Enabling KeyCloak
I’m trying to activate KeyCloak but I’m having a problem that I don’t know how to solve, it seems to have to do with nginx or cors.
When accessing ORTHANC: https://my.domain/orthanc/ui/app/#/
I have an error in the console log and another in the network tab of the browser.
The first indicator is the following message: Could not connect to Keycloak
The second is an error already known to the KeyCloak community: a connection error in step1.html, which comes with the following request details:
Request URL: https://localhost/keycloak/realms/orthanc/protocol/openid-connect/3p-cookies/step1.html
Referrer policy: strict-origin-when-cross-origin
I’m confused with this request URL since it should have my domain instead of localhost, right?
These are my settings:
Docker Compose

services:
  # Container 1: Reverse proxy with TLS and SSL
  nginx:
    image: orthancteam/orthanc-nginx:24.7.2
    depends_on: [ orthanc, orthanc-dicom, orthanc-auth-service, keycloak, ohif ]
    restart: unless-stopped
    ports: [ "443:443" ]
    volumes:
      - ./tls/crt.pem:/etc/nginx/tls/crt.pem:ro
      - ./tls/key.pem:/etc/nginx/tls/key.pem:ro
    environment:
      ENABLE_ORTHANC: "true"
      ENABLE_KEYCLOAK: "true"
      ENABLE_ORTHANC_TOKEN_SERVICE: "false"
      ENABLE_HTTPS: "true"
      ENABLE_OHIF: "true"

  # Container 2: Static OHIF
  ohif:
    image: orthancteam/ohif-v3:24.7.2
    restart: unless-stopped

  # Container 3: ORTHANC PACS (DICOMweb™, GUI) Layer 7: HTTPS
  orthanc:
    image: orthancteam/orthanc:24.8.1
    restart: unless-stopped
    volumes:
      - ./tmp/orthancDicomWeb-logs:/logs
      - ./orthancDicomWeb.json:/etc/orthanc/orthanc.json:ro
    environment:
      # Console Logs
      VERBOSE_ENABLED: "true"
      VERBOSE_STARTUP: "true"
      # Logs
      LOGDIR: "/logs"
      ORTHANC__DE_IDENTIFY_LOGS: "false"

  # Container 4: ORTHANC PACS (DISME, SPU) Layer 4: Network
  orthanc-dicom:
    image: orthancteam/orthanc:24.8.1
    restart: unless-stopped
    ports:
      - "2762:4242"
    volumes:
      - ./tmp/orthancDicom-logs:/logs
      - ./orthancDicom.json:/etc/orthanc/orthanc.json:ro
      - ./tls:/tls:ro
    environment:
      # Console Logs
      VERBOSE_ENABLED: "true"
      VERBOSE_STARTUP: "true"
      # Logs
      LOGDIR: "/logs"
      ORTHANC__DE_IDENTIFY_LOGS: "false"

  # Container 5: Auth Interface Orthanc < > KeyCloak
  orthanc-auth-service:
    image: orthancteam/orthanc-auth-service:24.7.2
    # permissions can be customized in the permissions.json file
    volumes:
      - ./permissions.json:/orthanc_auth_service/permissions.json
    depends_on: [ keycloak ]
    restart: unless-stopped
    env_file:
      - "./.auth.env"

  # Container 6: Auth
  keycloak:
    image: orthancteam/orthanc-keycloak:24.7.2
    restart: unless-stopped
    env_file:
      - "./.keycloak.env"
Env for orthanc-auth-service (.auth.env)
SECRET_KEY="SOME-BIG-KEY-HERE"
ENABLE_KEYCLOAK="true"
ENABLE_KEYCLOAK_API_KEYS="true"
KEYCLOAK_URI="http://keycloak:8080/realms/orthanc/"
KEYCLOAK_CLIENT_SECRET="SOME-BIG-KEY-HERE"
PUBLIC_ORTHANC_ROOT="http://localhost/orthanc/"
PUBLIC_LANDING_ROOT="http://localhost/orthanc/ui/app/token-landing.html"
PUBLIC_OHIF_ROOT="http://localhost/ohif/"
USERS={ "share-user": "share-password" }
I understand that these variables inform the interface that KeyCloak is activated and deliver some secrets to it. The URLs registered here are localhost and keycloak because, from what I understand, the communication is internal.
I understand that localhost does not need to be changed, as demonstrated in the samples.
Env for Keycloak (.keycloak.env)
KEYCLOAK_ADMIN="admin"
KEYCLOAK_ADMIN_PASSWORD="SOME-BIG-PASSWORD-HERE"
KC_DB="postgres"
KC_DB_URL="jdbc:postgresql://SOME-DB-HOST:5432/keycloak"
KC_DB_USERNAME="postgres"
KC_DB_PASSWORD="SOME-BIG-PASSWORD-HERE"
KC_HOSTNAME_URL="https://localhost/keycloak"
KC_HOSTNAME_ADMIN_URL="https://localhost/keycloak"
KC_FIPS_MODE="strict"
QUARKUS_TRANSACTION_MANAGER_ENABLE_RECOVERY=true
Here are several details that I’m not sure about.

KC_HOSTNAME_URL and KC_HOSTNAME_ADMIN_URL must not be localhost and must be the full URL for these endpoints, for example: https://orthanc.tera.com.br/keycloak

I enabled FIPS to increase security, even though I don’t know if this configuration is having any effect. I don’t need FIPS, but I found it interesting. Anyway, to enable FIPS I should use KC_FEATURE="fips", I think.

QUARKUS_TRANSACTION_MANAGER_ENABLE_RECOVERY=true: I enabled this since it was complaining that this was “important”.

I believe that FIPS and QUARKUS TRANSACTION MANAGER do not change the behavior for this problem of mine, since with them activated or not the error behaves the same. I tested it.
Orthanc for DICOMweb (orthancDicomWeb.json)

{
  "Name": "Tera Telemedicina DICOMweb",
  "ConcurrentJobs": 0,
  "JobsEngineThreadsCount": {
    "ResourceModification": 1
  },
  "HttpServerEnabled": true,
  "HttpPort": 8042,
  "HttpDescribeErrors": true,
  "HttpCompressionEnabled": false,
  "WebDavEnabled": false,
  "DicomServerEnabled": false,
  "SslEnabled": false,
  "RemoteAccessAllowed": true,
  "RegisteredUsers": {
    "TeraADM": "Tera@123",
    "ShareUser": "Share@123",
    "healthcheck": "Health@123"
  },
  "OrthancExplorer2": {
    "IsDefaultUI": true,
    "UiOptions": {
      "EnableShares": true,
      "DefaultShareDuration": 0,
      "ShareDurations": [ 0, 7, 15, 30, 90, 365 ],
      "EnableOpenInOhifViewer3": true,
      "OhifViewer3PublicRoot": "https://localhost/ohif/"
    },
    "Tokens": {
      "InstantLinksValidity": 3600,
      "ShareType": "ohif-viewer-publication"
    },
    "Keycloak": {
      "Enable": true,
      "Url": "https://localhost/keycloak/",
      "Realm": "orthanc",
      "ClientId": "orthanc"
    }
  },
  "AuthenticationEnabled": false,
  "Authorization": {
    "WebServiceRootUrl": "http://orthanc-auth-service:8000/",
    "WebServiceUsername": "share-user",
    "WebServicePassword": "share-password",
    "StandardConfigurations": [
      "orthanc-explorer-2"
    ],
    "TokenHttpHeaders": [
      "api-key"
    ],
    "CheckedLevel": "studies"
  },
  "DicomWeb": {
    "Enable": true,
    "PublicRoot": "/orthanc/dicom-web/"
  },
  "PostgreSQL": {
    "EnableIndex": true,
    "Host": "SOME-DB-HOST",
    "Port": 5432,
    "Database": "orthanc",
    "Username": "postgres",
    "Password": "SOME-BIG-PASSWORD",
    "EnableSsl": true
  },
  "AwsS3Storage": {
    "BucketName": "SOME-NAME",
    "Region": "us-east-1",
    "AccessKey": "SOME-ACCESS-KEY",
    "SecretKey": "SOME-SECRET-KEY",
    "StorageStructure": "flat",
    "UseTransferManager": true
  }
}
From what I understood of the “Keycloak” key, the “Url” key inside it in the json should be localhost, because the sample didn’t say “https://mydomain.com/keycloak”, so I understood that I shouldn’t change the value.
"Keycloak": {
  "Enable": true,
  "Url": "https://localhost/keycloak/",
  "Realm": "orthanc",
  "ClientId": "orthanc"
}
The only thing I changed from the samples was that in “StandardConfigurations” I removed ohif. I didn’t understand whether that entry is only for the case where ohif is used as a plugin, or whether it doesn’t matter how ohif is used and I should put ohif there anyway.
"StandardConfigurations": [
  "orthanc-explorer-2"
],
Orthanc for network communication (orthancDicom.json)
Orthanc-dicom is just orthanc with the DICOM server enabled, an AET registered and TLS, and nothing else.
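One way to confirm from the outside whether the hostname settings above are the cause, written as an added check that is not part of the original post or of the Orthanc/Keycloak projects: it walks a constructed copy of the OIDC discovery document that Keycloak serves at realms/orthanc/.well-known/openid-configuration (here mirroring the localhost URLs in the question), flags every browser-facing endpoint that is not on the expected public origin, and applies the same origin test to OrthancExplorer2.Keycloak.Url. The public origin https://my.domain is an assumption standing in for the real host.

```python
"""Flag Keycloak/Orthanc URLs that point at localhost instead of the public host.
Added example; the discovery document and config fragment below are constructed."""
import json
from urllib.parse import urlparse

# Constructed sample of the discovery document Keycloak returns when
# KC_HOSTNAME_URL is left at https://localhost/keycloak.
DISCOVERY_DOC = json.loads("""{
  "issuer": "https://localhost/keycloak/realms/orthanc",
  "authorization_endpoint": "https://localhost/keycloak/realms/orthanc/protocol/openid-connect/auth",
  "token_endpoint": "https://localhost/keycloak/realms/orthanc/protocol/openid-connect/token",
  "jwks_uri": "https://localhost/keycloak/realms/orthanc/protocol/openid-connect/certs"
}""")

# Constructed fragment of the orthanc.json from the post.
ORTHANC_CONFIG = {
    "OrthancExplorer2": {
        "Keycloak": {"Enable": True, "Url": "https://localhost/keycloak/",
                     "Realm": "orthanc", "ClientId": "orthanc"}
    }
}

# Discovery keys that the user's browser, not a container, has to reach.
BROWSER_FACING = ("issuer", "authorization_endpoint", "token_endpoint",
                  "jwks_uri", "end_session_endpoint")

def same_origin(url, public_origin):
    """True when url shares scheme and host:port with public_origin."""
    got, want = urlparse(url), urlparse(public_origin)
    return (got.scheme, got.netloc) == (want.scheme, want.netloc)

def find_unreachable(doc, public_origin):
    """Return the browser-facing discovery keys not served from public_origin.
    A localhost URL here only works from the machine running Keycloak."""
    return [key for key in BROWSER_FACING
            if key in doc and not same_origin(doc[key], public_origin)]

def orthanc_keycloak_url_ok(config, public_origin):
    """True if OrthancExplorer2.Keycloak.Url (used by the UI in the browser)
    is on public_origin, or if Keycloak integration is disabled."""
    kc = config.get("OrthancExplorer2", {}).get("Keycloak", {})
    if not kc.get("Enable"):
        return True
    return same_origin(kc.get("Url", ""), public_origin)

if __name__ == "__main__":
    origin = "https://my.domain"  # assumed public origin; replace with yours
    print("discovery keys on the wrong host:", find_unreachable(DISCOVERY_DOC, origin))
    print("Orthanc Keycloak.Url on public host:", orthanc_keycloak_url_ok(ORTHANC_CONFIG, origin))
```

Against a live deployment, replace DISCOVERY_DOC with the JSON fetched from the public realm URL; an empty list from find_unreachable means the hostname settings are no longer the suspect.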