External users reporting GitHub OAuth problems

#201
Opened by tazjin at 2022-10-04T22·39+00

Somebody on GitHub reported that they couldn't log in to our auth service using GitHub OAuth: https://github.com/tazjin/nix-1p/pull/9

I suspect this might be related to the recent changes in Keycloak's Terraform config. Logs should cover it just fine.

  1. It actually just looks like Keycloak didn't start up properly in time:

    Oct 04 22:28:28 whitby nginx[1417022]: 2022/10/04 22:28:28 [error] 1417022#1417022: *6148698 connect() failed (111: Connection refused) while connecting to upstream, client: 73.xxx.xxx.xxx, server: auth.tvl.fyi, request: "GET /auth/realms/TVL/protocol/openid-connect/auth?response_type=code&client_id=gerrit&redirect_uri=https%3A%2F%2Fcl.tvl.fyi%2Foauth&scope=openid&state=[redacted] HTTP/2.0", upstream: "http://[::1]:5925/auth/realms/TVL/protocol/openid-connect/auth?response_type=code&client_id=gerrit&redirect_uri=https%3A%2F%2Fcl.tvl.fyi%2Foauth&scope=openid&state=[redacted]", host: "auth.tvl.fyi" Oct 04 22:28:28 whitby nginx[1417022]: {"remote_addr":"73.xxx.xxx.xxx","method":"GET","host":"auth.tvl.fyi","uri":"/auth/realms/TVL/protocol/openid-connect/auth?response_type=code&client_id=gerrit&redirect_uri=https%3A%2F%2Fcl.tvl.fyi%2Foauth&scope=openid&state=[redacted]","status":200,"request_size":485,"response_size":1484,"response_time":0.005,"referrer":"","user_agent":"[redacted]"} Oct 04 22:28:29 whitby nginx[1417022]: {"remote_addr":"73.xxx.xxx.xxx","method":"GET","host":"auth.tvl.fyi","uri":"/auth/resources/dhc79/common/keycloak/web_modules/@patternfly/react-core/dist/styles/base.css","status":200,"request_size":117,"response_size":6133,"response_time":0.002,"referrer":"","user_agent":"[redacted]"} Oct 04 22:28:29 whitby nginx[1417022]: {"remote_addr":"73.xxx.xxx.xxx","method":"GET","host":"auth.tvl.fyi","uri":"/auth/resources/dhc79/common/keycloak/web_modules/@patternfly/react-core/dist/styles/app.css","status":200,"request_size":79,"response_size":114335,"response_time":0.003,"referrer":"","user_agent":"[redacted]"}

    lukegb at 2022-10-04T23·31+00

  2. It seems to work fine for zimbatm also, who has a Github-only account.

    Luke, why was it (re-)starting in the first place?

    tazjin at 2022-10-05T08·24+00

  3. This is something more serious, got another report and caught these logs:

    http://ix.io/4cqH

    tazjin at 2022-10-06T10·09+00

  4. The error is caused in this line when casting to ArrayNode. The GitHub documentation of the corresponding API endpoint tells us that it returns an array, so this should work. My guess would be that GitHub returns some kind of error as an object, but we would need to confirm this by logging the original response.

    Searching on the keycloak bugtracker reveals https://github.com/keycloak/keycloak/issues/9429 which diagnoses the root cause as having emails set to private in GitHub – maybe keycloak should request more permissions?

    sterni at 2022-11-09T22·01+00