Configure OpenID redirect port

[xy8000]

Hello together,

is there a way to force django-allauth to use Port X for redirects?

Current Redirect-URL after clicking SSO-Button: https://keycloak.[SUBDOMAIN].[DOMAIN].de:8080/[PATH]
Wanted Redirect-URL after clicking SSO-Button: https://keycloak.[SUBDOMAIN].[DOMAIN].de/[PATH]

Seems, that allauth is using the Port provided in the openid-connector-configuration:

"openid_connect": {
            "APPS": [
                {
                    "provider_id": "keycloak",
                    "name": "Keycloak",
                    "client_id": "paperless",
                    "secret": "[SECRET]",
                    "settings": {
                        "server_url": "http://keycloak:8080/realms/master/.well-known/openid-configuration"
                    }
                }
            ]
          }

and not the value provided in the keycloak-openid-configuration:
openid-configuration.txt

Maybe i've configured something wrong, but my application is running in a containerized environment. Therefore i would like to use the container-name to access the openid-configuration from my keycloak-container.
The configuration mentioned above worked a few weeks ago. The problem occurred after upgrading paperless. I already posted a bug in the paperless-repo. The problem doesn't seem to be related to paperless at all: BUG

[pennersr]

You are referring to the URL where allauth redirects to, to initiate the OIDC handshake? That definitely does not use server_url, it fetches the openid-configuration, and from that it extracts authorization_endpoint, see:

https://github.com/pennersr/django-allauth/blob/main/allauth/socialaccount/providers/openid_connect/views.py#L40

So, according to your openid-configuration.txt, that would be:

  "authorization_endpoint": "https://keycloak.[SUMDOMAIN].[DOMAIN].de/realms/master/protocol/openid-connect/auth",

[xy8000]

In my case django mixed both configs.

Example-Response from paperless:

HTTP/2 302 
access-control-allow-origin: https://paperless.[SUBDOMAIN].[DOMAIN].de
content-language: en-us
content-type: text/html; charset=utf-8
cross-origin-opener-policy: same-origin
date: Sat, 15 Jun 2024 12:16:32 GMT
location: http://keycloak.[SUBDOMAIN].[DOMAIN].de:8080/realms/master/protocol/openid-connect/auth?client_id=paperless&redirect_uri=https%3A%2F%2Fpaperless.[SUBDOMAIN].[DOMAIN].de%2Faccounts%2Foidc%2Fkeycloak%2Flogin%2Fcallback%2F&scope=email+openid+profile&response_type=code&state=[STATE]
referrer-policy: same-origin
server: uvicorn
set-cookie: sessionid=[SESSION_ID]; expires=Sat, 29 Jun 2024 12:16:32 GMT; HttpOnly; Max-Age=1209600; Path=/; SameSite=Lax
vary: Accept-Language, origin, Cookie
x-content-type-options: nosniff
x-frame-options: SAMEORIGIN
content-length: 0
X-Firefox-Spdy: h2

Somehow it used port 8080 here.

[pennersr]

allauth really doesn't do any processing with that URL, except for adding ?query-parameters. See:

https://github.com/pennersr/django-allauth/blob/main/allauth/socialaccount/providers/oauth2/provider.py#L119

and:

https://github.com/pennersr/django-allauth/blob/main/allauth/socialaccount/providers/oauth2/client.py#L50

As you can see, the URL is used as is.

[xy8000]

Thank you for clarification. My keycloak-instance was not set up correctly after keycloak moved to the new hostname-v2 feature. System is working now.