FM Server 19 and keycloak as oauth server


This topic is 549 days old. Please don't post here. Open a new topic instead.


Hi there

we're currently switching from FM Server 16 to FM Server 19.5.4.400 and facing the issue that our LDAP authentication from FM Server 16 is not supported any more.

Thus we decided to set up a keycloak server using several tutorials on the net... A big thanks to all the authors!
We used https://www.soundsessential.com/blog/204-setting-up-a-keycloak-server-for-authenticating-to-filemaker-introduction and 

We learned a lot on the way but now we're stuck.

The current setup is two separate containers, one running filemaker on ubuntu 20.04 and a second one (on another host) running keycloak. Both servers use a wildcard ssl certificate from our domain and we have a properly working internal DNS server.
The issue we are facing is a failing call-back from the keycloak server to the fm server. When we try to "Verify Your Identity Provider" the fm server opens the keycloak login page and we can log in. In the keycloak server we see the started session. But then fm server shows "Failure! Your customized OAuth IDP could not be verified."

The fm server log is very poor as it only tells me that "GET /fmi/admin/api/extauth/oauth-verify?trackingID=4df3e622-f3aa-4a22-882d-09fa63140bb2&identifier=-1&error=25026 200 - 2.238 ms"

Any idea what could be wrong in our setup?
Are there any specifics in the keycloak setup that are crucial and will lead to this fm server error?

Thanks for your help anyway...
Cheers,

Victor


Networking between containers is always tricky and impossible to troubleshoot through a text-based medium like this one.

Start by doing a full manual test using the method we describe in one of the white papers, using oidcdebugger.com and Postman to mimic the whole login flow and inspect the JWT that is returned on the final leg.  In that JWT look for the things that FMS will be looking for (email of the user and array of groups if you are using group-based authentication in FM).

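The reply above suggests running the login flow by hand and inspecting the ID token that comes back. The script below is an added example, not code from the thread, from FileMaker or from Keycloak: it splits a compact JWT, decodes the header and payload, and reports whether the claims FileMaker Server is said to look for (an `email` claim and an array of group names) are present, along with the audience and expiry. The claim name `groups`, the audience `filemaker-server`, the issuer URL and the token contents are all constructed assumptions; a real Keycloak realm only emits a groups claim if a group-membership mapper is configured on the client, and the claim name is whatever that mapper sets. The signature is deliberately not verified here, since that needs the realm's JWKS; this is a claim-inspection aid for the debugging step the reply describes, not an authentication check.

```python
import base64
import json
import time


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without '=' padding; restore it before decoding
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_jwt_unverified(token: str) -> dict:
    """Split a compact JWS (header.payload.signature) and decode the two JSON parts.

    The signature is NOT checked; verifying it requires the IdP's JWKS.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected three dot-separated segments: header.payload.signature")
    header = json.loads(_b64url_decode(parts[0]))
    payload = json.loads(_b64url_decode(parts[1]))
    return {"header": header, "payload": payload}


def check_claims(payload: dict, expected_audience: str, group_claim: str = "groups", now=None) -> list:
    """Return a list of human-readable problems; an empty list means the claims look usable."""
    problems = []
    now = time.time() if now is None else now

    if "email" not in payload:
        problems.append("missing 'email' claim")

    groups = payload.get(group_claim)
    if not isinstance(groups, list):
        problems.append(f"'{group_claim}' claim missing or not a JSON array")

    # 'aud' may be a single string or an array of strings
    aud = payload.get("aud")
    aud_list = aud if isinstance(aud, list) else [aud]
    if expected_audience not in aud_list:
        problems.append(f"'aud' {aud!r} does not contain expected audience {expected_audience!r}")

    exp = payload.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        problems.append("token expired or 'exp' missing")

    return problems


def build_sample_token(payload: dict) -> str:
    # Constructed, unsigned (alg "none") token used only so this example runs offline.
    header = {"alg": "none", "typ": "JWT"}
    seg = lambda obj: _b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
    return f"{seg(header)}.{seg(payload)}."


# Constructed sample payload; issuer, audience and group names are assumptions.
SAMPLE_PAYLOAD = {
    "iss": "https://keycloak.example.internal/realms/filemaker",
    "aud": "filemaker-server",
    "sub": "constructed-subject-id",
    "email": "victor@example.internal",
    "groups": ["fm-users", "fm-admins"],
    "iat": 1700000000,
    "exp": 1700000300,
}


if __name__ == "__main__":
    token = build_sample_token(SAMPLE_PAYLOAD)
    decoded = decode_jwt_unverified(token)
    print(json.dumps(decoded, indent=2))
    for problem in check_claims(decoded["payload"], "filemaker-server", now=1700000100):
        print("PROBLEM:", problem)
```

To use it against a real token, paste the `id_token` value returned on the final leg into `decode_jwt_unverified` and pass the client ID you configured in FileMaker Server as `expected_audience`.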
