Incorrect redirect after GET authnz/keycloak/callback?

With Galaxy 25.0.2 deployed with Helm charts on a k8s cluster, this instance uses OIDC to authenticate users with a Keycloak IdP.

After authentication, users are redirected to the callback at https://example.org/myProject/authnz/keycloak/callback?state=… and the response to that GET call includes a Location header pointing to https://example.org/myProject/myProject/myProject/user/external_ids or, in the case where the user already exists, to https://example.org/myProject/myProject/myProject/login/start?connect_external_provider=keycloak….

In the case of new users, restarting the login works and users are able to log in without any issue, or by manually removing /myProject/myProject/ from the browser URL.

I do see a cookie galaxy-oidc-login-next with value "/myProject/", and the source code in galaxy-25.0.2/lib/galaxy/authnz/custos_authnz.py shows that login_redirect_url was passed as a parameter, but I don't understand where this duplication came from.

Is this a bug, a misconfiguration of our local galaxy instance, something related to ingress resource of k8s?

thank you in advance
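The symptom above is a post-login redirect whose path carries the deployment prefix several times. As an added illustration (not Galaxy's own code), the snippet below shows the two checks a deployment under a path prefix should make on such a redirect: a diagnostic that counts how often the prefix is repeated in a Location header, and a normaliser for a stored "next" value that re-applies the prefix exactly once and refuses absolute or protocol-relative targets. The prefix "/myProject", the host and the cookie value are taken from the thread; the function names are assumptions.

```python
"""Sanity checks for a prefixed post-login redirect (added example, not Galaxy code)."""
from urllib.parse import urlsplit


def split_prefix_repeats(path: str, prefix: str) -> tuple[int, str]:
    """Count leading copies of `prefix` in `path`; return (count, remainder).

    "/myProject/myProject/user/x" with prefix "/myProject" -> (2, "/user/x").
    """
    prefix = prefix.rstrip("/")
    if not prefix:
        return 0, path
    count = 0
    # Only strip whole path segments so "/myProjectX" is not mistaken for the prefix.
    while path == prefix or path.startswith(prefix + "/"):
        path = path[len(prefix):]
        count += 1
    return count, path or "/"


def check_location(location: str, prefix: str, expected_host: str) -> dict:
    """Inspect a Location header value returned by the OIDC callback.

    A healthy redirect stays on the expected host and carries the prefix once.
    """
    parts = urlsplit(location)
    count, rest = split_prefix_repeats(parts.path, prefix)
    host_ok = parts.netloc == expected_host
    return {
        "host_ok": host_ok,
        "prefix_count": count,
        "path_without_prefix": rest,
        "ok": host_ok and count == 1,
    }


def safe_next(next_value: str, prefix: str, default: str = "/") -> str:
    """Turn a stored 'next' value (e.g. the login-next cookie) into one in-app path.

    - absolute, protocol-relative or backslash-bearing values are replaced by
      `default`, so the cookie cannot become an open redirect;
    - any number of leading prefix copies are collapsed, then the prefix is
      re-applied exactly once.
    """
    prefix = prefix.rstrip("/")
    if (not next_value or "://" in next_value
            or next_value.startswith("//") or "\\" in next_value):
        rest = default
    else:
        _, rest = split_prefix_repeats(next_value, prefix)
    if not rest.startswith("/"):
        rest = "/" + rest
    return prefix + rest


if __name__ == "__main__":
    # Values from the thread (constructed example input).
    bad = "https://example.org/myProject/myProject/myProject/user/external_ids"
    print(check_location(bad, "/myProject", "example.org"))
    print(safe_next("/myProject/", "/myProject"))
```

Running `check_location` on the Location value reported above yields `prefix_count` 3 and `ok` False, which is the quick way to confirm the duplication happens server-side rather than in the browser; `safe_next` shows the shape of normalisation that keeps the prefix from accumulating regardless of what the cookie contains.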

Welcome @jcsilla

Hopefully we can help! I’ve asked the administrators for feedback at their chat but let’s keep the conversation here please. More soon!

Thanks! :slight_smile:

XRef

Could you please share the OIDC configuration (wipe the secrets) that you are using?

afaik the redirect URLs are registered in AAI Service Provider Administration interface, Galaxy is just a receiver

Hi marten, thanks for your help.

this is config/oidc_backends_config.xml from galaxy web server

<?xml version="1.0"?> xxxxxxxxxxxxxx/client_id> xxxxxxxxxxxxxxxxxxxxxxxxx https://bioinfo.cnic.es/diverse/authnz/keycloak/callback https://bioinfo.cnic.es/kcbioit/realms/diverse true

and this is part of a keycloak client export:

```json
{
  "clientId": "diverse-galaxy",
  "name": "diverse-galaxy",
  "description": "Diverse project realm for authenticate galaxy users",
  "rootUrl": "https://bioinfo.cnic.es/diverse",
  "adminUrl": "https://bioinfo.cnic.es/diverse",
  "baseUrl": "/",
  "surrogateAuthRequired": false,
  "enabled": true,
  "alwaysDisplayInConsole": false,
  "clientAuthenticatorType": "client-secret",
  "secret": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
  "redirectUris": [
    "https://bioinfo.cnic.es/diverse/authnz/keycloak/callback*"
  ],
  "webOrigins": [
    "+"
  ],
  "notBefore": 0,
  "bearerOnly": false,
  "consentRequired": false,
  "standardFlowEnabled": true,
  "implicitFlowEnabled": false,
  "directAccessGrantsEnabled": true,
  "serviceAccountsEnabled": true,
  "authorizationServicesEnabled": true,
  "publicClient": false,
  "frontchannelLogout": false,
  "protocol": "openid-connect",
  "attributes": {
    "access.token.lifespan": "300",
    "request.object.signature.alg": "any",
    "frontchannel.logout.session.required": "true",
    "post.logout.redirect.uris": "https://bioinfo.cnic.es/diverse",
    "oauth2.device.authorization.grant.enabled": "false",
    "backchannel.logout.revoke.offline.tokens": "true",
    "use.refresh.tokens": "true",
    "realm_client": "false",
    "oidc.ciba.grant.enabled": "false",
    "backchannel.logout.session.required": "false",
    "client_credentials.use_refresh_token": "false",
    "require.pushed.authorization.requests": "false",
    "request.object.encryption.enc": "any"
  }
}
```

We made several tests changing rootUrl, homeUrl and baseUrl at the Keycloak client, but we always get the /diverse/diverse/diverse path in the Location header from diverse/authnz/keycloak/callback.

Thanks & regards

Is your Galaxy running behind a prefix? I’d suspect you’re running into this bug:

Yes, it's behind the /diverse prefix. In my original post it was /myProject, trying to keep the question general.