Ocis with keycloak deploy

I’m trying to install oCIS in Docker with my own Keycloak (also in Docker, installed earlier) and nginx.
I get an error when logging in:

Login Error

Your user session is invalid or has expired.

If you like to login with a different user please proceed to exit.
Attention: this will log you out from all applications you are running in this browser with your current user.

And in the Docker log:

{"error":"invalid_token","error_description":"Token verification failed"}

My yml:


```yaml
version: "3.7"

services:
  ocis:
    image: owncloud/ocis:latest
    networks:
      ocis_net:
    entrypoint:
      - /bin/sh
      - /entrypoint-override.sh
    environment:
      # Keycloak IDP specific configuration
      PROXY_AUTOPROVISION_ACCOUNTS: "true"
      PROXY_OIDC_ISSUER: https://keycloak.mydomain.com/auth/realms/myrealm
      WEB_OIDC_AUTHORITY: https://keycloak.mydomain.com/auth/realms/myrealm
      WEB_OIDC_CLIENT_ID: ocis
      WEB_OIDC_METADATA_URL: https://keycloak.mydomain.com/auth/realms/myrealm/.well-known/openid-configuration
      STORAGE_OIDC_ISSUER: https://keycloak.mydomain.com/auth/realms/myrealm
      STORAGE_LDAP_IDP: https://keycloak.mydomain.com/auth/realms/myralm
      # general config
      OCIS_URL: https://myocis.mydomain.com
      OCIS_LOG_LEVEL: ${OCIS_LOG_LEVEL:-error} # make oCIS less verbose
      PROXY_TLS: "false" # do not use SSL between Traefik and oCIS
      ACCOUNTS_DEMO_USERS_AND_GROUPS: "false" # don't generate demo users
      # change default secrets
      IDP_LDAP_BIND_PASSWORD: *************
      STORAGE_LDAP_BIND_PASSWORD: ********************************
      OCIS_JWT_SECRET: ********************************
      STORAGE_TRANSFER_SECRET: *********************************
      OCIS_MACHINE_AUTH_API_KEY: *********************************
      OCIS_INSECURE: "false"
    volumes:
      - ./config/ocis/entrypoint-override.sh:/entrypoint-override.sh
      - ocis-data:/var/lib/ocis
    ports:
      - "9200:9200"

networks:
  ocis_net:
```

Apparently, the problem is in ISS. I was trying to change "PROXY_OIDC_ISSUER" to localhost, but it did not help.

Any ideas?
Very little information in the documentation…

{"level":"error","service":"proxy","error":"401 Unauthorized: {\"error\":\"invalid_token\",\"error_description\":\"Token verification failed\"}","time":"2022-04-14T19:11:27Z","message":"Failed to get userinfo"}

{"level":"error","service":"accounts","error":"github.com.owncloud.ocis.protogen.gen.ocis.messages.accounts.v0.Account with Id=95cb8724-03b2-11eb-a0a6-c33ef8ef53ad does already exist","time":"2022-04-17T15:35:16Z","message":"service user was configured but failed to be added to the index"}
process idp terminated##################################################
change default secrets:
##################################################
##################################################
delete demo users
##################################################
{"level":"error","service":"proxy","error":"401 Unauthorized: {\"error\":\"invalid_token\",\"error_description\":\"Token verification failed\"}","time":"2022-04-17T15:35:36Z","message":"Failed to get userinfo"}
{"level":"error","service":"proxy","error":"401 Unauthorized: {\"error\":\"invalid_token\",\"error_description\":\"Token verification failed\"}","time":"2022-04-17T15:35:37Z","message":"Failed to get userinfo"}
{"level":"error","service":"proxy","error":"401 Unauthorized: {\"error\":\"invalid_token\",\"error_description\":\"Token verification failed\"}","time":"2022-04-17T15:35:38Z","message":"Failed to get userinfo"}
{"level":"error","service":"proxy","error":"401 Unauthorized: {\"error\":\"invalid_token\",\"error_description\":\"Token verification failed\"}","time":"2022-04-17T15:35:46Z","message":"Failed to get userinfo"}
{"level":"error","service":"proxy","error":"401 Unauthorized: {\"error\":\"invalid_token\",\"error_description\":\"Token verification failed\"}","time":"2022-04-17T15:35:49Z","message":"Failed to get userinfo"}
{"level":"error","service":"proxy","error":"401 Unauthorized: {\"error\":\"invalid_token\",\"error_description\":\"Token verification failed\"}","time":"2022-04-17T15:35:49Z","message":"Failed to get userinfo"}
{"level":"error","service":"proxy","error":"401 Unauthorized: {\"error\":\"invalid_token\",\"error_description\":\"Token verification failed\"}","time":"2022-04-17T15:35:50Z","message":"Failed to get userinfo"}
{"level":"error","service":"proxy","error":"401 Unauthorized: {\"error\":\"invalid_token\",\"error_description\":\"Token verification failed\"}","time":"2022-04-17T15:35:52Z","message":"Failed to get userinfo"}
{"level":"error","service":"proxy","error":"401 Unauthorized: {\"error\":\"invalid_token\",\"error_description\":\"Token verification failed\"}","time":"2022-04-17T15:41:22Z","message":"Failed to get userinfo"}
{"level":"error","service":"proxy","error":"401 Unauthorized: {\"error\":\"invalid_token\",\"error_description\":\"Token verification failed\"}","time":"2022-04-17T15:41:22Z","message":"Failed to get userinfo"}
{"level":"error","service":"proxy","error":"401 Unauthorized: {\"error\":\"invalid_token\",\"error_description\":\"Token verification failed\"}","time":"2022-04-17T15:41:23Z","message":"Failed to get userinfo"}
{"level":"error","service":"proxy","error":"401 Unauthorized: {\"error\":\"invalid_token\",\"error_description\":\"Token verification failed\"}","time":"2022-04-17T15:41:30Z","message":"Failed to get userinfo"}
{"level":"error","service":"proxy","error":"gateway: grpc failed with code CODE_PERMISSION_DENIED","time":"2022-04-17T15:41:30Z","message":"error when calling Createhome"}
{"level":"error","service":"proxy","error":"gateway: grpc failed with code CODE_PERMISSION_DENIED","time":"2022-04-17T15:41:30Z","message":"error when calling Createhome"}
{"level":"error","service":"ocis","error":"error: permission denied: create container: error: permission denied: ","time":"2022-04-17T15:41:31Z","message":"error initializing metadata client"}
{"level":"error","service":"ocis","error":"error: permission denied: create container: error: permission denied: ","time":"2022-04-17T15:41:31Z","message":"error initializing metadata client"}
{"level":"error","service":"ocis","error":"error: permission denied: create container: error: permission denied: ","time":"2022-04-17T15:41:31Z","message":"error initializing metadata client"}
{"level":"error","service":"ocis","error":"error: permission denied: create container: error: permission denied: ","time":"2022-04-17T15:41:31Z","message":"error initializing metadata client"}

I’ll duplicate it here too - this error is even on your demo server!

Same as Ocis with keycloak&nginx problem · Issue #3540 · owncloud/ocis · GitHub

It is a regression, see Ocis with keycloak&nginx problem · Issue #3540 · owncloud/ocis · GitHub and Ocis with keycloak&nginx problem · Issue #3540 · owncloud/ocis · GitHub

A post was split to a new topic: Keycloak deployment example
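
The issuer comparison that the first post is reaching for, as an added example that is not part of the thread or of oCIS: it checks that the issuer-type variables from the compose file, the `issuer` in Keycloak's discovery document and the `iss` claim of a token all carry exactly the same string. The discovery document and token are constructed samples, the internal hostname `keycloak:8080` is hypothetical, and treating all four variables as required to match is an assumption.

```python
import base64
import json

# Variables from the compose file above that are assumed to name the same realm URL.
ISSUER_KEYS = ["PROXY_OIDC_ISSUER", "WEB_OIDC_AUTHORITY",
               "STORAGE_OIDC_ISSUER", "STORAGE_LDAP_IDP"]

def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def jwt_claims(token):
    """Decode the JWT payload without verifying the signature (diagnostics only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(payload))

def issuer_findings(env, discovery, token, now):
    """Return readable mismatches; an empty list means every issuer string agrees."""
    expected = env["PROXY_OIDC_ISSUER"]
    findings = [f"{k}={env[k]!r} differs from PROXY_OIDC_ISSUER"
                for k in ISSUER_KEYS if k in env and env[k] != expected]
    if discovery.get("issuer") != expected:
        findings.append(f"discovery issuer {discovery.get('issuer')!r} differs")
    claims = jwt_claims(token)
    if claims.get("iss") != expected:
        findings.append(f"token iss {claims.get('iss')!r} differs")
    if claims.get("exp", 0) <= now:
        findings.append("token is expired")
    return findings

# Constructed sample data: env values are copied from the post; the discovery
# document and the unsigned token are made up for illustration.
REALM = "https://keycloak.mydomain.com/auth/realms/myrealm"
SAMPLE_ENV = {
    "PROXY_OIDC_ISSUER": REALM, "WEB_OIDC_AUTHORITY": REALM,
    "STORAGE_OIDC_ISSUER": REALM,
    "STORAGE_LDAP_IDP": "https://keycloak.mydomain.com/auth/realms/myralm",
}
SAMPLE_DISCOVERY = {"issuer": REALM}
SAMPLE_TOKEN = ".".join([
    _b64url(b'{"alg":"RS256","typ":"JWT"}'),
    _b64url(json.dumps({"iss": "http://keycloak:8080/auth/realms/myrealm",
                        "exp": 1650000000}).encode()),
    _b64url(b"constructed-signature"),
])

if __name__ == "__main__":
    for line in issuer_findings(SAMPLE_ENV, SAMPLE_DISCOVERY, SAMPLE_TOKEN, now=1649900000):
        print(line)
```

With real data, `discovery` is the JSON served at `WEB_OIDC_METADATA_URL` and `token` is the access token the browser sends to oCIS.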