OAUTH2 HTTPS PROBLEM #4038
-
Sorry, to continue with the question #4010 (Problems with versions 0.5.0 and 0.7.1): I uploaded the provectuslabs/kafka-ui container version 0.7.1 to ECR and use it with ECS, and I configured Azure AD for login: AUTH_TYPE=OAUTH2

To access the web page, I placed an AWS ALB to use the https protocol. After I log in to Azure AD and when it comes back I receive the following error:

A few seconds later the error changes to:

What could be the cause of the error?

Thanks in advance.
Sergio
-
Hi LarsBingBong,
The information comes from the page:
https://docs.kafka-ui.provectus.io/configuration/authentication/sso-guide
Where it was written:
"After that need to provide callback URLs, in our case we will use
https://127.0.0.1:8080/login/oauth2/code/auth0"
In my case I replaced the "127.0.0.1" with the name of the server in the
DNS and the auth0 by name (AZUREAD) that I use:
{
"name": "AUTH_OAUTH2_CLIENT_AZUREAD_SCOPE",
"value": "https://graph.microsoft.com/User.Read"
},
{
"name": "AUTH_ENABLED",
"value": "true"
},
{
"name": "AUTH_OAUTH2_CLIENT_AZUREAD_CLIENTID",
"value": "......"
},
{
"name": "AUTH_OAUTH2_CLIENT_AZUREAD_ISSUER_URI",
"value": "https://login.microsoftonline.com/..../v2.0"
},
{
"name": "AUTH_OAUTH2_CLIENT_AZUREAD_CLIENT_NAME",
"value": "Kafka-UI"
},
{
"name": "AUTH_TYPE",
"value": "OAUTH2"
},
{
"name": "AUTH_OAUTH2_CLIENT_AZUREAD_REDIRECT_URI",
"value": "https://server_name:8080/login/oauth2/code/AZUREAD"
},
{
"name": "AUTH_OAUTH2_CLIENT_AZUREAD_CLIENTSECRET",
"value": "......"
},
{
"name": "AUTH_OAUTH2_CLIENT_AZUREAD_PROVIDER",
"value": "AZURE"
},
{
"name": "AUTH_OAUTH2_CLIENT_AZUREAD_USER_NAME_ATTRIBUTE",
"value": "email"
}
I understand that in your case (https://docs.kafka-ui.provectus.io/configuration/authentication/oauth2):
{
"name": "auth_oauth2_client_keycloak_scope",
"value": "openid"
},
{
"name": "auth_enabled",
"value": "true"
},
{
"name": "auth_oauth2_client_keycloak_clientid",
"value": "......"
},
{
"name": "auth_oauth2_client_keycloak_issuer_uri",
"value": "https://<keycloak_instance>/auth/realms/<realm>"
},
{
"name": "auth_oauth2_client_keycloak_client_name",
"value": "Kafka-UI"
},
{
"name": "auth_type",
"value": "OAUTH2"
},
{
"name": "auth_oauth2_client_keycloak_redirect_uri",
"value": "https://server_name:8080/login/oauth2/code/keycloak"
},
{
"name": "auth_oauth2_client_keycloak_clientsecret",
"value": "......"
},
{
"name": "auth_oauth2_client_keycloak_provider",
"value": "keycloak"
},
{
"name": "auth_oauth2_client_keycloak_user_name_attribute",
"value": "preferred_username"
}
I recommend that you try it in parts:
1. Redirect to SSO login
2. Login to SSO
3. Redirect to the container
Regards,
Sergio
On Sat, 26 Aug 2023 at 18:55, LarsBingBong (***@***.***) wrote:
… @SergioStekolschik <https://github.com/SergioStekolschik> ,
How did you figure out the value to use on the redirect-uri property? I'm
trying to enable oauth2/oidc via Keycloak on a kafka-ui v0.7.1 instance.
Thank you very much
I finally got it (version 0.7.1) to work, with:
AUTH_ENABLED=true
AUTH_TYPE=OAUTH2
AUTH_OAUTH2_CLIENT_AZUREAD_CLIENT_NAME=Kafka-UI
AUTH_OAUTH2_CLIENT_AZUREAD_CLIENTID=xxxxx
AUTH_OAUTH2_CLIENT_AZUREAD_CLIENTSECRET=xxxxx
AUTH_OAUTH2_CLIENT_AZUREAD_SCOPE=https://graph.microsoft.com/User.Read
AUTH_OAUTH2_CLIENT_AZUREAD_PROVIDER=AZURE
AUTH_OAUTH2_CLIENT_AZUREAD_ISSUER_URI=https://login.microsoftonline.com/xxxx/v2.0
AUTH_OAUTH2_CLIENT_AZUREAD_REDIRECT_URI=https://xxxxxxxx:8080/login/oauth2/code/AZUREAD
Regards,
Sergio
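
An added example, not part of the thread and not kafka-ui code: a small Python check that the redirect URI in an ECS-style environment list uses https, carries the `/login/oauth2/code/` callback path quoted from the SSO guide, and ends in the same client name that appears in the variable names (AZUREAD or keycloak above). The function name, the sample list and the case-insensitive comparison of the client name are assumptions made for this illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed sample in the name/value shape used in the thread.
SAMPLE_ENV = [
    {"name": "AUTH_TYPE", "value": "OAUTH2"},
    {"name": "AUTH_ENABLED", "value": "true"},
    {"name": "AUTH_OAUTH2_CLIENT_AZUREAD_PROVIDER", "value": "AZURE"},
    {"name": "AUTH_OAUTH2_CLIENT_AZUREAD_REDIRECT_URI",
     "value": "https://server_name:8080/login/oauth2/code/AZUREAD"},
]

# Client name is the segment between CLIENT_ and _REDIRECT_URI.
KEY_RE = re.compile(r"^AUTH_OAUTH2_CLIENT_(\w+)_REDIRECT_URI$")
CALLBACK_PREFIX = "/login/oauth2/code/"  # path quoted from the SSO guide


def check_redirect_uris(env):
    """Return a list of problems; an empty list means the settings agree."""
    # Upper-case the names so the lower-case Keycloak variant is covered too.
    settings = {e["name"].upper(): e["value"].strip() for e in env}
    problems = []
    if settings.get("AUTH_TYPE") != "OAUTH2":
        problems.append("AUTH_TYPE is not OAUTH2")
    found = False
    for name, value in settings.items():
        match = KEY_RE.match(name)
        if not match:
            continue
        found = True
        client = match.group(1)
        url = urlsplit(value)
        if url.scheme != "https":
            problems.append(f"{name}: scheme is {url.scheme!r}, expected https")
        if not url.hostname:
            problems.append(f"{name}: no host in {value!r}")
        if not url.path.startswith(CALLBACK_PREFIX):
            problems.append(f"{name}: path lacks {CALLBACK_PREFIX}")
        # Assumption: client name is compared case-insensitively.
        elif url.path[len(CALLBACK_PREFIX):].lower() != client.lower():
            problems.append(f"{name}: last segment does not match {client!r}")
    if not found:
        problems.append("no AUTH_OAUTH2_CLIENT_<name>_REDIRECT_URI set")
    return problems
```

The same URI also has to be registered as a callback URL at the identity provider, which this check cannot see.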