Content
[Solved] Autologin not working with openid and keycloak
Added by Kacper Pabian over 4 years ago
I deployed OpenProject on Kubernetes cluster creating manifests with kompose from docker-compose as recommended in the documentation and changing them here and there - using postgres database version 12. Works fine, with integration with Keycloak, although I seem not be able to set up autologin function. When I close the browser I have to log in every time. Autologin is set up for 7 days, session is stored in cache. There is not a lot of information about integration with Keycloak so I'm not sure if I'm doing something wrong. Web and proxy is set up with openproject/community:10 image. Here is Keycloak configuration:
openid_connect:
keycloak:
sso: true
prompt: login
host: "keycloak_dns"
identifier: "openproject_dns"
secret: "secret"
authorization_endpoint: "https://keycloak_dns/auth/realms/master/protocol/openid-connect/auth"
token_endpoint: "https://keycloak_dns/auth/realms/master/protocol/openid-connect/token"
userinfo_endpoint: "https://keycloak_dns/auth/realms/master/protocol/openid-connect/userinfo"
end_session_endpoint: "https://keycloak_dns/auth/realms/master/protocol/openid-connect/logout"
check_session_iframe: "https://keycloak_dns/auth/realms/master/protocol/openid-connect/login-status-iframe.html"
discovery: false
issuer: "https://openproject_dns/login"
display_name: "Keycloak SSO"
omniauth_direct_login_provider: keycloak
Replies (14)
Hi Kacper,
are you using the Enterprise Edition? I am asking because single-sign-on with OIDC is not available in the Community Edition.
Best
Niels
Yes, sorry forgot to add this part. I'm using Enterprise edition.
Hi Kacper,
Thanks a lot for contributing to this open source project.
I just forwardet this to the Enterprise Support. We will then update the docs accordingly.
Best
Niels
Auto login doesn't work for omni-auth-based (which includes OpenID Connect) logins right now unfortunately.
It's only applicable to password-based logins.
I have created a work package for this.
In the meantime I wonder if keyloak has no such option?
Seeing as you have the direct login provider configured you should be redirected to the keycloak authentication endpoint right away when accessing OpenProject. If you do this with Google for instance you will be returned authenticated to OpenProject straight away without Google asking you to login again. This way you don't have to bother clicking on login in OpenProject.
Ah right, can you try with
prompt: nonerather thanprompt: loginand see if that helps, please?Thanks for the suggestion, didn't fully resolve the issue though.
Now I have quite weird information in logs after reopening browser:
E, [2020-08-20T08:54:31.831865 #32] ERROR -- omniauth: (keycloak)
Authentication failure! invalid_credentials:
OmniAuth::Strategies::OpenIDConnect::CallbackError, login_required
invalid_credentials
Obviously I was logged in before successfully so it's not credentials,
maybe something with mapping? Screenshot attahced with Openproject view.
czw., 20 sie 2020 o 10:26 napisał(a):
I take it it works again if you change the prompt configuration back to login again?
Maybe this needs further configuration in keycloak to be allowed?
Before you change it back you could try to login again while having your browser's network tab open.
There you should see recorded a request to your keycloak server right after a request to /auth/keycloak on your OpenProject server.
Having a look at the response of the keycloak server could give us some more hints here.
So I noticed there also that if I want to logout, there is no request to
keycloak and session is not deleted (I cannot log in to different user
unless I reopen the browser).
In the network tab interesting request is:
https://keycloak.live.publicplan.cloud/auth/realms/master/protocol/openid-connect/auth?client_id=openproject.live.publicplan.cloud&nonce=a88d83a910fcaddfdb59af67b44dfcea&prompt=none&redirect_uri=https%3A%2F%2Fopenproject.live.publicplan.cloud%2Fauth%2Fkeycloak%2Fcallback&response_type=code&scope=openid+email+profile&state=9f7637b5941a181c8145471312520641
and
https://openproject.live.publicplan.cloud/auth/keycloak/callback?error=login_required&state=9f7637b5941a181c8145471312520641
https://openproject.live.publicplan.cloud/auth/failure?message=invalid_credentials&strategy=keycloak
That may be scopes in keycloak issue, it takes openid+email+profile maybe
it requires login scope?
czw., 20 sie 2020 o 11:09 napisał(a):
And yes, works with prompt: login, although logout issue is the same.
czw., 20 sie 2020 o 11:20 Kacper Pabian napisał(a):
Does it work when you login with prompt=login first and then after (without closing the browser) restart OpenProject with prompt=none and go on /auth/keycloak again?
The login_required response means the identity provider refuses silent authorization. So it seems it doesn't consider you logged-in already.
Maybe this requires a certain kind of configuration in keycloak.
As for the scope: I don't think login is needed. But I think you can try by overriding the scopes to be used in the configuration.
Just add the
scopeoption in your configuration.yml if that is what you are using.I'm not sure if you can just give a string there as in
or if you need to make it an array of symbols like
First question: yes is does work like that.
Scope works if I go like this openid profile... Although adding login to
scope didn't change anything.
czw., 20 sie 2020 o 13:27 napisał(a):
Okay, so issue with session dropping after closing the browser was
keycloak's fault (the remember me option). Although I would use some
support about the logout issue that it seems to not log out user correctly
from the session. The end session token is set up correctly, but it seems
to ignore it and doesn't call it after the logout is issued.
czw., 20 sie 2020 o 14:29 Kacper Pabian napisał(a):
Yes the logout thing is a genuine regression which we have to fix. I'll open a work package for it.
Understood, thanks for help! Issue can be closed.
czw., 20 sie 2020 o 14:42 napisał(a):