OpenID Connect Invalid Client or credentials

Hello everyone,

I am trying to authenticate on GitLab via the OpenID Connect service. I followed this documentation: Use OpenID Connect as an OAuth 2.0 authentication provider | GitLab. However, I still encounter an issue.

I am correctly redirected to my OpenID provider and am able to log in. If I enter a wrong password, the provider tells me that it does not know me, which is fine. But as soon as I enter the correct credentials, GitLab throws me this error with no more information on what is going on.

Could not authenticate you from OpenIDConnect because "Invalid client :: invalid client or client credentials.".

It seems that GitLab does not know where to find my user or what permissions it has to give.
Since it's an already existing account, I already tried to link my account while I am logged in via
Setting/account/OpenIDproviderXXX

I am running short on options. Is there any way to have a more explicit traceback?

Thanks


I have the same problem after a Helm installation…
I can even retrieve the user access token, but GitLab still doesn't let this user log in.

curl --request POST -s \
--url https://keycloak.mydomain.io/realms/gitlab/protocol/openid-connect/token \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data grant_type=password \
--data client_id=gitlab \
--data client_secret=xxxxx \
--data username=user1 \
--data password=password \
--data scope=openid | jq -r .access_token | jwt decode -j -

Here is my access_token:

{
  "header": {
    "typ": "JWT",
    "alg": "RS256",
    "kid": "q73TsJqpMHIq8MXwzlGBgSJcMNdo5BRq8DrammsbRfk"
  },
  "payload": {
    "acr": "1",
    "allowed-origins": [
      "https://gitlab.mydomain.io",
      "http://gitlab.mydomain.io"
    ],
    "aud": "account",
    "azp": "gitlab",
    "email": "user1.expert@mydomain.io",
    "email_verified": false,
    "exp": 1713279669,
    "family_name": "expert",
    "given_name": "user1",
    "iat": 1713279369,
    "iss": "https://keycloak.mydomain.io/realms/gitlab",
    "jti": "e8702cb6-4727-4580-b121-dae35947b195",
    "name": "user1 expert",
    "preferred_username": "user1",
    "realm_access": {
      "roles": [
        "default-roles-gitlab",
        "offline_access",
        "uma_authorization"
      ]
    },
    "resource_access": {
      "account": {
        "roles": [
          "manage-account",
          "manage-account-links",
          "view-profile"
        ]
      }
    },
    "scope": "openid profile email",
    "session_state": "0525de57-c08f-4772-b55d-689f1821a7ff",
    "sid": "0525de57-c08f-4772-b55d-689f1821a7ff",
    "sub": "f:08e35c73-e908-4ae2-bbad-2761d74ad3bd:user1",
    "typ": "Bearer"
  }
}

And here are my settings:

name: 'openid_connect' # do not change this parameter
label: 'Keycloak'
icon: 'https://imgs.search.brave.com/rxsziFGXRM-sUemIQjrKfk0JS7CxwIaV0Tpm5yAqu_0/rs:fit:860:0:0/g:ce/aHR0cHM6Ly91cGxv/YWQud2lraW1lZGlh/Lm9yZy93aWtpcGVk/aWEvY29tbW9ucy90/aHVtYi8yLzI5L0tl/eWNsb2FrX0xvZ28u/cG5nLzIyMHB4LUtl/eWNsb2FrX0xvZ28u/cG5n'
args:
  name: 'openid_connect'
  scope:
    - profile
    - email
    - openid
  response_type: 'code'
  issuer: 'https://keycloak.mydomain.io/realms/gitlab'
  client_auth_method: 'query' # query
  uid_field: 'uid' # or preferred_username
  discovery: false
  send_scope_to_token_endpoint: false
  pkce: true
  client_options:
    identifier: 'gitlab'
    secret: '0TKMyklbS2LBacqw9on5ev4KIEGCqUKG'
    redirect_uri: 'https://gitlab.mydomain.io/users/auth/openid_connect/callback'
    authorization_endpoint: 'https://keycloak.mydomain.io/realms/gitlab/protocol/openid-connect/auth'
    token_endpoint: 'https://keycloak.mydomain.io/realms/gitlab/protocol/openid-connect/token'
    userinfo_endpoint: 'https://keycloak.mydomain.io/realms/gitlab/protocol/openid-connect/userinfo'
    end_session_endpoint: 'https://keycloak.mydomain.io/realms/gitlab/protocol/openid-connect/logout'
    jwks_uri: 'https://keycloak.mydomain.io/realms/gitlab/protocol/openid-connect/certs'

And in the end, it shows:
Could not authenticate you from OpenIDConnect because “Unauthorized client :: invalid client or invalid client credentials”.