Issue with Http callback

Help / Discuss
#1

Hi,
I’m currently running Xwiki in docker version 14.1-postgres-tomcat.
I’ve installed OpenID Connect Authenticator and have run the configuration recommended. When first logging in I’m redirected to Keycloak website. I enter my credentials and then get the following 500 server error.

image

The rest of the configuration is running nginx proxy in-front forward to docker 8080
I’ve changed settings in xwiki.cfg to include the url, and protocol https.
I’ve updated server.xml to include catalina 8443

    <Connector port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol"
               maxThreads="150" SSLEnabled="true" >
        <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
        <SSLHostConfig>
            <Certificate certificateKeyFile="conf/localhost-rsa-key.pem"
                         certificateFile="conf/localhost-rsa-cert.pem"
                         certificateChainFile="conf/localhost-rsa-chain.pem"
                         type="RSA" />
        </SSLHostConfig>
    </Connector>

   <Engine name="Catalina" defaultHost="localhost">
      <Valve className="org.apache.catalina.valves.RemoteIpValve"
        remoteIpHeader="x-forwarded-for"
        requestAttributesEnabled="true"
        protocolHeader="x-forwarded-proto"
        protocolHeaderHttpsValue="https"/>

Any help here would be greatly appreciated

#2

The “Invalid state” error seems to suggest that the session was lost between the redirect to Keycloak and the redirect back to the XWiki instance.

Now I’m not sure why. Was the domain in the URL the same before and after Keycloak ?

#3

I was able to fix the issue be editing /usr/local/tomcat/bin/setenv.sh
and adding the following line before export JAVA_OPTS at the end of file
AVA_OPTS="$JAVA_OPTS -Djavax.net.ssl.trustStore=/usr/local/openjdk-11/lib/security/cacerts

Then mount the cert and run something like the following

/usr/local/openjdk-11/bin/keytool -import -trustcacerts -cacerts -storepass changeit -noprompt -alias sdm -file /usr/local/share/ca-certificates/<your-cert>.pem