[Solved] Autologin not working with openid and keycloak

Added by Kacper Pabian over 2 years ago

I deployed OpenProject on a Kubernetes cluster creating manifests with kompose from docker-compose as recommended in the documentation and changing them here and there - using postgres database version 12. Works fine, with integration with Keycloak, although I seem not to be able to set up the autologin function. When I close the browser I have to log in every time. Autologin is set up for 7 days, session is stored in cache. There is not a lot of information about integration with Keycloak so I'm not sure if I'm doing something wrong. Web and proxy are set up with the openproject/community:10 image. Here is the Keycloak configuration:

  openid_connect:
    keycloak:
      sso: true
      prompt: login
      host: "keycloak_dns"
      identifier: "openproject_dns"
      secret: "secret"
      authorization_endpoint: "https://keycloak_dns/auth/realms/master/protocol/openid-connect/auth"
      token_endpoint: "https://keycloak_dns/auth/realms/master/protocol/openid-connect/token"
      userinfo_endpoint: "https://keycloak_dns/auth/realms/master/protocol/openid-connect/userinfo"
      end_session_endpoint: "https://keycloak_dns/auth/realms/master/protocol/openid-connect/logout"
      check_session_iframe: "https://keycloak_dns/auth/realms/master/protocol/openid-connect/login-status-iframe.html"
      discovery: false
      issuer: "https://openproject_dns/login"
      display_name: "Keycloak SSO"

  omniauth_direct_login_provider: keycloak

Replies (14)

RE: Autologin not working with openid and keycloak - Added by Niels Lindenthal over 2 years ago

Hi Kacper,

are you using the Enterprise Edition? I am asking because single-sign-on with OIDC is not available in the Community Edition.

Best

Niels

RE: Autologin not working with openid and keycloak - Added by Kacper Pabian over 2 years ago

Yes, sorry forgot to add this part. I'm using Enterprise edition.

RE: Autologin not working with openid and keycloak - Added by Niels Lindenthal over 2 years ago

Hi Kacper,

Thanks a lot for contributing to this open source project. 

I just forwarded this to the Enterprise Support. We will then update the docs accordingly.

Best

Niels

RE: Autologin not working with openid and keycloak - Added by Markus Kahl over 2 years ago

Auto login doesn't work for omni-auth-based (which includes OpenID Connect) logins right now unfortunately.
It's only applicable to password-based logins.

I have created a work package for this.

In the meantime I wonder if keycloak has no such option?
Seeing as you have the direct login provider configured you should be redirected to the keycloak authentication endpoint right away when accessing OpenProject. If you do this with Google for instance you will be returned authenticated to OpenProject straight away without Google asking you to login again. This way you don't have to bother clicking on login in OpenProject.

RE: Autologin not working with openid and keycloak - Added by Markus Kahl over 2 years ago

Ah right, can you try with prompt: none rather than prompt: login and see if that helps, please?

RE: Autologin not working with openid and keycloak - Added by Kacper Pabian over 2 years ago

Thanks for the suggestion, didn't fully resolve the issue though.
Now I have quite weird information in logs after reopening browser:
E, [2020-08-20T08:54:31.831865 #32] ERROR -- omniauth: (keycloak)
Authentication failure! invalid_credentials:
OmniAuth::Strategies::OpenIDConnect::CallbackError, login_required
invalid_credentials
Obviously I was logged in before successfully so it's not credentials,
maybe something with mapping? Screenshot attached with Openproject view.


RE: Autologin not working with openid and keycloak - Added by Markus Kahl over 2 years ago

I take it it works again if you change the prompt configuration back to login again?

Maybe this needs further configuration in keycloak to be allowed?

Before you change it back you could try to login again while having your browser's network tab open.
There you should see recorded a request to your keycloak server right after a request to /auth/keycloak on your OpenProject server.
Having a look at the response of the keycloak server could give us some more hints here.

RE: Autologin not working with openid and keycloak - Added by Kacper Pabian over 2 years ago

So I noticed there also that if I want to logout, there is no request to
keycloak and session is not deleted (I cannot log in to different user
unless I reopen the browser).
In the network tab interesting request is:
https://keycloak.live.publicplan.cloud/auth/realms/master/protocol/openid-connect/auth?client_id=openproject.live.publicplan.cloud&nonce=a88d83a910fcaddfdb59af67b44dfcea&prompt=none&redirect_uri=https%3A%2F%2Fopenproject.live.publicplan.cloud%2Fauth%2Fkeycloak%2Fcallback&response_type=code&scope=openid+email+profile&state=9f7637b5941a181c8145471312520641
and
https://openproject.live.publicplan.cloud/auth/keycloak/callback?error=login_required&state=9f7637b5941a181c8145471312520641
https://openproject.live.publicplan.cloud/auth/failure?message=invalid_credentials&strategy=keycloak

That may be scopes in keycloak issue, it takes openid+email+profile maybe
it requires login scope?


RE: Autologin not working with openid and keycloak - Added by Kacper Pabian over 2 years ago

And yes, works with prompt: login, although logout issue is the same.


RE: Autologin not working with openid and keycloak - Added by Markus Kahl over 2 years ago

Does it work when you login with prompt=login first and then after (without closing the browser) restart OpenProject with prompt=none and go on /auth/keycloak again?

The login_required response means the identity provider refuses silent authorization. So it seems it doesn't consider you logged-in already.
Maybe this requires a certain kind of configuration in keycloak.

As for the scope: I don't think login is needed. But I think you can try by overriding the scopes to be used in the configuration.
Just add the scope option in your configuration.yml if that is what you are using.

I'm not sure if you can just give a string there as in

openid_connect:
  keycloak:
    scope: openid profile email login

or if you need to make it an array of symbols like

openid_connect:
  keycloak:
    scope:
      - :openid
      - :profile
      - :email
      - :login
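
The `login_required` behaviour described in the reply above, as an added example that is not part of the original post or of OpenProject's code: a small Ruby helper that takes the authorization request URL and the callback URL copied from the browser's network tab and reports whether the identity provider refused silent (`prompt=none`) authentication. The function names, host names and parameter values are constructed for illustration; the error codes are the ones OpenID Connect Core 1.0 defines for this case.

```ruby
require "uri"

# Error codes OpenID Connect Core 1.0 defines for a prompt=none request that
# cannot be completed without showing a user interface.
SILENT_AUTH_ERRORS = {
  "login_required" => "IdP requires end-user authentication (no usable SSO session)",
  "interaction_required" => "IdP requires end-user interaction of some form",
  "consent_required" => "IdP requires end-user consent",
  "account_selection_required" => "end user must select a session at the IdP"
}.freeze

# Decode the query string of a URL into a Hash ("+" becomes a space).
def query_params(url)
  URI.decode_www_form(URI.parse(url).query.to_s).to_h
end

# Returns [verdict, explanation] for one request/callback pair.
def diagnose_silent_auth(auth_request_url, callback_url)
  req = query_params(auth_request_url)
  cb  = query_params(callback_url)

  # A callback whose state differs from the request must never be trusted.
  unless req["state"] && req["state"] == cb["state"]
    return [:state_mismatch, "callback state does not match the request"]
  end

  if cb["code"]
    [:ok, "authorization code returned"]
  elsif req["prompt"] == "none" && SILENT_AUTH_ERRORS.key?(cb["error"])
    [:silent_auth_refused, SILENT_AUTH_ERRORS[cb["error"]]]
  else
    [:error, cb["error"] || "neither code nor error in callback"]
  end
end

# Constructed sample values modelled on the network-tab capture in this thread.
AUTH_REQUEST = "https://idp.example/auth/realms/master/protocol/openid-connect/auth" \
  "?client_id=op.example&nonce=n-0001&prompt=none" \
  "&redirect_uri=https%3A%2F%2Fop.example%2Fauth%2Fkeycloak%2Fcallback" \
  "&response_type=code&scope=openid+email+profile&state=s-0001"
CALLBACK = "https://op.example/auth/keycloak/callback?error=login_required&state=s-0001"

if __FILE__ == $PROGRAM_NAME
  verdict, why = diagnose_silent_auth(AUTH_REQUEST, CALLBACK)
  puts "#{verdict}: #{why}"
end
```

A `:silent_auth_refused` verdict points at the identity provider's session handling rather than at the client's credentials, even though OmniAuth reports the failure as `invalid_credentials`.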

RE: Autologin not working with openid and keycloak - Added by Kacper Pabian over 2 years ago

First question: yes it does work like that.
Scope works if I go like this openid profile... Although adding login to
scope didn't change anything.


RE: Autologin not working with openid and keycloak - Added by Kacper Pabian over 2 years ago

Okay, so issue with session dropping after closing the browser was
keycloak's fault (the remember me option). Although I would use some
support about the logout issue that it seems to not log out user correctly
from the session. The end session token is set up correctly, but it seems
to ignore it and doesn't call it after the logout is issued.


RE: Autologin not working with openid and keycloak - Added by Markus Kahl over 2 years ago

Yes the logout thing is a genuine regression which we have to fix. I'll open a work package for it.

RE: Autologin not working with openid and keycloak - Added by Kacper Pabian over 2 years ago

Understood, thanks for help! Issue can be closed.

