OS Name/Version: Arch Linux
Product Name/Version: AMP Phobos 2.6.1.2
Problem Description:
I’ve created a Client in my Keycloak Instance with Client Secret and assigned myself a role AMP_SuperAdmins (also tried AMP_Super_Admins), but I cannot log in; I just get an error in the logs. Here’s my config:
```
Login.UseOIDC=True
Login.OIDCProviderFriendlyName=SSO
Login.OIDCClientID=<myClientID>
Login.OIDCClientSecret=<myClientSecret>
Login.OIDCRedirectUri=https://amp.mydomain.tld
Login.OIDCAuthorizeEndpoint=https://sso.mydomain.tld/realms/myrealm/protocol/openid-connect/auth
Login.OIDCValidationEndpoint=https://sso.mydomain.tld/realms/myrealm/protocol/openid-connect/token
Login.OIDCTokenEndpoint=https://sso.jmydomain.tld/realms/myrealm/protocol/openid-connect/token
Login.OIDCUserInfoEndpoint=https://sso.mydomain.tld/realms/myrealm/protocol/openid-connect/userinfo
Login.OIDCLogoutEndpoint=https://sso.mydomain.tld/realms/myrealm/protocol/openid-connect/logout
Login.OIDCRevokeEndpoint=https://sso.mydomain.tld/realms/myrealm/protocol/openid-connect/revoke
Login.OIDCRoleNamePrefix=AMP_
Login.OIDCNewUsersDisabledAtCreation=False
```
Here’s the Exception I get:
```
[09:17:48] [System Warning/14] : Returned exception from API call Core/OIDCLogin
[09:17:48] [Core Error/14] : ArgumentNullException
[09:17:48] [Core Error/14] : [0] (ArgumentNullException) : Value cannot be null. (Parameter 'source')
[09:17:48] [Core Error/14] : at Linq.ThrowHelper.ThrowArgumentNullException(ExceptionArgument argument)
at Linq.Enumerable.Where[TSource](IEnumerable`1 source, Func`2 predicate)
at GSMyAdmin.Authentication.InternalAuth.AuthenticateOIDCUser(HttpRequest request, OidcUserInfo info, Nullable`1 serverId)
at GSMyAdmin.WebServer.WebMethods.OIDCLogin(HttpRequest request, String code, String redirect_uri, Nullable`1 serverId)
at GSMyAdmin.WebServer.WebAttributes.InvokeMethod(String MethodName, JObject Data, HttpContext context, IWebSession Session, WebMethodsBase MethodsClass, IPAddress RealIP)
at GSMyAdmin.WebServer.ApiService.InvokeAPI(HttpContext context, IWebSession Session, JObject Data, String RequestModule, String RequestMethod)
```
Steps to reproduce:
- Create Keycloak Client
- Configure AMP Instance
- Start AMP Instance
- Visit Login Page and log in to Keycloak
Actions taken to resolve so far:
- Tried different variations of the Role Name for Super Admins
- Tried to just make the created user a Super Admin manually
- Tried to create a custom role Admin with access to everything
- Made Keycloak place the roles inside a roles claim instead of under resource_access
The roles part in the JWT from Keycloak looks correct to me:
```json
"resource_access": {
  "amp": {
    "roles": [
      "AMP_Admin"
    ]
  },
```
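A small diagnostic for the role-claim question above, added here as an example and not part of the original post or AMP's code: it reports which of the usual Keycloak role locations are present in a decoded access token or userinfo response, and which roles there carry the `AMP_` prefix. The sample token and userinfo body are constructed, and which location AMP actually reads is not stated on the page.

```python
import base64
import json


def jwt_claims(token: str) -> dict:
    """Decode a JWT payload for inspection only; the signature is NOT verified."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def role_locations(claims: dict, client_id: str, prefix: str = "AMP_") -> dict:
    """Return {claim path: prefixed roles}, with None where the claim is absent."""
    def roles_of(node):
        value = node.get("roles") if isinstance(node, dict) else None
        return value if isinstance(value, list) else None

    found = {
        "roles": roles_of(claims),
        "realm_access.roles": roles_of(claims.get("realm_access")),
        f"resource_access.{client_id}.roles": roles_of(
            (claims.get("resource_access") or {}).get(client_id)
        ),
    }
    return {
        path: None if roles is None else [r for r in roles if str(r).startswith(prefix)]
        for path, roles in found.items()
    }


def _segment(obj: dict) -> str:
    """Encode one constructed JWT segment as unpadded base64url."""
    raw = base64.urlsafe_b64encode(json.dumps(obj).encode())
    return raw.rstrip(b"=").decode()


# Constructed samples (not real tokens): roles only under resource_access.amp,
# and a userinfo body that carries no role claim at all.
SAMPLE_ACCESS_TOKEN = ".".join([
    _segment({"alg": "RS256", "typ": "JWT"}),
    _segment({"sub": "constructed-user",
              "resource_access": {"amp": {"roles": ["AMP_Admin"]}}}),
    "constructed-signature",
])
SAMPLE_USERINFO = {"sub": "constructed-user", "preferred_username": "constructed"}

if __name__ == "__main__":
    for name, claims in (("access token", jwt_claims(SAMPLE_ACCESS_TOKEN)),
                         ("userinfo", SAMPLE_USERINFO)):
        print(name, role_locations(claims, client_id="amp"))
```

Running the same function over the real userinfo response and the real access token shows whether a role list is present in each; a `None` entry marks a location where no list exists.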