SSO failed to login via keycloak oidc

[bmkor]

Hi there.

First of all, thanks so much for this wonderful plugin.

We managed to install the SSO plugin and sso.js in our testing environment of cryptpad (version-2024.6.1)

Our sso.js is as follows.

module.exports = {
    // Enable SSO login on this instance
    enabled: true,
    // Block registration for non-SSO users on this instance
    enforced: false,
    // Allow users to add an additional CryptPad password to their SSO account
    cpPassword: false,
    // You can also force your SSO users to add a CryptPad password
    forceCpPassword: false,
    // List of SSO providers
    list: [    
    {
        name: "AD account",
        type: "oidc",
        url: "https://<keycloak domain>/realms/<realm>",
        client_id: "cryptpad",
        client_secret: "<cryptpad secret>",
        jwt_alg: "RS256",
        // jwt_alg: 'RS256',
        username_scope: 'profile',
        username_claim: 'name',
    }    
    ]
};

We used oidc type provided by our self-hosted keycloak server and we saw the SSO login button after clicking the login in our testing cryptpad site; however, upon clicking the SSO login button, it gets stuck in a loading page and we found the error from the log as below:

["ERROR","2024-09-28T11:30:10.124Z","CHALLENGE_RESPONSE_ACTION_ERROR",{"error":{"stack":"Error: secretOrPrivateKey must have a value\n    at module.exports [as sign] (/cryptpad/node_modules/jsonwebtoken/sign.js:111:20)\n    at SSOUtils.createJWT (/cryptpad/lib/plugins/sso/sso-utils.js:179:9)\n    at next (/cryptpad/lib/plugins/sso/challenge.js:87:26)\n    at /cryptpad/lib/plugins/sso/challenge.js:104:29\n    at /cryptpad/lib/plugins/sso/sso-utils.js:94:9\n    at /cryptpad/lib/storage/basic.js:41:9\n    at FSReqCallback.readFileAfterClose [as oncomplete] (node:internal/fs/read/context:68:3)","message":"secretOrPrivateKey must have a value"}}]

The keycloak setting for this client is basically the same as other no problem clients. For your information, the backend of the OIDC is provided by our self-hosted AD FS server. Upon reading the transaction log of the AD FS, we found that it complained "P3P": ADFS doesn't have P3P policy, please contact your site's admin for more details. Not sure what is our problem.

[bmkor]

Hi there.

Just wanna share that we managed to pass the authentication, by adding a couple of lines as below after cryptpad/lib/api.js line 78.

     ], w(function (err) {
        if (err) { throw err; } 
        if (Env.bearerSecret === bearerSecret) { return; }
        Env.bearerSecret = bearerSecret;
    })); 

Our guess is that the SET_BEARER_SECRET command only writes the secret in the decree folder but not assigns the secret to Env.bearerSecret, resulting in the error: secretOrPrivateKey must have a value.

Not sure if this is a valid workaround. Hope to have your feedback. Thanks a lot.

[hermann-san]

Hi @bmkor
I also couldn't see the SSO button and I don't know if it's a valid workaround or not, but it works with OIDC and Keycloak 26.
Thanks a lot for sharing it.

I think this code needs to be added to the Cryptpad code, otherwise there is no point in using the SSO plugin if there is no button for login.
Maybe the SSO plugin need to be adjusted, but it would be nice if this workaround would be mentioned in the SSO Plugin readme page. It may save some people quite some time...

[hermann-san]

I've tried to update from cryptpad 2024.9.0 to 9.1 and there is an error.

git checkout 2024.9.1

error: Your local changes to the following files would be overwritten by checkout:
        lib/api.js
Please commit your changes or stash them before you switch branches.
Aborting

I did restore the api.js from by backup and then the error is gone

Also because of this issue, it would be nice if there was a fix available since this will come up with every update (I suppose).