alerta: Customer views - can't login - NoCustomerMatch - Keycloak
Issue Summary
Customers Keycloak roles do not match.
Environment
- OS: CentOS 7
- API version: 8.5.0
- Deployment: Docker
- Database: Postgres
- Server config: Auth enabled: Yes; Auth provider: Keycloak; Customer views: Yes
- web UI version: 8.5.0
- CLI version: 8.5.0
To Reproduce
Steps to reproduce the behavior:
- Follow the official doc to configure Keycloak client.
- Then add new Keycloak role in the Customers menu
- Try to log in with customer account
- See error: No customer lookup configured for user ‘-----’ or ‘-----.com’ (403)
Expected behavior
I expect that the user can identify with the group configured in Keycloak
Screenshots
Keycloak config:
Alerta Customers config:
Alertad Docker config
environment:
# - DEBUG=True # remove this line to turn DEBUG off
- DATABASE_URL=postgres://postgres:postgres@db:5432/monitoring
- AUTH_REQUIRED=True
- ADMIN_USERS=admin@alerta.io,devops@alerta.io
- ADMIN_PASSWORD=alerta # default is "alerta"
- ADMIN_KEY=demo-key # assigned to first user in ADMIN_USERS
- PLUGINS=remote_ip,reject,heartbeat,blackout,normalise,prometheus
- http_proxy=http://xxx.xxx.xxx.xxx:80
- https_proxy=http://xxx.xxx.xxx.xxx:80
- CUSTOMER_VIEWS=True
- AUTH_PROVIDER=keycloak
- KEYCLOAK_URL=https://my-keycloak-url.com
- KEYCLOAK_REALM=my_realm
- OAUTH2_CLIENT_ID=demo-alerta
- OAUTH2_CLIENT_SECRET=********
- ALLOWED_KEYCLOAK_ROLES=admin,guest,user,alerta-devops,alerta-kpi,alerta-mco
- USE_PROXYFIX=True # use if proxy is terminating HTTPS traffic
- ALLOWED_ENVIRONMENTS=Production,Development,Code,None,Acceptation
- SIGNUP_ENABLED=False
However, it works if I manually configure the client name with the keycloak role name.
About this issue
- State: closed
- Created 3 years ago
- Comments: 25 (12 by maintainers)
In fact I had not paid attention to this important information. If I set these environment variables in a file and bind it to the docker, it works perfectly. Thanks a lot for your help and support.
OIDC_ROLE_CLAIM and OIDC_GROUP_CLAIM are not supported config environment variables. You need to use a configuration file. https://github.com/alerta/docker-alerta#environment-variables

You’re going to have to define “impossible to log in”. And perhaps this discussion could move to Slack where it would be easier to troubleshoot.
I’m trying to apply the same configuration as the other elements in the key rules (“*******”). I’ll get back to you as soon as I have something new.
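
A diagnostic for the symptom in this thread, added here as an example and not taken from Alerta or from any participant: it decodes a token payload and shows how the claim named as the group claim decides whether any customer lookup can match. The matching rule is a simplified assumption, the function names are hypothetical, the default claim names "roles" and "groups" are assumed, and the token and lookup table are constructed sample data.

```python
import base64
import json

def jwt_claims(token):
    """Decode a JWT payload WITHOUT verifying it (offline inspection only)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def as_list(value):
    """A claim may be absent, a single string, or a list of strings."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)

def explain_customer_match(claims, lookups, role_claim="roles", group_claim="groups"):
    """Show which token values could match a customer lookup.

    Assumed, simplified rule (not Alerta's code): a lookup matches the login,
    the e-mail domain, or any value of the claim named by group_claim.
    """
    email = claims.get("email", "")
    login = claims.get("preferred_username") or email
    candidates = [v for v in (login, email.rpartition("@")[2]) if v]
    candidates += as_list(claims.get(group_claim))
    return {
        "missing_claims": [c for c in (role_claim, group_claim) if c not in claims],
        "roles": as_list(claims.get(role_claim)),
        "candidates": candidates,
        "customers": sorted({lookups[c] for c in candidates if c in lookups}),
    }

def make_token(payload):
    """Build an unsigned token from constructed claims, for the demo only."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(payload)}."

# Constructed sample data: lookup table (match -> customer) and token claims.
LOOKUPS = {"alerta-devops": "DevOps", "alerta-kpi": "KPI"}
TOKEN = make_token({"preferred_username": "jdoe", "email": "jdoe@example.com",
                    "roles": ["user", "alerta-devops"]})

if __name__ == "__main__":
    claims = jwt_claims(TOKEN)
    print(explain_customer_match(claims, LOOKUPS))                       # no customer
    print(explain_customer_match(claims, LOOKUPS, group_claim="roles"))  # DevOps
```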