External users reporting GitHub OAuth problems

Somebody on GitHub reported that they couldn't log in to our auth service using GitHub OAuth: https://github.com/tazjin/nix-1p/pull/9

I suspect this might be related to the recent changes in Keycloak's Terraform config. Logs should cover it just fine.

1. It actually just looks like Keycloak didn't start up properly in time:

   Oct 04 22:28:28 whitby nginx[1417022]: 2022/10/04 22:28:28 [error] 1417022#1417022: *6148698 connect() failed (111: Connection refused) while connecting to upstream, client: 73.xxx.xxx.xxx, server: auth.tvl.fyi, request: "GET /auth/realms/TVL/protocol/openid-connect/auth?response_type=code&client_id=gerrit&redirect_uri=https%3A%2F%2Fcl.tvl.fyi%2Foauth&scope=openid&state=[redacted] HTTP/2.0", upstream: "http://[::1]:5925/auth/realms/TVL/protocol/openid-connect/auth?response_type=code&client_id=gerrit&redirect_uri=https%3A%2F%2Fcl.tvl.fyi%2Foauth&scope=openid&state=[redacted]", host: "auth.tvl.fyi" Oct 04 22:28:28 whitby nginx[1417022]: {"remote_addr":"73.xxx.xxx.xxx","method":"GET","host":"auth.tvl.fyi","uri":"/auth/realms/TVL/protocol/openid-connect/auth?response_type=code&client_id=gerrit&redirect_uri=https%3A%2F%2Fcl.tvl.fyi%2Foauth&scope=openid&state=[redacted]","status":200,"request_size":485,"response_size":1484,"response_time":0.005,"referrer":"","user_agent":"[redacted]"} Oct 04 22:28:29 whitby nginx[1417022]: {"remote_addr":"73.xxx.xxx.xxx","method":"GET","host":"auth.tvl.fyi","uri":"/auth/resources/dhc79/common/keycloak/web_modules/@patternfly/react-core/dist/styles/base.css","status":200,"request_size":117,"response_size":6133,"response_time":0.002,"referrer":"","user_agent":"[redacted]"} Oct 04 22:28:29 whitby nginx[1417022]: {"remote_addr":"73.xxx.xxx.xxx","method":"GET","host":"auth.tvl.fyi","uri":"/auth/resources/dhc79/common/keycloak/web_modules/@patternfly/react-core/dist/styles/app.css","status":200,"request_size":79,"response_size":114335,"response_time":0.003,"referrer":"","user_agent":"[redacted]"}

   lukegb at 2022-10-04T23·31+00

2. It seems to work fine for zimbatm also, who has a Github-only account.

   Luke, why was it (re-)starting in the first place?

   tazjin at 2022-10-05T08·24+00

3. This is something more serious, got another report and caught these logs:

   http://ix.io/4cqH

   tazjin at 2022-10-06T10·09+00

4. The error is caused in this line when casting to ArrayNode. The GitHub documentation of the corresponding API endpoint tells us that it returns an array, so this should work. My guess would be that GitHub returns some kind of error as an object, but we would need to confirm this by logging the original response.

   Searching on the keycloak bugtracker reveals https://github.com/keycloak/keycloak/issues/9429 which diagnoses the root cause as having emails set to private in GitHub – maybe keycloak should request more permissions?

   sterni at 2022-11-09T22·01+00

5. https://github.com/keycloak/keycloak/issues/9429#issuecomment-1455979968 mentioned "Github have changed the flow to consent and release private email field and this works now."

   flokli at 2023-04-26T15·31+00

6. flokli closed this issue at 2023-04-26T15·31+00
7. flokli reopened this issue at 2023-05-16T17·05+00

8. This just happened again, so it semes it's not fixed.

   flokli at 2023-05-16T17·05+00

9. Let's see if other keycloak users can corroborate this: https://github.com/keycloak/keycloak/issues/9429#issuecomment-1550066834. From the logs it seems to be the same issue as before.

   sterni at 2023-05-16T17·17+00

10. https://github.com/keycloak/keycloak/issues/9429 contains a fix - we essentially needed to switch from "OAuth App" to "GitHub App", which totally makes sense…

    Fix is up in https://cl.tvl.fyi/c/depot/+/12413, and already applied. Let's see how it goes.

    flokli at 2024-09-01T12·47+00

11. https://cl.tvl.fyi/c/depot/+/12413 has landed, so this should be fixed - closing until we hear otherwise.

    flokli at 2024-09-01T13·23+00

12. flokli closed this issue at 2024-09-01T13·23+00