OpenID Connect extension not creating new Discourse users

Oh wonderful. Will do. That means I can pull uploads off it when I decide to move over.

Edit:

@pfaffman Thanks for getting my ssh key added. With the extra server I was able to isolate the bug to being unrelated to reverse proxies. I threw the droplet you set up on https://webber-server.bitphoenixsoftware.com/, left everything in the app.yml the same except for adding the openid-connect plugin, changing smtp settings to work with the new domain, and changing my From email to work with the new smtp server.

I let Discourse update while rebuilding (finally I can stop getting those emails :D) so I’m now on latest tests-passed on Webber Server. I configured OpenID Connect on it too to point to Keycloak on Cassian Server.

On Cassian Server, I reconfigured the redirect URI and other URIs in the discourse client to point to Webber Server.

In Keycloak:

In Discourse:

There is now a “Login with OpenID Connect” button on https://webber-server.bitphoenixsoftware.com/ (formerly https://community.watercolorgames.net/). Awesome. However, like on https://forum.bitphoenixsoftware.com/, no registration UI is shown when no Discourse user exists for the authenticated Keycloak user.

So, same exact issue! This rules out it being anything to do with Cloudflare or my Apache reverse proxy since neither are used for Webber Server. At least we’re narrowing it down to either a Keycloak config issue or a Discourse issue.

Also, yes. I name servers after characters from the MacGyver 2016 reboot. Deal with it.

MAJOR REVELATION: Webber Server has this in its Error Log…

(oidc) Authentication failure! csrf_detected: OmniAuth::Strategies::OAuth2::CallbackError, csrf_detected | CSRF detected

Cross-site request forgery! Yay!

Another update:

@dave @pfaffman With the help of the extra server I was able to isolate the issue as having nothing to do with reverse proxies. After enabling CORS on Webber Server and adding auth.bitphoenixsoftware.com as a CORS origin, I no longer get CSRF errors and instead get the exact same outcome that I would get logging into Cassian Server’s Discourse.

So…

  • you go to discourse as guest
  • you log in using openid connect
  • auth is successful but no discourse user exists for you
  • you get redirected to discourse with no error and no UI to complete your registration.
  • you now get put back on the homepage, as guest again.
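The csrf_detected failure quoted above comes from OmniAuth's OAuth2 strategy comparing the `state` parameter the provider echoes back on the callback against the one it stored in the session at the start of the login. The Ruby below is an added, simplified model of that check, not code from the post, the openid-connect plugin or OmniAuth itself (`OAuth2StateCheck` and the scenario functions are names chosen here); it shows the two ways the check fails: the session that held the state is not present on the callback request, or the returned state does not match.

```ruby
require "securerandom"

# Simplified model of OmniAuth's OAuth2 state check (added illustration, not
# the plugin's or OmniAuth's own code). The real strategy stores a random
# `state` in the session during the request phase and, in the callback phase,
# fails with :csrf_detected when the echoed `state` is missing or differs from
# the stored one (unless the strategy is configured to ignore state).
class OAuth2StateCheck
  SESSION_KEY = "omniauth.state"

  # Request phase: mint a state, keep it in the session, and return the query
  # parameter the provider (Keycloak here) will echo back on the redirect URI.
  def self.request_phase(session)
    state = SecureRandom.hex(24)
    session[SESSION_KEY] = state
    { "state" => state }
  end

  # Callback phase: compare the echoed state with the one in the session.
  # Returns :ok, or :csrf_detected, the same failure key OmniAuth reports.
  def self.callback_phase(session, params, provider_ignores_state: false)
    return :ok if provider_ignores_state
    returned = params["state"].to_s
    return :csrf_detected if returned.empty? || returned != session.delete(SESSION_KEY)
    :ok
  end
end

# Constructed scenarios below; none of them talk to a real provider.

# Same browser session on both legs of the flow: the check passes.
def happy_path
  session = {}
  params = OAuth2StateCheck.request_phase(session)
  OAuth2StateCheck.callback_phase(session, params)
end

# The callback arrives without the session that held the state (for example the
# session cookie was not sent with the cross-site redirect), so nothing matches.
def lost_session
  params = OAuth2StateCheck.request_phase({})
  OAuth2StateCheck.callback_phase({}, params)
end

# The callback carries a state that was never minted for this session.
def foreign_state
  session = {}
  OAuth2StateCheck.request_phase(session)
  OAuth2StateCheck.callback_phase(session, { "state" => "some-other-state" })
end
```

Only the first scenario returns :ok; the other two return :csrf_detected, which is what Discourse logs as "Authentication failure! csrf_detected".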