUP=/admin
    - OIDC_SIGNING_ALGORITHM=RS256

Beware that since in the scope I enable full path on group mapper I need to add a / before group names in mealie.

[raiyni]

I'm kind of lost with my implementation with traefik + cloudflare but it's just a reload loop on nightly. I have several other OIDC enabled apps on this box.

I have made sure to clone the settings of everyone that has said they got it working. Well-known is 100% accessible...

mealie  | DEBUG    2024-04-25T16:49:27 - Starting new HTTPS connection (1): website.example.com:443
mealie  | DEBUG    2024-04-25T16:49:27 - https://website.example.com:443 "GET /realms/{realm}/.well-known/openid-configuration HTTP/1.1" 403 None
mealie  | INFO     2024-04-25T16:49:27 - [ip.addr:0] 500 Internal Server Error "POST /api/auth/token HTTP/1.1"
mealie  | ERROR    2024-04-25T16:49:27 - Exception in ASGI application
mealie  | Traceback (most recent call last):
mealie  |   File "/opt/pysetup/.venv/lib/python3.10/site-packages/uvicorn/protocols/http/httptools_impl.py", line 411, in run_asgi
mealie  |     result = await app(  # type: ignore[func-returns-value]
mealie  |   File "/opt/pysetup/.venv/lib/python3.10/site-packages/uvicorn/middleware/proxy_headers.py", line 69, in __call__
mealie  |     return await self.app(scope, receive, send)
mealie  |   File "/opt/pysetup/.venv/lib/python3.10/site-packages/fastapi/applications.py", line 1054, in __call__
mealie  |     await super().__call__(scope, receive, send)
mealie  |   File "/opt/pysetup/.venv/lib/python3.10/site-packages/starlette/applications.py", line 123, in __call__
mealie  |     await self.middleware_stack(scope, receive, send)
mealie  |   File "/opt/pysetup/.venv/lib/python3.10/site-packages/starlette/middleware/errors.py", line 186, in __call__
mealie  |     raise exc
mealie  |   File "/opt/pysetup/.venv/lib/python3.10/site-packages/starlette/middleware/errors.py", line 164, in __call__
mealie  |     await self.app(scope, receive, _send)
mealie  |   File "/opt/pysetup/.venv/lib/python3.10/site-packages/starlette/middleware/gzip.py", line 24, in __call__
mealie  |     await responder(scope, receive, send)
mealie  |   File "/opt/pysetup/.venv/lib/python3.10/site-packages/starlette/middleware/gzip.py", line 44, in __call__
mealie  |     await self.app(scope, receive, self.send_with_gzip)
mealie  |   File "/opt/pysetup/.venv/lib/python3.10/site-packages/starlette/middleware/exceptions.py", line 65, in __call__
mealie  |     await wrap_app_handling_exceptions(self.app, conn)(scope, receive, send)
mealie  |   File "/opt/pysetup/.venv/lib/python3.10/site-packages/starlette/_exception_handler.py", line 64, in wrapped_app
mealie  |     raise exc
mealie  |   File "/opt/pysetup/.venv/lib/python3.10/site-packages/starlette/_exception_handler.py", line 53, in wrapped_app
mealie  |     await app(scope, receive, sender)
mealie  |   File "/opt/pysetup/.venv/lib/python3.10/site-packages/starlette/routing.py", line 756, in __call__
mealie  |     await self.middleware_stack(scope, receive, send)
mealie  |   File "/opt/pysetup/.venv/lib/python3.10/site-packages/starlette/routing.py", line 776, in app
mealie  |     await route.handle(scope, receive, send)
mealie  |   File "/opt/pysetup/.venv/lib/python3.10/site-packages/starlette/routing.py", line 297, in handle
mealie  |     await self.app(scope, receive, send)
mealie  |   File "/opt/pysetup/.venv/lib/python3.10/site-packages/starlette/routing.py", line 77, in app
mealie  |     await wrap_app_handling_exceptions(app, request)(scope, receive, send)
mealie  |   File "/opt/pysetup/.venv/lib/python3.10/site-packages/starlette/_exception_handler.py", line 64, in wrapped_app
mealie  |     raise exc
mealie  |   File "/opt/pysetup/.venv/lib/python3.10/site-packages/starlette/_exception_handler.py", line 53, in wrapped_app
mealie  |     await app(scope, receive, sender)
mealie  |   File "/opt/pysetup/.venv/lib/python3.10/site-packages/starlette/routing.py", line 72, in app
mealie  |     response = await func(request)
mealie  |   File "/opt/pysetup/.venv/lib/python3.10/site-packages/fastapi/routing.py", line 278, in app
mealie  |     raw_response = await run_endpoint_function(
mealie  |   File "/opt/pysetup/.venv/lib/python3.10/site-packages/fastapi/routing.py", line 191, in run_endpoint_function
mealie  |     return await dependant.call(**values)
mealie  |   File "/app/mealie/routes/auth/auth.py", line 50, in get_token
mealie  |     auth = await auth_provider.authenticate()
mealie  |   File "/app/mealie/core/security/providers/openid_provider.py", line 31, in authenticate
mealie  |     claims = self.get_claims(settings)
mealie  |   File "/app/mealie/core/security/providers/openid_provider.py", line 83, in get_claims
mealie  |     jwks = OpenIDProvider.get_jwks()
mealie  |   File "/app/mealie/core/security/providers/openid_provider.py", line 121, in get_jwks
mealie  |     config_response.raise_for_status()
mealie  |   File "/opt/pysetup/.venv/lib/python3.10/site-packages/requests/models.py", line 1021, in raise_for_status
mealie  |     raise HTTPError(http_error_msg, response=self)
mealie  | requests.exceptions.HTTPError: 403 Client Error: Forbidden for url: https://website.example.com/realms/{realm}/.well-known/openid-configuration

[cmintey]

Anything in your Keycloak logs?

[raiyni]

Not anything that seems relevant?

[cmintey]

Can you ping Keycloak or the openid configuration url from within the Mealie container?

[raiyni]

Looks like no... This is actually a strict cloudflare rule now that you had me do that. Thank you for your time.

[Momolem]

Hi everyone I am trying to setup keycloak with mealie but not successful for now :/ My current setup is not redirecting to keycloak and I don't get why. When I press 'Login with OAuth' it tries to access 'mealie.mydomain.com/null?protocol=oauth2&response_type=code&access_type&client_id...' instead of keycloak.mydomain.com/... does anyone have an idea?

These are my environment variables for mealie

OIDC_AUTH_ENABLED: true
OIDC_SIGNUP_ENABLED: true
OIDC_CONFIGURATION_URL: https://keycloak.mydomain.com/realms/myrealm/.well-known/openid-configuration
OIDC_CLIENT_ID: mealie
OIDC_ADMIN_GROUP: /admin

[cmintey]

@ToshY I'm just a contributor, not on the core team, so I don't know. In the discord, I recall seeing they were still targeting sometime this month

[boc-the-git]

Me seeing these messages earlier today 😰

https://github.com/mealie-recipes/mealie/releases/tag/v2.0.0

[ToshY]

Thank you both for your replies 🙂

[Momolem]

Okay, i added the client secret, but I get an error when I try to authenticate: [...] Invalid scopes: openid email profile groups

[Momolem]

nvm I figured that one, i had to add group to the client scopes