Getting Karakeep working with Keycloak

[wcamicase]

Hello everyone!

Recently, I decided to install Keycloak on my home lab.
After the initial struggles, I managed to get it running, so the next step is to get apps connected to it, and the first victim is Karakeep.

Configurations and whatnot aside, I started to always get sent into the regular karakeep login page, even though it seems all should be correct; however, I noticed that I was getting this error inside the logs:

[next-auth][error][CLIENT_FETCH_ERROR] 
https://next-auth.js.org/errors#client_fetch_error⁠ fetch failed {
  error: {
    message: 'fetch failed',
    stack: 'TypeError: fetch failed\n' +
      '    at node:internal/deps/undici/undici:13510:13\n' +
      '    at process.processTicksAndRejections (node:internal/process/task_queues:105:5)',
    name: 'TypeError'
  },
  url: 'http://localhost:3000/api/auth/providers',
  message: 'fetch failed'
}

On my configs, I do have NEXTAUTH_URL pointing to https://karakeep.mydomain.com, but looking online, it seems that it exists a NEXTAUTH_URL_INTERNAL that overrides whatever value is set in the former.
The thing is, I'm not setting it anywhere, and even if I try to do something like NEXTAUTH_URL_INTERNAL=http://192.168.1.99:4010, which kinda works, it doesn't really, as Keycloak is not expecting anything coming from there, and it errors out.

Looking further into it, I found this: nextauthjs/next-auth#6949
It seems that other people were having issues similar to mine due to a version update of next-auth from back in 2023, and it seems to have been fixed in version 4.21.0, although people do still seem to be having the issue.

Checking here: https://github.com/karakeep-app/karakeep/blob/main/apps/web/package.json , I can locate "next-auth": "^4.24.11", making me believe that we're using a supposedly fixed version.

Has anyone been successful in using Keycloak? If so, how did you manage to overcome said problem?

Thank you!

[MohamedBassem]

next auth internal is set in the dockerfile itself as a safe default, it doesn't work if you're using docker host networking mode for example, or if for any reason the container is not able to talk to itself on the loopback address. In this case, just overriding by an address that the container can talk to itself with should work, and it did work for you.

this internal address is however not relevant in the communication with keycloack. Only the next_auth one is and it's what should be allowlisted in keycloack as the redirect address. What error are you seeing?

to recap, set the next auth internal address to that one you mentioned in the issue and set the next_auth to the external address of your deployment that keycloack should redirect too after a successful oauth (the one you allowlist in keycloack).

[wcamicase]

Well, I tried a few things:

Without having the NEXTAUTH_URL_INTERNAL and only having NEXTAUTH_URL pointing at my domain, looking at the logs, I have this error:

[next-auth][error][CLIENT_FETCH_ERROR] 
https://next-auth.js.org/errors#client_fetch_error⁠ fetch failed {
  error: {
    message: 'fetch failed',
    stack: 'TypeError: fetch failed\n' +
      '    at node:internal/deps/undici/undici:13510:13\n' +
      '    at process.processTicksAndRejections (node:internal/process/task_queues:105:5)',
    name: 'TypeError'
  },
  url: 'http://localhost:3000/api/auth/providers',
  message: 'fetch failed'
}

On top of having NEXTAUTH_URL pointing at my domain, if I add NEXTAUTH_URL_INTERNAL with the same value as my domain, I get:

[next-auth][error][CLIENT_FETCH_ERROR] 
https://next-auth.js.org/errors#client_fetch_error⁠ fetch failed {
  error: {
    message: 'fetch failed',
    stack: 'TypeError: fetch failed\n' +
      '    at node:internal/deps/undici/undici:13510:13\n' +
      '    at process.processTicksAndRejections (node:internal/process/task_queues:105:5)',
    name: 'TypeError'
  },
  url: 'https://karakeep.<mydomain>.com/api/auth/providers',
  message: 'fetch failed'
}

If I decide to put the IP of the container that is running Keycloak on NEXTAUTH_URL_INTERNAL, then I get no errors, I get this page:

However, if I press the newly added button, I get an error:

And this is what I have in the logs:

[next-auth][error][SIGNIN_OAUTH_ERROR] 
https://next-auth.js.org/errors#signin_oauth_error⁠ self-signed certificate {
  error: {
    message: 'self-signed certificate',
    stack: 'Error: self-signed certificate\n' +
      '    at TLSSocket.onConnectSecure (node:_tls_wrap:1679:34)\n' +
      '    at TLSSocket.emit (node:events:518:28)\n' +
      '    at TLSSocket._finishInit (node:_tls_wrap:1078:8)\n' +
      '    at ssl.onhandshakedone (node:_tls_wrap:864:12)\n' +
      '    at TLSWrap.callbackTrampoline (node:internal/async_hooks:130:17)',
    name: 'Error'
  },
  providerId: 'custom',
  message: 'self-signed certificate'
}

Could I be misconfiguring it on Keycloak's side?
I have it set up as follows, when it comes down to the Access Settings:

Thank you once again for the help!