Problem/Motivation

When trying the Keycloak OpenID auth I get the following Apache error. Looking at the error, it is clearly an improperly configured Keycloak URL.

[Wed Mar 15 19:24:47.775192 2023] [proxy_fcgi:error] [pid 160737:tid 140271568262720] [client 10.220.127.13:54510] AH01071: Got error 'PHP message: Uncaught PHP Exception InvalidArgumentException: "The URI '/realms//protocol/openid-connect/auth' is invalid. You must use a valid URI scheme." at /var/www/d10/web/core/lib/Drupal/Core/Url.php line 293', referer: https://www.domain.org/user/login

I set the

  • Client ID = my client name set in keycloak
  • Client secret
  • Allowed domains = domain.org \n www.domain.org
  • Keycloak base URL = https://keycloak.xxprivxxx.org (I am not using the path based approach so not using /auth)
  • Keycloak realm = my realm name set in keycloak

Is there a setting somewhere that is causing the incorrectly assembled url as thrown in the error message?

Issue fork keycloak-3348275

Comments

jjflynn22 created an issue. See original summary.

bramdriesen

Version: 2.2.0-beta8 » 2.2.x-dev
Assigned: Unassigned » bramdriesen
Category: Support request » Bug report
Priority: Normal » Major
Related issues: +#3331270: Uncaught PHP Exception Symfony\\Component\\Routing\\Exception\\MissingMandatoryParametersException

Looking at this as we speak. It was also reported here. It has to do with how the new version of OpenID Connect is working and saving its settings.

bramdriesen

Status: Active » Needs work

If you keep the two (super complex) logout functions disabled, you should be fine for now.

I did break a bit of functionality in the KeycloakService in the process. I totally don't understand how the config loading can actually work in the way it is currently set up. It will require quite a bit of digging to see how to properly fix this. The module also totally doesn't take into account that you can have multiple Keycloak instances configured. (I think this is a thing since OpenID Connect 2.x.)

bramdriesen

So to put it more into perspective. The real issue is that the current keycloak implementation is trying to read all client settings from "openid_connect.settings.keycloak" which should not even exist since there are no specific openid_connect settings defined by the keycloak module. All settings like the base URL for example live in "openid_connect.client.CLIENT_MACHINE_NAME". But there are a lot of config reads in the Keycloak service on that first settings one. To replace the logic to fetch this from the correct client based on the logged in user will be quite a challenge, because there are a LOT of config reads...

Will keep digging.
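To make the two points above concrete (the malformed '/realms//protocol/openid-connect/auth' path from the issue summary, and the comment that client settings live in "openid_connect.client.CLIENT_MACHINE_NAME" rather than in a non-existent "openid_connect.settings.keycloak"), here is an added Python illustration. It is not code from the Keycloak or OpenID Connect modules; the in-memory config store, the settings key names (keycloak_base, keycloak_realm) and the client machine name "keycloak" are constructed assumptions. It shows how a read from the wrong config name yields empty values, how unchecked string assembly turns those into exactly the schemeless path in the log, and how validating the base URL and realm before building the endpoints fails early with a clear configuration error instead.

```python
"""Constructed example: building Keycloak OpenID Connect endpoint URLs from
per-client configuration, and refusing to build them from empty settings."""
from urllib.parse import urlparse

# Constructed stand-in for Drupal's config storage: config name -> config data.
# The config name pattern and the keys under 'settings' are assumptions, not
# the actual schema of the openid_connect or keycloak modules.
CONFIG_STORE = {
    "openid_connect.client.keycloak": {
        "id": "keycloak",
        "plugin": "keycloak",
        "settings": {
            "client_id": "drupal-site",                         # constructed
            "keycloak_base": "https://keycloak.example.org",    # constructed
            "keycloak_realm": "demo",                           # constructed
        },
    },
}


def config_get(name):
    """Return the data for a config name, or {} when no such config exists.
    Reading a config object that was never saved behaves like this: every
    key comes back empty rather than raising."""
    return CONFIG_STORE.get(name, {})


def auth_endpoint_unchecked(base_url, realm):
    """The failure mode from the issue: plain string assembly with no checks,
    so empty settings produce a path with no scheme and an empty realm."""
    return f"{base_url}/realms/{realm}/protocol/openid-connect/auth"


class KeycloakConfigError(ValueError):
    """Raised when client settings cannot produce a valid absolute endpoint."""


def validate_base_url(base_url):
    """Require an absolute http(s) URL; strip a trailing slash for joining."""
    parsed = urlparse((base_url or "").strip())
    if parsed.scheme not in ("http", "https") or not parsed.netloc:
        raise KeycloakConfigError(
            f"Keycloak base URL {base_url!r} must be an absolute http(s) URL")
    return parsed.geturl().rstrip("/")


def validate_realm(realm):
    """Require a non-empty realm that is a single path segment."""
    realm = (realm or "").strip()
    if not realm or any(ch in realm for ch in "/?#"):
        raise KeycloakConfigError(f"Keycloak realm {realm!r} is empty or not a single path segment")
    return realm


def build_endpoints(base_url, realm, legacy_auth_prefix=False):
    """Assemble the standard Keycloak OpenID Connect endpoints for one realm.
    legacy_auth_prefix covers the older path-based deployment under /auth."""
    base = validate_base_url(base_url)
    realm = validate_realm(realm)
    if legacy_auth_prefix and not base.endswith("/auth"):
        base += "/auth"
    root = f"{base}/realms/{realm}/protocol/openid-connect"
    return {
        "authorization": f"{root}/auth",
        "token": f"{root}/token",
        "userinfo": f"{root}/userinfo",
        "end_session": f"{root}/logout",
        "check_session_iframe": f"{root}/login-status-iframe.html",
    }


def endpoints_for_client(config_name):
    """Read the per-client settings by config name and build its endpoints.
    Reading from the wrong name (e.g. 'openid_connect.settings.keycloak')
    yields empty settings and therefore a KeycloakConfigError."""
    settings = config_get(config_name).get("settings", {})
    return build_endpoints(settings.get("keycloak_base"), settings.get("keycloak_realm"))


if __name__ == "__main__":
    print("unchecked, empty settings:", auth_endpoint_unchecked("", ""))
    print(endpoints_for_client("openid_connect.client.keycloak")["authorization"])
    try:
        endpoints_for_client("openid_connect.settings.keycloak")
    except KeycloakConfigError as exc:
        print("rejected:", exc)
```

The unchecked function reproduces the '/realms//protocol/openid-connect/auth' value from the Apache log when both settings are empty, which is what a read from a config object that was never saved produces. The checked path fails before any redirect URL is handed to the routing layer, so the error names the missing setting instead of surfacing as an uncaught exception on the login page.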

heneryh

Thank you @bramdriesen.

I have a Drupal site coexisting with a Nextcloud instance for document collaboration. I am trying to reduce complexity for my users who need to log into both instances.

I have a limited subset of users and not a mission-critical operational model so I am good with experimenting or using some hacks.

Appreciate your efforts!

bramdriesen

No problem :-) I guess I'll continue again on it this evening!

Also thanks for your testing effort!

heneryh

Issue summary: View changes

p-neyens made their first commit to this issue’s fork.

bramdriesen

Status: Needs work » Reviewed & tested by the community

Just tested, and the basics work! Logging in and logging out ;-)

Will merge this so we can tag a working release with at least the most important part working! Will create follow-up tickets for all the other things that we might spot.

  • BramDriesen committed 5a2a172b on 2.2.x
    Issue #3348275 by BramDriesen, p-neyens, jjflynn22, jerrac: Keycloak url...

bramdriesen

Status: Reviewed & tested by the community » Fixed

bramdriesen

Assigned: bramdriesen » Unassigned

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.

tarikflz

What happened with this issue? It completely breaks the Keycloak module. The getEndpoints method was removed from KeycloakService, but the getCheckSessionIframeUrl and getKeycloakSignOutEndpoint methods still use it. The whole module doesn't work for me.