About browser keycloak

Recently, I noticed that runtime v52 introduced Keycloak. I want to try replacing Auth0 with Keycloak as it seems more convenient for user management. However, I encountered an error during the authentication process.

As shown in the image, it can redirect to Keycloak, and after entering the password it returns to the browser, but fails to authenticate through ext-jwt.

Sorry we forgot about your post! I just had a similar issue with another user. It ended up that the Keycloak server was incorrectly configured with an invalid certificate chain. It wasn't presenting the full chain. Can you test your server with openssl: openssl s_client -connect your.server.here:port and see if you receive an "OK" or a "-21" error?

Other than that, you need to check whether the user is still mapped to the service and whether the email address coming back from Keycloak matches; you need to verify that the username and external claim property match as well.

Have you done those things? Are you still having an issue?

Thank you. It's really a problem with certificates. I didn't know enough about certificates before and didn't know the difference between cert and fullchain. Learned something new :grinning:


I'm happy to hear that was the issue and you're all set. It wasn't an easy/obvious issue to track down.

Now I have a complete browzer, but I'm confused because the controller, router, and console are all on the same server. I didn't think it was a perfect proof that could add any network to a secure ziti network, so I tried moving the controller and console to another server, changing the bootloader's ZITI_CONTROLLER_HOST, and then using the bootloader to access it. If it works, then I can add my other services to ziti. Unfortunately, the modified bootstrapper wouldn't start.
Here is the bootstrapper error log:

{"code":"ECONNRESET","errno":-104,"level":"error","message":"read ECONNRESET","stack":"Error: read ECONNRESET\n    at TLSWrap.onStreamRead (node:internal/stream_base_commons:217:20)","syscall":"read","timestamp":"2024-01-12T05:13:34.464Z"}

These are the modified environment variables:

cat $ZITI_HOME/browzer.env
ZITI_BROWZER_BOOTSTRAPPER_HOST="browzer.aly.aidenzj.online"
ZITI_BROWZER_BOOTSTRAPPER_LOGLEVEL="debug"
ZITI_BROWZER_RUNTIME_LOGLEVEL="debug"
ZITI_BROWZER_RUNTIME_HOTKEY="alt+F12"
ZITI_CONTROLLER_HOST="ctrl.my2.testzj.online"
ZITI_CONTROLLER_PORT="8441"
ZITI_BROWZER_BOOTSTRAPPER_SCHEME="https"
ZITI_BROWZER_BOOTSTRAPPER_CERTIFICATE_PATH="/etc/letsencrypt/live/aly.aidenzj.online/fullchain.pem"
ZITI_BROWZER_BOOTSTRAPPER_KEY_PATH="/etc/letsencrypt/live/aly.aidenzj.online/privkey.pem"
ZITI_BROWZER_BOOTSTRAPPER_LISTEN_PORT="8446"
ZITI_BROWZER_BOOTSTRAPPER_TARGETS='  {
    "targetArray": [
      {
        "vhost": "brozac.my2.testzj.online ",
        "service": "brozac",
        "path": "/",
        "scheme": "https",
        "idp_issuer_base_url": "https://auth.keycloak.aidenzj.online:1234",
        "idp_client_id": "account",
        "idp_realm": "ziti",
        "idp_type": "keycloak"
      }
    ]
  }'
NODE_EXTRA_CA_CERTS=node_modules/node_extra_ca_certs_mozilla_bundle/ca_bundle/ca_intermediate_root_bundle.pem

Is the idea right? It's like a certificate issue again :joy: My two servers have different certificates and domain names.

With two servers, should I start a router on each server?

Maybe they have to be together? browzer takes an existing service (like my private notes), wraps it with ziti, and then automatically verifies my identity when I access the notes?

Which is the right direction?

I tried moving the controller and console to another server
it's like a certificate issue again

Did you recreate the entire setup or did you just copy files? Based on the error, it definitely looks to me like the bootstrapper connected to the controller with the wrong certificate.

You cannot "move" a controller. The DNS entry used when running the quickstart is the DNS entry all the PKI/identities are based on. If you simply "moved" or "changed" the controller DNS name, almost certainly nothing will connect.

If you reran the quickstart, browzer should connect just fine.

I plan to do a session on YouTube today covering Keycloak deployment and use, and put into video form the issues people have encountered this week. It's at 11 AM ET (3.5 hours from 'now'). It's a livestream, so if you're interested you can ask questions, or you can catch the replay.

I'm sure this will work just fine, figuring out the issue is the challenge. What's the URL of your controller?