OIDC using Keykloak causes Error on Login

OS Name/Version: Arch Linux

Product Name/Version: AMP Phobos 2.6.1.2

Problem Description:
I’ve created a Client in my Keycloak instance with a Client Secret and assigned myself the role AMP_SuperAdmins (also tried AMP_Super_Admins), but I cannot log in; I just get an error in the logs. Here’s my config:

Login.UseOIDC=True
Login.OIDCProviderFriendlyName=SSO
Login.OIDCClientID=<myClientID>
Login.OIDCClientSecret=<myClientSecret>
Login.OIDCRedirectUri=https://amp.mydomain.tld
Login.OIDCAuthorizeEndpoint=https://sso.mydomain.tld/realms/myrealm/protocol/openid-connect/auth
Login.OIDCValidationEndpoint=https://sso.mydomain.tld/realms/myrealm/protocol/openid-connect/token
Login.OIDCTokenEndpoint=https://sso.jmydomain.tld/realms/myrealm/protocol/openid-connect/token
Login.OIDCUserInfoEndpoint=https://sso.mydomain.tld/realms/myrealm/protocol/openid-connect/userinfo
Login.OIDCLogoutEndpoint=https://sso.mydomain.tld/realms/myrealm/protocol/openid-connect/logout
Login.OIDCRevokeEndpoint=https://sso.mydomain.tld/realms/myrealm/protocol/openid-connect/revoke
Login.OIDCRoleNamePrefix=AMP_
Login.OIDCNewUsersDisabledAtCreation=False

Here’s the Exception I get:

[09:17:48] [System Warning/14]    : Returned exception from API call Core/OIDCLogin
[09:17:48] [Core Error/14]        : ArgumentNullException
[09:17:48] [Core Error/14]        : [0] (ArgumentNullException) : Value cannot be null. (Parameter 'source')
[09:17:48] [Core Error/14]        :    at Linq.ThrowHelper.ThrowArgumentNullException(ExceptionArgument argument)
   at Linq.Enumerable.Where[TSource](IEnumerable`1 source, Func`2 predicate)
   at GSMyAdmin.Authentication.InternalAuth.AuthenticateOIDCUser(HttpRequest request, OidcUserInfo info, Nullable`1 serverId)
   at GSMyAdmin.WebServer.WebMethods.OIDCLogin(HttpRequest request, String code, String redirect_uri, Nullable`1 serverId)
   at GSMyAdmin.WebServer.WebAttributes.InvokeMethod(String MethodName, JObject Data, HttpContext context, IWebSession Session, WebMethodsBase MethodsClass, IPAddress RealIP)
   at GSMyAdmin.WebServer.ApiService.InvokeAPI(HttpContext context, IWebSession Session, JObject Data, String RequestModule, String RequestMethod)

Steps to reproduce:

  • Create Keycloak Client
  • Configure AMP Instance
  • Start AMP Instance
  • Visit the Login Page and log in to Keycloak

Actions taken to resolve so far:

  • Tried different variations of the Role Name for Super Admins
  • Tried to just make the created user a Super Admin manually
  • Tried to create a custom role Admin with access to everything
  • Made Keycloak place the roles inside a roles claim instead of under resource_access

The roles part in the JWT from Keycloak looks correct to me:

  "resource_access": {
    "amp": {
      "roles": [
        "AMP_Admin"
      ]
    },

I’m not able to replicate this exact error, but I have a very similar config. The login works correctly, but my user does not have privileges when I log in. Validating with the Keycloak “Generated User Info” section, I do see

"resource_access": {
    "amp": {
      "roles": [
        "AMP_Super Admins"
      ]
    }
  },

AMP version 2.6.1.4

I eventually figured it out. The Client Roles need to be mapped to the groups claim for it to work, so just create a Mapper from Configuration, select User Client Role, give it a name, select your AMP Client and set Token Claim Name to groups. Then go back, go to Client Scopes, Evaluate, select your user, then click on Generated Access Token; it should contain this:

  "groups": [
    "AMP_Super Admins"
  ],
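As an added example (not from the thread or from AMP/Keycloak), this script decodes a Keycloak access token payload and reports whether the AMP roles sit in a top-level `groups` claim with the configured `Login.OIDCRoleNamePrefix`, or only under `resource_access.<client>.roles` where the thread shows they are not picked up. It assumes the behaviour described above (AMP reads `groups` and filters by prefix); the tokens are constructed samples with a placeholder signature, and nothing is signature-verified, so use it for troubleshooting only.

```python
import base64
import json

def b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def jwt_payload(token: str) -> dict:
    """Return the claims of a compact JWT. Inspection only: the signature is
    NOT validated, so never use this to make an authorization decision."""
    _header, payload, _sig = token.split(".")
    return json.loads(b64url_decode(payload))

def check_amp_claims(claims: dict, client_id: str, prefix: str = "AMP_") -> dict:
    """Diagnose where the token carries roles relative to what AMP reads.
    Assumption (from the thread): AMP consumes a top-level 'groups' claim and
    keeps entries starting with Login.OIDCRoleNamePrefix; client roles that
    stay under resource_access.<client>.roles are not consulted."""
    groups = claims.get("groups")
    client_roles = claims.get("resource_access", {}).get(client_id, {}).get("roles", [])
    result = {"groups_present": groups is not None, "mapped_roles": [], "problem": None}
    if groups is None:
        result["problem"] = ("no 'groups' claim; roles only under resource_access"
                             if client_roles else "no roles in token at all")
        return result
    result["mapped_roles"] = [g for g in groups if g.startswith(prefix)]
    if not result["mapped_roles"]:
        result["problem"] = f"'groups' claim has no entry with prefix {prefix!r}"
    return result

def make_token(claims: dict) -> str:
    """Build a constructed compact JWT with a placeholder signature, purely to
    feed jwt_payload() with realistic-looking sample input."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.sig-placeholder"

# Constructed samples: before the mapper exists, and after the 'groups' mapper is added.
BEFORE_MAPPER = {"preferred_username": "alice",
                 "resource_access": {"amp": {"roles": ["AMP_Super Admins"]}}}
AFTER_MAPPER = dict(BEFORE_MAPPER, groups=["AMP_Super Admins", "offline_access"])

if __name__ == "__main__":
    for label, claims in (("before", BEFORE_MAPPER), ("after", AFTER_MAPPER)):
        print(label, check_amp_claims(jwt_payload(make_token(claims)), "amp"))
```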

Yes! This fixes it, thank you very much!
