Update Harbor OIDC after IDP host change

[NiklasRosenstein]

I have a small self-hosted harbor instance connected to our IPD. I rarely log into Harbor as it's running smoothly and all workflows that involve Harbor are automated. A while ago I've changed my domain names, and had to move a bunch of services to another domain, including Keycloak which was configured as OIDC for Harbor. Unfortunately I've forgot to update Harbor's OIDC settings. I've had to restart Harbor today to make an upgrade, and now I get an error and can't access Harbor anymore.

In the harbor-core Pod:

2024-06-04T22:14:33Z [ERROR] [/pkg/oidc/helper.go:151]: Failed to get OAuth configuration, error: failed to create OIDC provider, error: Get "https://keycloak.example.com/realms/main/.well-known/openid-configuration": dial tcp: lookup keycloak.example.com on 10.43.0.10:53: no such host
2024-06-04T22:14:33Z [ERROR] [/lib/http/error.go:57]: {"errors":[{"code":"INTERNAL_SERVER_ERROR","message":"failed to create OIDC provider, error: Get \"https://keycloak.example.com/realms/main/.well-known/openid-configuration\": dial tcp: lookup keycloak.example.com on 10.43.0.10:53: no such host"}]}    

And trying to access the Harbor UI redirects to the /c/oidc/login?redirect_url=/harbor/projects page which displays the exact same JSON error payload.

Any idea how I can fix this within Harbor itself? Unfortunately I no longer have access to this domain. I suppose I could play with CoreDNS to fake it temporarily? Would be great if there was a way to inject/update the OIDC settings via the Helm chart values or temporarily disable it.

Thanks 🙏

[zyyw]

Could you please try to login the Harbor using admin (db auth) and navigate to Configuration > Authentication to update the OIDC endpoint with your latest OIDC domain?

[NiklasRosenstein]

I'm not sure how I would do that because Harbor keeps trying to redirect me to https://harbor.example.com/c/oidc/login?redirect_url=/harbor/projects when I visit it. Is there a login page URL I can go directly towards that won't redirect me to OIDC?

[NiklasRosenstein]

Hey @zyyw, friendly ping. Do you know how I can get to the login page without getting redirected to https://myharbor.com/c/oidc/login?redirect_url=/harbor/projects?

[NiklasRosenstein]

I was able to fix it by updating the values in the database.

I only have one OIDC enabled, so this worked for me without additional filters. If you have multiple OIDC providers configured, you may need to add additional WHERE clauses.

UPDATE properties SET v = 'https://new-keycloak.com/realms/main' WHERE k = 'oidc_endpoint';

The subiss field in the oidc_user table also needed updating:

UPDATE oidc_user set subiss = '263e62ef-399e-447c-98fb-17ac0b81fa74https://new-keycloak.com/realms/main' where subiss = '263e62ef-399e-447c-98fb-17ac0b81fa74https://old-keycloak.com/realms/main';

[NiklasRosenstein]

I also just found this note in the OIDC configuration page:

So it seems I could've manually navigated directly to /account/sign-in to sign in with the admin user and fix the OIDC configuration from there.