Homarr failing to get Admin roles (groups) from Keycloak OIDC (SOLVED)
When I attempt to log in with a user assigned the admin role in Keycloak, the user is not authenticated as an Admin in Homarr


I have an "admin" role setup in the keycloak Admin UI

and have my SSO account included:

!qa leaked_secret_key
Our team noted that at least one of your messages contains a secrets encryption key used in Homarr.
As documented in the installation docs, the secrets encryption key is a crucial key that will be used to encrypt your data. By posting this key you compromised part of your security and we strongly recommend you to change it, since malicious actors could gain access to your integration passwords, usernames and tokens by decrypting your database if they gain access to said database.
To do this, update the secrets encryption key variable. Doing so will break all integrations and you must manually re-enter the secrets again.
Manually removing it after posting does not fix your issue since automated bots can and will scrape messages for leaked data.
To avoid such problems in the future, please always remove the encryption key when posting online. The Homarr team will never ask you for any passwords or the secrets encryption key.
@Meierschlumpf can you take a look?
@Zeroturnpete you'll need to add microprofile-jwt to the scopes (instead of roles)
No worries on the key, it's a dev instance
Going to try this tomorrow
should the OIDC_GROUPS_ATTRIBUTE stay the same?
I haven't configured that on my local test instance, so try to leave it empty
getting correct openID calls now

still failing to auth as admin. checking logs now
still not having any luck, I didn't see any group membership getting passed thru in the logs
for your setup, are you using Keycloak as your OIDC? It might help me to see your Keycloak group config
P.S. Thank you for being responsive, arguably one of the best support experiences I've had this year
a call might be the fastest way to resolve this
I'll look into it tonight 👍🏽 (CEST)
Solution
Upon further investigation, looks like a Keycloak issue:
- Keycloak is not sending the admin role
- Decided to switch the Homarr admin group to "uma_authorization" (a role that was passed thru) and Homarr worked as expected
working to get keycloak to pass thru the correct roles
No Need! Stayed up until 2am local to fix this
turns out it was a keycloak role issue
The role needed to be assigned at a realm level not a client level
Thank you for the help with the "microprofile-jwt" addition to the compose file!
for anyone wondering, here is where roles should be added:

Okay, great that you were able to fix it, good night
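
An added example, not posted by anyone in this thread: a small Python check that decodes a token's payload and reports where a role actually appears, which shows why a client-level role never reaches the groups claim that Keycloak's microprofile-jwt scope fills from realm roles. The sample tokens are constructed, the client id "homarr" and the user name are hypothetical, and the claim read by Homarr is assumed to be named "groups".

```python
import base64
import json

def decode_claims(jwt: str) -> dict:
    """Decode a JWT payload WITHOUT verifying the signature (diagnostics only)."""
    payload = jwt.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def locate_role(claims: dict, role: str, groups_claim: str = "groups") -> list:
    """Return every claim path in the token where `role` appears."""
    found = []
    if role in claims.get(groups_claim, []):
        found.append(groups_claim)
    if role in claims.get("realm_access", {}).get("roles", []):
        found.append("realm_access.roles")
    for client, access in claims.get("resource_access", {}).items():
        if role in access.get("roles", []):
            found.append(f"resource_access.{client}.roles")
    return found

def _b64(obj: dict) -> str:
    raw = json.dumps(obj).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def make_sample_token(claims: dict) -> str:
    """Build an unsigned sample token (constructed test data, not a real login)."""
    return f"{_b64({'alg': 'none'})}.{_b64(claims)}.unsigned"

# Constructed: "admin" assigned on the client, so it is absent from "groups".
CLIENT_LEVEL = make_sample_token({
    "preferred_username": "alice",
    "groups": ["offline_access", "uma_authorization"],
    "resource_access": {"homarr": {"roles": ["admin"]}},
})

# Constructed: "admin" assigned as a realm role, so it lands in "groups".
REALM_LEVEL = make_sample_token({
    "preferred_username": "alice",
    "groups": ["offline_access", "uma_authorization", "admin"],
})

if __name__ == "__main__":
    for name, token in (("client-level", CLIENT_LEVEL), ("realm-level", REALM_LEVEL)):
        print(name, "->", locate_role(decode_claims(token), "admin"))
```

An empty result for the groups claim means the application can only match roles that are listed there, such as the default realm role uma_authorization seen above.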