[Solved] Autologin not working with openid and keycloak

Added by Kacper Pabian over 4 years ago

I deployed OpenProject on Kubernetes cluster creating manifests with kompose from docker-compose as recommended in the documentation and changing them here and there - using postgres database version 12. Works fine, with integration with Keycloak, although I seem not to be able to set up autologin function. When I close the browser I have to log in every time. Autologin is set up for 7 days, session is stored in cache. There is not a lot of information about integration with Keycloak so I'm not sure if I'm doing something wrong. Web and proxy is set up with openproject/community:10 image. Here is Keycloak configuration:

  openid_connect:
    keycloak:
      sso: true
      prompt: login
      host: "keycloak_dns"
      identifier: "openproject_dns"
      secret: "secret"
      authorization_endpoint: "https://keycloak_dns/auth/realms/master/protocol/openid-connect/auth"
      token_endpoint: "https://keycloak_dns/auth/realms/master/protocol/openid-connect/token"
      userinfo_endpoint: "https://keycloak_dns/auth/realms/master/protocol/openid-connect/userinfo"
      end_session_endpoint: "https://keycloak_dns/auth/realms/master/protocol/openid-connect/logout"
      check_session_iframe: "https://keycloak_dns/auth/realms/master/protocol/openid-connect/login-status-iframe.html"
      discovery: false
      issuer: "https://openproject_dns/login"
      display_name: "Keycloak SSO"

  omniauth_direct_login_provider: keycloak

Replies (14)

RE: Autologin not working with openid and keycloak - Added by Niels Lindenthal over 4 years ago

Hi Kacper,

are you using the Enterprise Edition? I am asking because single-sign-on with OIDC is not available in the Community Edition.

Best

Niels

RE: Autologin not working with openid and keycloak - Added by Kacper Pabian over 4 years ago

Yes, sorry forgot to add this part. I'm using Enterprise edition.

RE: Autologin not working with openid and keycloak - Added by Niels Lindenthal over 4 years ago

Hi Kacper,

Thanks a lot for contributing to this open source project. 

I just forwarded this to the Enterprise Support. We will then update the docs accordingly.

Best

Niels

RE: Autologin not working with openid and keycloak - Added by Markus Kahl over 4 years ago

Auto login doesn't work for omni-auth-based (which includes OpenID Connect) logins right now unfortunately.
It's only applicable to password-based logins.

I have created a work package for this.

In the meantime I wonder if keycloak has no such option?
Seeing as you have the direct login provider configured you should be redirected to the keycloak authentication endpoint right away when accessing OpenProject. If you do this with Google for instance you will be returned authenticated to OpenProject straight away without Google asking you to login again. This way you don't have to bother clicking on login in OpenProject.

RE: Autologin not working with openid and keycloak - Added by Markus Kahl over 4 years ago

Ah right, can you try with prompt: none rather than prompt: login and see if that helps, please?

RE: Autologin not working with openid and keycloak - Added by Kacper Pabian over 4 years ago

Thanks for the suggestion, didn't fully resolve the issue though.
Now I have quite weird information in logs after reopening browser:

  E, [2020-08-20T08:54:31.831865 #32] ERROR -- omniauth: (keycloak)
  Authentication failure! invalid_credentials:
  OmniAuth::Strategies::OpenIDConnect::CallbackError, login_required
  invalid_credentials

Obviously I was logged in before successfully so it's not credentials,
maybe something with mapping? Screenshot attached with OpenProject view.


RE: Autologin not working with openid and keycloak - Added by Markus Kahl over 4 years ago

I take it it works again if you change the prompt configuration back to login again?

Maybe this needs further configuration in keycloak to be allowed?

Before you change it back you could try to login again while having your browser's network tab open.
There you should see recorded a request to your keycloak server right after a request to /auth/keycloak on your OpenProject server.
Having a look at the response of the keycloak server could give us some more hints here.

RE: Autologin not working with openid and keycloak - Added by Kacper Pabian over 4 years ago

So I noticed there also that if I want to logout, there is no request to
keycloak and session is not deleted (I cannot log in to different user
unless I reopen the browser).
In the network tab interesting request is:
https://keycloak.live.publicplan.cloud/auth/realms/master/protocol/openid-connect/auth?client_id=openproject.live.publicplan.cloud&nonce=a88d83a910fcaddfdb59af67b44dfcea&prompt=none&redirect_uri=https%3A%2F%2Fopenproject.live.publicplan.cloud%2Fauth%2Fkeycloak%2Fcallback&response_type=code&scope=openid+email+profile&state=9f7637b5941a181c8145471312520641
and
https://openproject.live.publicplan.cloud/auth/keycloak/callback?error=login_required&state=9f7637b5941a181c8145471312520641
https://openproject.live.publicplan.cloud/auth/failure?message=invalid_credentials&strategy=keycloak

That may be scopes in keycloak issue, it takes openid+email+profile maybe
it requires login scope?


RE: Autologin not working with openid and keycloak - Added by Kacper Pabian over 4 years ago

And yes, works with prompt: login, although logout issue is the same.


RE: Autologin not working with openid and keycloak - Added by Markus Kahl over 4 years ago

Does it work when you login with prompt=login first and then after (without closing the browser) restart OpenProject with prompt=none and go on /auth/keycloak again?

The login_required response means the identity provider refuses silent authorization. So it seems it doesn't consider you logged-in already.
Maybe this requires a certain kind of configuration in keycloak.

As for the scope: I don't think login is needed. But I think you can try by overriding the scopes to be used in the configuration.
Just add the scope option in your configuration.yml if that is what you are using.

I'm not sure if you can just give a string there as in

openid_connect:
  keycloak:
    scope: openid profile email login

or if you need to make it an array of symbols like

openid_connect:
  keycloak:
    scope:
      - :openid
      - :profile
      - :email
      - :login
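
The round trip discussed above (a `prompt=none` request answered with `error=login_required`), as an added diagnostic example that is not part of the thread and not OpenProject or omniauth code. It classifies a request/callback pair copied from the browser's network tab and builds an interactive retry URL; the helper names, hosts, state and nonce values are constructed for illustration.

```ruby
require "uri"
require "securerandom"

# Constructed sample round trip (placeholder hosts, state and nonce).
AUTH_REQUEST = "https://keycloak.example/auth/realms/master/protocol/openid-connect/auth" \
  "?client_id=openproject.example&nonce=n-constructed&prompt=none" \
  "&redirect_uri=https%3A%2F%2Fopenproject.example%2Fauth%2Fkeycloak%2Fcallback" \
  "&response_type=code&scope=openid+email+profile&state=s-constructed"
CALLBACK = "https://openproject.example/auth/keycloak/callback" \
  "?error=login_required&state=s-constructed"

# Error codes OpenID Connect Core (section 3.1.2.6) defines for requests
# that cannot be completed without showing the user a page.
SILENT_AUTH_ERRORS = %w[login_required interaction_required
                        consent_required account_selection_required].freeze

def query_params(url)
  URI.decode_www_form(URI.parse(url).query.to_s).to_h
end

# Hypothetical helper: classify one authorization round trip.
def diagnose_silent_auth(auth_request_url, callback_url)
  req = query_params(auth_request_url)
  cb  = query_params(callback_url)
  # state binds the callback to the request; never act on a mismatch.
  return :state_mismatch unless req["state"] && req["state"] == cb["state"]
  return :authenticated if cb.key?("code") && !cb.key?("error")
  silent = req["prompt"].to_s.split.include?("none")
  # With prompt=none these errors mean "no usable IdP session",
  # not wrong credentials, even if the client logs invalid_credentials.
  return :no_idp_session if silent && SILENT_AUTH_ERRORS.include?(cb["error"])
  :provider_error
end

# Hypothetical helper: same request without prompt=none, so the IdP may show
# its login page. state and nonce are regenerated rather than reused; a real
# client must store them in the user's session before redirecting.
def interactive_retry_url(auth_request_url)
  uri = URI.parse(auth_request_url)
  params = query_params(auth_request_url)
  params.delete("prompt")
  params["state"] = SecureRandom.hex(16)
  params["nonce"] = SecureRandom.hex(16)
  uri.query = URI.encode_www_form(params)
  uri.to_s
end

puts diagnose_silent_auth(AUTH_REQUEST, CALLBACK)
```
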

RE: Autologin not working with openid and keycloak - Added by Kacper Pabian over 4 years ago

First question: yes it does work like that.
Scope works if I go like this openid profile... Although adding login to
scope didn't change anything.


RE: Autologin not working with openid and keycloak - Added by Kacper Pabian over 4 years ago

Okay, so issue with session dropping after closing the browser was
keycloak's fault (the remember me option). Although I would use some
support about the logout issue that it seems to not log out user correctly
from the session. The end session token is set up correctly, but it seems
to ignore it and doesn't call it after the logout is issued.


RE: Autologin not working with openid and keycloak - Added by Markus Kahl over 4 years ago

Yes the logout thing is a genuine regression which we have to fix. I'll open a work package for it.

RE: Autologin not working with openid and keycloak - Added by Kacper Pabian over 4 years ago

Understood, thanks for help! Issue can be closed.
