Keycloak OIDC Login not working

[beposec]

Describe the bug
When trying to log in with Keycloak, the login process fails and shows an error:
"An error eccurred while signing in: Callback".

In the server logs, the following error appears:

splitpro     | Unknown argument `refresh_expires_in`. Available options are marked with ?. [Error [LinkAccountError]:

To Reproduce

NEXTAUTH_URL="split.domain.com"
# NEXTAUTH_URL_INTERNAL="http://localhost:3000"

OIDC_NAME=keycloak
OIDC_CLIENT_ID=split.domain.com
OIDC_CLIENT_SECRET=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
DISABLE_EMAIL_SIGNUP=true
OIDC_WELL_KNOWN_URL=https://idp.domain.com/realms/domain.com/.well-known/openid-configuration
OIDC_ALLOW_DANGEROUS_EMAIL_LINKING=1

Expected behavior
The login should work.

Desktop (please complete the following information):

• OS: Windows 11
• Browser: Firefox

[krokosik]

I don't have a KeyCloak instance and I don't really have the capacity to test the edge cases of every OIDC provider :(

@markocir maybe you had a similiar issue or can say whether it's a configuration issue?

[beposec]

As I understand it, Keycloak sends the refresh_expires_in attribute, and it is missing in the Prisma schema. Others have had the same problem: https://github.com/orgs/langfuse/discussions/2165

Is there anything I can do to help?

[krokosik]

According to this thread, it's a scoping issue. You could try finding a fix that would solve the custom provider issue and submit a PR with the proposed change.

[markocir]

This is my docker compose:

      - NEXTAUTH_URL=${NEXTAUTH_URL:?err}         # e.g. https://your.domain.com
      - NEXTAUTH_SECRET=${NEXTAUTH_SECRET:?err}   # e.g. some_random_hex_string
      #- GOOGLE_CLIENT_ID=${GOOGLE_CLIENT_ID:?err}
      #- GOOGLE_CLIENT_SECRET=${GOOGLE_CLIENT_SECRET:?err}
      - OIDC_NAME=${OIDC_NAME}
      - OIDC_CLIENT_ID=${OIDC_CLIENT_ID}
      - OIDC_CLIENT_SECRET=${OIDC_CLIENT_SECRET}
      - OIDC_WELL_KNOWN_URL=${OIDC_WELL_KNOWN_URL}
      - OIDC_ALLOW_DANGEROUS_EMAIL_LINKING=${OIDC_ALLOW_DANGEROUS_EMAIL_LINKING}

and this is the .env file:

OIDC_CLIENT_ID=splitpro
OIDC_CLIENT_SECRET=********************************
OIDC_NAME=Keycloak
OIDC_WELL_KNOWN_URL=https://domain.example.com/realms/master/.well-known/openid-configuration
OIDC_ALLOW_DANGEROUS_EMAIL_LINKING=true

and Keycloak is configured like this, i have blurred out my domain.

I vaguely remember that I could have had this issue but with an older version where the OIDC was not yet supported. It might just be that the Keycloak configuration is not correctly set and it triggers this error as a side effect?

You can also check the the generated token for your user under the client setting:

[markocir]

Hmm... I just tried to relogin with keycloak and it does not work for me either. I get the same error.

[markocir]

I found this in my custom code, which solved the problem.
src/server/auth.ts

[beposec]

@markocir could you please provide your custom code as pull request? Would be nice to have this merged for all :-)

[markocir]

@krokosik I can push the change if you give me permissions.

[krokosik]

You don't need my permission :)
Just create the branch in your fork and submit a PR