Configuring authorization via Keycloak

Dear friends. Configuring authorization via Keycloak. I have installed the plugin, the redirect is working, but something is not going through to the end.
After entering the username and password, it returns to Taiga but writes an error:
Our Oompa Loompas have not been able to get your credentials from OpenID.
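/conf.json (front-end configuration template). The access log further down shows the browser fetching this file, so every value in it, including `openidClientSecret`, is readable by any visitor. The key `contribPlugins` also appears twice in it, on the `${CONTRIB_PLUGINS}` line and again on the last line.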

{
    "api": "${TAIGA_URL}${TAIGA_SUBPATH}/api/v1/",
    "eventsUrl": "${TAIGA_WEBSOCKETS_URL}${TAIGA_SUBPATH}/events",
    "baseHref": "${TAIGA_SUBPATH}/",
    "eventsMaxMissedHeartbeats": 5,
    "eventsHeartbeatIntervalTime": 60000,
    "eventsReconnectTryInterval": 10000,
    "debug": ${DEBUG},
    "debugInfo": ${DEBUG},
    "defaultLanguage": "${DEFAULT_LANGUAGE}",
    "themes": ["taiga"],
    "defaultTheme": "taiga",
    "defaultLoginEnabled": true,
    "publicRegisterEnabled": ${PUBLIC_REGISTER_ENABLED},
    "feedbackEnabled": true,
    "supportUrl": "https://community.taiga.io/",
    "privacyPolicyUrl": null,
    "termsOfServiceUrl": null,
    "maxUploadFileSize": null,
    "contribPlugins": ${CONTRIB_PLUGINS},
    "gitHubClientId": "${GITHUB_CLIENT_ID}",
    "gitLabClientId": "${GITLAB_CLIENT_ID}",
    "gitLabUrl": "${GITLAB_URL}",
    "tagManager": { "accountId": null },
    "tribeHost": null,
    "enableAsanaImporter": false,
    "enableGithubImporter": ${ENABLE_GITHUB_IMPORTER},
    "enableJiraImporter": ${ENABLE_JIRA_IMPORTER},
    "enableTrelloImporter": ${ENABLE_TRELLO_IMPORTER},
    "gravatar": false,
    "rtlLanguages": [
        "ar",
        "fa",
        "he"
    ],
    "openidAuth": "${OPENID_URL}",
    "openidClientId": "${OPENID_CLIENT_ID}",
    "openidClientSecret": "${OPENID_CLIENT_SECRET}",
    "openidName": "${OPENID_NAME}",
    "openidScope": "${OPENID_SCOPE}",
    "contribPlugins": ["/plugins/openid-auth/openid-auth.json"]
}

/taiga.conf

# Reverse proxy for Taiga: forwards the front end, the API and the admin site to the
# taiga-front / taiga-back containers and serves static and media files from disk.
server {
    # Plain HTTP only, so $scheme is always "http" inside this server block.
    # NOTE(review): the post says an HTTPS portal sits in front of this server; if TLS
    # is terminated there, the X-Forwarded-Proto sent below will still say "http".
    # Confirm the back end builds the same redirect URI that is registered in Keycloak.
    listen 80;
    server_name taiga.handyman.moscow;
    # Upper bound on request bodies (uploads) accepted by this server.
    client_max_body_size 100M;
    charset utf-8;

    # Frontend: everything not matched by a more specific location goes to taiga-front.
    location / {
        # Trailing slash on the upstream URL: the matched "/" prefix is replaced by "/".
        proxy_pass http://taiga-taiga-front-1/;
        # $http_host is the Host header exactly as the client sent it.
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        # $proxy_add_x_forwarded_for appends the peer address to whatever
        # X-Forwarded-For the client already sent; earlier entries are client-controlled.
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        # Location/Refresh headers from the upstream are passed through unmodified.
        proxy_redirect off;
    }

    # API: proxy_pass has no URI part, so the request path (/api/...) is forwarded as is.
    location /api/ {
        proxy_pass http://taiga-taiga-back-1:8000;
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_redirect off;
    }

    # Admin: forwarded to the back end's /admin/ path.
    # NOTE(review): no allow/deny or auth directive is set here, so the admin site is
    # reachable by anyone who can reach this server; restrict it if that is not intended.
    location /admin/ {
        proxy_pass http://taiga-taiga-back-1:8000/admin/;
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_redirect off;
    }

    # Static files: served straight from the local directory, cached as long as possible.
    location /static/ {
        alias /taiga/static/;
        expires max;
        log_not_found off;
        access_log off;
    }

    # Media files: served straight from the local directory, bypassing the back end.
    # NOTE(review): presumably this holds user attachments; nginx applies no access
    # check here and access logging is off, so downloads leave no trace. Confirm that
    # this matches the intended exposure.
    location /media/ {
        alias /taiga/media/;
        expires max;
        log_not_found off;
        access_log off;
    }
}

“GET /conf.json HTTP/1.1” 304 0
“POST /api/v1/auth HTTP/1.1” 405 559

There is also an HTTPS-portal through which I receive an SSL certificate for the domain.

How can I fix this? Please help me. I haven’t been able to handle this for 3 days now.

Hi @glazole , I don’t use Keycloak but have recently been spending a lot of time getting an OIDC flow working with Taiga.

The error is a generic one when the plugin was unable to determine the true cause of the error.

Which OIDC plugin are you using, for Taiga? There are several different ones, all with different types of bugs :slight_smile: Is it GitHub - robrotheram/taiga-contrib-openid-auth: Taiga plugin for openid authentication ?

The error implies that your Keycloak returned to the callback URL with an error of some sort.

I would start by checking the URL address bar in your browser when it occurs, as there might be ‘error’ or ‘error_description’ attributes as query parameters, that might tell you more. If there are not, check your web traffic logs as well, you might find the error as a query parameter logged in the URL anyway.

Also check your Keycloak side, are there any errors logged there?

I’ve read that some people have gleaned more info by setting DEBUG=True in config.py (and then presumably watching the logs of the taiga-back component)


Thank you so much @mig5 !! I think I have solved this problem. I had an incorrect redirect. I made the necessary settings in Keycloak. I did this NGINX setup and everything worked) But it just takes a very long time to open the pages of the Taiga.
And you are right! I used GitHub - robrotheram/taiga-contrib-openid-auth: Taiga plugin for openid authentication.

This is what my NGINX looks like now:

# Reverse proxy for Taiga: front end, API and websocket traffic are forwarded to the
# taiga-front, taiga-back and taiga-events upstreams.
server {
    # Plain HTTP only, so $scheme is always "http" inside this server block.
    listen 80;
    # NOTE(review): nginx compares server_name with the host name without the port, so a
    # name that contains ":9001" is unlikely to ever match. This block would then only
    # be used as the default server for the socket. Confirm and drop the port.
    server_name 192.168.150.26:9001;

    # Front end: everything not matched by a more specific location.
    location / {
        proxy_pass http://taiga-front:80;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        # Appends the peer address to any X-Forwarded-For the client already sent;
        # earlier entries in that header are client-controlled.
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # NOTE(review): always "http" here; if TLS is terminated by a proxy in front of
        # this server, the back end will see the wrong scheme. Confirm.
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_buffers 16 4k;
        proxy_buffer_size 8k;
        proxy_read_timeout 60s;
        proxy_send_timeout 60s;
        keepalive_timeout 75s;
    }

    # API: proxy_pass has no URI part, so the request path is forwarded unchanged.
    # The prefix has no trailing slash, so it also matches paths such as /apiXYZ.
    location /api {
        proxy_pass http://taiga-back:8000;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_buffers 16 4k;
        proxy_buffer_size 8k;
        proxy_read_timeout 60s;
        proxy_send_timeout 60s;
    }

    # Websocket upgrade to taiga-events.
    # NOTE(review): the conf.json shown earlier on this page builds eventsUrl with an
    # "/events" path, while this location matches "/websocket". Verify they agree.
    location /websocket {
        proxy_pass http://taiga-events:8888;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_read_timeout 60s;
    }

    # Cache headers for common asset extensions.
    # A regex location is preferred over the "/" and "/api" prefix locations for any URI
    # it matches, and this one contains no proxy_pass, root or alias, so matching
    # requests are answered from nginx's own document root instead of being proxied.
    # NOTE(review): that may be related to the slow pages and the attachments that do
    # not open, as described in the post. Confirm against the error log.
    location ~* \.(?:ico|css|js|gif|jpe?g|png|woff2?|eot|ttf|svg)$ {
        expires 6M; 
        access_log off;
        add_header Cache-Control "public";
    }

    # Logs
    error_log /var/log/nginx/taiga_error.log;
    access_log /var/log/nginx/taiga_access.log;

    # Global parameters
    # Upper bound on request bodies (uploads) accepted by this server.
    client_max_body_size 250M;
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_requests 100;
    keepalive_timeout 75;
}

But I’m not good at NGINX. The Taiga pages take a very long time to open.
I’m currently trying to solve 2 new problems: the page loading speed, and why the files that I attach to the project don’t open.


After I click on the file, a window opens, but the download wheel is spinning all the time.


It was necessary to set up the storage.
