KeyCloak error step1.html (RESOLVED)

Enabling KeyCloak

I’m trying to activate KeyCloak but I’m having a problem that I don’t know how to solve, it seems to have to do with nginx or cors.

When accessing ORTHANC: https://my.domain/orthanc/ui/app/#/ I have an error in the console log and another in the network tab of the browser.

The first indicator is the following message: Could not connect to Keycloak

The second is an error already known to the KeyCloak community:

A connection error in step1.html, it comes with the error:

Request URL:
https://localhost/keycloak/realms/orthanc/protocol/openid-connect/3p-cookies/step1.html

Referrer policy:
strict-origin-when-cross-origin

I’m confused with this request URL since it should have my domain instead of localhost, right?

These are my settings:

Docker

Compose

services:
	# Container 1: Reverse proxy with TLS and SSL
	nginx:
		image:  orthancteam/orthanc-nginx:24.7.2
		depends_on: [ orthanc, orthanc-dicom, orthanc-auth-service, keycloak, ohif ]
		restart:  unless-stopped
		ports: [ "443:443" ]
		volumes:
			-  ./tls/crt.pem:/etc/nginx/tls/crt.pem:ro
			-  ./tls/key.pem:/etc/nginx/tls/key.pem:ro
		environment:
			ENABLE_ORTHANC:  "true"
			ENABLE_KEYCLOAK:  "true"
			ENABLE_ORTHANC_TOKEN_SERVICE:  "false"
			ENABLE_HTTPS:  "true"
			ENABLE_OHIF:  "true"

	# Container 2: Static OHIF
	ohif:
		image:  orthancteam/ohif-v3:24.7.2
		restart:  unless-stopped

	# Container 3: ORTHANC PACS (DICOMweb™, GUI) Layer 7: HTTPS
	orthanc:
		image:  orthancteam/orthanc:24.8.1
		restart:  unless-stopped
		volumes:
			-  ./tmp/orthancDicomWeb-logs:/logs
			-  ./orthancDicomWeb.json:/etc/orthanc/orthanc.json:ro
		environment:
			# Console Logs
			VERBOSE_ENABLED:  "true"
			VERBOSE_STARTUP:  "true"
			# Logs
			LOGDIR:  "/logs"
			ORTHANC__DE_IDENTIFY_LOGS:  "false"

	# Container 4: ORTHANC PACS (DISME, SPU) Layer 4: Network
	orthanc-dicom:
		image:  orthancteam/orthanc:24.8.1
		restart:  unless-stopped
		ports:
			-  "2762:4242"
		volumes:
			-  ./tmp/orthancDicom-logs:/logs
			-  ./orthancDicom.json:/etc/orthanc/orthanc.json:ro
			-  ./tls:/tls:ro
		environment:
			# Console Logs
			VERBOSE_ENABLED:  "true"
			VERBOSE_STARTUP:  "true"
			# Logs
			LOGDIR:  "/logs"
			ORTHANC__DE_IDENTIFY_LOGS:  "false"


	# Container 5: Auth Interface Orthanc < > KeyCloak
	orthanc-auth-service:
		image:  orthancteam/orthanc-auth-service:24.7.2
		# permissions can be customized in the permissions.json file
		volumes:
			-  ./permissions.json:/orthanc_auth_service/permissions.json
		depends_on: [ keycloak ]
		restart:  unless-stopped
		env_file:
			-  "./.auth.env"

	# Container 6: Auth
	keycloak:
		image:  orthancteam/orthanc-keycloak:24.7.2
		restart:  unless-stopped
		env_file:
			-  "./.keycloak.env"

Env to orthanc-auth-service

SECRET_KEY="SOME-BIG-KEY-HERE"
ENABLE_KEYCLOAK="true"
ENABLE_KEYCLOAK_API_KEYS="true"
KEYCLOAK_URI="http://keycloak:8080/realms/orthanc/"
KEYCLOAK_CLIENT_SECRET="SOME-BIG-KEY-HERE"
PUBLIC_ORTHANC_ROOT="http://localhost/orthanc/"
PUBLIC_LANDING_ROOT="http://localhost/orthanc/ui/app/token-landing.html"
PUBLIC_OHIF_ROOT="http://localhost/ohif/"
USERS={ "share-user": "share-password" }

I understand that these variables inform the interface that KeyCloak is activated and deliver some secrets to it. The URLs registered here are localhost and keycloak because from what I understand the communication is internal.

I understand that localhost does not need to be changed as demonstrated in samples.

Env to Keycloak

KEYCLOAK_ADMIN="admin"
KEYCLOAK_ADMIN_PASSWORD="SOME-BIG-PASSWORD-HERE"
KC_DB="postgres"
KC_DB_URL="jdbc:postgresql://SOME-DB-HOST:5432/keycloak"
KC_DB_USERNAME="postgres"
KC_DB_PASSWORD="SOME-BIG-PASSWORD-HERE"
KC_HOSTNAME_URL="https://localhost/keycloak"
KC_HOSTNAME_ADMIN_URL="https://localhost/keycloak"
KC_FIPS_MODE="strict"
QUARKUS_TRANSACTION_MANAGER_ENABLE_RECOVERY=true

Here are several details that I’m not sure about.

KC_HOSTNAME_URL and KC_HOSTNAME_ADMIN_URL must not be localhost and must be the full URL for these endpoints, for example:

https://orthanc.tera.com.br/keycloak

I enabled FIPS to increase security, even though I don’t know if this configuration is having any effect. I don’t need FIPS but I found it interesting. Anyway, to enable FIPS I should use KC_FEATURE="fips" I think.

QUARKUS_TRANSACTION_MANAGER_ENABLE_RECOVERY=true I enabled this since it was complaining that this was “important”.

I believe that FIPS and QUARKUS TRANSACTION MANAGER do not change the behavior for this problem of mine since with them activated or not the error behaves the same. I tested it.

Orthanc for DICOMweb

{
    "Name": "Tera Telemedicina DICOMweb",
    "ConcurrentJobs": 0,
    "JobsEngineThreadsCount": {
        "ResourceModification": 1
    },
    "HttpServerEnabled": true,
    "HttpPort": 8042,
    "HttpDescribeErrors": true,
    "HttpCompressionEnabled": false,
    "WebDavEnabled": false,
    "DicomServerEnabled": false,
    "SslEnabled": false,
    "RemoteAccessAllowed": true,
    "RegisteredUsers": {
        "TeraADM": "Tera@123",
        "ShareUser": "Share@123",
        "healthcheck": "Health@123"
    },
    "OrthancExplorer2": {
        "IsDefaultUI": true,
        "UiOptions": {
            "EnableShares": true,
            "DefaultShareDuration": 0,
            "ShareDurations": [
                0,
                7,
                15,
                30,
                90,
                365
            ],
            "EnableOpenInOhifViewer3": true,
            "OhifViewer3PublicRoot": "https://localhost/ohif/"
        },
        "Tokens": {
            "InstantLinksValidity": 3600,
            "ShareType": "ohif-viewer-publication"
        },
        "Keycloak": {
            "Enable": true,
            "Url": "https://localhost/keycloak/",
            "Realm": "orthanc",
            "ClientId": "orthanc"
        }
    },
    "AuthenticationEnabled": false,
    "Authorization": {
        "WebServiceRootUrl": "http://orthanc-auth-service:8000/",
        "WebServiceUsername": "share-user",
        "WebServicePassword": "share-password",
        "StandardConfigurations": [
            "orthanc-explorer-2"
        ],
        "TokenHttpHeaders": [
            "api-key"
        ],
        "CheckedLevel": "studies"
    },
    "DicomWeb": {
        "Enable": true,
        "PublicRoot": "/orthanc/dicom-web/"
    },
    "PostgreSQL": {
        "EnableIndex": true,
        "Host": "SOME-DB-HOST",
        "Port": 5432,
        "Database": "orthanc",
        "Username": "postgres",
        "Password": "SOME-BIG-PASSWORD",
        "EnableSsl": true
    },
    "AwsS3Storage": {
        "BucketName": "SOME-NAME",
        "Region": "us-east-1",
        "AccessKey": "SOME-ACCESS-KEY",
        "SecretKey": "SOME-SECRET-KEY",
        "StorageStructure": "flat",
        "UseTransferManager": true
    }
}

From what I understood of the “Keycloak” key in the json, the “Url” key should be localhost because it didn’t say “https://mydomain.com/keycloak”, so I understood that I shouldn’t change the value.

"Keycloak": {
            "Enable": true,
            "Url": "https://localhost/keycloak/",
            "Realm": "orthanc",
            "ClientId": "orthanc"
        }

The only thing I changed in the samples was that in “StandardConfigurations” I removed ohif. I didn’t understand whether this is only for the case where ohif is used as a plugin, or whether, if I’m using ohif at all, it doesn’t matter and I should put ohif there.

"StandardConfigurations": [
            "orthanc-explorer-2"
        ],

Orthanc for network communication

Orthanc-dicom is just orthanc with DICOM server enabled, AET registered and TLS and nothing else.

This is not correct:

Here are the correct values:

PUBLIC_ORTHANC_ROOT="https://orthanc.tera.com.br/orthanc/"
PUBLIC_LANDING_ROOT="https://orthanc.tera.com.br/orthanc/ui/app/token-landing.html"
PUBLIC_OHIF_ROOT="https://orthanc.tera.com.br/ohif/"

Same for this:

Here are the correct values:

KC_HOSTNAME_URL="https://orthanc.tera.com.br/keycloak"
KC_HOSTNAME_ADMIN_URL="https://orthanc.tera.com.br/keycloak"

Regarding FIPS and QUARKUS… stuff, I have no idea, Keycloak doc could help…

I don’t understand what the “DICOMweb” part in your post is…

HTH,
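The fix in the reply boils down to one rule: every URL a browser will load (the `PUBLIC_*_ROOT` values, `KC_HOSTNAME_URL` / `KC_HOSTNAME_ADMIN_URL`) must carry the public domain over HTTPS, while URLs only reached container-to-container (`KEYCLOAK_URI`, `WebServiceRootUrl`) keep the compose service names. As an added example (not from this thread or the Orthanc project), the Python check below applies that rule to both env files and to `orthanc.json`. It goes a little beyond the reply on two assumptions: it also treats `OrthancExplorer2.Keycloak.Url` and `OhifViewer3PublicRoot` as browser-facing, and it rebuilds the `3p-cookies/step1.html` probe URL from the Keycloak `Url` and `Realm` in the shape the failing request in the question shows. The sample inputs are constructed from the thread's values with the domain from the reply; the services set comes from the compose file.

```python
import json
import re
from urllib.parse import urlparse

# Constructed sample inputs modelled on the thread's configuration (secrets replaced).
AUTH_ENV = """\
SECRET_KEY="SOME-BIG-KEY-HERE"
ENABLE_KEYCLOAK="true"
KEYCLOAK_URI="http://keycloak:8080/realms/orthanc/"
PUBLIC_ORTHANC_ROOT="http://localhost/orthanc/"
PUBLIC_LANDING_ROOT="http://localhost/orthanc/ui/app/token-landing.html"
PUBLIC_OHIF_ROOT="http://localhost/ohif/"
"""
KEYCLOAK_ENV = """\
KC_HOSTNAME_URL="https://localhost/keycloak"
KC_HOSTNAME_ADMIN_URL="https://localhost/keycloak"
"""
ORTHANC_JSON = """{
  "OrthancExplorer2": {
    "UiOptions": {"OhifViewer3PublicRoot": "https://localhost/ohif/"},
    "Keycloak": {"Enable": true, "Url": "https://localhost/keycloak/",
                 "Realm": "orthanc", "ClientId": "orthanc"}
  },
  "Authorization": {"WebServiceRootUrl": "http://orthanc-auth-service:8000/"}
}"""

PUBLIC_HOST = "orthanc.tera.com.br"          # public domain named in the reply
SERVICES = {"nginx", "ohif", "orthanc", "orthanc-dicom",   # compose service names
            "orthanc-auth-service", "keycloak"}
LOOPBACK = {"localhost", "127.0.0.1", "::1"}

# Browser-facing names: must be https://<public host>/...
PUBLIC_ENV_KEYS = ("PUBLIC_ORTHANC_ROOT", "PUBLIC_LANDING_ROOT", "PUBLIC_OHIF_ROOT",
                   "KC_HOSTNAME_URL", "KC_HOSTNAME_ADMIN_URL")
# Container-to-container names: must point at a compose service.
INTERNAL_ENV_KEYS = ("KEYCLOAK_URI",)


def parse_env(text):
    """Parse KEY=value / KEY="value" lines as docker compose env_file expects.

    Returns (values, problems); a line that is not an assignment is reported
    rather than silently dropped (e.g. a 'KEY: "value"' YAML-style line)."""
    values, problems = {}, []
    pattern = re.compile(r'''([A-Za-z_][A-Za-z0-9_]*)=(?:"([^"]*)"|'([^']*)'|(.*))''')
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = pattern.fullmatch(line)
        if not m:
            problems.append(f"env line {n}: not KEY=VALUE syntax: {line!r}")
            continue
        values[m.group(1)] = next(g for g in m.groups()[1:] if g is not None)
    return values, problems


def check_public_url(name, url, public_host, problems):
    """A URL the browser loads must use HTTPS and the public host, never loopback."""
    p = urlparse(url)
    if p.scheme != "https":
        problems.append(f"{name}: scheme {p.scheme!r}, but nginx serves HTTPS")
    if p.hostname in LOOPBACK:
        problems.append(f"{name}: points at {p.hostname}, the browser needs {public_host}")
    elif p.hostname != public_host:
        problems.append(f"{name}: host {p.hostname!r} is not the public host {public_host!r}")


def check_internal_url(name, url, services, problems):
    """A URL used only inside the compose network should name a service."""
    host = urlparse(url).hostname
    if host not in services:
        problems.append(f"{name}: host {host!r} is not a compose service name")


def probe_url(keycloak_url, realm):
    """Third-party-cookie probe URL, rebuilt in the shape of the request in the
    question (assumption: base Url + /realms/<realm>/protocol/openid-connect/...)."""
    return (keycloak_url.rstrip("/")
            + f"/realms/{realm}/protocol/openid-connect/3p-cookies/step1.html")


def audit(auth_env, keycloak_env, orthanc_json, public_host, services):
    """Return a list of findings; an empty list means the split is consistent."""
    problems, env = [], {}
    for text in (auth_env, keycloak_env):
        values, syntax = parse_env(text)
        problems += syntax
        env.update(values)
    for key in PUBLIC_ENV_KEYS:
        if key in env:
            check_public_url(key, env[key], public_host, problems)
    for key in INTERNAL_ENV_KEYS:
        if key in env:
            check_internal_url(key, env[key], services, problems)
    cfg = json.loads(orthanc_json)
    oe2 = cfg.get("OrthancExplorer2", {})
    kc = oe2.get("Keycloak", {})
    if kc.get("Enable"):
        check_public_url("OrthancExplorer2.Keycloak.Url", kc.get("Url", ""), public_host, problems)
    ohif = oe2.get("UiOptions", {}).get("OhifViewer3PublicRoot")
    if ohif:
        check_public_url("OrthancExplorer2.UiOptions.OhifViewer3PublicRoot", ohif, public_host, problems)
    auth = cfg.get("Authorization", {}).get("WebServiceRootUrl")
    if auth:
        check_internal_url("Authorization.WebServiceRootUrl", auth, services, problems)
    return problems


if __name__ == "__main__":
    for finding in audit(AUTH_ENV, KEYCLOAK_ENV, ORTHANC_JSON, PUBLIC_HOST, SERVICES):
        print("FAIL", finding)
    print("browser will request:", probe_url("https://localhost/keycloak/", "orthanc"))
```

Run against the thread's original values it reports every loopback or plain-HTTP public URL and shows that the probe URL it rebuilds is exactly the `https://localhost/...step1.html` request from the question; with the reply's domain substituted into the public values it reports nothing, while `KEYCLOAK_URI` and `WebServiceRootUrl` stay on service names.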

I have two Orthanc instances, one to operate via REST API using DICOMweb and another to operate via the network layer. I think that these devices that behave in this layer are called DISME or SPU servers that receive SPC requests. That’s what I understood from my research.

Anyway, this DICOMweb server is also the one that will have REMOTE ACCESS so I can access Orthanc from within.

I’ll correct the values right now.