As part of the HTAN project a collaborator is attempting to link their system to Synapse, using Synapse's OpenID Connect (OIDC) services. They say, "we are considering KeyCloak because it can centralize both authentication and authorization (which users access which datasets) for all three HTAN portals (HTAN data portal, cBioPortal, & Imaging portal)." Their attempt to make KeyCloak link to Synapse fails upon login with the error, "We are sorry...Unexpected error when authenticating with identity provider". KeyCloak is an off-the-shelf identity management system. Getting KeyCloak to work with Synapse has the benefits that (1) it enables HTAN, (2) it validates our OIDC implementation, (3) it allows others to use KeyCloak with Synapse.
I replicated the error as follows:
(1) Following this demo I ran KeyCloak:
(2) I pointed my browser to http://127.0.0.1:8080/auth/, clicked on "administrative console" and logged in with the credentials, 'admin/password'.
(3) Click "Identity Providers" > "Add provider" > OpenID Connect 1.0
(4) At the bottom, in the "Import from URL" I entered the URL to Synapse's OIDC Configuration document, https://repo-prod.prod.sagebase.org/auth/v1/.well-known/openid-configuration
(5) I edited the configuration:
Display Name: "Synapse"
Client Authentication: Client secret sent as basic auth
(6) In Synapse I created a new OAuth client, using the redirect URL from Keycloak, http://127.0.0.1:8080/auth/realms/master/broker/Synapse/endpoint. I activated the client.
(7) Back in Keycloak I entered the client ID and secret. I clicked Save.
Result: Keycloak displays, "Success! ..."
(8) In the upper right I click Admin/Signout.
Result: This takes me to the login page. Now there is a new choice, "Synapse".
(9) Click on "Synapse".
Result: I am redirected to the Synapse login page with the prompt, "Keycloak Demo would like to access the following items in your Synapse account:"
(10) I click "Allow".
Result: I am redirected to KeyCloak. The URL is:
I see the message, "We are sorry... Unexpected error when authenticating with identity provider"
(This is the same error reported by the collaborator.)
The redirect URL looks valid.
I see the following in the container logs:
(The stack trace is truncated.)
Note that the kid (key id) in the logs (W7NN:WLJT:J5RK:L7TL:T7L7:3VX6:JEOU:644R:U3IX:5KZ2:7ZCK:FPTH) is indeed the ID of the RSA Key published by Synapse, as you can see here: https://repo-prod.prod.sagebase.org/auth/v1/oauth2/jwks
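The step that fails here is the one a broker performs after the redirect back from the identity provider: it takes the ID token, finds the signing key in the provider's JWKS by the token's kid header, verifies the RS256 signature, and only then checks the iss/aud/exp claims. The following is an added example (not code from Synapse, Keycloak or the demo) that carries out exactly those checks with the standard library only, so each of them can be exercised in isolation. The RSA key pair, the JWKS document, the token, the issuer URL, the client id and the kid value are all constructed for the example; the real Synapse JWKS at https://repo-prod.prod.sagebase.org/auth/v1/oauth2/jwks is mentioned only for reference.

```python
"""RS256 ID-token verification against a JWKS, as an OIDC broker does it.
Added example; not Synapse or Keycloak code. Standard library only: the RSA
key, JWKS and token are constructed below (keys this small are for the
demonstration only)."""
import base64, hashlib, json, random, time

def b64url_encode(data: bytes) -> str:          # JWT uses unpadded base64url
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

# --- constructed RSA key pair (Miller-Rabin prime search) ---------------
def _is_probable_prime(n: int, rounds: int = 16) -> bool:
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits: int) -> int:
    while True:
        cand = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand

def generate_rsa(bits: int = 1024) -> dict:
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:                # e must be invertible mod phi
            return {"n": p * q, "e": e, "d": pow(e, -1, phi)}

# --- RS256 = RSASSA-PKCS1-v1_5 over SHA-256 ------------------------------
_SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")

def _emsa_pkcs1_v15(message: bytes, k: int) -> int:
    t = _SHA256_DIGESTINFO + hashlib.sha256(message).digest()
    return int.from_bytes(b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t, "big")

def rs256_sign(key: dict, message: bytes) -> bytes:
    k = (key["n"].bit_length() + 7) // 8
    return pow(_emsa_pkcs1_v15(message, k), key["d"], key["n"]).to_bytes(k, "big")

def rs256_verify(jwk: dict, message: bytes, signature: bytes) -> bool:
    n = int.from_bytes(b64url_decode(jwk["n"]), "big")
    e = int.from_bytes(b64url_decode(jwk["e"]), "big")
    k = (n.bit_length() + 7) // 8
    return len(signature) == k and \
        pow(int.from_bytes(signature, "big"), e, n) == _emsa_pkcs1_v15(message, k)

def jwk_from_key(key: dict, kid: str) -> dict:
    k = (key["n"].bit_length() + 7) // 8
    return {"kty": "RSA", "use": "sig", "alg": "RS256", "kid": kid,
            "n": b64url_encode(key["n"].to_bytes(k, "big")),
            "e": b64url_encode(key["e"].to_bytes(3, "big"))}

def issue_id_token(key: dict, kid: str, claims: dict) -> str:
    header = {"alg": "RS256", "typ": "JWT", "kid": kid}
    signing_input = b64url_encode(json.dumps(header).encode()) + "." + \
        b64url_encode(json.dumps(claims).encode())
    return signing_input + "." + b64url_encode(rs256_sign(key, signing_input.encode()))

def verify_id_token(token: str, jwks: dict, issuer: str, client_id: str, now=None):
    """Broker-side checks in order: kid lookup, signature, then iss/aud/exp.
    Returns (ok, reason, claims) so the failing step is named."""
    try:
        h, p, s = token.split(".")
        header, claims = json.loads(b64url_decode(h)), json.loads(b64url_decode(p))
    except ValueError:
        return False, "malformed token", None
    if header.get("alg") != "RS256":
        return False, "unsupported alg", None
    jwk = next((k for k in jwks["keys"] if k.get("kid") == header.get("kid")), None)
    if jwk is None:
        return False, "kid not in JWKS", None
    if not rs256_verify(jwk, f"{h}.{p}".encode(), b64url_decode(s)):
        return False, "bad signature", None
    now = time.time() if now is None else now
    aud = claims.get("aud")
    if claims.get("iss") != issuer:
        return False, "issuer mismatch", None
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        return False, "audience mismatch", None
    if claims.get("exp", 0) <= now:
        return False, "expired", None
    return True, "ok", claims

def demo() -> dict:
    """Constructed walk-through: issuer signs a token, broker verifies it,
    then the same token against a JWKS with a different kid and with a
    modified payload. Issuer, client id and kid are placeholders."""
    issuer, client_id, kid = "https://issuer.example/auth/v1", "keycloak-demo", "EXAMPLE-KID-0001"
    key = generate_rsa(1024)
    jwks = {"keys": [jwk_from_key(key, kid)]}
    now = int(time.time())
    token = issue_id_token(key, kid, {"iss": issuer, "aud": client_id, "sub": "1234567",
                                      "iat": now, "exp": now + 300})
    h, _, s = token.split(".")
    return {"good": verify_id_token(token, jwks, issuer, client_id)[1],
            "wrong_kid": verify_id_token(token, {"keys": [jwk_from_key(key, "OTHER-KID")]},
                                         issuer, client_id)[1],
            "tampered": verify_id_token(h + "." + b64url_encode(b'{"sub":"other"}') + "." + s,
                                        jwks, issuer, client_id)[1]}

if __name__ == "__main__":
    print(demo())
```

The value of returning a reason rather than a bare boolean is that it separates "the kid was not found in the JWKS" (a key-rotation or discovery problem) from "the signature did not verify" and from a claim mismatch; the truncated stack trace above only says that Keycloak failed at this stage, so reproducing the checks one at a time against the provider's published keys is a way to narrow down which one it is.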