Tags: keycloak, directus

How to set up Directus with Keycloak SSO config?


I'm new to Directus, but after watching YouTube videos about Directus, I think Directus is what I need to support my backend development.

I have already set up a self-hosted instance and succeeded in logging in with my admin credentials. Now I want to set it up to connect to my Keycloak SSO server.

I'm using this article as my guide: Directus Keycloak Guide

I have already set up the client ID (I named it "directus" in my Keycloak admin console). The Keycloak button is already there, but when I try to log in with Keycloak, it always redirects to https://mydirectussite/admin/login?reason=INVALID_CREDENTIALS.

When I checked the server, it had this log:

[06:02:07] GET /auth/login/keycloak?redirect=https%3A%2F%2Fcoba2-directus.blablabla.host%2Fadmin%2Flogin%3Freason%3DSIGN_OUT%26continue%3D 302 25ms
[06:02:09.388] WARN: [OpenID] Unknown RP error
    err: {
      "type": "RPError",
      "message": "unexpected JWT alg received, expected RS256, got: RS512",
      "stack":
          RPError: unexpected JWT alg received, expected RS256, got: RS512
              at Client.validateJWT (/directus/node_modules/.pnpm/openid-client@5.6.5/node_modules/openid-client/lib/client.js:911:13)
              at Client.validateIdToken (/directus/node_modules/.pnpm/openid-client@5.6.5/node_modules/openid-client/lib/client.js:766:60)
              at Client.callback (/directus/node_modules/.pnpm/openid-client@5.6.5/node_modules/openid-client/lib/client.js:505:18)
              at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
              at async OpenIDAuthDriver.getUserID (file:///directus/node_modules/.pnpm/@directus+api@file+api_@types+node@18.19.45_@unhead+vue@1.9.9_vue@3.4.27_typescript@5.4.5___e_m3k5vy5wr7txl4ii3ls7kgdvt4/node_modules/@directus/api/dist/auth/drivers/openid.js:114:24)
              at async AuthenticationService.login (file:///directus/node_modules/.pnpm/@directus+api@file+api_@types+node@18.19.45_@unhead+vue@1.9.9_vue@3.4.27_typescript@5.4.5___e_m3k5vy5wr7txl4ii3ls7kgdvt4/node_modules/@directus/api/dist/services/authentication.js:46:22)
              at async file:///directus/node_modules/.pnpm/@directus+api@file+api_@types+node@18.19.45_@unhead+vue@1.9.9_vue@3.4.27_typescript@5.4.5___e_m3k5vy5wr7txl4ii3ls7kgdvt4/node_modules/@directus/api/dist/auth/drivers/openid.js:291:28
      "jwt": "eyJhbGciOiJSUzUxMiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICI1LWNHMFFpRy14bGY0cU41Uk43WGJmNThTR01JMXplMjlVdW8wYjFhNWUwIn0.eyJleHAiOjE3MjY4MTIxMjksImlhdCI6MTcyNjcyNTcyOSwiYXV0aF90aW1lIjoxNzI2NzI1NjY4LCJqdGkiOiJlNjkxNTExMC1kOTEwLTQxMzgtYWUxMi1kMjA3N2U0OWVmZmUiLCJpc3MiOiJodHRwczovL3Nzby5wYXJhbWFydGhhLm5ldC9yZWFsbXMvcGFyYW1hcnRoYS1pZCIsImF1ZCI6ImRpcmVjdHVzIiwic3ViIjoiM2M3ZjFhMjgtNzViNC00YWJiLThiZWUtNDIxMjM1ODU3ZGIyIiwidHlwIjoiSUQiLCJhenAiOiJkaXJlY3R1cyIsIm5vbmNlIjoidXF5QnVYOV9JQzFJR3FORnU5ZGRkNUhiaGk1TlliTEtfVzdaYkdZVDRzYyIsInNpZCI6ImEzZjg0Y2NlLTExYTctNDBmMy05MWJkLTFmNzQ3NDZiYTc2ZiIsImF0X2hhc2giOiI0WWV3eTA3TmhRYldzRzE2TDIybURDbkdESUVoSlAzOE5vZmMweWQ3LXBjIiwiYWNyIjoiMCIsImVtYWlsX3ZlcmlmaWVkIjp0cnVlLCJuYW1lIjoiWW9zZXAgTXVoYW1tYWQgWXVzdWYgU3VkcmFqYXQiLCJncm91cHMiOlsiL0RpdiBJVCIsIi9BdWRpbyBBa3NlcyIsIi9LYXRhbG9nRWRpdG9yIl0sInByZWZlcnJlZF91c2VybmFtZSI6Inlvc2VwIiwiZ2l2ZW5fbmFtZSI6Illvc2VwIiwiZmFtaWx5X25hbWUiOiJNdWhhbW1hZCBZdXN1ZiBTdWRyYWphdCIsImVtYWlsIjoieW15czk5OTlAZ21haWwuY29tIiwiZ3JvdXAiOnsibGRhcCI6WyIvRGl2IElUIiwiL0F1ZGlvIEFrc2VzIiwiL0thdGFsb2dFZGl0b3IiXX19.q_KnxlvRKMItZNCq-5ScXsaz3mBzmC3bE3Niz5Eu-jZ7GE1JVqjizxUU_zp6xI1SvTv2hpIIafc45YXVsEFMGWNUZuaJcfpJ3nWb_0UyG-rQ2uopg0Xe03op29lZJSZ8i-0V9ufUuDMbljq4aMRCssDzORoxbjzT_HUquYy2e66tGnHL8VqEpftU7Id-8xDNx88GPgVQVzjsPqJfcs1Y0JTGAPcYHwOMsiFrucdTaasFB7h9mKE3XD_hf",
      "name": "RPError"
    }
[06:02:09.405] WARN: Invalid user credentials.
    err: {
      "type": "",
      "message": "Invalid user credentials.",
      "stack":
          DirectusError: Invalid user credentials.
              at handleError (file:///directus/node_modules/.pnpm/@directus+api@file+api_@types+node@18.19.45_@unhead+vue@1.9.9_vue@3.4.27_typescript@5.4.5___e_m3k5vy5wr7txl4ii3ls7kgdvt4/node_modules/@directus/api/dist/auth/drivers/openid.js:234:16)
              at OpenIDAuthDriver.getUserID (file:///directus/node_modules/.pnpm/@directus+api@file+api_@types+node@18.19.45_@unhead+vue@1.9.9_vue@3.4.27_typescript@5.4.5___e_m3k5vy5wr7txl4ii3ls7kgdvt4/node_modules/@directus/api/dist/auth/drivers/openid.js:124:19)
              at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
              at async AuthenticationService.login (file:///directus/node_modules/.pnpm/@directus+api@file+api_@types+node@18.19.45_@unhead+vue@1.9.9_vue@3.4.27_typescript@5.4.5___e_m3k5vy5wr7txl4ii3ls7kgdvt4/node_modules/@directus/api/dist/services/authentication.js:46:22)
              at async file:///directus/node_modules/.pnpm/@directus+api@file+api_@types+node@18.19.45_@unhead+vue@1.9.9_vue@3.4.27_typescript@5.4.5___e_m3k5vy5wr7txl4ii3ls7kgdvt4/node_modules/@directus/api/dist/auth/drivers/openid.js:291:28
      "name": "DirectusError",
      "code": "INVALID_CREDENTIALS",
      "status": 401
    }

So I changed the Default Signature Algorithm at /realm-settings/tokens, and the error changed, so I assume the "alg RS512" problem is solved. But then I got a different error:

WARN: [OpenID] Couldn't verify OpenID cookie
    err: {
      "type": "JsonWebTokenError",
      "message": "jwt must be provided",
      "stack":
          JsonWebTokenError: jwt must be provided
              at module.exports [as verify] (/home/blabla/dir/node_modules/jsonwebtoken/verify.js:60:17)

[13:48:00.479] WARN: [OpenID] User doesn't exist, and public registration not allowed for provider "keycloak"
[13:48:00.481] WARN: Invalid user credentials.
    err: {
      "type": "",
      "message": "Invalid user credentials.",
      "stack":
          DirectusError: Invalid user credentials.
              at OpenIDAuthDriver.getUserID (file:///home/xxx/dir/node_modules/@directus/api/dist/auth/drivers/openid.js:164:19)
              at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
              at async AuthenticationService.login (file:///home/x/dir/node_modxxules/@directus/api/dist/services/authentication.js:46:22)
              at async file:///home/xxx/dir/node_modules/@directus/api/dist/auth/drivers/openid.js:291:28
      "name": "DirectusError",
      "code": "INVALID_CREDENTIALS",
      "status": 401
    }

When I click the "Login with Keycloak" button and then check the cookies via Inspect Element, there is a Keycloak response, but it suddenly disappears when it redirects to /admin/login/?reason=INVALID_CREDENTIALS.

Directus version: 11.1.0
Keycloak version: 25.0.4

Are there any solutions for this?


Solution

  • Solved:

    First problem: I changed the "Default Signature Algorithm" from RS512 to RS256 at realm-settings/tokens. So basically, this was a Keycloak admin problem.

    Second problem:

    1. First, check the Keycloak Admin Console at {client-id}/sessions. If the user you tested with is there, delete that session.
    2. Add AUTH_KEYCLOAK_ALLOW_PUBLIC_REGISTRATION=TRUE to your env.
    3. If there is still no luck, point your env at a config.json with this parameter: CONFIG_PATH="path/to/config.json", and convert your .env to config.json.
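The two failures in this thread can both be caught before clicking the login button. The script below is an added example written for this page; it is not code from the original posts, from Directus, openid-client or Keycloak. It reproduces offline what those components do: openid-client rejects an ID token whose JOSE header `alg` differs from the client's expected algorithm (RS256 by default) before it even looks at the signature, and Directus refuses a first-time SSO user unless `AUTH_<PROVIDER>_ALLOW_PUBLIC_REGISTRATION` is true. The token, issuer URL, kid and environment values are constructed placeholders, not the ones from the log, and the third token segment is not a real signature; the check only parses the header and never verifies anything, so it is a diagnostic, not a replacement for the library's validation.

```javascript
// Added example for this thread (not Directus, openid-client or Keycloak code):
// an offline preflight that reproduces both failures seen in the logs above.

// Encode an object as a base64url JWT segment (no padding, as RFC 7515 requires).
function b64url(obj) {
  return Buffer.from(JSON.stringify(obj)).toString('base64url');
}

// Constructed sample ID token. It is NOT the token from the log: issuer, subject
// and kid are placeholders, and the third segment is not a real signature
// (this check only inspects the JOSE header and never verifies it).
function buildConstructedIdToken(alg) {
  const header = { alg, typ: 'JWT', kid: 'constructed-kid' };
  const payload = {
    iss: 'https://sso.example.test/realms/demo', // hypothetical realm
    aud: 'directus',
    sub: '00000000-0000-4000-8000-000000000000',
    typ: 'ID',
  };
  return `${b64url(header)}.${b64url(payload)}.${b64url({ sig: 'placeholder' })}`;
}

// Decode the JOSE header of a compact JWS without trusting anything in it.
function decodeJoseHeader(jwt) {
  const parts = String(jwt).split('.');
  if (parts.length !== 3) throw new Error('not a compact JWS (expected 3 segments)');
  return JSON.parse(Buffer.from(parts[0], 'base64url').toString('utf8'));
}

// Problem 1: openid-client compares the header alg with the client's
// id_token_signed_response_alg (RS256 by default) *before* checking the
// signature, so a realm signing with RS512 fails with the RPError in the log.
// Strict equality also rejects "none" and HMAC algs, which is the point:
// the relying party decides which algorithm it accepts, never the token.
function checkIdTokenAlg(jwt, expectedAlg = 'RS256') {
  const { alg } = decodeJoseHeader(jwt);
  if (alg !== expectedAlg) {
    return { ok: false, alg, reason: `unexpected JWT alg received, expected ${expectedAlg}, got: ${alg}` };
  }
  return { ok: true, alg, reason: 'alg matches' };
}

// Directus reads booleans from the environment as the strings "true"/"false".
function envBool(value) {
  return String(value ?? 'false').trim().toLowerCase() === 'true';
}

// Problem 2: a first-time SSO user is only created when
// AUTH_<PROVIDER>_ALLOW_PUBLIC_REGISTRATION is true. Once it is, every identity
// the Keycloak client will authenticate becomes a Directus user, so the
// warnings point at the settings that keep that from being an open door.
function checkRegistration(env, provider, userExists) {
  const prefix = `AUTH_${provider.toUpperCase()}_`;
  if (userExists) return { ok: true, reason: 'existing user, no registration needed', warnings: [] };
  if (!envBool(env[`${prefix}ALLOW_PUBLIC_REGISTRATION`])) {
    return {
      ok: false,
      reason: `User doesn't exist, and public registration not allowed for provider "${provider}"`,
      warnings: [],
    };
  }
  const warnings = [];
  if (!env[`${prefix}DEFAULT_ROLE_ID`]) {
    warnings.push(`${prefix}DEFAULT_ROLE_ID is unset: auto-created users get no role; point it at a least-privilege role`);
  }
  if (!envBool(env[`${prefix}REQUIRE_VERIFIED_EMAIL`])) {
    warnings.push(`${prefix}REQUIRE_VERIFIED_EMAIL is not true: identities with unverified emails can register`);
  }
  return { ok: true, reason: 'user will be created on first login', warnings };
}

// Constructed environment with placeholder values, mirroring the thread's setup.
const constructedEnv = {
  AUTH_PROVIDERS: 'keycloak',
  AUTH_KEYCLOAK_DRIVER: 'openid',
  AUTH_KEYCLOAK_CLIENT_ID: 'directus',
  AUTH_KEYCLOAK_ISSUER_URL: 'https://sso.example.test/realms/demo',
  AUTH_KEYCLOAK_ALLOW_PUBLIC_REGISTRATION: 'TRUE',
};

console.log(checkIdTokenAlg(buildConstructedIdToken('RS512')).reason);
console.log(checkIdTokenAlg(buildConstructedIdToken('RS256')).reason);
console.log(checkRegistration(constructedEnv, 'keycloak', false));
```

Changing the realm-wide Default Signature Algorithm, as the answer did, affects every client in the realm; the narrower fix is the client's own "ID Token Signature Algorithm" under Advanced > Fine grain OpenID Connect configuration, which lets this one client sign with RS256 while the rest of the realm stays as it is. Enabling public registration is what makes the second error go away, but pair it with a least-privilege AUTH_KEYCLOAK_DEFAULT_ROLE_ID and restrict in Keycloak which users may authenticate to the directus client, otherwise every account in the realm can create itself a Directus login.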