Hello,
I am trying to configure OpenID Connect (OIDC) authentication between Tuleap and Keycloak in a fully dockerized environment.
Environment:
- Tuleap (Docker)
- Keycloak (Docker)
- Self-signed certificates (Synchronized and trusted between containers).
- Client configured in the Windows hosts file.
Current Status:
- The communication seems to work manually. I can curl the Keycloak discovery URL from inside the Tuleap container successfully:
  curl -v https://keycloak.local:9443/realms/tuleap-realm/protocol/openid-connect/certs
  (Returns 200 OK and certs.)
- The “Login with Keycloak” button appears on the Tuleap login page.
- The redirect to Keycloak works, and I can authenticate there.
The Problem: When Keycloak redirects back to Tuleap with the code, Tuleap attempts to exchange it for a token. At this point, the UI displays: “Request seems invalid, please retry”.
Logs (/var/log/tuleap/codendi_syslog): I found a blocking error related to SSRF protection:
[error] A possible SSRF attempt was blocked: https://keycloak.local:9443/realms/tuleap-realm/protocol/openid-connect/token (Egress proxying is denied to host 'keycloak.local:9443': The destination address (172.23.0.5) was denied by rule 'Deny: Private Range'. destination address was denied by rule, see error.)
Question: It seems Tuleap’s internal HTTP client is blocking requests to private IP ranges (Docker network 172.23.x.x). How can I whitelist my Keycloak container (keycloak.local / 172.23.0.5) to allow this OIDC token exchange? Is there a specific variable in local.inc or an environment variable to bypass this SSRF check for trusted internal hosts?
Thanks in advance for your help!
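For readers diagnosing the same "Deny: Private Range" message, here is an added example (not Tuleap's code and not its configuration format) that models an egress filter of the kind the log describes: every resolved address of the destination is checked against private, loopback and link-local ranges, and an exception is granted only for a destination that is explicitly allow-listed and pinned to the addresses it is expected to resolve to, so a DNS change cannot widen the exception. The `resolve` callable and the `allowlist` shape are assumptions made for this example.

```python
import ipaddress
from typing import Callable, Dict, List, Set, Tuple
from urllib.parse import urlsplit

# Ranges a default-deny egress filter refuses; rule names mirror the log's wording.
DENIED_RANGES = [
    (ipaddress.ip_network("10.0.0.0/8"), "Deny: Private Range"),
    (ipaddress.ip_network("172.16.0.0/12"), "Deny: Private Range"),   # 172.23.0.5 falls here
    (ipaddress.ip_network("192.168.0.0/16"), "Deny: Private Range"),
    (ipaddress.ip_network("fc00::/7"), "Deny: Private Range"),
    (ipaddress.ip_network("127.0.0.0/8"), "Deny: Loopback"),
    (ipaddress.ip_network("::1/128"), "Deny: Loopback"),
    (ipaddress.ip_network("169.254.0.0/16"), "Deny: Link-Local"),
    (ipaddress.ip_network("fe80::/10"), "Deny: Link-Local"),
]

def denied_rule(ip: str):
    """Return the name of the rule that denies this address, or None if it is public."""
    addr = ipaddress.ip_address(ip)
    for net, rule in DENIED_RANGES:
        if addr in net:
            return rule
    return None

def egress_decision(url: str,
                    resolve: Callable[[str], List[str]],
                    allowlist: Dict[str, Set[str]]) -> Tuple[bool, str]:
    """Decide whether an outbound request may be proxied.

    resolve   - hostname -> list of IP strings (injected so the example runs offline).
    allowlist - {"host:port": {"ip", ...}}: trusted internal destinations, pinned to the
                addresses they must resolve to. Any other private address is refused.
    """
    parts = urlsplit(url)
    host = parts.hostname or ""
    port = parts.port or (443 if parts.scheme == "https" else 80)
    key = f"{host}:{port}"
    pinned = allowlist.get(key, set())
    for ip in resolve(host):          # every record must pass, not just the first one
        rule = denied_rule(ip)
        if rule is None or ip in pinned:
            continue
        return (False, f"Egress proxying is denied to host '{key}': "
                       f"The destination address ({ip}) was denied by rule '{rule}'.")
    return (True, f"Egress allowed to host '{key}'")

# Constructed sample mirroring the post: the token endpoint resolving to a Docker address.
TOKEN_URL = "https://keycloak.local:9443/realms/tuleap-realm/protocol/openid-connect/token"
if __name__ == "__main__":
    print(egress_decision(TOKEN_URL, lambda h: ["172.23.0.5"], {}))
    print(egress_decision(TOKEN_URL, lambda h: ["172.23.0.5"], {"keycloak.local:9443": {"172.23.0.5"}}))
```

The narrow, pinned exception is the shape to aim for when a product offers an allow-list: it admits one known container address for one host and port instead of disabling the private-range rule for everything.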