OpenID integration with keycloak fails
Added by Jonatan Zint over 6 years ago
Hello,
I am currently trying to integrate OpenProject with our SSO realm powered by Keycloak (http://keycloak.org/). I first tried SAML, but that failed due to this issue: https://github.com/finnlabs/openproject-auth_saml/issues/1
Since Keycloak is SAML and OpenID compliant, I moved to https://github.com/finnlabs/openproject-openid_connect and tried that out, but ended up receiving:
App 1906 stdout: E, [2018-06-09T11:38:47.525168 #1906] ERROR -- omniauth: (openid) Authentication failure! missing_code: OmniAuth::OpenIDConnect::MissingCodeError, login_required
This happens the moment I press the button designated for my auth method.
Weirdly enough, once I set up my OpenID connection I get redirected to this page https://project.example.com/login/two_factor_authentication/_long token_ and receive this log output:
App 1013 stdout: ArgumentError (wrong number of arguments (given 2, expected 1)):
App 1013 stdout:
App 1013 stdout: app/controllers/concerns/authentication_stages.rb:10:in `stage_success'
App 1013 stdout: app/middleware/reset_current_user.rb:47:in `call'
This is my config/configuration.yml:
default:
  openid_connect:
    openid:
      host: "auth.example.com"
      identifier: "project.example.com"
      secret: "a-secret"
      icon: "openid_connect/auth_provider-google.png"
      display_name: "example auth"
      authorization_endpoint: "https://auth.example.com/auth/realms/master/protocol/openid-connect/auth"
      token_endpoint: 'https://auth.example.com/auth/realms/master/protocol/openid-connect/token'
      userinfo_endpoint: 'https://auth.example.com/auth/realms/master/protocol/openid-connect/userinfo'
      end_session_endpoint: 'https://auth.example.com/auth/realms/master/protocol/openid-connect/logout'
      check_session_iframe: 'https://auth.example.com/auth/realms/master/protocol/openid-connect/login-status-iframe.html'
      sso: true
      issuer: 'https://project.example.com/login'
      discovery: false
Replies (12)
Hey,
I found the bug in the openproject-openid_connect plugin.
Still have to test it though properly.
I take it you’re using the docker image.
The next planned release is 7.4.6 which will only come next week probably.
In the meantime I could push a hot-fixed docker image, though.
I’ll post an update here when it’s done. It should be done tomorrow.
Hey thanks, no worries we are gonna wait till release day
Ok. In the meantime you can still try a normal OpenID Connect login without SSO, which should work. Just set
sso: false
and the code with the bug won’t be executed. Without
sso: true
users won’t be logged in automatically; instead they will have to click on sign in, where they then have to click on “example auth”. You can also make this a bit quicker by using the
direct_login_provider
configuration in config/configuration.yml like this:
or set it via the environment:
Where
openid
is the OpenID Connect provider you defined.
I guess I have to bother you again.
I tried without the sso: true setting.
While it works as long as I am authenticated with our SSO provider, it won’t when I’m not. I would expect to be redirected to our login screen, instead there is just this error message in the logs:
And an error screen in OpenProject. Do you have an idea why the redirect won’t work?
Could you please try it again with the browser’s network tab open and print the requests (method + URL) here? Seeing as the log says “Callback phase initiated” it looks like the browser was actually sent to the SSO provider.
Since this might contain some confidential token I sent those to you via crypted mail.
Thanks in advance.
Unfortunately there is a second issue: if I am already registered with my SSO and try to log in, OpenProject complains that the user already exists, which is true. Is there any possibility to make OpenID match new OpenID logins with existing user records by email? I saw this behavior in a couple of other applications I integrated.
OpenProject should associate existing users using the “identity_url” of a user which is the ID of the user in the auth provider. Can you please check if the users have an identity url in the database?
identity_url is empty for all users unfortunately
We created those before the OpenID Connect integration and we would expect them to match by e-mail address.
Unfortunately this is not how it works, however. It matches only via identity_url. But you should be able to fix it.
Please go to Admin -> Users -> Edit User and then on the top there should be a button “Send Invitation”. Click it and the user will get an email asking them to activate their account.
The user will then get an account activation email.
Clicking this they will be sent to the registration form with all their information except the password already filled in.
At the bottom of the screen there should be your auth provider under “or sign up using”. Just click on it and then the user’s identity url should be set.
After that the user will be able to login using the auth provider as expected.
You can try this for one user first and then check what the identity URL looks like.
Maybe the ID is something you can lookup yourself in keycloak?
If it is you could technically insert the respective values into the database for each user under
identity_url
and they wouldn’t have to do the extra steps from above.
* * *
Also OpenProject 7.4.6 is out, which now includes a
prompt
option, by the way. I remember you mentioned that the sign-on doesn’t work but it did work when you used the same URL but with prompt=login. You can now change the default value for prompt in the configuration.yml. Just add it to the auth provider config on the same level as display_name, identifier etc. For instance:
This should then redirect the user to your auth provider with
prompt=login
.
yay! that works… thanks a lot!
It was no pain to do that manually for our small user base; for a bigger rollout it would be a nice feature to have a task to resend invitations for all users simultaneously.
anyway, case closed. thanks a lot for all your help
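The account-linking advice above (matching happens on identity_url only, and the value can be filled in from Keycloak for every user instead of re-inviting each one) as a worked example. This is added editorial code, not part of OpenProject or the openid_connect plugin. It assumes that identity_url takes the form "provider:uid" (the thread only says it holds the provider's ID for the user; link one user through the invitation flow, as the maintainer suggests, and check the stored value before relying on this format) and that the provider key is openid, as in the configuration at the top of the thread. The Keycloak export and the users-table rows are constructed sample data. The security point the thread only brushes past: linking by e-mail is an account-takeover path if the address is unverified at the IdP or shared by two IdP accounts, so the planner links only verified, unambiguous matches and leaves everything else to the invitation flow.

```ruby
# Added example (not OpenProject code): build identity_url values for existing
# OpenProject users from a Keycloak user export, matching by e-mail, so the
# OpenID Connect login (which matches on identity_url only) finds them.
#
# Assumptions, not confirmed by the thread:
#   * identity_url has the form "<provider>:<keycloak user id>"; verify the
#     format on one invitation-linked user before running the resulting SQL.
#   * the provider key is "openid", matching the configuration.yml above.
require "json"

PROVIDER = "openid"

# Constructed Keycloak export (what the admin REST API's user listing returns,
# reduced to the fields used here). Not real data.
KEYCLOAK_USERS_JSON = <<~JSON
  [
    {"id": "0f6d2f7a-1b2c-4d3e-8f90-aaaaaaaaaaaa", "username": "alice",  "email": "Alice@example.com", "emailVerified": true},
    {"id": "1a2b3c4d-5e6f-4a7b-9c8d-bbbbbbbbbbbb", "username": "bob",    "email": "bob@example.com",   "emailVerified": false},
    {"id": "9e8d7c6b-5a4f-4e3d-8c2b-cccccccccccc", "username": "carol",  "email": "carol@example.com", "emailVerified": true},
    {"id": "2b3c4d5e-6f70-4a8b-9c9d-dddddddddddd", "username": "carol2", "email": "carol@example.com", "emailVerified": true}
  ]
JSON

# Constructed snapshot of OpenProject's users table (id, mail, identity_url).
# identity_url is empty for everyone created before the integration, as in the thread.
OPENPROJECT_USERS = [
  { id: 3, mail: "alice@example.com", identity_url: nil },
  { id: 4, mail: "bob@example.com",   identity_url: "" },
  { id: 5, mail: "carol@example.com", identity_url: nil },
  { id: 6, mail: "dave@example.com",  identity_url: "openid:already-linked" },
]

def normalize(mail)
  mail.to_s.strip.downcase
end

# Returns { links: [[user_id, identity_url], ...], skipped: { mail => reason } }.
# Matching by e-mail is only safe when the IdP has verified that address and it
# maps to exactly one Keycloak account; anything else is skipped, not guessed.
def plan_identity_links(keycloak_json, op_users, provider: PROVIDER)
  by_mail = Hash.new { |h, k| h[k] = [] }
  JSON.parse(keycloak_json).each { |u| by_mail[normalize(u["email"])] << u }

  links = []
  skipped = {}
  op_users.each do |user|
    mail = normalize(user[:mail])
    if user[:identity_url].to_s != ""
      skipped[mail] = "already linked to #{user[:identity_url]}"
      next
    end
    candidates = by_mail[mail]
    if candidates.empty?
      skipped[mail] = "no Keycloak account"
    elsif candidates.size > 1
      skipped[mail] = "ambiguous: #{candidates.size} Keycloak accounts share this e-mail"
    elsif !candidates.first["emailVerified"]
      skipped[mail] = "e-mail not verified in Keycloak"
    else
      links << [user[:id], "#{provider}:#{candidates.first["id"]}"]
    end
  end
  { links: links, skipped: skipped }
end

# Emit the SQL for the maintainer's "insert the respective values" suggestion,
# guarded so a row that already carries an identity_url is never overwritten.
def identity_url_sql(links)
  links.map do |user_id, identity_url|
    value = identity_url.gsub("'", "''")
    "UPDATE users SET identity_url = '#{value}' WHERE id = #{Integer(user_id)} " \
      "AND (identity_url IS NULL OR identity_url = '');"
  end
end

if __FILE__ == $PROGRAM_NAME
  plan = plan_identity_links(KEYCLOAK_USERS_JSON, OPENPROJECT_USERS)
  puts identity_url_sql(plan[:links])
  plan[:skipped].each { |mail, why| warn "skip #{mail}: #{why}" }
end
```

Run it against a real export and review the skipped list by hand; the users it refuses to link are exactly the ones for which the invitation flow (or a fix in Keycloak) is the right answer.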
I’m glad I could help!
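A second added example, editorial code rather than anything from the thread or the plugin, for the hand-written provider block (discovery: false) and the prompt option. It compares the configured endpoints and issuer with the realm's discovery document and builds the authentication request with an explicit prompt. The discovery document is constructed from the Keycloak URL layout used in the thread (realm master, /auth prefix); the redirect URI and the scope are assumptions. Two facts from OpenID Connect Core it relies on: the client validates the ID token's iss claim against the issuer it was configured with (section 3.1.3.7), and login_required is the error a provider returns to a silent prompt=none request when the user has no session there (section 3.1.2.6). The thread does not say whether the plugin's sso mode sends prompt=none, nor does it attribute the failure to the issuer value; the check flags that value only because it differs from the realm issuer that discovery would report, which is worth confirming whenever discovery is switched off.

```ruby
# Added example (not part of openproject-openid_connect): check a hand-written
# provider config against the realm's discovery document and build the
# authentication request with an explicit prompt value.
require "json"
require "uri"
require "securerandom"

# Constructed discovery document (what
# https://auth.example.com/auth/realms/master/.well-known/openid-configuration
# would return for this realm, trimmed to the fields checked here).
DISCOVERY_JSON = <<~JSON
  {
    "issuer": "https://auth.example.com/auth/realms/master",
    "authorization_endpoint": "https://auth.example.com/auth/realms/master/protocol/openid-connect/auth",
    "token_endpoint": "https://auth.example.com/auth/realms/master/protocol/openid-connect/token",
    "userinfo_endpoint": "https://auth.example.com/auth/realms/master/protocol/openid-connect/userinfo",
    "end_session_endpoint": "https://auth.example.com/auth/realms/master/protocol/openid-connect/logout",
    "check_session_iframe": "https://auth.example.com/auth/realms/master/protocol/openid-connect/login-status-iframe.html"
  }
JSON

# The provider block from the thread's configuration.yml, as a Ruby hash.
THREAD_CONFIG = {
  "identifier" => "project.example.com",
  "authorization_endpoint" => "https://auth.example.com/auth/realms/master/protocol/openid-connect/auth",
  "token_endpoint" => "https://auth.example.com/auth/realms/master/protocol/openid-connect/token",
  "userinfo_endpoint" => "https://auth.example.com/auth/realms/master/protocol/openid-connect/userinfo",
  "end_session_endpoint" => "https://auth.example.com/auth/realms/master/protocol/openid-connect/logout",
  "check_session_iframe" => "https://auth.example.com/auth/realms/master/protocol/openid-connect/login-status-iframe.html",
  "issuer" => "https://project.example.com/login",
}.freeze

CHECKED_KEYS = %w[issuer authorization_endpoint token_endpoint userinfo_endpoint
                  end_session_endpoint check_session_iframe].freeze

# Returns { key => [configured, discovered] } for every field that disagrees
# with discovery. An OIDC client compares the ID token's "iss" claim with the
# configured issuer, so a wrong issuer rejects every token after a redirect
# that otherwise looks fine.
def config_mismatches(config, discovery_json)
  discovery = JSON.parse(discovery_json)
  CHECKED_KEYS.each_with_object({}) do |key, out|
    out[key] = [config[key], discovery[key]] if config[key] != discovery[key]
  end
end

# Build the authentication request. prompt=none asks for silent SSO and the
# provider answers "login_required" when the user has no session there;
# prompt=login forces the login screen. state and nonce must be fresh per
# request and checked on the callback (CSRF and token-replay protection).
# redirect_uri is an assumption: omniauth's "/auth/<provider>/callback" layout.
def authorization_url(config, redirect_uri:, prompt: "login",
                      state: SecureRandom.hex(16), nonce: SecureRandom.hex(16))
  params = {
    "client_id" => config["identifier"],
    "response_type" => "code",
    "scope" => "openid email profile",
    "redirect_uri" => redirect_uri,
    "state" => state,
    "nonce" => nonce,
  }
  params["prompt"] = prompt if prompt
  uri = URI.parse(config["authorization_endpoint"])
  uri.query = URI.encode_www_form(params)
  uri.to_s
end

if __FILE__ == $PROGRAM_NAME
  config_mismatches(THREAD_CONFIG, DISCOVERY_JSON).each do |key, (configured, discovered)|
    warn "#{key}: configured #{configured.inspect}, discovery says #{discovered.inspect}"
  end
  puts authorization_url(THREAD_CONFIG,
                         redirect_uri: "https://project.example.com/auth/openid/callback")
end
```

With discovery available, fetching the document and running the check once is cheaper than maintaining six hand-copied URLs; if discovery must stay off, keep the comparison as a deployment test so a realm rename or a change of the /auth prefix cannot silently break token validation.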