Login error with log message "Failed to parse JSON response" and keycloak message "USER_INFO_REQUEST_ERROR" #422

Closed
brickhousewindow opened this issue Jun 15, 2023 · 3 comments


brickhousewindow commented Jun 15, 2023

Describe the bug
Might help someone in the future so I am reporting it here.
After setting up and configuring the application it is not possible to log into it. The application error log contains this message:

[2023-06-15T08:37:44.327397+00:00] request.CRITICAL: Uncaught PHP Exception UnexpectedValueException: "Failed to parse JSON response: Syntax error" at /var/www/jitsi-admin/vendor/league/oauth2-client/src/Provider/AbstractProvider.php line 645 {"exception":"[object] (UnexpectedValueException(code: 0): Failed to parse JSON response: Syntax error at /var/www/jitsi-admin/vendor/league/oauth2-client/src/Provider/AbstractProvider.php:645)"} []

The keycloak log contains this message:

Jun 15 10:44:36 kc.sh[206642]: 2023-06-15 10:44:36,698 WARN [org.keycloak.events] (executor-thread-320) type=USER_INFO_REQUEST_ERROR, realmId=, clientId=null, userId=null, ipAddress=, error=access_denied, auth_method=validate_access_token

To Reproduce
Steps to reproduce the behavior:

  1. Set up and configure the application
  2. Connect it to keycloak
  3. Log in
  4. Get redirected to keycloak, provide credentials
  5. Error 500 is displayed, login failed

Branch or Version you using
version 0.75.5

Expected behavior
The user is logged in successfully.

Desktop (please complete the following information):

  • OS: any
  • Browser: any
  • Version: any

Smartphone (please complete the following information):

  • Device: any
  • OS: any
  • Browser: any
  • Version: any

Solution
The openid scope is missing inside the keycloak client scope. An instruction can be found here: https://keycloak.discourse.group/t/issue-on-userinfo-endpoint-at-keycloak-20/18461/3

Steps to fix it:

  1. inside keycloak go to Client scopes
  2. create a new client scope under Create client scope
  3. set mandatory name to openid, then save
  4. go to Clients -> your client name -> Client scope
  5. add the scope with Add client scopes, select openid from list as Default
  6. log into the application

edit: fixed typo
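
A diagnostic for the symptom in this report, as an added example that is not part of the original issue or of the jitsi-admin code: it decodes an access token's `scope` claim to check for `openid`, and shows a userinfo parser that reports the HTTP status instead of a JSON syntax error. The sample tokens, the `jitsi-admin` client id inside them and all function names are constructed for illustration; it assumes the access token is a JWT with a space-separated `scope` claim.

```python
import base64
import json


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def token_scopes(access_token: str) -> set:
    """Return the scopes in a JWT access token's `scope` claim.

    Diagnostic only: the signature is NOT verified, so never use this
    result for an authorization decision.
    """
    parts = access_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected three dot-separated parts)")
    claims = json.loads(_b64url_decode(parts[1]))
    return set(str(claims.get("scope", "")).split())


def parse_userinfo(status: int, body: str) -> dict:
    """Parse a userinfo response, failing with the real cause, not a JSON syntax error."""
    if status != 200:
        raise PermissionError(f"userinfo returned HTTP {status}; body not parsed")
    try:
        return json.loads(body)
    except json.JSONDecodeError as exc:
        raise ValueError("userinfo returned 200 but the body is not JSON") from exc


def _make_token(claims: dict) -> str:
    # Constructed sample token with a dummy signature, for the demo only.
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}.sig"


# Constructed samples: a token issued before and after adding the openid client scope.
SAMPLE_BEFORE = _make_token({"azp": "jitsi-admin", "scope": "profile email"})
SAMPLE_AFTER = _make_token({"azp": "jitsi-admin", "scope": "openid profile email"})

if __name__ == "__main__":
    for name, tok in (("before fix", SAMPLE_BEFORE), ("after fix", SAMPLE_AFTER)):
        print(name, "openid present:", "openid" in token_scopes(tok))
```
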

Contributor

holema commented Jun 16, 2023

Hello @brickhousewindow,
thanks a lot for the detailed issue.
Was this happening in a docker installation or plain jitsi-admin installation?

This issue is a known issue and depends on your keycloak version.
Keycloak21, which I think you use, now needs the openid scope. This is fixed in the Version 0.76.0 which will be released soon. We are working on this version on the freeze Branch.

Below KC21 there is no issue.

So unfortunately this bug is on the keycloak side because they are now changing from their own oauth implementation to the official oauth2 implementation.

holema pinned this issue Jun 16, 2023
@brickhousewindow
Author

Hello holema,

Yes, the Keycloak version is 21.x. It was tested with a plain jitsi-admin installation. It is true that the bug, or rather configuration change, is on the keycloak side. I wanted to report it as it caused a ton of head scratching. It hopefully helps other and future users resolve this kind of issue.

Please excuse me for troubling you.

Contributor

holema commented Jun 16, 2023

No, it is great you reported it and even created a solution. I pinned it for others because this issue is really a bad behavior. :)
