Xwiki Get response 504 after SSO (keycloak) authenticaion when redirect to /xwiki/oidc/authenticator/callback

Help / Discuss
#1

Hi,

I have a xwiki deployed in kubernetes cluster with helm, this is the helm version:
NAME REVISION UPDATED STATUS CHART APP
xwiki 3 Sat Jan 30 08:42:41 2021 DEPLOYED xwiki-1.0-SNAPSHOT 11.10.4 utility

The topology is:
Apache reverse proxy (https) --> Kubernetes Ingress (http) --> Xwiki

I configured SSO with keycloak reference this:

And also add one base URL in xwiki deployment:
- name: CONTEXT_PATH
value: “/xwiki”

When I access https://mydomain/xwiki/, it can redirect to keycloak and the authentication is working (I can verify that the user passed authentication in keycloak), after authentication, when it redirect to /xwiki/oidc/authenticator/callback, it gets " 504 Gateway Time-out" on browser.

This is the log from kubernetes ingress: (seems ingress didn’t get response from xwiki within 60s, then timeout)
10.3.7.3 - - [30/Jan/2021:13:55:23 +0000] “GET /xwiki/oidc/authenticator/callback?state=fcQcpz4mzfWH50ARfD1pasiapdFD2TCXxbniRWUAj_4&session_state=17e0f41c-3783-4e44-80ad-ad19bb9ed02f&code=0833e729-0f1e-4fe5-9a5c-7bf4b936c4a7.17e0f41c-3783-4e44-80ad-ad19bb9ed02f.eeb7c110-ecff-409e-95b3-78f51035a311 HTTP/1.1” 504 167 “https://mydomain/vre/auth/realms/vre/protocol/openid-connect/auth?scope=openid+profile+email+address&claims={“id_token”%3A{“xwiki_instance_id”%3Anull}%2C"userinfo"%3A{“xwiki_user_accessibility”%3Anull%2C"xwiki_user_displayHiddenDocuments"%3Anull%2C"xwiki_user_editor"%3Anull%2C"xwiki_user_usertype"%3Anull%2C"xwiki_groups"%3Anull%2C"xwiki_user_company"%3Anull}}&response_type=code&redirect_uri=https%3A%2F%2Fmydomain%2Fxwiki%2Foidc%2Fauthenticator%2Fcallback&state=fcQcpz4mzfWH50ARfD1pasiapdFD2TCXxbniRWUAj_4&client_id=xwiki” “Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:84.0) Gecko/20100101 Firefox/84.0” 1432 65.000 [utility-xwiki-xwiki-80] [] 192.168.92.221:8080, 0.0.0.1:80 0, 0 60.001, 5.000 504, 504 d0e21763b3f550f8f2bb2a14881b242c

This is the log from xwiki pod: (seems xwiki didn’t response to this request)
192.168.86.243 - - [30/Jan/2021:13:48:28 +0000] “GET /xwiki/oidc/authenticator/callback?state=BKHWvnxmtE0HxOL_dhqSfrTbc1TNjYLviRKS6EyMJ6E&session_state=aa9e0ed2-be2f-4816-be89-32471301d3b9&code=1c4d6eb1-967f-41e0-8d6f-022f2d16303b.aa9e0ed2-be2f-4816-be89-32471301d3b9.eeb7c110-ecff-409e-95b3-78f51035a311 HTTP/1.1” 500 8358

BTW, I have another DEV environment deployed xwiki the same way, the only difference is DEV env has no Apache reverse proxy, it works fine in DEV.

Could you help me to check this one?

Let me know if you need any info.

Thank you very much

Helm chart not working with non-ROOT context
#2

Fixed.

oidc.endpoint.userinfo, this parameter in xwiki.properties should be a internal DNS name instead of https URL

#3

Glad you fixed your problem but not sure what you exactly means. It should definitely be an HTTPS URL but maybe what you mean is that the XWiki instance cannot access the domain you are using in oidc.endpoint.authorization.

By the way note that both oidc.endpoint.token and oidc.endpoint.userinfo are directly accessed by the authenticator (contrary to oidc.endpoint.authorization which redirect the user) so they have pretty much the same constraint.

#4

Yes, keycloak and xwiki are deployed in kubernetes, so oidc.endpoint.token and oidc.endpoint.userinfo can be internal DNS name within K8S.

Thanks for your reply