OpenID integration with keycloak fails

Added by Jonatan Zint over 4 years ago

Hello,

I am currently trying to integrate OpenProject to our SSO realm powered by keycloak (http://keycloak.org/). I first tried SAML, but that failed due to this issue: https://github.com/finnlabs/openproject-auth_saml/issues/1

Since keycloak is SAML and OpenID compliant I moved to https://github.com/finnlabs/openproject-openid_connect and tried that out but ended up receiving:

App 1906 stdout: E, [2018-06-09T11:38:47.525168 #1906] ERROR -- omniauth: (openid) Authentication failure! missing_code: OmniAuth::OpenIDConnect::MissingCodeError, login_required

The moment I press on the button designated for my auth method.

Weirdly enough, once I set up my openid connection I get redirected to this page https://project.example.com/login/two_factor_authentication/_long token_ receiving this log output:

App 1013 stdout: ArgumentError (wrong number of arguments (given 2, expected 1)):
App 1013 stdout:   
App 1013 stdout: app/controllers/concerns/authentication_stages.rb:10:in `stage_success'
App 1013 stdout: app/middleware/reset_current_user.rb:47:in `call'

This is my config/configuration.yml:

default:
  openid_connect:
    openid:
      host: "auth.example.com"
      identifier: "project.example.com"
      secret: "a-secret"
      icon: "openid_connect/auth_provider-google.png"
      display_name: "example auth"
      authorization_endpoint: "https://auth.example.com/auth/realms/master/protocol/openid-connect/auth"
      token_endpoint: 'https://auth.example.com/auth/realms/master/protocol/openid-connect/token'
      userinfo_endpoint: 'https://auth.example.com/auth/realms/master/protocol/openid-connect/userinfo'
      end_session_endpoint: 'https://auth.example.com/auth/realms/master/protocol/openid-connect/logout'
      check_session_iframe: 'https://auth.example.com/auth/realms/master/protocol/openid-connect/login-status-iframe.html'
      sso: true
      issuer: 'https://project.example.com/login'
      discovery: false

Replies (12)

RE: OpenID integration with keycloak fails - Added by Markus Kahl over 4 years ago

Hey,

I found the bug in the openproject-openid_connect plugin.
Still have to test it though properly.

I take it you’re using the docker image.
The next planned release is 7.4.6 which will only come next week probably.

In the meantime I could push a hot-fixed docker image, though.
I’ll post an update here when it’s done. It should be done tomorrow.

RE: OpenID integration with keycloak fails - Added by Jonatan Zint over 4 years ago

Hey, thanks. No worries, we are gonna wait till release day.

RE: OpenID integration with keycloak fails - Added by Markus Kahl over 4 years ago

Ok. In the meantime you can still try a normal OpenID Connect login without SSO which should work. Just set sso: false and the code with the bug won’t be executed.

Without the sso: true users won’t be logged in automatically but instead they will have to click on signin where the users then have to click on “example auth”.

You can also make this a bit quicker by using the direct_login_provider configuration in config/configuration.yml like this:

default:
  omniauth_direct_login_provider: openid

or set it via the environment:

export OMNIAUTH_DIRECT_LOGIN_PROVIDER=openid

Where openid is the OpenID Connect provider you defined.

RE: OpenID integration with keycloak fails - Added by Jonatan Zint over 4 years ago

I guess I have to bother you again.

I tried without the sso: true setting.

While it works as long as I am authenticated with our SSO provider, it won’t when I’m not. I would expect to be redirected to our login screen, instead there is just this error message in the logs:

App 1013 stdout: I, [2018-07-03T08:13:16.323628 #1013]  INFO -- omniauth: (example) Request phase initiated.
App 1013 stdout: I, [2018-07-03T08:13:16.439629 #1013]  INFO -- omniauth: (example) Callback phase initiated.
App 1013 stdout: E, [2018-07-03T08:13:16.440033 #1013] ERROR -- omniauth: (example) Authentication failure! missing_code: OmniAuth::OpenIDConnect::MissingCodeError, login_required
App 1013 stdout: login_required

And an error screen in OpenProject. Do you have an idea why the redirect won’t work?

RE: OpenID integration with keycloak fails - Added by Markus Kahl over 4 years ago

Could you please try it again with the browser’s network tab open and print the requests (method + URL) here? Seeing as the log says “Callback phase initiated” it looks like the browser was actually sent to the SSO provider.

RE: OpenID integration with keycloak fails - Added by Jonatan Zint over 4 years ago

Since this might contain some confidential token I sent those to you via encrypted mail.

Thanks in advance.

RE: RE: OpenID integration with keycloak fails - Added by Jonatan Zint over 4 years ago

Unfortunately there is a second issue: If I am already registered with my SSO and try to log in, OpenProject complains that the user already exists - which is true. Is there any possibility to make OpenID match new OpenID logins with existing user records by email? I saw this behavior in a couple of other applications I integrated.

RE: OpenID integration with keycloak fails - Added by Markus Kahl over 4 years ago

OpenProject should associate existing users using the “identity_url” of a user which is the ID of the user in the auth provider. Can you please check if the users have an identity url in the database?

select id, login, mail, identity_url from users

RE: OpenID integration with keycloak fails - Added by Jonatan Zint over 4 years ago

identity_url is empty for all users unfortunately

We created those before the OpenID Connect integration and we would expect them to match by e-mail address.

RE: OpenID integration with keycloak fails - Added by Markus Kahl over 4 years ago

Unfortunately this is not how it works, however. It matches only via identity_url. But you should be able to fix it.

Please go to Admin -> Users -> Edit User and then on the top there should be a button “Send Invitation”. Click it and the user will get an email asking them to activate their account.

The user will then get an account activation email.
Clicking this they will be sent to the registration form with all their information except the password already filled in.

At the bottom of the screen there should be your auth provider under “or sign up using”. Just click on it and then the user’s identity url should be set.
After that the user will be able to login using the auth provider as expected.

You can try this for one user first and then check what the identity URL looks like.
Maybe the ID is something you can look up yourself in keycloak?
If it is you could technically insert the respective values into the database for each user under identity_url and they wouldn’t have to do the extra steps from above.

* * *

Also OpenProject 7.4.6 is out which now includes a prompt option by the way. I remember you mentioned that the sign-on doesn’t work but it did work when you used the same URL but with prompt=login. You can now change the default value for prompt in the configuration.yml. Just add it to the auth provider config on the same level as display_name, identifier etc. For instance:

default:
  openid_connect:
    keycloak:
      prompt: login

This should then redirect the user to your auth provider with prompt=login.
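As an added example (not code from this thread, from OpenProject or from the openid_connect plugin), here is how the bulk variant described at the end of the reply above could be prepared safely: match existing OpenProject users to Keycloak users by e-mail, but only link a user when exactly one Keycloak account carries a verified e-mail and nothing is linked yet. The `provider:uid` shape of identity_url and the use of Keycloak's user id as the OIDC `sub` claim are assumptions to confirm on one manually linked user first, as the reply suggests.

```ruby
# Added example, not OpenProject code. ASSUMPTION: identity_url is "<provider>:<uid>",
# uid being the OIDC sub claim (Keycloak's user id); verify on one linked user first.

# Constructed sample: a Keycloak user export (field names follow Keycloak's user representation).
KEYCLOAK_USERS = [
  { "id" => "1b5c0d2e-0001-4a0b-8c2d-aaaaaaaaaaaa", "email" => "alice@example.com", "emailVerified" => true },
  { "id" => "1b5c0d2e-0002-4a0b-8c2d-bbbbbbbbbbbb", "email" => "bob@example.com",   "emailVerified" => false },
  { "id" => "1b5c0d2e-0003-4a0b-8c2d-cccccccccccc", "email" => "carol@example.com", "emailVerified" => true },
  { "id" => "1b5c0d2e-0004-4a0b-8c2d-dddddddddddd", "email" => "carol@example.com", "emailVerified" => true },
].freeze

# Constructed sample: rows from `select id, login, mail, identity_url from users`.
OPENPROJECT_USERS = [
  { "id" => 2, "login" => "alice", "mail" => "Alice@Example.com", "identity_url" => nil },
  { "id" => 3, "login" => "bob",   "mail" => "bob@example.com",   "identity_url" => nil },
  { "id" => 4, "login" => "carol", "mail" => "carol@example.com", "identity_url" => nil },
  { "id" => 5, "login" => "dave",  "mail" => "dave@example.com",  "identity_url" => nil },
  { "id" => 6, "login" => "erin",  "mail" => "erin@example.com",  "identity_url" => "openid:already-linked" },
].freeze

# Returns { updates: [...], skipped: [...] }; every non-linked user carries a reason for the admin.
def plan_identity_urls(keycloak_users, op_users, provider:)
  by_mail = keycloak_users.group_by { |u| u["email"].to_s.strip.downcase }
  plan = { updates: [], skipped: [] }
  op_users.each do |u|
    candidates = by_mail.fetch(u["mail"].to_s.strip.downcase, [])
    reason =
      if !u["identity_url"].to_s.empty? then "identity_url already set"
      elsif candidates.empty? then "no Keycloak user with this e-mail"
      elsif candidates.size > 1 then "#{candidates.size} Keycloak users share this e-mail"
      elsif !candidates.first["emailVerified"] then "e-mail not verified in Keycloak"
      end
    if reason
      plan[:skipped] << { "login" => u["login"], "reason" => reason }
    else
      plan[:updates] << { "id" => u["id"], "login" => u["login"], "identity_url" => "#{provider}:#{candidates.first["id"]}" }
    end
  end
  plan
end

SAFE_IDENTITY_URL = /\A[a-z0-9_]+:[0-9a-f-]+\z/.freeze
# SQL for review before running; refuses any value outside the expected shape.
def identity_url_updates_sql(plan)
  plan[:updates].map do |row|
    url = row["identity_url"]
    raise ArgumentError, "unexpected identity_url: #{url}" unless url.match?(SAFE_IDENTITY_URL)
    "UPDATE users SET identity_url = '#{url}' WHERE id = #{Integer(row['id'])} AND identity_url IS NULL;"
  end
end
```

Unmatched, ambiguous and unverified accounts stay in the skipped list so they can go through the invitation flow from the reply above instead of being linked blindly.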

RE: OpenID integration with keycloak fails - Added by Jonatan Zint over 4 years ago

Yay! That works… thanks a lot!

It was no pain to do that manually for our small user base; for a bigger rollout it would be a nice feature to have a task to resend invitations for all users simultaneously.

Anyway, case closed. Thanks a lot for all your help.

RE: OpenID integration with keycloak fails - Added by Markus Kahl over 4 years ago

I’m glad I could help!
