Too many redirects - Keycloak Authentication

Hi,
I’m trying to integrate keycloak following the documentation here.
The error I get is ERR_TOO_MANY_REDIRECTS on Chrome. Could anyone help me figure out what is wrong?
(As a first time user, I can’t post links, so I’ve tried to obfuscate it a bit :frowning: )

My config.yaml file.

extraEnv:
OAUTH2_AUTHORIZE_URL: my-keycloak-site/auth/realms/15rock/protocol/openid-connect/auth
OAUTH2_TOKEN_URL: my-keycloak-site/auth/realms/15rock/protocol/openid-connect/token
OAUTH_CALLBACK_URL: my-notebook-site/hub/oauth_callback
auth:
type: custom
custom:
className: oauthenticator.generic.GenericOAuthenticator
config:
login_service: “keycloak”
client_id: “jupyterhub”
client_secret: “mysecret”
token_url: my-keycloak-site/auth/realms/15rock/protocol/openid-connect/token
userdata_url: my-keycloak-site/auth/realms/15rock/protocol/openid-connect/userinfo
userdata_method: GET
userdata_params: {‘state’: ‘state’}
username_key: preferred_username

My URL which fails

my-notebook-site/hub/oauth_login?response_type=code&redirect_uri=https%3A%2F%2Fnotebook.15rock.com%2Fhub%2Foauth_callback&client_id=jupyterhub&state=abcd

My Keycloak setting:

client id: jupyterhub
Valid Redirect URIs: my-notebook-site/hub/oauth_callback

I ran into this issue for a little while using our own custom oauth service but I think the solution will likely be the same.

The issue for me was that the callback URI needed to be set in both locations. I am not positive on Keycloak, but you probably need to not only authorize that callback URI as a valid redirect URI (which I see that you have done), but also configure the specific application (the one where you generated your secret keys from) in Keycloak to actually use the callback URI.

I suspect more configuration on the Keycloak end of things is your ticket here.

Additionally, the POST body of authenticate in the generic authenticator omits the client_id and client_secret values by default. (They are not passed in just because you set them in your auth.custom.config.client_secret/id.) To get these values in your POST body you will also need to add the following:

auth:
  custom:
    config:
      extra_params:
        client_id : 'ID'
        client_secret: 'SECRET'