Sam

Reputation: 990

portainer keycloak 20 oauth login "unauthorized" / "Unable to login via OAuth"

I have many apps using Keycloak for authentication, but only Portainer does not work yet. I am using the custom OAuth provider configured as follows:


With the Keycloak client setup:


The URLs should all be correct and taken from https://auth.mydomain.com/realms/my-realm/.well-known/openid-configuration

However, when I try to log in to Portainer, I get the error messages "unauthorized" and "Unable to login via OAuth". Does anyone know what I have missed?

Upvotes: 3

Views: 6484

Answers (3)

Danil Osadchiy

Reputation: 41

Maybe it will help someone else: Keycloak by default stores the username in the field named preferred_username, so you should use it as User identifier.

Also do not forget to add ?redirect_uri={your url-encoded path} at the end of the Logout URL to come back to the application login page after logout.

EDIT: I just wanted to emphasize the solution you provided here by adding an image that illustrates the settings needed to make it work in Portainer. (I don't know how to refer you to another reply, so I hope it is ok I did it this way instead.)

The solution

Upvotes: 1

Sam

Reputation: 990

The solution was to add as User identifier: email. Only that works.

Upvotes: 2
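To tie the two answers above together (preferred_username vs. email as User identifier, and the url-encoded redirect_uri on the Logout URL), here is an added helper script that is not part of any answer or of Portainer itself. It maps a Keycloak discovery document onto the fields of Portainer's custom OAuth provider form (field names assumed from that form) and reports which candidate claims actually exist in a userinfo response; both the discovery document and the userinfo payload are constructed samples.

```python
import json
from urllib.parse import urlencode, urlparse

# Constructed sample of a Keycloak discovery document, trimmed to the fields
# the Portainer custom OAuth form needs. The real one is served at
# https://auth.mydomain.com/realms/my-realm/.well-known/openid-configuration
DISCOVERY = json.loads("""{
  "issuer": "https://auth.mydomain.com/realms/my-realm",
  "authorization_endpoint": "https://auth.mydomain.com/realms/my-realm/protocol/openid-connect/auth",
  "token_endpoint": "https://auth.mydomain.com/realms/my-realm/protocol/openid-connect/token",
  "userinfo_endpoint": "https://auth.mydomain.com/realms/my-realm/protocol/openid-connect/userinfo",
  "end_session_endpoint": "https://auth.mydomain.com/realms/my-realm/protocol/openid-connect/logout"
}""")

# Constructed sample userinfo response for one test user.
USERINFO = {"sub": "constructed-subject-id", "preferred_username": "sam", "email": "sam@mydomain.com"}

# Claims the answers in this thread report as working User identifier values.
IDENTIFIER_CANDIDATES = ("email", "preferred_username")


def portainer_settings(discovery, portainer_url):
    """Map the discovery document onto Portainer's custom OAuth fields and
    build the Logout URL with the url-encoded redirect_uri appended."""
    required = ("issuer", "authorization_endpoint", "token_endpoint",
                "userinfo_endpoint", "end_session_endpoint")
    missing = [k for k in required if not discovery.get(k)]
    if missing:
        raise ValueError(f"discovery document is missing {missing}")
    # Every endpoint should live on the issuer's host; a mismatch usually
    # means a copy/paste error when filling in the Portainer form.
    issuer_host = urlparse(discovery["issuer"]).netloc
    for key in required[1:]:
        if urlparse(discovery[key]).netloc != issuer_host:
            raise ValueError(f"{key} is not on issuer host {issuer_host}")
    logout = discovery["end_session_endpoint"] + "?" + urlencode({"redirect_uri": portainer_url})
    return {
        "Authorization URL": discovery["authorization_endpoint"],
        "Access token URL": discovery["token_endpoint"],
        "Resource URL": discovery["userinfo_endpoint"],
        "Logout URL": logout,
    }


def usable_identifiers(userinfo, candidates=IDENTIFIER_CANDIDATES):
    """Return the candidate claims that are present and non-empty in the
    userinfo response; Portainer's User identifier must name one of them."""
    return [c for c in candidates if userinfo.get(c)]
```

Run it against the real discovery document and a real userinfo response (fetched with a valid access token) to confirm that the claim typed into User identifier is actually returned for your users.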

Philip Gerke

Reputation: 36

I had the same issue. In my case I was running both Keycloak and Portainer in the same Kubernetes cluster and I hadn't configured CoreDNS to use my upstream DNS server correctly. Starting Portainer with --log-level=DEBUG revealed that Portainer was unable to resolve the Keycloak server while trying to swap the auth code for a token.

I was able to fix the issue by correcting the forward block in the CoreDNS config map and mounting the root CA certificate to /etc/ssl/certs/cacert.pem in the Portainer container.

Upvotes: 1
