Keycloak userinfo URL endpoint problem

breed · June 1, 2021, 1:55pm

Hi I have a problem with userinfo endpoint. Authentication works correctly but in log I see problem.

In Oauth2-proxy log I see
2021-05-27T12:43:21.370402108Z [2021/05/27 12:43:21] [internal_util.go:69] 400 GET https://keycloak.example.com/auth/realms/local/protocol/openid-connect/userinfo?access_token=eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICIxRXQ4bWZPVVRLVG14YkdmNUp2bVNDY1BOUU81dDBPMkJiekp0a2NjNzdjIn0.eyJleHAiOjE2MjIxMTk3MDEsImlhdCI6MTYyMjExOTQwMSwiYXV0aF90aW1lIjoxNjIyMTE5NDAxLCJqdGkiOiIwYzJmNTRmNy01ZWNmLTRkMTEtODliYi0wYjg2M2M1ZDIzY2YiLCJpc3MiOiJodHRwczovL2tleWNsb2FrLXN0YWdlLm9rdWJlMS5rdWJlLmxzb2ZmaWNlLmN6L2F1dGgvcmVhbG1zL2xvY2FsIiwiYXVkIjpbIm9hdXRoMi1rZXljbG9hayIsImFjY291bnQiXSwic3ViIjoiZjEwZDFmNzAtZjE3Ni00MThkLWI5ZGEtNDViYjdlYmVjMGY5IiwidHlwIjoiQmVhcmVyIiwiYXpwIjoib2F1dGgyLWtleWNsb2FrIiwic2Vzc2lvbl9zdGF0ZSI6IjhiNjM5ODJhLWE1NzUtNDVmYy05ZTQ1LWZiMzk1YTk4ZjRkZCIsImFjciI6IjEiLCJyZWFsbV9hY2Nlc3MiOnsicm9sZXMiOlsib2ZmbGluZV9hY2Nlc3MiLCJ1bWFfYXV0aG9yaXphdGlvbiJdfSwicmVzb3VyY2VfYWNjZXNzIjp7ImFjY291bnQiOnsicm9sZXMiOlsibWFuYWdlLWFjY291bnQ... {"error":"invalid_request","error_description":"Token not provided"}

but login works fine

Keycloak LOG
12:27:29,404 WARN [org.keycloak.events] (default task-134) type=USER_INFO_REQUEST_ERROR, realmId=local, clientId=null, userId=null, ipAddress=XXX, error=invalid_token, auth_method=validate_access_token

Oauth2-proxy config

args:

–provider=keycloak
–upstream=file:///dev/null
–client-id=oauth2-keycloak
–client-secret=XXX
–cookie-secret=XXXX
–login-url=https://keycloak.example.com/auth/realms/local/protocol/openid-connect/auth
–redeem-url=https://keycloak.example.com/auth/realms/local/protocol/openid-connect/token
–profile-url=https://keycloak.example.com/auth/realms/local/protocol/openid-connect/userinfo
–validate-url=https://keycloak.example.com/auth/realms/local/protocol/openid-connect/userinfo
–email-domain=*
–http-address=0.0.0.0:8091
–whitelist-domain=.domain.com
–cookie-domain=…domain.com
–scope=openid profile email users
–redirect-url=https://oauth2-proxy.domain.com/oauth2/callback
–cookie-refresh=0
–cookie-expire=168h

Ingress setting

annotations:
    nginx.ingress.kubernetes.io/auth-url: "https://oauth2-proxy.domain.com/oauth2/auth?allowed_groups=security"
    nginx.ingress.kubernetes.io/auth-signin: "https://oauth2-proxy.domain.com/oauth2/start?rd=https://$host$request_uri"
    nginx.ingress.kubernetes.io/proxy-buffer-size: "64k"
    nginx.ingress.kubernetes.io/proxy-buffers-number: "8"

oauth2-proxy in kubernetes
image: quay.io/oauth2-proxy/oauth2-proxy:v7.1.3

Keycloak 13.0.1 latest image in Kubernetes

Topic		Replies	Views
Issue with old web-service during authentification Getting advice authentication	0	197	May 28, 2021
Issue on userinfo endpoint at keycloak 20+ Configuring the server	10	18184	January 6, 2024
An internal server error has occurred & Invalid Request Configuring the server authentication , saml	1	4936	October 25, 2022
Issue userId=null when upgrading keycloack Configuring the server upgrading	0	1408	August 22, 2021
Unable to integrate Keycloak with any identity provider Securing applications	2	1751	December 19, 2022

Keycloak userinfo URL endpoint problem

Related Topics