Seafile SSO against Keycloak - error oauth_callback (missing_token)

hello there,

I’m new to Seafile and I’m trying to set up a server with SSO for my homelab.

I have followed this tutorial (I can’t put a link here, so below you will find the link encoded as ASCII hex):

68 74 74 70 73 3A 2F 2F 64 65 2E 73 65 61 66 69 6C 65 2E 63 6F 6D 2F 73 73 6F 2D 73 65 61 66 69 6C 65 2D 6B 65 79 63 6C 6F 61 6B 2F

@christophdb I hope to see you here ^^

Seafile is installed with Docker and is working with local users.

When I try SSO I am correctly redirected to the Keycloak login interface.
The error occurs on the callback.
Keycloak gives no log of what happens, but Seafile (seahub.log) says:

```
[ERROR] seahub.oauth.views:154 oauth_callback (missing_token) Missing access token parameter.
[INFO] xmlschema:1266 include_schema Resource ‘XMLSchema.xsd’ is already loaded
```

Here is my seahub_settings.py:

```python
# -*- coding: utf-8 -*-
SECRET_KEY = "b'x=XXXXXXXXXXXXXXXXXXXXXXxwe'"
SERVICE_URL = "https://seafile.mydomain.com"

DATABASES = {
    'default': {
        'ENGINE': 'django.db.backends.mysql',
        'NAME': 'seahub_db',
        'USER': 'seafile',
        'PASSWORD': '9fXXXXXXXXXXXXXXXX39767',
        'HOST': 'db',
        'PORT': '3306',
        'OPTIONS': {'charset': 'utf8mb4'},
    }
}


CACHES = {
    'default': {
        'BACKEND': 'django_pylibmc.memcached.PyLibMCCache',
        'LOCATION': 'memcached:11211',
    },
    'locmem': {
        'BACKEND': 'django.core.cache.backends.locmem.LocMemCache',
    },
}
COMPRESS_CACHE_BACKEND = 'locmem'
TIME_ZONE = 'Etc/UTC'
FILE_SERVER_ROOT = "https://seafile.mydomain.com/seafhttp"

CSRF_COOKIE_SECURE = True
CSRF_TRUSTED_ORIGINS = ['https://seafile.mydomain.com','https://127.0.0.1']



ENABLE_OAUTH = True

# If create new user when he/she logs in Seafile for the first time, default `True`.
OAUTH_CREATE_UNKNOWN_USER = True

# If active new user when he/she logs in Seafile for the first time, default `True`.
OAUTH_ACTIVATE_USER_AFTER_CREATION = True

# Usually OAuth works through SSL layer. If your server is not parametrized to allow HTTPS, some method will raise an "oauthlib.oauth2.rfc6749.errors.InsecureTransportError". Set this to `True` to avoid this error.
OAUTH_ENABLE_INSECURE_TRANSPORT = True

# Client id/secret generated by authorization server when you register your client application.
OAUTH_CLIENT_ID = "seafile-auth"
OAUTH_CLIENT_SECRET = "AUQXXXXXXXXXXXXXXiao"

# Callback url when user authentication succeeded. Note, the redirect url you input when you register your client application MUST be exactly the same as this value.
OAUTH_REDIRECT_URL = 'https://seafile.mydomain.com/oauth/callback/'

# The following should NOT be changed if you are using Github as OAuth provider.
#OAUTH_PROVIDER_DOMAIN = 'keyclaok.mydomain.com/realms/myrealm' #deprecated 
OAUTH_PROVIDER = 'keycloak..mydomain.com/realms/myrealm'

OAUTH_AUTHORIZATION_URL = 'https://auth.mydomain.com/realms/myrealm/protocol/openid-connect/auth'
OAUTH_TOKEN_URL = 'https://auth.mydomain.com/realms/myrealm/protocol/openid-connect/token'
OAUTH_USER_INFO_URL = 'https://auth.mydomain.com/realms/myrealm/protocol/openid-connect/userinfo'
OAUTH_SCOPE = ["openid", "profile", "email"] #"user"

OAUTH_ATTRIBUTE_MAP = {
        #"id":   (False, "not used"),
        "email": (True, "email"),
        "uid / id / username / email": (True, "uid"),
        "email": (False, "name"),
        "email": (False, "contact_email"),
}

ACTIVATE_AFTER_REGISTRATION = True
ENABLE_SIGNUP = True
```

I think the error is somewhere in “OAUTH_SCOPE” or “OAUTH_ATTRIBUTE_MAP”, but I can’t find where.

All that I have understood is that Seafile needs at least the uid attribute to work.

If you need any other information, let me know.

Thank you in advance for your help.

zonko
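The `(missing_token) Missing access token parameter.` line is the wording of oauthlib's `MissingTokenError`, which seahub reaches through requests-oauthlib while exchanging the authorization code at OAUTH_TOKEN_URL. oauthlib decodes the token-endpoint body (JSON, falling back to a form-encoded parse), raises the provider's own error if the body carries an `error` member, and only then complains about a missing `access_token`. So this error means the token endpoint answered with something that was neither a token nor an OAuth error object. The script below is an added example, not code from this thread or from the Seafile project; it reproduces that order of checks on a few constructed response bodies so you can see which shapes end in `missing_token` (all sample bodies, token values and field names in `SAMPLE_RESPONSES` are made up for the demonstration).

```python
# Added example (not from the thread or the Seafile project): reproduces the
# order of checks an RFC 6749 client applies to the body returned by the
# token endpoint, to show which response shapes end in "missing_token".
import json
from urllib.parse import parse_qsl


def parse_token_body(body: str) -> dict:
    """Decode a token-endpoint body: JSON first, then fall back to
    application/x-www-form-urlencoded as some legacy providers send."""
    try:
        params = json.loads(body)
    except ValueError:
        params = dict(parse_qsl(body, keep_blank_values=True))
    if not isinstance(params, dict):
        params = {}
    return params


def classify_token_response(body: str) -> tuple:
    """Return (status, detail) for a token-endpoint body.

    status is one of:
      "ok"             - an access token is present
      "provider_error" - the provider answered with an OAuth error object
      "missing_token"  - no error object and no access_token, i.e. the case
                         that seahub logs as "(missing_token) Missing access
                         token parameter."
    """
    params = parse_token_body(body)
    if "error" in params:
        return ("provider_error", params["error"])
    if "access_token" not in params:
        return ("missing_token", sorted(params.keys()))
    return ("ok", params.get("token_type", ""))


# Constructed sample bodies (not captured from a real server).
SAMPLE_RESPONSES = {
    # What a healthy Keycloak token endpoint returns.
    "keycloak_ok": json.dumps({
        "access_token": "eyJ...constructed...",
        "token_type": "Bearer",
        "expires_in": 300,
        "id_token": "eyJ...constructed...",
    }),
    # Wrong client secret or unknown client id: an RFC 6749 error object,
    # which is reported under its own name, not as missing_token.
    "bad_client": json.dumps({
        "error": "invalid_client",
        "error_description": "Invalid client credentials",
    }),
    # JSON from some other endpoint (for example the userinfo URL pasted into
    # OAUTH_TOKEN_URL): valid JSON, but no access_token.
    "wrong_endpoint": json.dumps({"sub": "1234", "preferred_username": "zonko"}),
    # A plain-text body from a proxy or placeholder page.
    "plain_text": "OK",
}


def classify_all(responses: dict) -> dict:
    """Map each sample name to the status the client would report."""
    return {name: classify_token_response(body)[0]
            for name, body in responses.items()}


if __name__ == "__main__":
    for name, status in classify_all(SAMPLE_RESPONSES).items():
        print(f"{name:15s} -> {status}")
```

When debugging a real deployment, the same classification can be applied to the raw body of a POST to OAUTH_TOKEN_URL captured on the Seafile side (for example with the request logged by a reverse proxy), which tells you whether Keycloak rejected the client, or whether the URL is simply not answering as a token endpoint at all.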

For everybody else, the url is: Single Sign-On mit Seafile und Keycloak | Seafile.

and from the logs, this is where the problem takes place in the code:

I can not clearly say what the problem is, but here is my guess:

  • "uid / id / username / email": (True, "uid") in OAUTH_ATTRIBUTE_MAP? What is this?
  • OAUTH_PROVIDER_DOMAIN should be the url of your seafile
  • are you sure that keycloak provides an attribute uid?

Hello, thanks for your quick answer.

I have tried many permutations of OAUTH_ATTRIBUTE_MAP;
here is the last one I have tried:

```python
OAUTH_ATTRIBUTE_MAP = {
        "email": (False, "email"),
        "email": (True, "uid"),
        "name": (False, "name"),
        "email": (False, "contact_email"),
}
```

I started with your proposed configuration:

```python
OAUTH_ATTRIBUTE_MAP = {
    "id":    (False, "not used"),
    "name":  (False, "full name"),
    "email": (True, "email"),
}
```

with no success either.

That is a formulation I have seen used to get the first token in the list that matches, but it is probably a bad idea anyway.

I have made the correction for OAUTH_PROVIDER_DOMAIN.

Not sure, but either way, about the token mandatory for Seafile:
I assume that it needs at least uid or email.

Thank you again.
I’m still open to any idea you could have.

best regards,
zonko
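Both maps posted in this thread reuse `"email"` as a key several times. The script below is an added example, not code from the thread or from the Seafile project; it shows what Python actually makes of such a literal (a dict keeps only the last value for a repeated key, so the `(True, "uid")` entry vanishes before seahub ever sees it) and then applies the map to a constructed Keycloak userinfo document. It assumes the documented shape of OAUTH_ATTRIBUTE_MAP, where each key names a field in the provider's userinfo response and each value is `(required, seafile_attribute)`; the `resolve_attributes` and `check_map` functions, the `FIXED_MAP` and the `SAMPLE_USERINFO` values are my own illustration, not seahub's code. Note that Keycloak's userinfo for the scopes `openid profile email` carries `sub`, `preferred_username`, `name` and `email`, but no field literally named `uid`.

```python
# Added example (not from the thread or the Seafile project). Assumes the
# documented shape of OAUTH_ATTRIBUTE_MAP: key = field in the provider's
# userinfo JSON, value = (required, seafile_attribute). The resolution logic
# is a simplified stand-in for seahub's, written to illustrate the mapping.

# Constructed userinfo, shaped like what Keycloak returns for the scopes
# openid, profile, email. There is no field literally called "uid".
SAMPLE_USERINFO = {
    "sub": "3f1c0a2e-constructed-0000",
    "preferred_username": "zonko",
    "name": "Zonko Example",
    "email": "zonko@example.invalid",
    "email_verified": True,
}

# The map from the last post, typed exactly as posted. A Python dict literal
# keeps only the LAST value for a repeated key, so the three "email" entries
# collapse into one and the (True, "uid") entry silently disappears.
POSTED_MAP = {
    "email": (False, "email"),
    "email": (True, "uid"),
    "name": (False, "name"),
    "email": (False, "contact_email"),
}

# One provider field per Seafile attribute, so nothing is overwritten
# (hypothetical corrected map, not from the thread).
FIXED_MAP = {
    "preferred_username": (True, "uid"),
    "name": (False, "name"),
    "email": (False, "contact_email"),
}


def resolve_attributes(userinfo: dict, attribute_map: dict) -> tuple:
    """Apply the map to a userinfo document.

    Returns (resolved, missing_required): the Seafile attributes that could
    be filled, and the provider fields marked required that were absent.
    """
    resolved = {}
    missing_required = []
    for provider_field, (required, seafile_attr) in attribute_map.items():
        value = userinfo.get(provider_field)
        if value:
            resolved[seafile_attr] = value
        elif required:
            missing_required.append(provider_field)
    return resolved, missing_required


def check_map(attribute_map: dict) -> list:
    """Static sanity checks to run on the map before deploying it."""
    problems = []
    targets = [seafile_attr for _, seafile_attr in attribute_map.values()]
    if "uid" not in targets:
        problems.append("no provider field is mapped to 'uid'")
    for target in sorted({t for t in targets if targets.count(t) > 1}):
        problems.append(f"seafile attribute '{target}' is mapped from several provider fields")
    return problems


if __name__ == "__main__":
    print("posted map as Python sees it:", POSTED_MAP)
    print("posted map problems:", check_map(POSTED_MAP))
    print("posted map applied:", resolve_attributes(SAMPLE_USERINFO, POSTED_MAP))
    print("fixed map applied:", resolve_attributes(SAMPLE_USERINFO, FIXED_MAP))
    # A map that asks for a field Keycloak does not send is reported as a
    # missing required attribute instead of silently producing no uid.
    print("uid literal applied:", resolve_attributes(SAMPLE_USERINFO, {"uid": (True, "uid")}))
```

Running `check_map` on the posted literal reports that nothing is mapped to `uid`, which matches the suspicion in the thread that Seafile needs a uid; the fix is to pick one provider field per Seafile attribute (here `preferred_username` for uid, as a hypothetical choice) rather than repeating a key.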