keycloak multi login #31

Open
VivianBass opened this issue May 9, 2022 · 1 comment
Comments

@VivianBass (Contributor)

In SIAgro we have 7 different Zendro instances for each project and we need to have users and roles defined for each of them.

Ideally, if a user has a username USER and has access to different instances, we wish to have the same username with different roles in each instance, e.g. in instance_1 it could have editor permissions and in instance_2 it could have read permissions only.

For now, if a single keycloak service is created to manage everything in the same place, we can automatically log in to all instances without being asked for credentials again in the other instances (unexpected behavior, because not all users will have access to all instances).

On the other hand, if we create independent keycloak services for each instance, it does ask for credentials, but in both cases (1. same keycloak service and 2. different keycloak services), if we have the same username in the instances, the following error sometimes appears:

Error: connect ECONNREFUSED 10.5.0.11.4000

What we need is to be able to have the same username in different instances so a user doesn't have to remember 4, 5 or 6 different usernames.

@VivianBass (Contributor, Author) commented May 11, 2022

Possible solution: change role names in keycloak for each instance.

  • I changed the names in ./graphql-server/utils/setup-keycloak.js
  • I'm getting this error when I try to log in in the SPA. This happens when the keycloak login interface of instance 1 is open, I log in to instance 2, return to instance 1 and try to log in. If I click the button "Sign in with zendro" I can log in. This will be very unlikely to happen in the normal workflow, because a user doesn't switch interfaces like this when trying to log in:
[next-auth][error][JWT_SESSION_ERROR] 
https://next-auth.js.org/errors#jwt_session_error decryption operation failed {
  message: 'decryption operation failed',
  stack: 'JWEDecryptionFailed: decryption operation failed\n' +
    '    at gcmDecrypt (/usr/single-page-app/node_modules/jose/dist/node/cjs/runtime/decrypt.js:67:15)\n' +
    '    at decrypt (/usr/single-page-app/node_modules/jose/dist/node/cjs/runtime/decrypt.js:92:20)\n' +
    '    at flattenedDecrypt (/usr/single-page-app/node_modules/jose/dist/node/cjs/jwe/flattened/decrypt.js:119:52)\n' +
    '    at processTicksAndRejections (internal/process/task_queues.js:95:5)\n' +
    '    at async compactDecrypt (/usr/single-page-app/node_modules/jose/dist/node/cjs/jwe/compact/decrypt.js:18:23)\n' +
    '    at async jwtDecrypt (/usr/single-page-app/node_modules/jose/dist/node/cjs/jwt/decrypt.js:8:23)\n' +
    '    at async Object.decode (/usr/single-page-app/node_modules/next-auth/jwt/index.js:64:7)\n' +
    '    at async Object.session (/usr/single-page-app/node_modules/next-auth/core/routes/session.js:41:28)\n' +
    '    at async NextAuthHandler (/usr/single-page-app/node_modules/next-auth/core/index.js:96:27)\n' +
    '    at async NextAuthNextHandler (/usr/single-page-app/node_modules/next-auth/next/index.js:21:19)\n' +
    '    at async /usr/single-page-app/node_modules/next-auth/next/index.js:57:32\n' +
    '    at async Object.apiResolver (/usr/single-page-app/node_modules/next/dist/server/api-utils/node.js:184:9)\n' +
    '    at async NextNodeServer.runApi (/usr/single-page-app/node_modules/next/dist/server/next-server.js:397:9)\n' +
    '    at async Object.fn (/usr/single-page-app/node_modules/next/dist/server/base-server.js:473:37)\n' +
    '    at async Router.execute (/usr/single-page-app/node_modules/next/dist/server/router.js:233:32)\n' +
    '    at async NextNodeServer.run (/usr/single-page-app/node_modules/next/dist/server/base-server.js:583:29)',
  name: 'JWEDecryptionFailed'
}
[next-auth][error][OAUTH_CALLBACK_ERROR] 
https://next-auth.js.org/errors#oauth_callback_error checks.state argument is missing {
  error: {
    message: 'checks.state argument is missing',
    stack: 'TypeError: checks.state argument is missing\n' +
      '    at Client.callback (/usr/single-page-app/node_modules/openid-client/lib/client.js:385:13)\n' +
      '    at oAuthCallback (/usr/single-page-app/node_modules/next-auth/core/lib/oauth/callback.js:112:29)\n' +
      '    at processTicksAndRejections (internal/process/task_queues.js:95:5)\n' +
      '    at async Object.callback (/usr/single-page-app/node_modules/next-auth/core/routes/callback.js:50:11)\n' +
      '    at async NextAuthHandler (/usr/single-page-app/node_modules/next-auth/core/index.js:139:28)\n' +
      '    at async NextAuthNextHandler (/usr/single-page-app/node_modules/next-auth/next/index.js:21:19)\n' +
      '    at async /usr/single-page-app/node_modules/next-auth/next/index.js:57:32\n' +
      '    at async Object.apiResolver (/usr/single-page-app/node_modules/next/dist/server/api-utils/node.js:184:9)\n' +
      '    at async NextNodeServer.runApi (/usr/single-page-app/node_modules/next/dist/server/next-server.js:397:9)\n' +
      '    at async Object.fn (/usr/single-page-app/node_modules/next/dist/server/base-server.js:473:37)\n' +
      '    at async Router.execute (/usr/single-page-app/node_modules/next/dist/server/router.js:233:32)\n' +
      '    at async NextNodeServer.run (/usr/single-page-app/node_modules/next/dist/server/base-server.js:583:29)\n' +
      '    at async NextNodeServer.handleRequest (/usr/single-page-app/node_modules/next/dist/server/base-server.js:298:20)',
    name: 'TypeError'
  },
  providerId: 'zendro',
  message: 'checks.state argument is missing'
}
[next-auth][error][CALLBACK_OAUTH_ERROR] 
https://next-auth.js.org/errors#callback_oauth_error checks.state argument is missing TypeError: checks.state argument is missing
    at Client.callback (/usr/single-page-app/node_modules/openid-client/lib/client.js:385:13)
    at oAuthCallback (/usr/single-page-app/node_modules/next-auth/core/lib/oauth/callback.js:112:29)
    at processTicksAndRejections (internal/process/task_queues.js:95:5)
    at async Object.callback (/usr/single-page-app/node_modules/next-auth/core/routes/callback.js:50:11)
    at async NextAuthHandler (/usr/single-page-app/node_modules/next-auth/core/index.js:139:28)
    at async NextAuthNextHandler (/usr/single-page-app/node_modules/next-auth/next/index.js:21:19)
    at async /usr/single-page-app/node_modules/next-auth/next/index.js:57:32
    at async Object.apiResolver (/usr/single-page-app/node_modules/next/dist/server/api-utils/node.js:184:9)
    at async NextNodeServer.runApi (/usr/single-page-app/node_modules/next/dist/server/next-server.js:397:9)
    at async Object.fn (/usr/single-page-app/node_modules/next/dist/server/base-server.js:473:37)
    at async Router.execute (/usr/single-page-app/node_modules/next/dist/server/router.js:233:32)
    at async NextNodeServer.run (/usr/single-page-app/node_modules/next/dist/server/base-server.js:583:29)
    at async NextNodeServer.handleRequest (/usr/single-page-app/node_modules/next/dist/server/base-server.js:298:20) {
  name: 'OAuthCallbackError',
  code: undefined
}
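As an added illustration of the per-instance role naming suggested above (this is example code, not Zendro's setup-keycloak.js): with one Keycloak realm shared by several instances, naming realm roles "<instance>:<role>" lets the same username carry editor rights in instance_1 and read-only rights in instance_2, and lets each instance grant access only on roles scoped to itself. The "instance:role" convention, the sample token and the helper names are assumptions for this example.

```javascript
// Added example (not Zendro's code): resolve a user's roles for ONE Zendro
// instance when a single Keycloak realm serves several instances.
// Convention assumed here: realm roles are named "<instance>:<role>", so a
// user can be "instance_1:editor" and "instance_2:reader" at the same time.
// Roles without an instance prefix are ignored for instance-scoped checks,
// so the shared realm never grants an instance access by accident.
const ROLE_SEPARATOR = ":";

// Decode the payload of a compact JWT WITHOUT verifying its signature.
// Only for reading claims after next-auth/openid-client has already
// validated the token; this is not an authentication step.
function decodeJwtPayload(token) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("not a compact JWS");
  return JSON.parse(Buffer.from(parts[1], "base64url").toString("utf8"));
}

// Return only the roles the token grants for `instance`, prefix stripped.
function rolesForInstance(claims, instance) {
  const realmRoles = (claims.realm_access && claims.realm_access.roles) || [];
  const prefix = instance + ROLE_SEPARATOR;
  return realmRoles
    .filter((r) => r.startsWith(prefix))
    .map((r) => r.slice(prefix.length));
}

// Authorization decision for this instance: no instance-scoped role, no access.
function canAccess(claims, instance, requiredRole) {
  return rolesForInstance(claims, instance).includes(requiredRole);
}

// Constructed sample token: header and signature are placeholders, the
// payload mimics a Keycloak access token with instance-prefixed realm roles.
function sampleToken() {
  const payload = {
    preferred_username: "USER",
    realm_access: { roles: ["instance_1:editor", "instance_2:reader", "offline_access"] },
  };
  const b64 = (o) => Buffer.from(JSON.stringify(o)).toString("base64url");
  return `${b64({ alg: "RS256", typ: "JWT" })}.${b64(payload)}.placeholder-signature`;
}

const claims = decodeJwtPayload(sampleToken());
console.log(rolesForInstance(claims, "instance_1")); // [ 'editor' ]
console.log(canAccess(claims, "instance_2", "editor")); // false
console.log(canAccess(claims, "instance_3", "reader")); // false
```

Note that this only separates authorization per instance; it does not change the single-sign-on behaviour of a shared realm, where a session established for one instance is reused by the others.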
