[BUG] Dashy 3.1.1 baremetal with keycloak doesn't work

[juantxorena]

Environment

Self-Hosted (Bare Metal)

System

debian 12

Version

3.1.1

Describe the problem

This is different than most of the other bugs, since the other ones usually relate to docker.

As the title says, dashy 3.1.1 doesn't work with the latest keycloak version (25.0.1). It redirects to the login page, and after login, I get the black screen of death (with "It looks like something's gone wrong..." etc). When disabling keycloak auth it works as expected. This happened after upgrading dashy from a very old version (2.x).

My setup: dashy behind nginx in a LXC container (in proxmox). Keycloak in another LXC container in the same machine.

Unfortunately the browser console doesn't say anything:

The strange thing is that I actually get a token, so I assume that the keycloak config is ok:

Additional info

dashy conf:

pageInfo:
  title: Dashy
  description: Willkommen in der
  navLinks:
    - title: GitHub
      path: https://github.com/Lissy93/dashy
    - title: Documentation
      path: https://dashy.to/docs
appConfig:
  theme: default
  auth:
    enableKeycloak: true
    keycloak:
      serverUrl: https://auth.lan:8443/
      realm: zuhause
      clientId: dashy
  layout: auto
  iconSize: medium
  statusCheck: true
  disableConfiguration: true
  hideComponents:
    hideNav: true
    hideSearch: true
    hideFooter: true
    hideSettings: true
  language: en
sections:
  - name: Apps
    displayData:
      sortBy: default
      rows: 1
      cols: 5
      collapsed: false
      hideForGuests: true
    items:
      - title: Rezepte
        icon: tandoorrecipes.png
        url: https://rezepte.lan
        target: newtab
        id: 0_404_rezepte
        statusCheckAllowInsecure: true
      - title: Projekte
        icon: vikunja.png
        url: https://projekt.lan?redirectToProvider=true
        target: newtab
        id: 1_404_projekte
        statusCheckAllowInsecure: true
      - title: Smart Home
        icon: openhab.png
        url: https://openhab.lan/oauth2/start?rd=/
        target: newtab
        id: 2_404_smarthome
        statusCheckAllowInsecure: true
      - title: Cloud
        icon: nextcloud.png
        url: https://nextcloud.lan/apps/sociallogin/custom_oidc/keycloak
        target: newtab
        statusCheckAllowInsecure: true
        id: 3_404_cloud

nginx conf:

server {
    listen                          80;
    listen                          [::]:80;
    server_name                     zuhause.lan;
    return 301                      https://$server_name$request_uri;
}

server {
    #listen 80;
    listen 443 ssl http2;
    #listen 8443 ssl;

    ssl_certificate /etc/ssl/certs/dashy-bundle.crt;
    ssl_certificate_key /etc/ssl/private/dashy.key;
    #access_log /var/log/nginx/access.log;
    #error_log /var/log/nginx/error.log;
    server_name zuhause.lan;

    add_header X-Frame-Options SAMEORIGIN always;

    location / {
        add_header 'Access-Control-Allow-Origin' 'https://zuhause.lan' always;
        proxy_set_header Host $http_host;
        proxy_pass http://localhost:4000/;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

Please tick the boxes

• You have explained the issue clearly, and included all relevant info
• You are using a supported version of Dashy
• You've checked that this issue hasn't already been raised
• You've checked the docs and troubleshooting guide
• You agree to the code of conduct

[classic-mcfly]

Hello, same issue here. After downgrading Keycloak to v24 everything is working as expected.

[veniplex]

Same issue for me. I use:

• Dashy v3.1.1
• Keycloak v25.0.1

Both hosted as Docker containers on a Synology NAS behind the built-in (Synology) Reverse Proxy and publicly available via HTTPS.

I get the same result. Auth seems to work on Keycloak side, because a session is created and the Keycloak logs show nothing. But Dashy shows this:

[juantxorena]

Since I'm not using docker, I cannot really roll back keycloak to a previous version (I could, but it's too much work). Is there any way I can help testing and fixing this bug?

[veniplex]

@juantxorena I assume that Keycloak v25.0.0 introduced some breaking changes, so that the implementation in Dashy needs some adjustments. For reference: https://www.keycloak.org/docs/latest/release_notes/index.html

Dashy is currently using "keycloak-js": "^20.0.3". The current version is Keycloak JS v25.0.1. According to the release notes of Keycloak v25.0.0 there were some (maybe breaking) changes regarding the Keycloak JS adapter:

Legacy Promise API removed
With this release, we have removed the legacy Promise API methods from the Keycloak JS adapter. This means that calling .success() and .error() on promises returned from the adapter is no longer possible.

Required to be instantiated with the new operator
In a previous release we started to actively log deprecation warnings when the Keycloak JS adapter is constructed without the new operator. Starting this release doing so will throw an exception instead. This is to align with the expected behavior of JavaScript classes, which will allow further refactoring of the adapter in the future.

A quick look at the old v24.0.5 and latest v25.0.1 docs did not reveal any major changes for the overall implementation so far.

Maybe it is worth noting this in the installation instructions / troubleshooting section / readme file... until it is updated.

[veniplex]

@juantxorena Did you try to use the OIDC method in the meantime? Maybe this works with Keycloak... I haven't tried it and I can't at the moment, because I removed Dashy for now.

[MioOgbeni]

Hi, I also encountered with this error. Last week we upgraded to Keycloak 25.X.X and after that login into Dashy stopped working. It definitely looks like some issue with the deprecation of the keycloak-js library in the currently used version.

I also tried your @veniplex recommendation, and it seems to work after switching to generic OIDC auth.

Will anyone try to upgrade the keycloak-js library, or should I try it in PR?

[nOw-Ay]

Hello,

Now that general OIDC Authentication is available, what benefit is there to use keycloak-js ?

The library is supposed to help developers to implement Keycloak-based Auth in their solutions. Now that a general solution is available, don't you think that Keycloak Auth with keycloak-js should be deprecated ?

[CrazyWolf13]

@nOw-Ay

I think that would a good decision, as keycloak allows oidc, however if we'd really deprecate keycloak( as it requires a lot of maintenance and there are often many problems with keycloak) we'd have to communicate and plan this out well, as I think a lot of people use keycloak, so we can't just remove it.

@Lissy93 What's your opinion on this?

[veniplex]

@nOw-Ay As far as I understand, there are Keycloak-specific features available within keycloak-js. However, if Dashy is not using these features, a secure OIDC-implementation should be enough for most of the providers.

@CrazyWolf13 Since Dashy doesn't work with the newest version of Keycloak, the most part is already done 😆... I think an update of the documentation would be enough. Just refer to the OIDC implementation for now.

[viperfan7]

I'm having trouble with getting the OIDC implementation working, specifically, getting a whole lot of "Invalid scopes" errors, and I can't find any documentation as to what might be causing it