Keycloak user mapping error

Hello
We are currently using the Open OnDemand Ansible role v3 and are trying to integrate Keycloak as our OpenID provider. However, we’re having an issue after the login process. The error message we receive is Error -- failed to map user (kenny).

Additionally, the access logs show the following: kenny [22/Nov/2023:22:31:01 +0000] "GET /pun/sys/dashboard HTTP/1.1" 404 35 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36".

I have read some of the similar issues related to user mapping, but none of them solve my problem. Thank you in advance to anyone who could help!

Some config as follows:
OIDCScope: "openid profile email"
OIDCRemoteUserClaim: "preferred_username"
user_map_match: '[\w-]+)@.*$'

This doesn’t seem to be right. You can use the Lua CLI to determine what this should be.

That said - your preferred_username should be the exact match you’re looking for, so I think

user_map_match: '.+'

is fine for you given Keycloak is going to return the username directly - not the email.

What you currently have doesn’t compile correctly, because it’s not a regular expression; they’re Lua patterns (https://www.lua.org/manual/5.1/manual.html#5.4.1)

[~()]  lua
Lua 5.3.6  Copyright (C) 1994-2020 Lua.org, PUC-Rio
>  string.match('ktrout@example.edu', '[\w-]+)@.*$')
stdin:1: invalid escape sequence near ''[\w'

>  string.match('ktrout@example.edu', '([\w-]+)@.*$')
stdin:1: invalid escape sequence near ''([\w'

>  string.match('ktrout@example.edu', '([^@]+)@.*$')
ktrout

>  string.match('ktrout@example.edu', '([%w-]+)@.*$')
ktrout
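
An added example, not part of the original posts and not Open OnDemand's own code: a Lua script that runs each pattern discussed in this thread against constructed claim values. It assumes the pattern is applied with string.match, as in the session above; the claim values and the map_user helper are hypothetical.

```lua
-- Added example: try candidate user_map_match values before deploying them.
-- Assumption: the pattern is applied with string.match, as in the session above.

-- Constructed sample values of the claim used as the remote user.
local claims = { "kenny", "ktrout@example.edu", "wwalker-2@example.edu" }

-- Candidate patterns. Backslashes are doubled so each string reaches
-- string.match with a literal backslash, the way a config file delivers it,
-- instead of being rejected by the Lua lexer as in the interactive session.
local patterns = {
  "[\\w-]+)@.*$",   -- value from the question (unbalanced parenthesis)
  "([\\w-]+)@.*$",  -- parenthesis balanced, still regex-style \w
  "([%w-]+)@.*$",   -- Lua character class %w
  "([^@]+)@.*$",    -- everything before the first @
  ".+",             -- whole claim, unchanged
}

-- Hypothetical helper: returns the mapped user, or nil plus a reason.
-- pcall is needed because Lua reports a malformed pattern only when the
-- matcher reaches the bad spot, which depends on the input string.
local function map_user(pattern, claim)
  local ok, result = pcall(string.match, claim, pattern)
  if not ok then
    return nil, "pattern error: " .. tostring(result)
  end
  if result == nil then
    return nil, "no match"
  end
  return result
end

for _, pattern in ipairs(patterns) do
  print("pattern: " .. pattern)
  for _, claim in ipairs(claims) do
    local user, reason = map_user(pattern, claim)
    print(string.format("  %-24s -> %s", claim, user or ("<" .. reason .. ">")))
  end
end
```

A bare username such as kenny contains no @, so only '.+' returns a value for it. The two email-style patterns accept any domain after the @, so they depend on the identity provider to restrict which accounts can log in.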