[BUG] Dashy not work with latest Keycloack 26.0.5

[logrisua]

Environment

Self-Hosted (Docker)

System

Firefox 132.0.2

Version

3.1.1

Describe the problem

Dashy not work with latest Keycloack 26.0.5.

docker compose file:

services:
  dashy:
    container_name: Dashy
    image: lissy93/dashy:latest
    volumes:
      - ./user-data:/app/user-data
    ports:
      - 4000:8080
    environment:
      - NODE_ENV=production
    restart: unless-stopped
    healthcheck:
      test: ['CMD', 'node', '/app/services/healthcheck']
      interval: 1m30s
      timeout: 10s
      retries: 3
      start_period: 40s

Dashy conf.yml

# Page meta info, like heading, footer text and nav links
pageInfo:
  title: Dashy
  description: Welcome to your new dashboard!
  navLinks:
  - title: GitHub
    path: https://github.com/Lissy93/dashy
  - title: Documentation
    path: https://dashy.to/docs

# Optional app settings and configuration
appConfig:
  theme: colorful
  auth:
    enableKeycloak: true
    keycloak:
      serverUrl: 'https://keycloak.local.com/auth/'
      realm: 'local'
      clientId: 'dashy'

# Main content - An array of sections, each containing an array of items
sections:
- name: Getting Started
  icon: fas fa-rocket
  items:
  - title: Dashy Live
    description: Development a project management links for Dashy
    icon: https://i.ibb.co/qWWpD0v/astro-dab-128.png
    url: https://live.dashy.to/
    target: newtab
  - title: GitHub
    description: Source Code, Issues and Pull Requests
    url: https://github.com/lissy93/dashy
    icon: favicon

Dashy nginx conf

server {
   listen 443 ssl;
   server_name dashy.local.com;

   ssl_certificate /etc/ssl/cert.pem;
   ssl_certificate_key /etc/ssl/key.pem;

   location / {
     proxy_pass http://127.0.0.1:4000;
     proxy_set_header X-Forwarded-User $http_authorization;
     proxy_set_header X-Real-IP $remote_addr;
     proxy_set_header Host $host;
     proxy_set_header X-Forward-For $proxy_add_x_forwarded_for;
   }
}

Keycloak nginx conf

server {
   listen 443 ssl;
   server_name keycloak.local.com;

   ssl_certificate /etc/ssl/cert.pem;
   ssl_certificate_key /etc/ssl/key.pem;
   
      location / {
     proxy_pass http://127.0.0.1:8583;
     proxy_set_header Host $host;
     proxy_set_header X-Real-IP $remote_addr;
     proxy_set_header X-Forwarded-Proto $scheme;
     proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
     proxy_buffer_size   128k;
     proxy_buffers   4 256k;
     proxy_busy_buffers_size   256k;
   }
}

Keycloack client settings:

When opening https://dashy.local.com it redirects to https://keycloak.local.com, where I enter my login and password, then it redirects back to https://dashy.local.com, and then the page "It looks like something's gone wrong...
This is likely caused by the app source not being found at the current domain."
I've tried all the settings according to what I found in the documentation, but the result is always the same. And there are no errors or suggestive information in the keycloak or Dashy logs.
Authorization for more than a dozen different services works without problems through my keycloak, but I can't get Dashy to work.

Additional info

No response

Please tick the boxes

• You have explained the issue clearly, and included all relevant info
• You are using a supported version of Dashy
• You've checked that this issue hasn't already been raised
• You've checked the docs and troubleshooting guide
• You agree to the code of conduct

[nOw-Ay]

@logrisua, Keycloak auth is broken and should soon be deprecated (I think). You should use the OIDC-based auth solution with which you can achieve the same result.

[signaleleven]

You should use the OIDC-based auth solution with which you can achieve the same result.

To be clear, you can configure that auth solution to use keycloak, right? Keycloak is OIDC compliant.

[nOw-Ay]

To be clear, you can configure that auth solution to use keycloak, right? Keycloak is OIDC compliant.

Exactly. Just replace the adequate fields in the documentation example and you should be good to go.
Notice that the stable tag (:3.1.1) does not fully implement OIDC, you should use the :latest tag if using Docker, or the last commit if you are building Dashy yourself.

[logrisua]

Thanks guys! I was able to run it through OIDC via Keycloak. But now I can't figure out how to set up access by roles. For example, access to Dashy administration only for users with the DashyAdmin role. Or access to certain sections or pages for certain roles. Maybe someone can share an example of a working config?

[signaleleven]

Can you share your config? I gave it a try and landed exactly on the same issue than the original keycloak config. I ended up putting oauth2-proxy in front of dashy, but I lost groups and role granularity....

[logrisua]

Here are the settings with which authorization worked for me, but I still couldn’t figure out whether roles and groups are pulled up and how to configure access.

appConfig:
  theme: colorful
  auth:
    enableOidc: true
    oidc:
      clientId: dashy
      endpoint: https://keycloak.local.com/auth/realms/local
      scope: ''
    enableGuestAccess: false