Keycloak OpenID registration/login failed "user not found with email..."

[prononext]

What happened?

I was following exactly the new Keycloak doc: https://www.librechat.ai/docs/configuration/authentication/OAuth2-OIDC/keycloak

I cannot get a registration or login via OpenID/Keycloak to work. I always get following error on the LibreChat logs:

2024-06-22 13:31:35 info: [openidStrategy] verify login openidId: mykeycloak-userid
2024-06-22 13:31:35 info: [openidStrategy] user not found with openidId: mykeycloak-userid
2024-06-22 13:31:35 info: [openidStrategy] user not found with email: mykeycloak@email.com for openidId: mykeycloak-userid

Following the doc was not working directly so I had to modify the setup like this, to get to get it connected:

My ENVs:

      - OPENID_CLIENT_ID=libre-chat
      - OPENID_CLIENT_SECRET=myclientsecret
      - OPENID_ISSUER=https://mykeycloak.url/realms/MYREALM
      - OPENID_SESSION_SECRET=randomsecret
      - OPENID_SCOPE=openid profile email
      - OPENID_CALLBACK_URL=/oauth/openid/callback
      - OPENID_REQUIRED_ROLE=Libre-Chat
      - OPENID_REQUIRED_ROLE_TOKEN_KIND=access
      - OPENID_REQUIRED_ROLE_PARAMETER_PATH=realm_access.roles

As visible the granted Keycloak user gets pulled but somehow LibreChat seems to search for the user in its own database and as it is not there its not logging in and resulting in going back to the LibreChat login page without registration/login of the OpenID user of Keycloak.

I have tried houndrets of different configurations apart from the one mentioned in the LibreChat Docs for OpenID, but had no success.

My login security ENVs for LibreChat, which I tried in multiple different variations without success.

      - ALLOW_EMAIL_LOGIN=true
      - ALLOW_REGISTRATION=true
      - ALLOW_SOCIAL_LOGIN=true
      - ALLOW_SOCIAL_REGISTRATION=true
      - ALLOW_ACCOUNT_DELETION=false (by the way the account deletion button is still available if this is set and also a account can still be delted which I have testet)

Steps to Reproduce

1. have a LibreChat instance on a FQDN
2. have a Keycloak instance on a FQDN
3. configure Keycloak client and access for LibreChat application
4. Add the Keycloak info to LibreChat ENVs
5. Try to login using OpenID

What browsers are you seeing the problem on?

Firefox, Chrome, Microsoft Edge

Relevant log output

No response

Screenshots

No response

Code of Conduct

• I agree to follow this project's Code of Conduct

[danny-avila]

are you on v0.7.3? There was a related OpenID issue there, but fixed in the latest version: #3087

However,

2024-06-22 13:31:35 info: [openidStrategy] user not found with email: mykeycloak@email.com for openidId: mykeycloak-userid

this is not an error, just an info log, what happens after this?

double check some other issues surrounding keycloak:

#3073
#2992

[prononext]

Hi @danny-avila

I am running the latest LibreChat@0.7.4-rc1 and I have checked all related Keycloak issues without any success.

• When I click on "Continue with OpenID" on the LibreChat Login page it redirects me to my Keycloak.
• On the Keycloak I login with the user that has permission to access LibreChat
• Then I get back to LibreChat Login Page, without anything changed, just like I did not even login. With following the log message I have provided. After this there are no more logs, just if I repeat this process its the same log again.

It seems like it tries to find the user inside LibreChat, but does not create it.

Thank you @danny-avila I love your wonderful software (and music 💯 ), very good and clean product.

[prononext]

Does anyone maybe have a tested config for Keycloak, because the one in the docs does not work out of the box somehow?

[prononext]

I finally got it! 🙏Problem was that realm and Client roles we're not handled like in other applications. The settings above we're correct but client roles and associated client roles cannot be used.

[danny-avila]

@prononext is there anything we can add to the docs to make sure it works as intended for everyone?

[prononext]

I am not sure. I have documented that style of ENV format for LibreChat with Keycloak. Maybe it helps:

Mandatory ENVs:

      - OPENID_CLIENT_ID=LibreChat    # The Client ID from your Keycloak Client Settings
      - OPENID_CLIENT_SECRET=your-client-secret    # The Client Secret from your Keycloak Client Credentials
      - OPENID_ISSUER=https://keycloak-url/realms/REALM-NAME    # Your Keycloak REALM URL
      - OPENID_SESSION_SECRET=random-self-generated-secret   # Random Session Secret (can be self generated)
      - OPENID_SCOPE=openid profile email   # Scopes from Keycloak to identify the user can be kept like this
      - OPENID_CALLBACK_URL=/oauth/openid/callback  # Callback URL for Callback from Keycloak to LibreChat can be kept like this
      - OPENID_REQUIRED_ROLE=created-realm-role  # Keycloak Realm Role name for LibreChat (Not Client Role) must be assigned to user or group with user assigned
      - OPENID_REQUIRED_ROLE_TOKEN_KIND=access # Keycloak Access Token kind. Can be "access" or "id" depending on your setup
      - OPENID_REQUIRED_ROLE_PARAMETER_PATH=realm_access.roles  # Keycloak Role Parameter path, can be kept like this

Optional ENVs:

      - OPENID_IMAGE_URL=https://url-to-image-on-openid-login-button  # If you want a stylish image on your OpenID login button inside LibreChat
      - OPENID_BUTTON_LABEL=Login with OpenID # If you want a custom Text on your OpenID login button in LibreChat

[MarcelRei]

Still doesn't work.
OPENID_CLIENT_ID=librechat
OPENID_CLIENT_SECRET=*******************
OPENID_ISSUER=https://keycloak01.domain.com/realms/realm
OPENID_SESSION_SECRET=*********************
OPENID_SCOPE="openid profile email userID"
OPENID_CALLBACK_URL=/oauth/openid/callback
OPENID_REQUIRED_ROLE=libregpt
OPENID_REQUIRED_ROLE_TOKEN_KIND=access
OPENID_REQUIRED_ROLE_PARAMETER_PATH=realm_access.roles

[prononext]

Your Scope is not the same.
Did you try it with a FQDN on https port 443 instead of a local one on custom port 3080?
Did you assign the realm role to the user you are trying to login with or a group which the user is part of?

[MarcelRei]

The scope was from a previous idea. I can try 443 but 3080 was the default after the installation guide.
Yes, the realm role is asigned to the user.

[prononext]

Is 3080 the url where you open LibreChat on? It should be if you use this setting.
I never used non https domains on Keycloak and always used the urls where I access my app without Keycloak also.

[MarcelRei]

yes, it is.
I am just following the guide on the website and that is without https and the custom port.