Ocis with keycloak&nginx problem

[rtest12]

Please, help(
I’m trying to run ocis in docker with my own keycloak (also in docker, that was installed before) and nginx.
I get error when logging in

Login Error
Your user session is invalid or has expired.
If you like to login with a different user please proceed to exit.
Attention: this will log you out from all applications you are running in this browser with your current user.

docker log

{“level”:“error”,“service”:“proxy”,“error”:“401 Unauthorized: {“error”:“invalid_token”,“error_description”:“Token verification failed”}”,“time”:“2022-04-14T19:11:27Z”,“message”:“Failed to get userinfo”}

My yml

version: “3.7”

services:
ocis:
image: owncloud/ocis:latest
networks:
ocis_net:
entrypoint:
- /bin/sh
- /entrypoint-override.sh
environment:
# Keycloak IDP specific configuration
PROXY_AUTOPROVISION_ACCOUNTS: “true”
PROXY_OIDC_ISSUER: https://keycloak.mydomain.com/auth/realms/myrealm
WEB_OIDC_AUTHORITY: https://keycloak.mydomain.com/auth/realms/myrealm

  WEB_OIDC_CLIENT_ID: ocis
  WEB_OIDC_METADATA_URL: https://keycloak.mydomain.com/auth/realms/myrealm/.well-known/openid-configuration
  STORAGE_OIDC_ISSUER: https://keycloak.mydomain.com/auth/realms/myrealm
  STORAGE_LDAP_IDP: https://keycloak.mydomain.com/auth/realms/myralm
  # general config
  OCIS_URL: https://myocis.mydomain.com
  OCIS_LOG_LEVEL: ${OCIS_LOG_LEVEL:-error} # make oCIS less verbose
  PROXY_TLS: "false" # do not use SSL between Traefik and oCIS
  ACCOUNTS_DEMO_USERS_AND_GROUPS: "false" # don't generate demo users
  # change default secrets
  IDP_LDAP_BIND_PASSWORD: *************
  STORAGE_LDAP_BIND_PASSWORD: ********************************
  OCIS_JWT_SECRET: ********************************
  STORAGE_TRANSFER_SECRET: *********************************
  OCIS_MACHINE_AUTH_API_KEY: *********************************

  OCIS_INSECURE: "false"
volumes:
  - ./config/ocis/entrypoint-override.sh:/entrypoint-override.sh
  - ocis-data:/var/lib/ocis
ports:
  - "9200:9200"
     restart: always
volumes:
  ocis-data:
networks:
  ocis-net:

In nginx

        location /.well-known/openid-configuration {
                proxy_pass https://keycloak.exam.com/auth/realms/Myrealm/.well-known/openid-configuration;
                proxy_set_header X-Forwarded-For $remote_addr;
        }



        location / {
                        proxy_pass http://localhost:9200/;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_http_version 1.1;
    proxy_set_header Connection “”;
    proxy_buffering off;
    client_max_body_size 0;
    proxy_read_timeout 36000s;
    proxy_redirect off;
    proxy_set_header    X-Forwarded-Server $host;
    proxy_set_header    X-Forwarded-Port   443;
    proxy_set_header    X-Forwarded-Proto  https;
    proxy_buffer_size   128k;
    proxy_buffers   4 256k;
    proxy_busy_buffers_size   256k;

        }

}

[rtest12]

Please help...

{"level":"error","service":"accounts","error":"github.com.owncloud.ocis.protogen.gen.ocis.messages.accounts.v0.Account with Id=95cb8724-03b2-11eb-a0a6-c33ef8ef53ad does already exist","time":"2022-04-17T15:35:16Z","message":"service user was configured but failed to be added to the index"}
process idp terminated##################################################
change default secrets:
##################################################
##################################################
delete demo users
##################################################
{"level":"error","service":"proxy","error":"401 Unauthorized: {\"error\":\"invalid_token\",\"error_description\":\"Token verification failed\"}","time":"2022-04-17T15:35:36Z","message":"Failed to get userinfo"}
{"level":"error","service":"proxy","error":"401 Unauthorized: {\"error\":\"invalid_token\",\"error_description\":\"Token verification failed\"}","time":"2022-04-17T15:35:37Z","message":"Failed to get userinfo"}
{"level":"error","service":"proxy","error":"401 Unauthorized: {\"error\":\"invalid_token\",\"error_description\":\"Token verification failed\"}","time":"2022-04-17T15:35:38Z","message":"Failed to get userinfo"}
{"level":"error","service":"proxy","error":"401 Unauthorized: {\"error\":\"invalid_token\",\"error_description\":\"Token verification failed\"}","time":"2022-04-17T15:35:46Z","message":"Failed to get userinfo"}
{"level":"error","service":"proxy","error":"401 Unauthorized: {\"error\":\"invalid_token\",\"error_description\":\"Token verification failed\"}","time":"2022-04-17T15:35:49Z","message":"Failed to get userinfo"}
{"level":"error","service":"proxy","error":"401 Unauthorized: {\"error\":\"invalid_token\",\"error_description\":\"Token verification failed\"}","time":"2022-04-17T15:35:49Z","message":"Failed to get userinfo"}
{"level":"error","service":"proxy","error":"401 Unauthorized: {\"error\":\"invalid_token\",\"error_description\":\"Token verification failed\"}","time":"2022-04-17T15:35:50Z","message":"Failed to get userinfo"}
{"level":"error","service":"proxy","error":"401 Unauthorized: {\"error\":\"invalid_token\",\"error_description\":\"Token verification failed\"}","time":"2022-04-17T15:35:52Z","message":"Failed to get userinfo"}
{"level":"error","service":"proxy","error":"401 Unauthorized: {\"error\":\"invalid_token\",\"error_description\":\"Token verification failed\"}","time":"2022-04-17T15:41:22Z","message":"Failed to get userinfo"}
{"level":"error","service":"proxy","error":"401 Unauthorized: {\"error\":\"invalid_token\",\"error_description\":\"Token verification failed\"}","time":"2022-04-17T15:41:22Z","message":"Failed to get userinfo"}
{"level":"error","service":"proxy","error":"401 Unauthorized: {\"error\":\"invalid_token\",\"error_description\":\"Token verification failed\"}","time":"2022-04-17T15:41:23Z","message":"Failed to get userinfo"}
{"level":"error","service":"proxy","error":"401 Unauthorized: {\"error\":\"invalid_token\",\"error_description\":\"Token verification failed\"}","time":"2022-04-17T15:41:30Z","message":"Failed to get userinfo"}
{"level":"error","service":"proxy","error":"gateway: grpc failed with code CODE_PERMISSION_DENIED","time":"2022-04-17T15:41:30Z","message":"error when calling Createhome"}
{"level":"error","service":"proxy","error":"gateway: grpc failed with code CODE_PERMISSION_DENIED","time":"2022-04-17T15:41:30Z","message":"error when calling Createhome"}
{"level":"error","service":"ocis","error":"error: permission denied: create container: error: permission denied: ","time":"2022-04-17T15:41:31Z","message":"error initializing metadata client"}
{"level":"error","service":"ocis","error":"error: permission denied: create container: error: permission denied: ","time":"2022-04-17T15:41:31Z","message":"error initializing metadata client"}
{"level":"error","service":"ocis","error":"error: permission denied: create container: error: permission denied: ","time":"2022-04-17T15:41:31Z","message":"error initializing metadata client"}
{"level":"error","service":"ocis","error":"error: permission denied: create container: error: permission denied: ","time":"2022-04-17T15:41:31Z","message":"error initializing metadata client"}

[rtest12]

But what happens in general, you even have the same error on the demo stand!

[henniaufmrenni]

I also encountered this issue, after upgrading from 1.18 to 1.20. After some testing, it seems there is a regression which was introduced in 1.19. Rolling back to 1.18 solved the issue for me.

[rtest12]

I also encountered this issue, after upgrading from 1.18 to 1.20. After some testing, it seems there is a regression which was introduced in 1.19. Rolling back to 1.18 solved the issue for me.

Yes, thanks for the tip, I figured that out too.

[wkloucek]

I also encountered this issue, after upgrading from 1.18 to 1.20. After some testing, it seems there is a regression which was introduced in 1.19. Rolling back to 1.18 solved the issue for me.

Yes, that's indeed a regression. Sorry for the inconvenience.

I'm not exactly sure when we'll be able to provide a fixed version, since we're currently in the process of switching to a new user backend (We're replacing the accounts and glauth service with the IDM / identity management service).

I'll let you know when this bug is fixed.

We're also about to enter BETA phase (currently we're in the Tech Preview phase of oCIS), therefore we will no longer have such breaking changes, soon.

[suderman]

Apologies if this is the wrong place to ask, but I have a question about user sessions.

Every time I restart my OCIS service (based on the docker compose example with traefik), all my clients are logged out. It says "the connection's access token has expired or become invalid". Is this intended behaviour, or am I doing something wrong? Are all my clients supposed to re-authenticate after every image update?

[wkloucek]

You're using the built-in IDP and no Keycloak? You can generate a certificate and a secret, so that your sessions survive a restart:

openssl rand -out /etc/ocis/idp-encryption.key 32
openssl genpkey -algorithm RSA -out /etc/ocis/idp-private-key.pem -pkeyopt rsa_keygen_bits:4096

Then you need to configure the IDP to use them:

IDP_SIGNING_PRIVATE_KEY_FILES=/etc/ocis/idp-private-key.pem
IDP_ENCRYPTION_SECRET_FILE=/etc/ocis/idp-encryption.key

I filed an issue so that we can do this automatically in the future: #3909

[suderman]

Thank you, @wkloucek! I'm new to OCIS and wouldn't have discovered that for a long time. Works like a charm! ^_^