I’ve been trying to figure this out for a while and can’t seem to resolve this issue. I’m trying to integrate Discourse with a Keycloak setup for authentication using the discourse-openid-connect plugin. I’m running the discourse-docker version 3.0.1. Right now, when clicking the OpenID Connect login button, this message pops up in Discourse: “Unable to fetch configuration from identity provider. Please try again.”
I’m migrating to a new Discourse setup, and the funny thing is, Discourse is able to reach the Keycloak login screen using my OLD Keycloak instance just fine, but can’t with my new one. This means the following should be true:
- openid-connect plugin settings are definitely correct (copied from old Discourse)
- Keycloak settings for the Discourse client are definitely correct (copied from old Discourse)
- there is no networking issue
- there is no firewall on, or anything else blocking traffic
I’ve additionally found I can successfully curl the discovery document URL for Keycloak from the Discourse instance just fine. The Keycloak version is the same as the old one, and Keycloak authentication works fine for other tools located in the same AWS region and AZ as Discourse. Below is the error from the logs when I try to log in using openid-connect.
I’ve done research and tested so much and nothing has worked. The error about disallowed IPs seems pretty generic, and I’m almost certain there is no firewall blocking anything, especially since I can curl the discovery document just fine. I can only think that possibly discourse is trying to pull the document from a cache somewhere or is not hitting the right token URL, but I just don’t know. Any help would be appreciated.
```
Started GET "/session/csrf" for <my_ip> at 2023-02-01 18:02:24 +0000
Processing by SessionController#csrf as JSON
Completed 200 OK in 2ms (Views: 0.2ms | ActiveRecord: 0.0ms | Allocations: 406)
Started POST "/auth/oidc" for 10.158.133.85 at 2023-02-01 18:02:24 +0000
(oidc) Setup endpoint detected, running now.
OIDC Log: Fetching discovery document from https://<keycloak_URL>.com/auth/realms/<my_realm>/.well-known/openid-configuration
OIDC Log: Fetching discovery document raised error Faraday::ConnectionFailed FinalDestination: all resolved IPs were disallowed
OIDC Log: Discovery document is
---
(oidc) Request phase initiated.
(oidc) Authentication failure! openid_connect_discovery_error: OmniAuth::OpenIDConnect::DiscoveryError, Discovery document is missing
Started GET "/auth/failure?message=openid_connect_discovery_error&strategy=oidc" for <my_ip> at 2023-02-01 18:02:24 +0000
Processing by Users::OmniauthCallbacksController#failure as HTML
Parameters: {"message"=>"openid_connect_discovery_error", "strategy"=>"oidc"}
Rendered users/omniauth_callbacks/failure.html.erb within layouts/no_ember (Duration: 0.1ms | Allocations: 17)
Rendered layout layouts/no_ember.html.erb (Duration: 17.3ms | Allocations: 5113)
Completed 200 OK in 24ms (Views: 19.7ms | ActiveRecord: 0.0ms | Allocations: 6610)
```
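The `FinalDestination: all resolved IPs were disallowed` line in the log comes from an SSRF guard: before an outbound fetch, the resolved addresses of the target host are checked against internal ranges, and the request is refused when every address is internal. The Ruby script below is an added diagnostic written for this thread (not the poster's code and not Discourse's own `FinalDestination` implementation); the range list, the `check_host` helper and the `allowed_internal_hosts` parameter are this example's own assumptions that mirror how such a guard behaves.

```ruby
require "ipaddr"
require "resolv"

# Ranges an SSRF guard typically treats as internal: loopback, RFC 1918,
# link-local, CGNAT, unspecified, and their IPv6 counterparts.
# Assumption for illustration; a real guard keeps its own list.
DISALLOWED_RANGES = %w[
  0.0.0.0/8 10.0.0.0/8 100.64.0.0/10 127.0.0.0/8 169.254.0.0/16
  172.16.0.0/12 192.168.0.0/16 ::/128 ::1/128 fc00::/7 fe80::/10
].map { |cidr| IPAddr.new(cidr) }

# True when the address falls inside any disallowed range.
def internal_ip?(ip)
  addr = IPAddr.new(ip.to_s)
  DISALLOWED_RANGES.any? { |range| range.include?(addr) }
end

# Classifies each resolved address of a host. Returns :allowlisted when the
# operator explicitly trusts the host, :reachable when at least one address
# is routable, and :all_disallowed when every address is internal (the
# condition behind the "all resolved IPs were disallowed" log line).
def check_host(host, ips, allowed_internal_hosts: [])
  return { verdict: :allowlisted, ips: {} } if allowed_internal_hosts.include?(host)
  results = ips.each_with_object({}) do |ip, acc|
    acc[ip] = internal_ip?(ip) ? :disallowed : :allowed
  end
  verdict = results.value?(:allowed) ? :reachable : :all_disallowed
  { verdict: verdict, ips: results }
end

# Resolves a host with the system resolver, as the application container would.
def resolve(host)
  Resolv.getaddresses(host)
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample: a Keycloak hostname that resolves only to a VPC-private
  # address, which a plain curl accepts but the SSRF guard refuses.
  sample = { "idp.internal.example" => ["10.0.5.20"] }
  sample.each { |host, ips| p check_host(host, ips) }
end
```

Run it with the real identity-provider hostname substituted and `resolve(host)` in place of the constructed address list; curl performs no such address check, so a successful curl from the same box does not rule this guard out.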