Missing Parameter: 'code'

[i-am-mike-davis]

Symptom

While attempting to follow this video: SpiffWorkflow user groups from OpenID

And attempting to use Keycloak as an OpenID Provider AND setting

 SPIFFWORKFLOW_BACKEND_OPEN_ID_IS_AUTHORITY_FOR_USER_GROUPS: "true"

the following error response is received:

type	"about:blank"
title	"Bad Request"
detail	"Missing query parameter 'code'"
status	400

And further action is blocked.

Affected Versions

• v0.0.62
• v0.0.63
• others?

Additional Information

This post seems to indicate that this is an issue inside the authentication flow between Spiff and Keycloak.

This occurs in BOTH the standalone packaged development keycloak setup provided by spiff-arena AND an independently deployed keycloak installation. The independently deployed keycloack installation was configured by adapting the
Configure Okta as an OpenID Provider instructions and keycloak mapper instructions here SpiffWorkflow user groups from OpenID

IMPORTANT NOTE: When setting:

SPIFFWORKFLOW_BACKEND_OPEN_ID_IS_AUTHORITY_FOR_USER_GROUPS: "false"

the above error is NOT received and authentication via keycloak is able to proceed normally.

Attempting to set

SPIFFWORKFLOW_BACKEND_OPEN_ID_SCOPES: "openid profile email groups"

does not fix the error.

Attempting to additionally set:

SPIFFWORKFLOW_BACKEND_OPEN_ID_SERVER_INTERNAL_URL: "http://[keycloack address]/realms/[spiff realm]"

does not fix the issue.

I've scoured the internet and the SpiffWorkflow docs looking for additional information and clues but haven't found any.

Potential Root Cause and Possible Solutions

• Perhaps I'm missing an important setup step?
• Perhaps authentication_controller.py needs to send an additional code when requesting authentication and authorization information, as the error message suggests.

[burnettk]

are you running a version of spiffworkflow-backend that has this commit: 005de8a ?

:latest would not have this, potentially, but :main-latest should.

[i-am-mike-davis]

I was running with image: ghcr.io/sartography/spiffworkflow-backend:latest

So I tried using: image: ghcr.io/sartography/spiffworkflow-backend:main-latest

and setting

SPIFFWORKFLOW_BACKEND_OPEN_ID_IS_AUTHORITY_FOR_USER_GROUPS: "true"
SPIFFWORKFLOW_BACKEND_OPEN_ID_SCOPES: "openid profile email groups"

^ but that does not work and produces the aforementioned error.

But if I drop SPIFFWORKFLOW_BACKEND_OPEN_ID_SCOPES and just use

SPIFFWORKFLOW_BACKEND_OPEN_ID_IS_AUTHORITY_FOR_USER_GROUPS: "true"

I do NOT receive the error and authentication via keycloak is able to proceed.

[burnettk]

yeah, i'm guessing you are getting an error from keycloak about scopes that isn't surfaced in a transparent way. But glad you got it working.

[i-am-mike-davis]

By the way, @burnettk, I really appreciated your quick response. You helped me get moving again!

yeah, i'm guessing you are getting an error from keycloak about scopes that isn't surfaced in a transparent way. But glad you got it working.

Are there container tags that I should be using like v.0.0.63 instead of latest or should I default to always using main-latest for a deployment?

For example, should I also be running the main-latest for the spiffworkflow-frontend, spiffworkflow-backend, and spiffworkflow-connector?

[burnettk]

latest is the latest release. you could pin to a specific release as well. main-latest is the fastest moving, since there are many changes to main between each release. there are also docker tags for each main release. see https://github.com/sartography/spiff-arena/actions/runs/12721191784, for example. so you can pick whatever level of recentness / stability you might like. i'd recommend pinning to something specific, v0.0.63, ghcr.io/sartography/spiffworkflow-frontend:main-2025-01-11_04-28-39-efdf53d, etc.