User not allowed to login? #53

Open
ion-elgreco opened this issue Dec 5, 2024 · 2 comments
Comments

@ion-elgreco
Contributor

Got it finally configured with Keycloak in a deployment on k8s with the Bitnami Helm chart, but I'm getting an error after logging in to Keycloak.

Unfortunately, it's not quite clear to me what the next steps are, since in my Keycloak realm I am a user.

```
    auth_client.parse_request_body_response(token_response.text)
  File "/.local/lib/python3.12/site-packages/oauthlib/oauth2/rfc6749/clients/base.py", line 427, in parse_request_body_response
    self.token = parse_token_response(body, scope=scope)
                 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/.local/lib/python3.12/site-packages/oauthlib/oauth2/rfc6749/parameters.py", line 441, in parse_token_response
    validate_token_parameters(params)
  File "/.local/lib/python3.12/site-packages/oauthlib/oauth2/rfc6749/parameters.py", line 448, in validate_token_parameters
    raise_from_error(params.get('error'), params)
  File "/.local/lib/python3.12/site-packages/oauthlib/oauth2/rfc6749/errors.py", line 399, in raise_from_error
    raise cls(**kwargs)
oauthlib.oauth2.rfc6749.errors.InvalidGrantError: (invalid_grant) Code not valid
```

@ion-elgreco
Contributor Author

ion-elgreco commented Dec 16, 2024

Hi @kharkevich, do you have any ideas on how to debug this?

This is my configuration of the container:

```yaml
extraEnvVars:
    - name: OIDC_CLIENT_SECRET
      value: 
    - name: OIDC_CLIENT_ID
      value: mlflow
    - name: OIDC_DISCOVERY_URL
      value: "https://<internal_keycloak_url>/realms/<realm>/.well-known/openid-configuration"
    - name: OIDC_REDIRECT_URI
      value: "https://<internal_mlflow_url>/callback"
    - name: OIDC_PROVIDER_DISPLAY_NAME
      value: "Login with Keycloak"
    - name: OIDC_SCOPE
      value: "openid email profile"
    - name: OAUTHLIB_INSECURE_TRANSPORT
      value: "1"
    - name: OIDC_ADMIN_GROUP_NAME
      value: "admin-mlflow"
    - name: OIDC_GROUP_NAME
      value: "users-mlflow"
    - name: REQUESTS_CA_BUNDLE
      value: "/etc/ssl/certs/ca-certificates.crt"
    - name: "OIDC_USERS_DB_URI"
      value: postgresql://<>:<>@mlflow-postgresql:5432/bitnami_mlflow_auth
```

My Keycloak user (me) is part of the user and admin groups.

@ion-elgreco
Contributor Author

OK, got it working now; I had some issues with getting the groups in the token response. I'll make a PR to have a more graceful error for this, because the groups were simply not in the token response.
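
A diagnostic check for the failure mode described in the last comment, added here as an example and not the plugin's own code: it decodes the ID token from a token response and reports whether the group claim is present and matches the configured groups. The claim name `groups`, reading the groups from the ID token, and all function names are assumptions; the group names come from the configuration posted above, and the sample token is constructed and unsigned.

```python
import base64
import json

# Group names come from the configuration posted in this issue.
USER_GROUP = "users-mlflow"
ADMIN_GROUP = "admin-mlflow"
GROUPS_CLAIM = "groups"  # assumption: claim name set in the IdP's group mapper


def jwt_claims(token: str) -> dict:
    """Decode a JWT payload WITHOUT verifying the signature (diagnostics only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def check_group_access(token_response: dict) -> tuple[bool, str]:
    """Return (allowed, reason) so a login failure can be reported clearly."""
    if "error" in token_response:
        return False, f"token endpoint error: {token_response['error']}"
    id_token = token_response.get("id_token")
    if not id_token:
        return False, "no id_token in token response (is 'openid' in the scope?)"
    claims = jwt_claims(id_token)
    groups = claims.get(GROUPS_CLAIM)
    if groups is None:
        return False, f"claim '{GROUPS_CLAIM}' missing from ID token"
    if not isinstance(groups, list):
        return False, f"claim '{GROUPS_CLAIM}' is not a list"
    # Keycloak can emit full group paths such as "/users-mlflow".
    names = {str(g).lstrip("/") for g in groups}
    if ADMIN_GROUP in names:
        return True, "admin"
    if USER_GROUP in names:
        return True, "user"
    return False, f"user is in none of: {USER_GROUP}, {ADMIN_GROUP}"


def make_sample_token(claims: dict) -> str:
    """Build an unsigned, constructed sample token for trying the check."""
    def enc(d: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}.sig"


if __name__ == "__main__":
    print(check_group_access({"id_token": make_sample_token({"sub": "u1"})}))
```

Because the signature is not verified, the result is only useful for troubleshooting a token you obtained yourself, never for an authorization decision.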
