Sam Thursfield commented: Spent a while trying to get this to work today, here's what happened. OpenID Connect is a superset of OAuth2, and so OpenQA OAuth2 backend can authenticate against Keycloak OpenID Connect provider. In theory. This is working at http://openqa.qa.codethink.co.uk/ already. https://auth.gnome.org/ uses Keycloak and we configured a new 'openqa' application. Login on openqa.gnome.org successfully redirects to auth.gnome.org, back to openqa.gnome.org/login, at which point we see an error: "User data returned by OAuth2 provider is insufficient" The error comes from https://github.com/os-autoinst/openQA/blob/master/lib/OpenQA/WebAPI/Auth/OAuth2.pm#L82 and is triggered by return value of the https://auth.gnome.org/auth/realms/master/protocol/openid-connect/userinfo endpoint. OpenQA expects to find `id` (not configurable) and `preferred_username` (configurable) in the output, and doesn't. Keycloak doesn't set `id` by default, but it can be configured to map one property to another. This is what happens in the Codethink instance and it works. In the Gnome instance, the `id` property is never sent - regardless which property it is mapped from (tried `email`, `username`, `preferred_username`). OpenQA doesn't print debug logs here, but I modified the Perl code directly to add some. Specifically `./usr/share/openqa/lib/OpenQA/WebAPI/Auth/OAuth2.pm` adding lines: use OpenQA::Log qw(log_debug); use Data::Dumper; (at the top) log_debug("TX result: " . Dumper($tx->res)); log_debug("Details: " . Dumper($details)); (just before line 82). Also set `logging.level = debug` in the openqa.ini file. This is enough to dump the user data it receives, and see that there's no `id` field. At this point we don't know why Keycloak isn't sending the field. -- Reply to this email directly or view it on GitLab: https://gitlab.gnome.org/Infrastructure/Infrastructure/-/issues/637#note_1243350 You're receiving this email because of your account on gitlab.gnome.org.
_______________________________________________ gnome-infrastructure mailing list [email protected] https://mail.gnome.org/mailman/listinfo/gnome-infrastructure
