OIDC using Keykloak causes Error on Login

Jannis_Goeing · March 27, 2025, 9:33am

OS Name/Version: Arch Linux

Product Name/Version: AMP Phobos 2.6.1.2

Problem Description:
I’ve created a Client in my Keykloak Instance with Client Secret and assigned my self a role AMP_SuperAdmins (Also tried AMP_Super_Admins), but I cannot login, I just get an error in the logs. Here’s my config:

Login.UseOIDC=True
Login.OIDCProviderFriendlyName=SSO
Login.OIDCClientID=<myClientID>
Login.OIDCClientSecret=<myClientSecret>
Login.OIDCRedirectUri=https://amp.mydomain.tld
Login.OIDCAuthorizeEndpoint=https://sso.mydomain.tld/realms/myrealm/protocol/openid-connect/auth
Login.OIDCValidationEndpoint=https://sso.mydomain.tld/realms/myrealm/protocol/openid-connect/token
Login.OIDCTokenEndpoint=https://sso.jmydomain.tld/realms/myrealm/protocol/openid-connect/token
Login.OIDCUserInfoEndpoint=https://sso.mydomain.tld/realms/myrealm/protocol/openid-connect/userinfo
Login.OIDCLogoutEndpoint=https://sso.mydomain.tld/realms/myrealm/protocol/openid-connect/logout
Login.OIDCRevokeEndpoint=https://sso.mydomain.tld/realms/myrealm/protocol/openid-connect/revoke
Login.OIDCRoleNamePrefix=AMP_
Login.OIDCNewUsersDisabledAtCreation=False

Here’s the Exception I get:

[09:17:48] [System Warning/14]    : Returned exception from API call Core/OIDCLogin
[09:17:48] [Core Error/14]        : ArgumentNullException
[09:17:48] [Core Error/14]        : [0] (ArgumentNullException) : Value cannot be null. (Parameter 'source')
[09:17:48] [Core Error/14]        :    at Linq.ThrowHelper.ThrowArgumentNullException(ExceptionArgument argument)
   at Linq.Enumerable.Where[TSource](IEnumerable`1 source, Func`2 predicate)
   at GSMyAdmin.Authentication.InternalAuth.AuthenticateOIDCUser(HttpRequest request, OidcUserInfo info, Nullable`1 serverId)
   at GSMyAdmin.WebServer.WebMethods.OIDCLogin(HttpRequest request, String code, String redirect_uri, Nullable`1 serverId)
   at GSMyAdmin.WebServer.WebAttributes.InvokeMethod(String MethodName, JObject Data, HttpContext context, IWebSession Session, WebMethodsBase MethodsClass, IPAddress RealIP)
   at GSMyAdmin.WebServer.ApiService.InvokeAPI(HttpContext context, IWebSession Session, JObject Data, String RequestModule, String RequestMethod)

Steps to reproduce:

Create Keycloak Client
Configure AMP Instance
Start AMP Instance
Visit Login Page and Login to Keykloak

Actions taken to resolve so far:

Tried different variations of the Role Name for Super Admins
Tried to just make the created user a Super Admin manually
Tried to create a custom role Admin with access to everything
Made Keykloak place the roles inside a roles claim instead of under resource_access

The roles part in the JWT from Keykloak looks correct to me:

  "resource_access": {
    "amp": {
      "roles": [
        "AMP_Admin"
      ]
    },

tankbusta · April 16, 2025, 3:53am

I’m not able to replicate this exact error but I have a very similar config. The login works correctly but my user does not have privileges when I login. Validating with Keycloak “Generated User Info” section, I do see

"resource_access": {
    "amp": {
      "roles": [
        "AMP_Super Admins"
      ]
    }
  },

AMP version 2.6.1.4

Jannis_Goeing · April 16, 2025, 5:14am

I eventually figured it out. The Client Roles need to be mapped to the groups claim for it to work, so just create a Mapper from Configuration, select User Client Role, give it a name, select your AMP Client and set Token Claim Name to groups. Then go back, go to client scopes, evaluate, select your user, then click on generated access token, it should contain this:

  "groups": [
    "AMP_Super Admins"
  ],

tankbusta · April 17, 2025, 12:30am

Yes! This fixes it, thank you very much!