OpenId Login via Keycloak
-
@olivierlambert said in OpenId Login via Keycloak:
Hmm that's weird Can anybody reproduce this?
Yes, same here.
Using it with Authelia OIDC, login works fine but the user has no username assigned (or visible).
For reference, this is the auto-discovery URL contents (redacted the domain):{ "issuer":"https://<auth-domain>", "jwks_uri":"https://<auth-domain>/jwks.json", "authorization_endpoint":"https://<auth-domain>/api/oidc/authorization", "token_endpoint":"https://<auth-domain>/api/oidc/token", "subject_types_supported":[ "public" ], "response_types_supported":[ "code", "token", "id_token", "code token", "code id_token", "token id_token", "code token id_token", "none" ], "response_modes_supported":[ "form_post", "query", "fragment" ], "scopes_supported":[ "offline_access", "openid", "profile", "groups", "email" ], "claims_supported":[ "amr", "aud", "azp", "client_id", "exp", "iat", "iss", "jti", "rat", "sub", "auth_time", "nonce", "email", "email_verified", "alt_emails", "groups", "preferred_username", "name" ], "introspection_endpoint":"https://<auth-domain>/api/oidc/introspection", "revocation_endpoint":"https://<auth-domain>/api/oidc/revocation", "code_challenge_methods_supported":[ "S256" ], "require_pushed_authorization_requests":false, "userinfo_endpoint":"https://<auth-domain>/api/oidc/userinfo", "id_token_signing_alg_values_supported":[ "RS256" ], "userinfo_signing_alg_values_supported":[ "none", "RS256" ], "request_object_signing_alg_values_supported":[ "none", "RS256" ], "request_uri_parameter_supported":false, "require_request_uri_registration":false, "claims_parameter_supported":false, "frontchannel_logout_supported":false, "frontchannel_logout_session_supported":false, "backchannel_logout_supported":false, "backchannel_logout_session_supported":false }
-
Is this user existed before?
-
@olivierlambert yes, there was a user in XO with the same name from LDAP.
I deleted both the un-named user and the existing LDAP user.
I then tried to login again with OIDC and the user had no username again... -
Okay try this:
- Login with the LDAP thing first. You should have the correct login name
- Login with the same creds with OIDC and check if you have a user name
What's weird: I tested on 2 XOAs here (lab and prob) and it worked well, I still got my username, so I'm not sure to get what's going on
-
@olivierlambert said in OpenId Login via Keycloak:
Okay try this:
- Login with the LDAP thing first. You should have the correct login name
- Login with the same creds with OIDC and check if you have a user name
What's weird: I tested on 2 XOAs here (lab and prob) and it worked well, I still got my username, so I'm not sure to get what's going on
Well, that's what I was doing at first and ended up with a correct LDAP user and an un-named OIDC user .
If it helps, Authelia reads its users from LDAP so no matter if use LDAP or OIDC, the final user being used is the same. -
Is this unnamed user is the same as the "named" one or a completely different one?
-
@olivierlambert the same user
-
Okay so hopefully it's a display issue or something. Let me ping @julien-f about this
-
@olivierlambert well, thanks for taking the time to look into this
It's not a show-stopper for me because I can still log into XO but it 'd be nice to use the nice features of OIDC like single sign-on etc.
-
Yes, maybe it's just a cosmetic issue without any other impact, but worth checking
-
@mandrav I've just pushed a fix to prevent XO from creating users with an empty name.
Most likely your problem is that the plugin does not work with the setting username field set to
email
.Please test the branch
fix-oidc-email
for a fix. Re-signing in the problematic user (if it has been created via OpenId Connect signin and has not been linked to another auth provider) should update the user name. -
@prononext @mandrav The problem of empty username has been fixed in
master
.The support of
email
for username field is currently in review in the PR linked in my previous message and will be available soonThanks for your help!