Issues with using Keycloak 25.0.4 Receiving Ext.Ajax

[codwow]

I originally post this issue #1368 but was told to post a discussion.

I'm currently just using podman for my deployment with separate containers and no docker compose. This is currently what it looks like

podman create --replace --name nginx
-p 20000:20000
-v /var/lib/containers/storage/volumes/nginx/_data/nginx.conf:/etc/nginx/nginx.conf
-v /var/lib/containers/storage/volumes/nginx/_data/[server cert].crt:/etc/nginx/cert.pem
-v /var/lib/containers/storage/volumes/nginx/_data/[server cert].key:/etc/nginx/privkey.pem
-v /var/lib/containers/storage/volumes/nginx/_data/dod_CAs.pem:/etc/nginx/dod-certs.pem
-v /var/lib/containers/storage/volumes/nginx/_data/index.html:/usr/share/nginx/html/index.html
--network stig-manager
registry1.dso.mil/ironbank/opensource/nginx/nginx:1.26.2

podman create --replace --name stig-manager-auth --restart=always
-e KEYCLOAK_ADMIN=admin
-e KEYCLOAK_ADMIN_PASSWORD=admin
-e KC_PROXY-HEADERS=xforwarded
-e KC_HOSTNAME=https://[ip of host]:20000/kc/
-e KC_HOSTNAME_ADMIN=https://[ip of host]:20000/kc
-e KC_SPI_X509CERT_LOOKUP_PROVIDER=nginx
-e KC_SPI_X509CERT_LOOKUP_NGINX_SSL_CLIENT_CERT=SSL-CLIENT-CERT
-e KC_TRUSTSTORE_PATHS=/tmp/truststore.p12
-e KC_TRUSTSTORE_FILE_PASSWORD=1234
-v /var/lib/containers/storage/volumes/nginx/_data/dod_CAs.p12:/tmp/truststore.p12
-v stig-manager-auth:/opt/keycloak/data/
--network stig-manager
registry1.dso.mil/ironbank/opensource/keycloak/keycloak:25.0.4 start-dev

podman create --replace --name stig-manager-db --restart=always
-e MYSQL_ROOT_PASSWORD=rootpw
-e MYSQL_DATABASE=stigman
-e MYSQL_USER=stigman
-e MYSQL_PASSWORD=stigman
-v stig-manager-db:/var/lib/mysql
--network stig-manager
registry1.dso.mil/ironbank/opensource/mysql/mysql8:8.0.36-ubi9

podman create --replace --name stig-manager --restart=always
-e STIGMAN_OIDC_PROVIDER=http://stig-manager-auth:8080/realms/stigman
-e STIGMAN_CLIENT_OIDC_PROVIDER=https://[ip of host]:20000/kc/realms/stigman
-e STIGMAN_DB_HOST=stig-manager-db
-e STIGMAN_DB_PASSWORD=stigman
-e STIGMAN_CLASSIFICATION=U
-e STIGMAN_SWAGGER_ENABLED=true
-e STIGMAN_LOG_LEVEL=4
-e NODE_EXTRA_CA_CERTS=/tmp/truststore.crt
-v /var/lib/containers/storage/volumes/nginx/_data/[server cert].crt:/tmp/truststore.crt
--network stig-manager
registry1.dso.mil/ironbank/opensource/stig-manager/stig-manager:1.4.13

when using this configuration I get an Ext.Ajax error, I tried to configure the NODE_EXTRA_CA_CERTS but I wasn't sure which cert to point it too and nothing that I tried worked. The weird part is when I replace the stig-manager-auth container (keycloak) with the one below it works and authenticates without issue. The below container was taken from stigman-orchestration repo and the above container was modified from the stig-manager-auth to include the x.509 certificate authentication process instead of username and password

podman create --replace --name stig-manager-auth --restart=always
-e KEYCLOAK_ADMIN=admin
-e KEYCLOAK_ADMIN_PASSWORD=admin
-e KC_PROXY=edge
-e KC_HOSTNAME_URL=https://[ip of host]:20000/kc/
-e KC_HOSTNAME_ADMIN_URL=https://[ip of host]:20000/kc
-e KC_SPI_X509CERT_LOOKUP_PROVIDER=nginx
-e KC_SPI_X509CERT_LOOKUP_NGINX_SSL_CLIENT_CERT=SSL-CLIENT-CERT
-e KC_SPI_TRUSTSTORE_FILE_FILE=/tmp/truststore.p12
-e KC_SPI_TRUSTSTORE_FILE_PASSWORD=1234
-v stig-manager-auth-old:/opt/keycloak/data/
-v /var/lib/containers/storage/volumes/nginx/_data/create-x509-user.jar:/opt/keycloak/providers/create-x509-user.jar
-v /var/lib/containers/storage/volumes/nginx/_data/dod_CAs.p12:/tmp/truststore.p12
--network stig-manager
registry1.dso.mil/ironbank/opensource/keycloak/keycloak:19.0.2 start-dev

[codwow]

So it looks to be a problem with version 25 of keycloak. I was able to use 24.0.5 without issue

[cd-rite]

@codwow Oh, that's great! I mean, sorry it wasted some of your time, but I'm glad you figured it out! Thanks for posting the problem with that version of Keycloak, hopefully it will save other users some trouble!

[codwow]

@cd-rite can I submit an issue about supporting keycloak 25+? I think it would be important so everyone can utilize the latest version.

[cd-rite]

HI @codwow I don't think the issue is with STIG Manager, but in some significant changes to the way you configure Keycloak that were made in 25+. You'll likely have to adjust your Keycloak configuration for it to work, but not STIGMan.

For example, it looks like the KC_HOSTNAME_URL would just be KC_HOSTNAME in 25+. KC_PROXY has also been removed as of 26.0.0:
https://www.keycloak.org/docs/latest/upgrading/index.html#new-hostname-options
https://www.keycloak.org/docs/latest/upgrading/index.html#deprecated-proxy-option
This page describes how to map command line params to their envvar equivalents:
https://www.keycloak.org/server/configuration
(Environment variable format - Values for environment variables use the uppercased KC_<key_with_underscores>= format.)