OIDC + Keycloak unauthorized error

Hello everyone,
I’m trying to authenticate Hue with Keycloak using the Helm charts. Whenever I try to log in with a user I have created in Keycloak, I receive an unauthorized error. This is an extract of the Hue log:

[29/Jun/2021 06:32:18 -0700] database     WARNING  AXES: New login failure by {username: "None", ip_address: "10.244.4.39", user_agent: "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36", path_info: "/oidc/callback/"}. Creating new record in the database.
[29/Jun/2021 06:32:18 -0700] access       INFO     10.244.0.0 -anon- - "GET /oidc/callback/ HTTP/1.1" returned in 27ms 302 0 (mem: 116mb)
[29/Jun/2021 06:32:18 -0700] access       INFO     10.244.0.0 -anon- - "GET /oidc/callback/ HTTP/1.1" returned in 27ms 302 0 (mem: 116mb)
10.244.4.39 - - [29/Jun/2021:13:32:18 +0000] "GET /oidc/callback/?state=7lwSiAK0FIKtJg5CnKHffNOXlv0PGF0x&session_state=381b1152-fe5f-46d3-acbf-723bfb60d23b&code=4a4d78d4-ea6c-40bb-bb9c-cf43035489aa.381b1152-fe5f-46d3-acbf-723bfb60d23b.5faeda43-f607-4373-8bb1-ec6783590218 HTTP/1.1" 302 0 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36"
[2021-06-29 13:32:18 +0000] [38] [DEBUG] GET /hue/oidc_failed/
[29/Jun/2021 06:32:18 -0700] access       WARNING  10.244.0.0 -anon- - "GET /hue/oidc_failed/ HTTP/1.1" - (mem: 119mb)-- 401 Unauthorized by oidc
[29/Jun/2021 06:32:18 -0700] access       WARNING  10.244.0.0 -anon- - "GET /hue/oidc_failed/ HTTP/1.1" - (mem: 119mb)-- 401 Unauthorized by oidc

and these warnings at the beginning of the log (right after the deployment of the Hue application):

System check identified some issues:
WARNINGS:
?: (axes.W002) You do not have 'axes.middleware.AxesMiddleware' in your settings.MIDDLEWARE.
?: (axes.W003) You do not have 'axes.backends.AxesBackend' or a subclass in your settings.AUTHENTICATION_BACKENDS.

Allow me to provide the context:

  • Hue and Keycloak are deployed behind two different domains: hue_mydomain_com and keycloak_mydomain_com
  • Hue’s Helm chart is using a custom image based on the latest release of Hue’s official Docker image, to overcome the issue described in the post: OIDC fails with helm

Here’s my Hue configuration (sorry, I had to replace dots with underscores and strip the protocol from URLs due to the “new user restriction”):

  interpreters: |
    [[[postgresql]]]
      name = Postgresql
      interface=sqlalchemy
      options='{"url": "postgresql://hue:hue@postgres-hue:5432/hue"}'
  ini: |
    [desktop]
    secret_key=hue123
    app_blacklist=search,hbase,security,jobbrowser,oozie
    django_debug_mode=true
    gunicorn_work_class=sync
    enable_prometheus=false
    secure_content_security_policy="script-src 'self' 'unsafe-inline' 'unsafe-eval' ;style-src 'self' 'unsafe-inline' fonts_googleapis_com;connect-src 'self' *_mydomain_com;frame-src *;child-src 'self' data: *_vimeo_com;object-src 'none'"

    [[auth]]
    backend=desktop.auth.backend.OIDCBackend
    behind_reverse_proxy=true
    reverse_proxy_header=HTTP_X_FORWARDED_FOR

    [[oidc]]
    # The client ID of Hue as relying party, as registered in the OpenID provider
    oidc_rp_client_id=Hue

    # The client secret of Hue as relying party, as registered in the OpenID provider
    oidc_rp_client_secret=mysecrethere

    # The OpenID provider authorization endpoint
    oidc_op_authorization_endpoint=keycloak_mydomain_com/auth/realms/master/protocol/openid-connect/auth

    # The OpenID provider token endpoint
    oidc_op_token_endpoint=keycloak_mydomain_com/auth/realms/master/protocol/openid-connect/token

    # The OpenID provider user info endpoint
    oidc_op_user_endpoint=keycloak_mydomain_com/auth/realms/master/protocol/openid-connect/userinfo

    # The OpenID provider signing key in PEM or DER format
    ## oidc_rp_idp_sign_key=/path/to/key_file

    # The OpenID provider JWKS endpoint (signing keys used to verify the ID token)
    oidc_op_jwks_endpoint=keycloak_mydomain_com/auth/realms/master/protocol/openid-connect/certs

    # Whether Hue, as OpenID Connect client, verifies the provider's SSL cert
    oidc_verify_ssl=false

    # Hue (relying party) callback URL the provider redirects to after login
    login_redirect_url=hue_mydomain_com/oidc/callback

    # The OpenID provider URL to redirect to after logout
    logout_redirect_url=keycloak_mydomain_com/auth/realms/master/protocol/openid-connect/logout

    # Hue (relying party) URL to redirect to after a failed login
    login_redirect_url_failure=hue_mydomain_com/hue/oidc_failed

    # Create a new user from OpenID Connect on login if it doesn't exist
    create_users_on_login=true

    # When creating a new user, which 'claims' attribute from the OIDC provider to be used for creating the username.
    #      Default to 'preferred_username'. Possible values include: 'email'
    oidc_username_attribute=preferred_username

    # The group of users will be created and updated as superuser. To use this feature, setup in Keycloak:
    # 1. add the name of the group here
    # 2. in Keycloak, go to your_realm --> your_clients --> Mappers, add a mapper
    #      Mapper Type: Group Membership (this is predefined mapper type)
    #      Token Claim Name: group_membership (required exact string)
    superuser_group=hue_superusers


    [hadoop]
    [[hdfs_clusters]]
    [[[default]]]
    fs_defaultfs=hdfs-namenode:8020
    webhdfs_url=hdfs-namenode:50070/webhdfs/v1

Do I need extra configuration on the Keycloak side related to roles and permissions?
Thanks a lot in advance for any support and suggestions.

Best regards
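The failure above happens after Keycloak has already redirected back to /oidc/callback/ with a code, so the interesting question is what Hue derives from the claims Keycloak returns: the username comes from the claim named by oidc_username_attribute, and superuser status from a group_membership claim produced by the Group Membership mapper. The script below is an added diagnostic, not Hue's or Keycloak's own code: it decodes a JWT payload without verifying it and models those two decisions. The tokens it parses are constructed inline, the issuer keycloak.example is made up, and the assumption that Keycloak emits full group paths such as /hue_superusers (its mapper's "Full group path" default) is marked in the code.

```python
import base64
import json

# Added example, not part of the Hue project. Models what Hue's OIDCBackend
# needs from the provider's claims; the sample tokens below are constructed.


def _b64url_decode(segment: str) -> bytes:
    """Base64url decode with the padding JWT segments leave out restored."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_jwt_claims(token: str) -> dict:
    """Return the JWT payload WITHOUT checking the signature.

    Inspection only: Hue verifies the signature against oidc_op_jwks_endpoint
    before trusting these claims, and so should anything that is not a debugger.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected compact JWS: header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def make_sample_token(claims: dict) -> str:
    """Build a CONSTRUCTED, unsigned JWT so the example runs offline."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


def hue_login_decision(claims: dict, username_attribute: str = "preferred_username",
                       superuser_group: str = "hue_superusers",
                       create_users_on_login: bool = True,
                       existing_users: frozenset = frozenset()) -> dict:
    """Predict what Hue does with these claims (a model of its OIDC settings, not Hue code)."""
    username = claims.get(username_attribute)
    if not username:
        return {"accepted": False, "username": None, "is_superuser": False,
                "reason": f"claim '{username_attribute}' missing: check the client's mappers/scopes in Keycloak"}
    if username not in existing_users and not create_users_on_login:
        return {"accepted": False, "username": username, "is_superuser": False,
                "reason": "user unknown to Hue and create_users_on_login=false"}
    groups = claims.get("group_membership", [])
    # Assumption: Keycloak's Group Membership mapper emits full paths ("/hue_superusers")
    # when 'Full group path' is on (the default), so accept both spellings.
    is_superuser = superuser_group in groups or f"/{superuser_group}" in groups
    return {"accepted": True, "username": username, "is_superuser": is_superuser, "reason": "ok"}


# Constructed sample tokens (not real Keycloak output).
GOOD_TOKEN = make_sample_token({
    "iss": "https://keycloak.example/auth/realms/master", "aud": "Hue", "sub": "user-1",
    "preferred_username": "alice", "email": "alice@example.com",
    "group_membership": ["/hue_superusers"],
})
MISSING_USERNAME_TOKEN = make_sample_token({
    "iss": "https://keycloak.example/auth/realms/master", "aud": "Hue", "sub": "user-2",
    "email": "bob@example.com",
})

if __name__ == "__main__":
    for name, tok in [("good", GOOD_TOKEN), ("no preferred_username", MISSING_USERNAME_TOKEN)]:
        print(name, hue_login_decision(decode_jwt_claims(tok)))
    # Same claims, but with oidc_username_attribute=email the login would succeed:
    print("email as username",
          hue_login_decision(decode_jwt_claims(MISSING_USERNAME_TOKEN), username_attribute="email"))
```

To use it against a real deployment, paste the ID token (or the JSON the userinfo endpoint returns for the client's access token) into decode_jwt_claims or hue_login_decision and compare the result with the hue.ini settings. The decoder skips signature verification on purpose; Hue itself fetches the keys from oidc_op_jwks_endpoint to verify the token, and with oidc_verify_ssl=false that fetch and the token exchange are not protected against a man-in-the-middle, so that setting should stay confined to a lab.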