I have the same problem after the Helm installation…
I can even retrieve the user's access token directly from Keycloak, but GitLab still does not let this user log in.
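# Debugging aid: fetch an access token for a test user straight from Keycloak
# (password grant) and decode it to see which claims GitLab will receive.
# GitLab itself uses the authorization-code flow (response_type: 'code'), so
# this only proves the realm/user side works, not the GitLab client setup.
#
# The client secret and the user password come from the environment instead of
# being typed on the command line, so they do not land in shell history or in
# `ps` output; ${VAR:?} aborts the command if the variable is unset.
# --data-urlencode (rather than --data) keeps values containing '&', '=' or '%'
# intact, and -S makes curl report transport errors even in silent mode.
curl --request POST -sS \
  --url https://keycloak.mydomain.io/realms/gitlab/protocol/openid-connect/token \
  --header 'Content-Type: application/x-www-form-urlencoded' \
  --data-urlencode grant_type=password \
  --data-urlencode client_id=gitlab \
  --data-urlencode "client_secret=${KEYCLOAK_CLIENT_SECRET:?export KEYCLOAK_CLIENT_SECRET first}" \
  --data-urlencode username=user1 \
  --data-urlencode "password=${USER1_PASSWORD:?export USER1_PASSWORD first}" \
  --data-urlencode scope=openid | jq -r .access_token | jwt decode -j -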
Here is my decoded access_token:
{
"header": {
"typ": "JWT",
"alg": "RS256",
"kid": "q73TsJqpMHIq8MXwzlGBgSJcMNdo5BRq8DrammsbRfk"
},
"payload": {
"acr": "1",
"allowed-origins": [
"https://gitlab.mydomain.io",
"http://gitlab.mydomain.io"
],
"aud": "account",
"azp": "gitlab",
"email": "user1.expert@mydomain.io",
"email_verified": false,
"exp": 1713279669,
"family_name": "expert",
"given_name": "user1",
"iat": 1713279369,
"iss": "https://keycloak.mydomain.io/realms/gitlab",
"jti": "e8702cb6-4727-4580-b121-dae35947b195",
"name": "user1 expert",
"preferred_username": "user1",
"realm_access": {
"roles": [
"default-roles-gitlab",
"offline_access",
"uma_authorization"
]
},
"resource_access": {
"account": {
"roles": [
"manage-account",
"manage-account-links",
"view-profile"
]
}
},
"scope": "openid profile email",
"session_state": "0525de57-c08f-4772-b55d-689f1821a7ff",
"sid": "0525de57-c08f-4772-b55d-689f1821a7ff",
"sub": "f:08e35c73-e908-4ae2-bbad-2761d74ad3bd:user1",
"typ": "Bearer"
}
}
And here are my settings:
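# GitLab OmniAuth provider definition for Keycloak (OpenID Connect), as used by
# the Helm chart's omniauth provider secret.
# Indentation is significant: everything under `args:` and `client_options:`
# must be nested. Written flush-left, `name` would be declared twice at the top
# level and the client settings would never be read.
name: 'openid_connect'  # do not change this parameter
label: 'Keycloak'
# Login-button logo. This is fetched from a third-party image proxy at page
# load; hosting the icon with GitLab avoids the external dependency.
icon: 'https://imgs.search.brave.com/rxsziFGXRM-sUemIQjrKfk0JS7CxwIaV0Tpm5yAqu_0/rs:fit:860:0:0/g:ce/aHR0cHM6Ly91cGxv/YWQud2lraW1lZGlh/Lm9yZy93aWtpcGVk/aWEvY29tbW9ucy90/aHVtYi8yLzI5L0tl/eWNsb2FrX0xvZ28u/cG5nLzIyMHB4LUtl/eWNsb2FrX0xvZ28u/cG5n'
args:
  name: 'openid_connect'
  scope:
    - profile
    - email
    - openid
  response_type: 'code'
  issuer: 'https://keycloak.mydomain.io/realms/gitlab'
  # How GitLab presents client_id/client_secret to the token endpoint. The
  # reported failure, "Unauthorized client :: invalid client or invalid client
  # credentials", is the client-authentication step being rejected.
  # NOTE(review): confirm in Keycloak that the `gitlab` client is confidential
  # (client authentication enabled) and that its secret matches the one GitLab
  # holds; if both are right and it still fails, try 'basic' here — confirm
  # against the GitLab OmniAuth documentation for the installed version.
  client_auth_method: 'query'
  # The decoded access token above carries no `uid` claim, so 'uid' cannot map
  # a user. `preferred_username` is present in the token (`sub` would work too).
  uid_field: 'preferred_username'
  # Discovery is off, so every endpoint is listed explicitly in client_options
  # below; keep them in sync with the issuer if the realm is renamed.
  discovery: false
  send_scope_to_token_endpoint: false
  pkce: true
  client_options:
    identifier: 'gitlab'
    # Placeholder (constructed). The original post inlined the live client
    # secret; once a secret has been posted publicly it must be regenerated in
    # Keycloak. Inject it through the chart's secret instead of committing it.
    secret: '<KEYCLOAK_CLIENT_SECRET>'
    redirect_uri: 'https://gitlab.mydomain.io/users/auth/openid_connect/callback'
    authorization_endpoint: 'https://keycloak.mydomain.io/realms/gitlab/protocol/openid-connect/auth'
    token_endpoint: 'https://keycloak.mydomain.io/realms/gitlab/protocol/openid-connect/token'
    userinfo_endpoint: 'https://keycloak.mydomain.io/realms/gitlab/protocol/openid-connect/userinfo'
    end_session_endpoint: 'https://keycloak.mydomain.io/realms/gitlab/protocol/openid-connect/logout'
    jwks_uri: 'https://keycloak.mydomain.io/realms/gitlab/protocol/openid-connect/certs'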
And in the end, GitLab shows:
Could not authenticate you from OpenIDConnect because “Unauthorized client :: invalid client or invalid client credentials”.