
I have a local apache2 server running humhub 1.3.14. My goal is to set Keycloak located on my rancher cluster as the authentication provider for humhub.

After selecting "keycloak OpenId Connect" the user is successfully redirected to the Keycloak server. After the user has authenticated, Keycloak redirects back to my local humhub server. There humhub complains: "Unable to verify JWS: Unsecured connection". To validate the JWS, humhub uses yii2-authclient/src/OpenIdConnect.php, which requires "spomky-labs/jose:~5.0.6" (which is abandoned, but yii2 still uses it).

In humhub/protected/vendor/yiisoft/yii2-authclient/src/OpenIdConnect.php, setting

$validateJws = false

does nothing.

humhub/protected/config/common.php:

return [
    'params' => [
        'enablePjax' => false
    ],
    'components' => [
        'urlManager' => [
            'showScriptName' => false,
            'enablePrettyUrl' => false,
        ],
        'authClientCollection' => [
            'class' => 'yii\authclient\Collection',
            'clients' => [
                'keycloak' => [
                    'class' => 'yii\authclient\OpenIdConnect',
                    'issuerUrl' => 'https://xxxx/auth/realms/humhub',
                    'clientId' => 'humhub',
                    'clientSecret' => 'xxxxxxx',
                    'name' => 'keycloak',
                    'title' => 'Keycloak OpenID Connect',
                    'tokenUrl' => 'https://xxxx/auth/realms/humhub/protocol/openid-connect/token',
                    'authUrl' => 'https://xxxx/auth/realms/humhub/protocol/openid-connect/auth',
                    // PHP booleans, not the string 'false' (a non-empty string is truthy)
                    'validateAuthState' => false,
                    'validateJws' => false,
                ],
            ],
        ],
    ],
];

Can anyone help? Further information required?

UPDATE


After updating "spomky-labs/jose" to "spomky-labs/jose:~6.1.0", the response from humhub changed to:

"Unable to verify JWS: The provided sector identifier URI is not valid: scheme must be one of the following: ["https"]."

UPDATE


I have enabled https also on my local apache2 server which runs humhub. I also downgraded spomky-labs/jose back to version 5.0.6 because of compatibility problems with the current humhub version 1.3.14. After that, the JWS error seems to be fixed, but a new error occurred:

[screenshot of the new error message]

Could it be caused by the content type in the JWS, which is not "application/json" but instead just "" (empty)? If so, how can this be fixed?


1 Answer

Finally I found the solution: It is not working well because humhub does not adhere to the specification in its OIDC adapter. After redirecting back from Keycloak, the following error occurs:

[screenshot: Error after redirect back to humhub from Keycloak]

The OpenID Connect 1.0 specification states that an ID token has to be signed using a JWS (JSON Web Signature). Keycloak does that, but does not set the "cty" field. According to https://www.rfc-editor.org/rfc/rfc7515#section-4.1.10 (RFC 7515), this field is optional, which means that Humhub (v. 1.3.13) has a wrongly implemented OpenID Connect 1.0 adapter because it treats this field as mandatory.

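As an added illustration (not humhub's or yii2-authclient's code), the check below parses the protected header of a compact-serialized JWS and contrasts the behaviour described in the answer, rejecting an ID token whose header lacks "cty", with a check that follows RFC 7515 section 4.1, where only "alg" is required, "cty" and "typ" are optional, and unknown "crit" extensions must be rejected. The sample header, "kid", issuer URL and placeholder signature are constructed.

```python
import base64
import json

# Constructed sample: a Keycloak-style ID-token header (RS256, kid, typ, no "cty").
# The payload is minimal and the signature is a placeholder; only the header is checked.
SAMPLE_HEADER = {"alg": "RS256", "typ": "JWT", "kid": "constructed-kid-1"}
SAMPLE_PAYLOAD = {"iss": "https://idp.example/auth/realms/humhub", "sub": "user-1"}

# Signature algorithms an ID-token verifier would accept; "none" is never acceptable.
SUPPORTED_ALGS = {"RS256", "RS384", "RS512", "ES256", "ES384", "ES512"}


def b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def build_jws(header, payload, signature=b"\x00" * 32):
    """Compact JWS serialization: header.payload.signature (placeholder signature)."""
    return ".".join([
        b64url_encode(json.dumps(header, separators=(",", ":")).encode()),
        b64url_encode(json.dumps(payload, separators=(",", ":")).encode()),
        b64url_encode(signature),
    ])


def protected_header(jws):
    parts = jws.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected 3 dot-separated parts)")
    return json.loads(b64url_decode(parts[0]))


def check_header_mandatory_cty(header):
    """The behaviour the answer describes: 'cty' treated as a required header."""
    if "cty" not in header:
        return False, "missing cty"
    return True, "ok"


def check_header_rfc7515(header):
    """RFC 7515 section 4.1: 'alg' is REQUIRED, 'typ' and 'cty' are OPTIONAL,
    and a token whose 'crit' lists an extension we do not implement MUST be rejected."""
    alg = header.get("alg")
    if not isinstance(alg, str):
        return False, "missing alg"
    if alg not in SUPPORTED_ALGS:
        return False, "unsupported alg %s" % alg
    crit = header.get("crit") or []
    if crit:
        return False, "unsupported critical header(s): %s" % ", ".join(crit)
    return True, "ok"
```

Running both checks on the constructed Keycloak-style token shows the first rejecting it for the missing "cty" while the RFC-conformant check accepts it.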
  • I am also trying to integrate Keycloak into humhub, but I am not really getting very far. I am trying it on humhub 1.5.1. Have you found a working solution? – Markus Kollers May 14 '20 at 14:24
  • Please have a look at the solution: If your version of humhub still uses "spomky-labs/jose" or uses the same OIDC adapter, it cannot work since it seems to wrongly implement the OIDC protocol. – Futureman2007 May 17 '20 at 00:20
  • Does this maybe help you? https://github.com/Worteks/humhub-auth-oidc/issues/1 – Futureman2007 May 17 '20 at 00:50
  • I didn't understand if this solution works or not! I've tried it, I can log in, but now I cannot log out and humhub raises a strange error: "url": "/humhub-1.5.3/user/auth/login", "status": 500, – JahStation Jul 30 '20 at 08:47