Re: pgadmin and keycloak

Hi Yogesh,

Thank you for your support. I have several problems with pgadmin and
keycloak. For example,

if I use OAUTH2_SERVER_METADATA_URL, I received this error ""403
Client Error: Forbidden for url:
http://keycloak.xxx.xxxx:8080/realms/iam/.well-known/openid-configuration""

I I used your example, I received this error "

{"success":0,"errormsg":"'OAUTH2_API_BASE_URL'","info":"","result":null,"data":null}

If I use this configuration
>
> OAUTH2_CONFIG = [
> {
> 'OAUTH2_NAME': 'keycloak',
> 'OAUTH2_DISPLAY_NAME': 'KEYCLOAK',
> 'OAUTH2_CLIENT_ID': 'pgadmin',
> 'OAUTH2_CLIENT_SECRET': 'xxxx',
> 'OAUTH2_TOKEN_URL': 'http://keycloak.xxx.xxx:8080/realms/iam/protocol/openid-connect/token',
> 'OAUTH2_AUTHORIZATION_URL': 'http://keycloak.xxx.xxx:8080/realms/iam/protocol/openid-connect/auth',
> 'OAUTH2_USERINFO_ENDPOINT': 'http://keycloak.xxx.xxx:8080/realms/iam/protocol/openid-connect/userinfo',
> 'OAUTH2_API_BASE_URL': 'http://keycloak.xxx.xxx:8080/realms/iam',
> 'OAUTH2_ICON': 'fa-google',
> 'OAUTH2_BUTTON_COLOR': '#0000ff',
> 'OAUTH2_SCOPE': 'openid',
> 'OAUTH2_SSL_CERT_VERIFICATION': 'False',
> 'OAUTH2_ADDITIONAL_CLAIMS': {
> 'groups': ["administrators"],
> }
> }
> ]

I receive this error

{"success":0,"errormsg":"Expecting value: line 1 column 1 (char
0)","info":"","result":null,"data":null}

In the logs you can see
>
> 10.248.227.10 - - [02/Jan/2024:07:16:47 +0000] "POST /authenticate/login HTTP/1.1" 302 791 "https://pgadmin4.apps.xxxx.xxxx.dplt/login?next=%2F" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:120.0) Gecko/20100101 Firefox/120.0"
>
> 2024-01-02 07:16:48,400: ERROR pgadmin: Expecting value: line 1 column 1 (char 0)
> Traceback (most recent call last):
> File "/venv/lib/python3.11/site-packages/requests/models.py", line 971, in json
> return complexjson.loads(self.text, **kwargs)
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> File "/usr/lib/python3.11/json/__init__.py", line 346, in loads
> return _default_decoder.decode(s)
> ^^^^^^^^^^^^^^^^^^^^^^^^^^
> File "/usr/lib/python3.11/json/decoder.py", line 337, in decode
> obj, end = self.raw_decode(s, idx=_w(s, 0).end())
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> File "/usr/lib/python3.11/json/decoder.py", line 355, in raw_decode
> raise JSONDecodeError("Expecting value", s, err.value) from None
> json.decoder.JSONDecodeError: Expecting value: line 1 column 1 (char 0)
> During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File "/venv/lib/python3.11/site-packages/flask/app.py", line 1484,
in full_dispatch_request
rv = self.dispatch_request()
^^^^^^^^^^^^^^^^^^^^^^^
File "/venv/lib/python3.11/site-packages/flask/app.py", line 1469,
in dispatch_request
return self.ensure_sync(self.view_functions[rule.endpoint])(**view_args)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/pgadmin4/pgadmin/authenticate/oauth2.py", line 56, in oauth_authorize
status, msg = auth_obj.login()
^^^^^^^^^^^^^^^^
File "/pgadmin4/pgadmin/authenticate/__init__.py", line 301, in login
status, msg = self.source.login(self.form)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/pgadmin4/pgadmin/authenticate/oauth2.py", line 126, in login
profile = self.get_user_profile()
^^^^^^^^^^^^^^^^^^^^^^^
File "/pgadmin4/pgadmin/authenticate/oauth2.py", line 201, in get_user_profile
self.oauth2_current_client].authorize_access_token()
^^^^^^^^^^^^^^^^^^^^^^^^
File "/venv/lib/python3.11/site-packages/authlib/integrations/flask_client/apps.py",
line 101, in authorize_access_token
token = self.fetch_access_token(**params, **kwargs)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/venv/lib/python3.11/site-packages/authlib/integrations/base_client/sync_app.py",
line 342, in fetch_access_token
token = client.fetch_token(token_endpoint, **params)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/venv/lib/python3.11/site-packages/authlib/oauth2/client.py",
line 207, in fetch_token
return self._fetch_token(
^^^^^^^^^^^^^^^^^^
File "/venv/lib/python3.11/site-packages/authlib/oauth2/client.py",
line 364, in _fetch_token
return self.parse_response_token(resp)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/venv/lib/python3.11/site-packages/authlib/oauth2/client.py",
line 338, in parse_response_token
token = resp.json()
^^^^^^^^^^^
File "/venv/lib/python3.11/site-packages/requests/models.py", line
975, in json
raise RequestsJSONDecodeError(e.msg, e.doc, e.pos)
requests.exceptions.JSONDecodeError: Expecting value: line 1 column 1 (char 0)
10.248.227.10 - - [02/Jan/2024:07:16:48 +0000] "GET
/oauth2/authorize?state=zhsCc9Nspt61zaWitYqfT61JoHiHer&session_state=4d4bdc0d-3901-4d13-af89-d1646a3115b3&iss=http%3A%2F%2Fkeycloak.xxxx.xxxx%3A8080%2Frealms%2Fiam&code=dd98dd4a-bd20-49aa-861d-39f5d5af1795.4d4bdc0d-3901-4d13-af89-d1646a3115b3.ec389ead-d683-4f45-a63a-d93f0814efaf
HTTP/1.1" 500 104 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64;
rv:120.0) Gecko/20100101 Firefox/120.0"

Thanks for your support,

Best regards,
Jose

On Tue, Jan 2, 2024 at 5:41 AM Yogesh Mahajan
<yogesh(dot)mahajan(at)enterprisedb(dot)com> wrote:
>
> Hi Jose,
>
> pgAdmin 4 supports keycloak for authentication. Is there any error/difficulty while configuration?
> Here is typical configuration for keycloak provider -
>
> AUTHENTICATION_SOURCES = ['internal','oauth2']
> OAUTH2_CONFIG = [
>
> { 'OAUTH2_NAME': 'keycloak',
> 'OAUTH2_DISPLAY_NAME': 'Login with Keycloak',
> 'OAUTH2_CLIENT_ID': '<keycloak client id>',
> 'OAUTH2_CLIENT_SECRET': '<client secret>',
> 'OAUTH2_TOKEN_URL': 'https://<keycloak server ip:port>/realms/<realm_name>/protocol/openid-connect/token',
> 'OAUTH2_AUTHORIZATION_URL': 'https://<keycloak server ip:port>/realms/<realm_name>/protocol/openid-connect/auth',
>
> 'OAUTH2_API_BASE_URL': None,
> 'OAUTH2_USERINFO_ENDPOINT': 'https://<keycloak server ip:port>/realms/<realm_name>/protocol/openid-connect/userinfo',
> 'OAUTH2_SCOPE': 'openid',
> 'OAUTH2_USERNAME_CLAIM': None,
> 'OAUTH2_ICON': None,
> 'OAUTH2_BUTTON_COLOR': None,
> 'OAUTH2_SERVER_METADATA_URL': 'https://<keycloak server ip:port>//realms/<realm_name>/.well-known/openid-configuration',
> 'OAUTH2_SSL_CERT_VERIFICATION': False
> }]
>
>
>
> Thanks,
> Yogesh Mahajan
> EnterpriseDB
>
>
> On Mon, Jan 1, 2024 at 10:05 PM Jose M Barreiro <jmbarreiro(at)gmail(dot)com> wrote:
>>
>> Hi,
>>
>> First of all, Happy New Year!!!!
>>
>> I have a problem with pgadmin and keycloak. We need to change our IDP, actually we are using okta and pgadmin is working fine with it.
>>
>> We need to configure pgadmin to use keycloak but it's not possible to configure pgadmin to work with keycloak.
>>
>> Can you help us to understand the reason?
>>
>> Best regards,
>> Jose
>>