Problems connecting Connections 8 to Keycloak

I'm trying to connect Connections 8 to Keycloak using this documentation. I don't get it working, but it looks like this might not necessarily be Connections related. The documentation refers to https://<keycloak_url>/auth/realms/myRealm/.well-known/openid-configuration. However, this URL gives a 404 in my Keycloak (version 23) environment.

Has anyone experienced the same when trying to use Connections? Anyone successful in connecting their Connections environment to keycloak who is ok with sharing their setup with me so I can figure out what I did wrong?

Never mind on the Keycloak URL. I remember now that in the past few versions "auth" disappeared from the URL. So it should be https://<keycloak_url>/realms/myRealm/.well-known/openid-configuration

That said, I still don't get a keycloak login. I see that the browser opens https://<keycloak_url>/realms/myRealm/.well-known/openid-configuration, but that doesn't lead to it loading the Keycloak login page. What should happen after the login loading the openid-configuration page?

myRealm is a placeholder, right?

Hi Bernd.
Yes, it is.

Hi Martijn

Have you seen this page? https://github.com/HCL-TECH-SOFTWARE/hclds-keycloak or https://github.com/HCL-TECH-SOFTWARE/hclds-keycloak/blob/main/docs/integration/ds-integration/cnx-integration.md

The full provider config can be studied here: https://www.ibm.com/docs/en/was/9.0.5?topic=users-configuring-openid-connect-relying-party

The .well-known/openid-configuration URL could be set as the provider_X.discoveryEndpointUrl.

I hadn't found those links yet. Thanks!

The browser should open something like

https://<keycloak_url>/realms/myRealm/protocol/openid-connect/auth?response_type=code...

The .well-known/openid-configuration endpoint should not be opened in the browser...

Hi Martijn,

Your Keycloak version uses "https://<keycloak_url>/realms/myRealm/.well-known/openid-configuration" as the endpoint; the "auth" part was removed in a previous Keycloak version.

FYI: the endpoint settings in "Configuring the OIDC RP TAI against your IdP" on the keycloak GitHub still contain the /auth/ part in the URLs.

For the WebSphere OIDC configuration I used the config_oidc.py configuration file from the connections-automation GitHub repository, replaced the Ansible variables with the Keycloak settings and executed it with the following command: wsadmin.sh -lang jython -port 8879 -username wasadmin -password password -f config_oidc.py

The script removes all OIDC settings and recreates them in the WebSphere environment.

Thanks both. I used the script to set everything up once again and the documentation from GitHub for the details. I seem to be almost there, but just not yet. When opening Connections, I'm going to the Keycloak login page. After logging in there, I'm taken back to Connections => https://<connections-url>/homepage/web/updates/#myStream/updates/all. So far, so good. But then something happens that didn't happen before I made the connection with Keycloak: an empty page, and in the SystemOut.log:
0000020c TabInfoInterc E CLFRQ0415E: An error occurred while executing the action. See nested exception for more details.
com.ibm.lconn.homepage.web.WebException: CLFRQ0355E: It is not possible to retrieve the tab instance ID. An error occurred while getting the internal ID of the authenticated user from the session.
Any ideas?

Also, an unrelated question. In this installation, I have just 2 clusters. One for Connections and one for Docs (viewer, conversions, docs). The script installs the WebSphereOIDCRP.ear twice. Once for the ICCluster and once for the DocsCluster (with the same context root; I had to change those myself), but in the trust interceptor it comes up with an empty interceptedPathFilter. Is a configuration for the Docs components needed?

Martijn, please enable the OIDC debug in the UtilCluster for the Homepage app to see why the user can't log in.

*=info:com.ibm.ws.security.oidc.*=all:com.ibm.ws.security.openidconnect.*=all:com.ibm.ws.security.openid20.*=all:com.ibm.ws.security.web.*=all

Is there an active session visible in the Keycloak admin console?

About your Docs configuration I have to look in my environment to answer your question.

About the missing "interceptedPathFilter" entries for the Docs environment you have to modify the config_oidc.py script, because docs apps are missing:

Please update the script with the following lines in the function "getRequiredInterceptedPathFilterForApps":

    def getRequiredInterceptedPathFilterForApps(apps):
        interceptedPathFilterArray = []
        for app in apps:
            # ... the existing branches for the other Connections apps (elided in the post) ...
            if app == 'Wikis':  # in the full script this continues the existing if/elif chain
                interceptedPathFilterArray.append('/wikis/.*')
            elif app == 'ViewerApp':
                interceptedPathFilterArray.append('/viewer/.*')
            elif app == 'IBMDocs':
                interceptedPathFilterArray.append('/docs/.*')
            elif app == 'IBMConversion':
                interceptedPathFilterArray.append('/conversion/.*')
        # the TAI property takes the filters as one comma-separated list
        return ','.join(interceptedPathFilterArray)

and restart the script with wsadmin.
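As an added illustration (not part of the post or of config_oidc.py), this Python shows what the comma-separated interceptedPathFilter value does and which request paths the OIDC TAI would leave alone when the Docs apps are missing. The APP_PATH_FILTERS entries other than the four from the post, the SAMPLE_PATHS, and the assumption that each entry is a regex matched against the request path are constructed here.

```python
import re

# Map of Connections app name to path filter. The Wikis/ViewerApp/IBMDocs/
# IBMConversion entries come from the post above; the others are constructed
# examples standing in for the script's existing branches.
APP_PATH_FILTERS = {
    'Homepage': '/homepage/.*',
    'Communities': '/communities/.*',
    'Files': '/files/.*',
    'Wikis': '/wikis/.*',
    'ViewerApp': '/viewer/.*',
    'IBMDocs': '/docs/.*',
    'IBMConversion': '/conversion/.*',
}

# Constructed request paths, modelled on the ones that appear in the thread.
SAMPLE_PATHS = [
    '/homepage/web/updates/',
    '/files/app',
    '/docs/app/index.html',
    '/viewer/share/abc',
]


def get_intercepted_path_filter(apps):
    """Build the comma-separated interceptedPathFilter value for the given apps."""
    return ','.join(APP_PATH_FILTERS[app] for app in apps if app in APP_PATH_FILTERS)


def is_intercepted(path_filter, request_path):
    """Assumption: the TAI applies each comma-separated entry as a regular
    expression against the request path and intercepts on any match."""
    patterns = [p for p in path_filter.split(',') if p]
    return any(re.fullmatch(p, request_path) for p in patterns)


def uncovered_paths(path_filter, paths):
    """Paths the OIDC TAI would not intercept (so no Keycloak redirect)."""
    return [p for p in paths if not is_intercepted(path_filter, p)]


if __name__ == '__main__':
    without_docs = get_intercepted_path_filter(['Homepage', 'Communities', 'Files', 'Wikis'])
    with_docs = get_intercepted_path_filter(list(APP_PATH_FILTERS))
    print('uncovered without Docs entries:', uncovered_paths(without_docs, SAMPLE_PATHS))
    print('uncovered with Docs entries:   ', uncovered_paths(with_docs, SAMPLE_PATHS))
```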

That gives a lot of info. Not sure what exactly I'd be looking for. Seeing that I can open my profile, there must be something of an active session. It's the only app I tried that I can open though. homepage, communities, files, forums all give an empty page, wrong redirection page or a plain not authorized.

Martijn, when you can open your profile after Keycloak login, then the Keycloak configuration should work. My suggestion: it seems more like a Connections access/configuration issue.

Maybe the Web SSO configuration could be a possible cause :-/

Users can only log into Profiles

The Docs config may not be needed, as probably no one will directly call the URLs for Docs.


The WebSphereOIDCRP.ear needs to be on each cluster with a different context root. The context root has to match the provider.callbackServletContext

Have you adjusted the security roles in the apps to "all authenticated in trusted realm"?

Yes, I did. Not sure what the exact problem was, but I got a bit closer.

I removed all keycloak-related configurations to check if Connections still worked without keycloak. Everything was working fine. I then added the keycloak configuration again with the script, as suggested by Martin, and manually made changes to the LCC.xml.

Now I can log into Connections through keycloak. The homepage is working as are files and forums etc. However, communities are looking like this:

The accompanying error looks like this:
[14/01/24 21:57:55:120 CET] 00000239 SRTServletRes W com.ibm.ws.webcontainer.srt.SRTServletResponse addHeader SRVE8094W: WARNING: Cannot set header. Response already committed.
[14/01/24 21:57:55:122 CET] 00000239 LotusConnecti E An unexpected exception was caught by HCL Connections. The error page generated for this exception will display the identifier below.
[14/01/24 21:57:55:122 CET] 00000239 LotusConnecti E Identifier: LC97610361DB044CCEB6F9BBD93C5E6284
[14/01/24 21:57:55:123 CET] 00000239 LotusConnecti E User-Agent: CRE
[14/01/24 21:57:55:123 CET] 00000239 LotusConnecti E Request URI: GET https://athena.martdj.nl/connections/resources/web/lconn.comm/communityMembers/communityMembers.xml
[14/01/24 21:57:55:124 CET] 00000239 LotusConnecti E Remote user: null
[14/01/24 21:57:55:124 CET] 00000239 LotusConnecti E Locale: en_GB
[14/01/24 21:57:55:125 CET] 00000239 LotusConnecti E Session ID: SIc6TKDIJ54U8cIGgxe1mAA
[14/01/24 21:57:55:125 CET] 00000239 LotusConnecti E An unexpected exception was caught by HCL Connections. The error page generated for this exception will display the identifier below.
java.lang.IllegalStateException: SRVE0209E: Writer already obtained

Hi Martijn

this happens due to the

com.ibm.websphere.security.performTAIForUnprotectedURI=true

setting. Setting this to false or removing it should fix the problem.

At the end, all communities should work, except the ones that use the rich content widget.

Communities with it will either show an error in the widget or just reload.
The browser console shows a 401 error for the request.

You did not test the embedded experience in the activity stream, right?

No, I didn't

Hi Urs,

That is indeed the solution for my communities problem, so many thanks for that. However, it has an unexpected side-effect. When I now connect to my environment, the homepage is redirected to /homepage/login which is redirected to /homepage etc. An endless loop, which surprisingly doesn't occur when com.ibm.websphere.security.performTAIForUnprotectedURI is set to true. Did you also experience this and solve it? I can log in by going directly to /profiles. From there, everything works like it should.

Another unrelated question. My Logout page currently refers to:
https://<my cnx url>/connections/undefined?post_logout_redirect_uri=https://<my cnx url>/homepage&client_id=hcl-cnx-oidc-client
That, unsurprisingly, gives a page not found. What would be the right logout url and where should I set that?

How to log out from Keycloak and Connections would be a good question for HCL support.
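As an added example (not from the thread, HCL's tooling or Keycloak), this Python ties together the two URL questions above: it builds the realm's discovery URL in both the old /auth form and the current form, validates a discovery document before trusting its endpoints, and derives an RP-initiated logout URL from end_session_endpoint, which is where a logout link has to point rather than at /connections/undefined. The host names and the SAMPLE_DISCOVERY document are constructed.

```python
import json
from urllib.parse import urlencode


def discovery_url(keycloak_base, realm, legacy_auth_prefix=False):
    """Build the realm's OIDC discovery URL. Older Keycloak deployments served
    everything under /auth; newer (Quarkus-based) versions drop that prefix,
    which is why the /auth/ form from the docs returns 404 on Keycloak 23."""
    prefix = '/auth' if legacy_auth_prefix else ''
    return f"{keycloak_base.rstrip('/')}{prefix}/realms/{realm}/.well-known/openid-configuration"


# Constructed discovery document with the fields an RP needs; a real one is
# fetched over HTTPS from discovery_url(...). Host names are placeholders.
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://keycloak.example/realms/myRealm",
    "authorization_endpoint": "https://keycloak.example/realms/myRealm/protocol/openid-connect/auth",
    "token_endpoint": "https://keycloak.example/realms/myRealm/protocol/openid-connect/token",
    "jwks_uri": "https://keycloak.example/realms/myRealm/protocol/openid-connect/certs",
    "end_session_endpoint": "https://keycloak.example/realms/myRealm/protocol/openid-connect/logout",
})

REQUIRED = ("issuer", "authorization_endpoint", "token_endpoint",
            "jwks_uri", "end_session_endpoint")


def parse_discovery(doc_json, expected_issuer):
    """Return the endpoints the RP needs, refusing documents that lack one or
    whose issuer differs from the realm we configured (a cheap guard against
    pointing the RP at the wrong realm or a stale /auth URL)."""
    doc = json.loads(doc_json)
    missing = [k for k in REQUIRED if k not in doc]
    if missing:
        raise ValueError(f"discovery document missing {missing}")
    if doc["issuer"] != expected_issuer:
        raise ValueError(f"issuer mismatch: {doc['issuer']} != {expected_issuer}")
    return {k: doc[k] for k in REQUIRED}


def logout_url(endpoints, client_id, post_logout_redirect_uri, id_token_hint=None):
    """RP-initiated logout URL: the browser is sent to the realm's
    end_session_endpoint with the redirect target and client_id (plus the
    ID token hint when the RP still has it)."""
    params = {"post_logout_redirect_uri": post_logout_redirect_uri, "client_id": client_id}
    if id_token_hint:
        params["id_token_hint"] = id_token_hint
    return endpoints["end_session_endpoint"] + "?" + urlencode(params)
```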