alerta: Customer views - can't login - NoCustomerMatch - Keycloak

Issue Summary

Customers Keycloak roles do not match.

Environment

  • OS: CentOS 7

  • API version: 8.5.0

  • Deployment: Docker

  • Database: Postgres

  • Server config: Auth enabled: Yes; Auth provider: Keycloak; Customer views: Yes

  • web UI version: 8.5.0

  • CLI version: 8.5.0

To Reproduce

Steps to reproduce the behavior:

  1. Follow the official doc to configure Keycloak client.
  2. Then add new Keycloak role in the Customers menu
  3. Try to log in with customer account
  4. See error: No customer lookup configured for user ‘-----’ or ‘-----.com’ (403)

Expected behavior

I expect that the user can identify with the group configured in Keycloak

Screenshots

Keycloak config:

image

Alerta Customers config:

image

Alertad Docker config

    environment:
      # - DEBUG=True  # remove this line to turn DEBUG off
      - DATABASE_URL=postgres://postgres:postgres@db:5432/monitoring
      - AUTH_REQUIRED=True
      - ADMIN_USERS=admin@alerta.io,devops@alerta.io
      - ADMIN_PASSWORD=alerta # default is "alerta"
      - ADMIN_KEY=demo-key  # assigned to first user in ADMIN_USERS
      - PLUGINS=remote_ip,reject,heartbeat,blackout,normalise,prometheus

      - http_proxy=http://xxx.xxx.xxx.xxx:80
      - https_proxy=http://xxx.xxx.xxx.xxx:80

      - CUSTOMER_VIEWS=True

      - AUTH_PROVIDER=keycloak
      - KEYCLOAK_URL=https://my-keycloak-url.com
      - KEYCLOAK_REALM=my_realm
      - OAUTH2_CLIENT_ID=demo-alerta
      - OAUTH2_CLIENT_SECRET=********
      - ALLOWED_KEYCLOAK_ROLES=admin,guest,user,alerta-devops,alerta-kpi,alerta-mco

      - USE_PROXYFIX=True # use if proxy is terminating HTTPS traffic
      - ALLOWED_ENVIRONMENTS=Production,Development,Code,None,Acceptation
      - SIGNUP_ENABLED=False

However, it works if I manually configure the client name with the keycloak role name.

About this issue

  • State: closed
  • Created 3 years ago
  • Comments: 25 (12 by maintainers)

Most upvoted comments

In fact, I had not paid attention to this important information; if I set these environment variables in a file and bind it to the docker, it works perfectly. Thanks a lot for your help and support.

OIDC_ROLE_CLAIM and OIDC_GROUP_CLAIM are not supported config environment variables. You need to use a configuration file. https://github.com/alerta/docker-alerta#environment-variables
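A debugging aid for the situation in this thread, added here as an example (it is not Alerta or docker-alerta code): it decodes the payload of a token without verifying the signature and lists which claims carry a given role, so the claim name can be compared with what OIDC_ROLE_CLAIM and OIDC_GROUP_CLAIM are set to in the configuration file. The token, the `alerta_roles` claim name and the helper names are constructed for illustration.

```python
import base64
import json


def decode_payload(token: str) -> dict:
    """Return a JWT's claims WITHOUT verifying the signature (inspection only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    payload = parts[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def claims_containing(claims: dict, wanted: str, prefix: str = "") -> list:
    """List dotted claim paths whose value is, or whose list contains, `wanted`."""
    hits = []
    for name, value in claims.items():
        path = prefix + name
        if isinstance(value, dict):
            hits += claims_containing(value, wanted, path + ".")
        elif value == wanted or (isinstance(value, list) and wanted in value):
            hits.append(path)
    return hits


def make_sample_token(claims: dict) -> str:
    """Build an unsigned, constructed token so the example runs offline."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none"}), enc(claims), "sig"])


# Constructed sample: the role appears in a nested claim and in a custom
# top-level claim; neither layout is taken from the original issue.
SAMPLE = make_sample_token({
    "preferred_username": "jdoe",
    "email": "jdoe@example.com",
    "realm_access": {"roles": ["alerta-devops", "user"]},
    "alerta_roles": ["alerta-devops"],
})

if __name__ == "__main__":
    for path in claims_containing(decode_payload(SAMPLE), "alerta-devops"):
        print("role found in claim:", path)
```

An empty result for a role that is listed in the Customers menu means the token does not carry that role in any claim at all, which points at the Keycloak client mappers rather than at the Alerta settings.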

You’re going to have to define “impossible to log in”. And perhaps this discussion could move to Slack where it would be easier to troubleshoot.

I’m trying to apply the same configuration as the other elements in the key rules (“*******”). I’ll get back to you as soon as I have something new.