OpenID Connect plugin does not create new users in Discourse

Can confirm I don’t have any other themes or plugins installed. The only differences between my setup and the standard install are:

  • Cloudflare - I’m not going to put direct load toward my server like that. I disabled it for now to test.
  • Apache - Discourse is sitting behind an apache2 virtual host acting as a reverse proxy.

Discourse itself exposes its internal port 80 to port 8082 on the docker host. The reverse proxy then listens on ports 80 and 443 and it deals with SSL. All requests to port 80 redirect you to 443, and 443 on hostname forum.bitphoenixsoftware.com is the reverse proxy in front of port 8082.

I do the same thing for auth.bitphoenixsoftware.com which is a reverse proxy sitting in front of Keycloak.

I do this so that I can run things like a LAMP stack (for the MediaWiki, blog, etc) on the same box as Keycloak and Discourse and have Apache be the Internet-facing web server for everything.

Cloudflare

I followed @david’s suggestion to disable Cloudflare routing. This resulted in:

  • SSL certificate errors
  • Not fixing the issue. Still can’t log in or create an account.

My guess is it is the Apache reverse proxy.

Edit

@david, I see your login attempt in the Keycloak console log. Though the only warning/error is invalid_auth_credentials, indicating you probably typoed while logging in. So that’s definitely not related.

As far as errors on Keycloak’s end related to me or my moderator, nada. It’s all just things like “that username doesn’t exist,” “invalid password,” etc.

Are there any other Discourse logs I can look at? I know I can look at /logs, but even with verbose logging on there are no errors when I log in. I do know it stops logging after verifying the JWT. Could that be related to my SSL errors with Cloudflare off…? Last night it was getting far enough to log who logged in (username, email, etc.).

Edit 2: @codinghorror To clarify what I meant by “automatically”: I meant that even if the user has to set up their Discourse profile after logging in, like you would with Google OAuth, the actual authentication is done through Keycloak. I.e., the user never enters their password into Discourse’s UI.

Edit 3: :eyes: I see some weirdness in my rails production.log

Processing by Users::OmniauthCallbacksController#complete as HTML
  Parameters: {"state"=>"<redacted>", "session_state"=>"<redacted>", "code"=>"<redacted>", "provider"=>"oidc"}
Redirected to https://forum.bitphoenixsoftware.com/?
Completed 302 Found in 19ms (ActiveRecord: 7.5ms)

This happens when signing into Keycloak with a user whose Discourse account doesn’t exist yet. In theory this should trigger a UI prompting the user to complete registration, right? If so, then why is it redirecting the user back to the home page with a ? at the end but no URL params?

This is very, very strange.

Edit 4: I decided to just reinstall Discourse completely but retaining my app.yml. This time I will set it up as a public forum and not touch anything to do with login unrelated to OIDC.

That’s usually one of my troubleshooting steps lol, reinstall and hope like hell it works. A.k.a. operation: nuke everything.

I hope it works.
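As an added example, not taken from the post above or from Discourse’s or Keycloak’s own documentation, here is the shape of an Apache vhost pair matching the layout the post describes: port 80 redirecting everything to 443, and 443 on forum.bitphoenixsoftware.com proxying to the container published on host port 8082. The certificate paths and the assumption that the container is bound to 127.0.0.1 are placeholders. The two headers worth checking in any such setup are Host (via ProxyPreserveHost) and X-Forwarded-Proto, because a proxied app that only sees plain HTTP from Apache has no other way to know the client connection was TLS, and that is exactly the information it needs when it builds absolute https:// URLs such as OAuth/OIDC callback and post-login redirects.

```apache
# Added example: Apache reverse proxy in front of a Discourse container whose
# internal port 80 is published on host port 8082 (as described in the post).
# Assumptions, not from the post: the container listens only on 127.0.0.1,
# certificates are under /etc/letsencrypt, and mod_ssl, mod_proxy,
# mod_proxy_http, mod_headers and mod_alias are enabled.
# Apache does not allow trailing comments after a directive, so every comment
# sits on its own line.

<VirtualHost *:80>
    ServerName forum.bitphoenixsoftware.com
    # Nothing is served or proxied over plain HTTP; every request is sent to HTTPS.
    Redirect permanent / https://forum.bitphoenixsoftware.com/
</VirtualHost>

<VirtualHost *:443>
    ServerName forum.bitphoenixsoftware.com

    SSLEngine on
    # Assumed certificate paths; replace with the real ones.
    SSLCertificateFile    /etc/letsencrypt/live/forum.bitphoenixsoftware.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/forum.bitphoenixsoftware.com/privkey.pem

    # Pass the browser's Host header through, so the app sees
    # forum.bitphoenixsoftware.com rather than 127.0.0.1:8082.
    ProxyPreserveHost On

    # Tell the app that the client connection was TLS. Between Apache and the
    # container the traffic is plain HTTP, so without this header the app only
    # sees "http" and may build http:// URLs for redirects and callbacks.
    RequestHeader set X-Forwarded-Proto "https"

    # mod_proxy adds X-Forwarded-For / X-Forwarded-Host itself; no extra
    # RequestHeader lines are needed for the client IP.

    ProxyPass        / http://127.0.0.1:8082/
    ProxyPassReverse / http://127.0.0.1:8082/
</VirtualHost>
```

The vhost for auth.bitphoenixsoftware.com in front of Keycloak would have the same shape with a different ServerName and backend port. After editing, `apachectl -t` validates the syntax, `curl -I http://forum.bitphoenixsoftware.com/` should show the 301 to https, and a request through the 443 vhost can be checked on the backend side by looking for the X-Forwarded-Proto: https header in what the container actually receives.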