# troubleshoot

Hi all - looking for some help regarding OIDC using Keycloak! I have managed to set up DataHub to run on minikube locally. Keycloak is also running via minikube and is being exposed with an ingress. In addition, I also followed these instructions: https://minikube.sigs.k8s.io/docs/tutorials/custom_cert_ingress/ to enable TLS for that ingress. To enable OIDC with Keycloak for DataHub I added the following to the values.yaml:
```yaml
extraEnvs:
    - name: AUTH_OIDC_ENABLED
      value: "true"
    - name: AUTH_OIDC_CLIENT_ID
      value: datahub-frontend
    - name: AUTH_OIDC_CLIENT_SECRET
      value: <secret>
    - name: AUTH_OIDC_DISCOVERY_URI
      value: https://keycloak.192.168.49.2.nip.io/realms/datahub/.well-known/openid-configuration
    - name: AUTH_OIDC_BASE_URL
      value: http://192.168.49.1:9002
```
Then ran:
```shell
helm install datahub datahub/datahub --values values.yaml
```
However, when accessing http://192.168.49.1:9002 I get the message "Oops an error occurred" on the front end. The datahub-frontend pod logs show the following:
```
Unexpected exception[CompletionException: org.pac4j.core.exception.TechnicalException: javax.net.ssl.SSLHandshakeException: PKIX path building failed:sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
```
I note that @handsome-football-66174 had a similar error which was due to a problem with the Java server not being able to trust the SSL certificate. I have tried following the suggestions from @big-carpet-38439 and @orange-night-91387 on the thread here: https://datahubspace.slack.com/archives/C029A3M079U/p1644017149655469?thread_ts=1643841330.686689&cid=C029A3M079U. To create the certificate I used mkcert and ran the following commands:
1) mkcert -install to create a local CA certificate and add it to the Java truststore
2) mkcert -key-file key.pem -cert-file cert.pem keycloak.192.168.49.2.nip.io *.keycloak.192.168.49.2.nip.io to create a locally trusted certificate
I then created a ConfigMap, copied the contents of the truststore (cacerts file) into it, and added the JAVA_OPTS, extraVolumes and extraVolumeMounts similar to here: https://datahubspace.slack.com/archives/C029A3M079U/p1644017149655469?thread_ts=1643841330.686689&cid=C029A3M079U Any help would be much appreciated! Thanks.

Questions/suggestions about this:
1. Where did you add these extraEnvs? In the datahub-frontend? If yes, ok!
2. I've also added the AUTH_OIDC_SCOPE, USER_NAME_CLAIM and the REGEX, I don't know if it's crucial or not, but ok.
3. The value of my OIDC_CLIENT_ID is between quotation marks, maybe it could help.
About the ingress, I've not enabled TLS and it's working...

Interesting - is it still the error around SSL?
I think this is simply that the frontend container does not trust your IdP, it most likely is using a self-signed certificate

I tried to overcome the self-signed certificate issue by using mkcert (https://github.com/FiloSottile/mkcert). This is taken from their GitHub for reference:
> Using certificates from real certificate authorities (CAs) for development can be dangerous or impossible (for hosts like example.test, localhost or 127.0.0.1), but self-signed certificates cause trust errors. Managing your own CA is the best solution, but usually involves arcane commands, specialized knowledge and manual steps.
>
> mkcert automatically creates and installs a local CA in the system root store, and generates locally-trusted certificates. mkcert does not automatically configure servers to use the certificates, though, that's up to you.
The mkcert library adds the local CA to the Java truststore. I copied the contents of cacerts to a file called truststore.jdk and added this as a Data attribute within a ConfigMap
```yaml
datahub-frontend:
  ...
  extraEnvs:
    - name: AUTH_OIDC_ENABLED
      value: "true"
    - name: AUTH_OIDC_CLIENT_ID
      value: datahub-frontend
    - name: AUTH_OIDC_CLIENT_SECRET
      value: 3HKSBF5r7OesXsPNnmNE8FeCHMyPPnc7
    - name: AUTH_OIDC_DISCOVERY_URI
      value: https://keycloak.192.168.49.2.nip.io/realms/datahub/.well-known/openid-configuration
    - name: AUTH_OIDC_BASE_URL
      value: http://192.168.49.1:9002
    # JAVA_OPTS for configuring a custom truststore (for mkcert).
    # The trustStore path must sit under the extraVolumeMounts mountPath below.
    - name: JAVA_OPTS
      value: |-
        -Xms512m
        -Xmx1024m
        -Dhttp.port=9002
        -Dconfig.file=datahub-frontend/conf/application.conf
        -Djava.security.auth.login.config=datahub-frontend/conf/jaas.conf
        -Dlogback.configurationFile=datahub-frontend/conf/logback.xml
        -Dlogback.debug=false
        -Dpidfile.path=/dev/null
        -Djavax.net.ssl.trustStore=/etc/truststore/truststore.jdk
        -Djavax.net.ssl.trustStorePassword=changeit
  extraVolumes:
    - name: config-volume
      configMap:
        # Provide the name of the ConfigMap containing the files you want
        # to add to the container
        name: truststore-configmap
  extraVolumeMounts:
    - name: config-volume
      mountPath: /etc/truststore
      readOnly: true
```
And the ConfigMap:
```yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: truststore-configmap
data:
  truststore.jdk: |-
    debian:mkcert_development_ca_295197005253883957369769066988969075093.pem, Mar 27, 2022, trustedCertEntry, 
    Certificate fingerprint (SHA-256): E3:D4:06:CF:8E:39:7A:....etc
```
Perhaps mkcert doesn't get past the issue of self-signed certificates and I will have to get a certificate from my organisation!

You are awesome @brief-businessperson-12356! I'm beginning to think we need some deployment guide on this topic...

Is the SSL cert necessary in order to get OIDC working? I'm having a similar issue where I enabled all the ENV vars as per the docs but am running into the "Oops" error:
```
13:37:29 [application-akka.actor.default-dispatcher-2] ERROR application - 

! @7oe488g58 - Internal server error, for (GET) [/authenticate?redirect_uri=%2F] ->
 
play.api.UnexpectedException: Unexpected exception[TechnicalException: java.net.ConnectException: Connection refused (Connection refused)]
        at play.api.http.HttpErrorHandlerExceptions$.throwableToUsefulException(HttpErrorHandler.scala:340)
        at play.api.http.DefaultHttpErrorHandler.onServerError(HttpErrorHandler.scala:263)
        at play.core.server.AkkaHttpServer$$anonfun$1.applyOrElse(AkkaHttpServer.scala:443)
        at play.core.server.AkkaHttpServer$$anonfun$1.applyOrElse(AkkaHttpServer.scala:441)
        at scala.concurrent.Future.$anonfun$recoverWith$1(Future.scala:417)
        at scala.concurrent.impl.Promise.$anonfun$transformWith$1(Promise.scala:41)
        at scala.concurrent.impl.CallbackRunnable.run(Promise.scala:64)
        at akka.dispatch.BatchingExecutor$AbstractBatch.processBatch(BatchingExecutor.scala:55)
        at akka.dispatch.BatchingExecutor$BlockableBatch.$anonfun$run$1(BatchingExecutor.scala:92)
        at scala.runtime.java8.JFunction0$mcV$sp.apply(JFunction0$mcV$sp.java:23)
        at scala.concurrent.BlockContext$.withBlockContext(BlockContext.scala:85)
        at akka.dispatch.BatchingExecutor$BlockableBatch.run(BatchingExecutor.scala:92)
        at akka.dispatch.TaskInvocation.run(AbstractDispatcher.scala:41)
        at akka.dispatch.ForkJoinExecutorConfigurator$AkkaForkJoinTask.exec(ForkJoinExecutorConfigurator.scala:49)
        at akka.dispatch.forkjoin.ForkJoinTask.doExec(ForkJoinTask.java:260)
        at akka.dispatch.forkjoin.ForkJoinPool$WorkQueue.runTask(ForkJoinPool.java:1339)
        at akka.dispatch.forkjoin.ForkJoinPool.runWorker(ForkJoinPool.java:1979)
        at akka.dispatch.forkjoin.ForkJoinWorkerThread.run(ForkJoinWorkerThread.java:107)
Caused by: org.pac4j.core.exception.TechnicalException: java.net.ConnectException: Connection refused (Connection refused)
        at org.pac4j.oidc.config.OidcConfiguration.internalInit(OidcConfiguration.java:136)
        at org.pac4j.core.util.InitializableObject.init(InitializableObject.java:20)
        at auth.sso.oidc.custom.CustomOidcClient.clientInit(CustomOidcClient.java:21)
        at org.pac4j.core.client.IndirectClient.internalInit(IndirectClient.java:58)
        at org.pac4j.core.util.InitializableObject.init(InitializableObject.java:20)
        at org.pac4j.core.client.IndirectClient.getRedirectAction(IndirectClient.java:93)
        at org.pac4j.core.client.IndirectClient.redirect(IndirectClient.java:79)
        at controllers.AuthenticationController.redirectToIdentityProvider(AuthenticationController.java:278)
        at controllers.AuthenticationController.authenticate(AuthenticationController.java:89)
        at router.Routes$$anonfun$routes$1.$anonfun$applyOrElse$8(Routes.scala:489)
        at play.core.routing.HandlerInvokerFactory$$anon$6.resultCall(HandlerInvoker.scala:139)
        at play.core.routing.HandlerInvokerFactory$$anon$6.resultCall(HandlerInvoker.scala:138)
        at play.core.routing.HandlerInvokerFactory$JavaActionInvokerFactory$$anon$3$$anon$4$$anon$5.invocation(HandlerInvoker.scala:112)
        at play.core.j.JavaAction$$anon$1.call(JavaAction.scala:128)
        at play.mvc.Action.lambda$call$0(Action.java:89)
        at java.util.Optional.map(Optional.java:215)
        at play.mvc.Action.call(Action.java:81)
        at play.http.DefaultActionCreator$1.call(DefaultActionCreator.java:33)
        at play.core.j.JavaAction.$anonfun$apply$8(JavaAction.scala:188)
        at scala.concurrent.Future$.$anonfun$apply$1(Future.scala:659)
        at scala.util.Success.$anonfun$map$1(Try.scala:255)
        at scala.util.Success.map(Try.scala:213)
        at scala.concurrent.Future.$anonfun$map$1(Future.scala:292)
        at scala.concurrent.impl.Promise.liftedTree1$1(Promise.scala:33)
        at scala.concurrent.impl.Promise.$anonfun$transform$1(Promise.scala:33)
        at scala.concurrent.impl.CallbackRunnable.run(Promise.scala:64)
        at play.core.j.HttpExecutionContext$$anon$2.run(HttpExecutionContext.scala:77)
        at play.api.libs.streams.Execution$trampoline$.execute(Execution.scala:70)
        at play.core.j.HttpExecutionContext.execute(HttpExecutionContext.scala:69)
        at scala.concurrent.impl.CallbackRunnable.executeWithValue(Promise.scala:72)
        at scala.concurrent.impl.Promise$KeptPromise$Kept.onComplete(Promise.scala:372)
        at scala.concurrent.impl.Promise$KeptPromise$Kept.onComplete$(Promise.scala:371)
        at scala.concurrent.impl.Promise$KeptPromise$Successful.onComplete(Promise.scala:379)
        at scala.concurrent.impl.Promise.transform(Promise.scala:33)
        at scala.concurrent.impl.Promise.transform$(Promise.scala:31)
        at scala.concurrent.impl.Promise$KeptPromise$Successful.transform(Promise.scala:379)
        at scala.concurrent.Future.map(Future.scala:292)
        at scala.concurrent.Future.map$(Future.scala:292)
        at scala.concurrent.impl.Promise$KeptPromise$Successful.map(Promise.scala:379)
        at scala.concurrent.Future$.apply(Future.scala:659)
        at play.core.j.JavaAction.apply(JavaAction.scala:189)
        at play.api.mvc.Action.$anonfun$apply$2(Action.scala:95)
        at play.api.libs.streams.StrictAccumulator.$anonfun$mapFuture$4(Accumulator.scala:181)
        at scala.util.Try$.apply(Try.scala:213)
        at play.api.libs.streams.StrictAccumulator.$anonfun$mapFuture$3(Accumulator.scala:181)
        at scala.Function1.$anonfun$andThen$1(Function1.scala:57)
        at play.api.libs.streams.StrictAccumulator.run(Accumulator.scala:216)
        at play.core.server.AkkaHttpServer.$anonfun$runAction$4(AkkaHttpServer.scala:436)
        at akka.http.scaladsl.util.FastFuture$.strictTransform$1(FastFuture.scala:41)
        at akka.http.scaladsl.util.FastFuture$.$anonfun$transformWith$3(FastFuture.scala:51)
        ... 12 common frames omitted
Caused by: java.net.ConnectException: Connection refused (Connection refused)
        at java.net.PlainSocketImpl.socketConnect(Native Method)
        at java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:350)
        at java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:206)
        at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:188)
        at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392)
        at java.net.Socket.connect(Socket.java:607)
        at sun.net.NetworkClient.doConnect(NetworkClient.java:175)
        at sun.net.www.http.HttpClient.openServer(HttpClient.java:463)
        at sun.net.www.http.HttpClient.openServer(HttpClient.java:558)
        at sun.net.www.http.HttpClient.<init>(HttpClient.java:242)
        at sun.net.www.http.HttpClient.New(HttpClient.java:339)
        at sun.net.www.http.HttpClient.New(HttpClient.java:357)
        at sun.net.www.protocol.http.HttpURLConnection.getNewHttpClient(HttpURLConnection.java:1226)
        at sun.net.www.protocol.http.HttpURLConnection.plainConnect0(HttpURLConnection.java:1162)
        at sun.net.www.protocol.http.HttpURLConnection.plainConnect(HttpURLConnection.java:1056)
        at sun.net.www.protocol.http.HttpURLConnection.connect(HttpURLConnection.java:990)
        at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1570)
        at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1498)
        at com.nimbusds.jose.util.DefaultResourceRetriever.getInputStream(DefaultResourceRetriever.java:249)
        at com.nimbusds.jose.util.DefaultResourceRetriever.retrieveResource(DefaultResourceRetriever.java:201)
        at org.pac4j.oidc.config.OidcConfiguration.internalInit(OidcConfiguration.java:133)
        ... 61 common frames omitted
```
Yes I believe the SSL cert is necessary to get OIDC working! I recently had the same issue crop up again when I upgraded to v0.8.45 with the error
```
PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
```
If anyone else encounters this issue, I think it is due to the migration to the Java 11 runtime (see https://github.com/datahub-project/datahub/pull/5853). I fixed it by changing JAVA_OPTS to JDK_JAVA_OPTIONS in the custom yaml file in the helm deployment.
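An added consistency check for the truststore wiring described in the two posts above (editor's example, not code from the thread or the DataHub project): it flags a trustStore path that is not under any mounted volume, a keystore stored as text under a ConfigMap's `data:` instead of `binaryData:`, and flags placed in JAVA_OPTS on a Java 11 image. The dicts stand in for the parsed values.yaml and ConfigMap and are constructed here; the Java major version is assumed to be 11.

```python
import re
import shlex
from posixpath import basename, dirname

TRUSTSTORE_FLAG = re.compile(r"^-Djavax\.net\.ssl\.trustStore=(\S+)$")

def find_truststore_flag(extra_envs):
    """Return (env_var, path) of the first -Djavax.net.ssl.trustStore flag, else (None, None)."""
    for env in extra_envs:
        if env["name"] in ("JAVA_OPTS", "JDK_JAVA_OPTIONS"):
            for token in shlex.split(env["value"]):  # block scalar: one flag per line
                match = TRUSTSTORE_FLAG.match(token)
                if match:
                    return env["name"], match.group(1)
    return None, None

def check_truststore_wiring(frontend, configmap, java_major=11):
    """Return a list of findings; an empty list means the wiring is consistent."""
    env_var, path = find_truststore_flag(frontend.get("extraEnvs", []))
    if path is None:
        return ["no -Djavax.net.ssl.trustStore flag found in JAVA_OPTS or JDK_JAVA_OPTIONS"]
    findings = []
    # The JDK 9+ launcher reads JDK_JAVA_OPTIONS itself; JAVA_OPTS only works if the start script forwards it.
    if java_major >= 9 and env_var == "JAVA_OPTS":
        findings.append("Java %d image: move the flags from JAVA_OPTS to JDK_JAVA_OPTIONS" % java_major)
    mounts = {m["mountPath"].rstrip("/"): m["name"] for m in frontend.get("extraVolumeMounts", [])}
    store_dir = dirname(path)
    if store_dir not in mounts:  # catches a typo like /etc/trustore vs /etc/truststore
        findings.append("%s is not under any extraVolumeMounts path %s" % (path, sorted(mounts)))
    key = basename(path)
    # A JKS/PKCS12 keystore is binary: it has to live under binaryData:, never data:.
    if key in configmap.get("data", {}):
        findings.append("ConfigMap key %s is in data: (text); a keystore belongs in binaryData:" % key)
    elif key not in configmap.get("binaryData", {}):
        findings.append("ConfigMap %s has no key %s" % (configmap["metadata"]["name"], key))
    return findings

# Constructed stand-ins for the parsed values.yaml and ConfigMap posted in the thread.
THREAD_FRONTEND = {
    "extraEnvs": [{"name": "JAVA_OPTS", "value": "-Xms512m\n-Xmx1024m\n-Djavax.net.ssl.trustStore=/etc/trustore/truststore.jdk\n"
                   "-Djavax.net.ssl.trustStorePassword=changeit"}],
    "extraVolumeMounts": [{"name": "config-volume", "mountPath": "/etc/truststore", "readOnly": True}],
}
THREAD_CONFIGMAP = {"metadata": {"name": "truststore-configmap"},
                    "data": {"truststore.jdk": "debian:mkcert_development_ca..., trustedCertEntry"}}

if __name__ == "__main__":
    for finding in check_truststore_wiring(THREAD_FRONTEND, THREAD_CONFIGMAP):
        print("FINDING:", finding)
```

Run against the posted configuration it reports three findings; a values file with JDK_JAVA_OPTIONS, a matching mountPath and a `binaryData:` keystore passes cleanly.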
Thanks for the solution @brief-businessperson-12356