OpenId Login via Keycloak

prononext

Hi, I am facing the problem, that when I login via Keycloak as openid is completely configured the user gets no username assigned.

I put in the correct userinfo endpoint and the username field is "email" so it should work like any other app, thats working with my Keycloak.

Who has any experience with that and can maybe share relative urls for the additional properties, which I got for the endpoint info on my keycloak instance realm:

• Authorization URL
• Callback URL
• Issuer
• Token URL
• User info URL
• Username field

Thank you very much.

olivierlambert

Hi,

Can you be more specific on the "no username assigned" issue? What do you see?

prononext

Hi @olivierlambert,

Its like this on the login screen:

then loging in works.

When going with that newly logged in user to the profile screen, there is no username:

When checking with the admin under settings/users, also there is no username for that newly created user:

I filled all the oauth settings just like I used to in other applications where a userame is pulled without problems, but in xen orchestra the username is staying blank.

There are no specific logs about that authentification shown.

Like mentioned I am using keycloak with a oauth client and the same config that works for several other applications without issues.

Am I missing something?

olivierlambert

Hmm that's weird Can anybody reproduce this?

mandrav

@olivierlambert said in OpenId Login via Keycloak:

Hmm that's weird Can anybody reproduce this?

Yes, same here.
Using it with Authelia OIDC, login works fine but the user has no username assigned (or visible).
For reference, this is the auto-discovery URL contents (redacted the domain):

{
   "issuer":"https://<auth-domain>",
   "jwks_uri":"https://<auth-domain>/jwks.json",
   "authorization_endpoint":"https://<auth-domain>/api/oidc/authorization",
   "token_endpoint":"https://<auth-domain>/api/oidc/token",
   "subject_types_supported":[
      "public"
   ],
   "response_types_supported":[
      "code",
      "token",
      "id_token",
      "code token",
      "code id_token",
      "token id_token",
      "code token id_token",
      "none"
   ],
   "response_modes_supported":[
      "form_post",
      "query",
      "fragment"
   ],
   "scopes_supported":[
      "offline_access",
      "openid",
      "profile",
      "groups",
      "email"
   ],
   "claims_supported":[
      "amr",
      "aud",
      "azp",
      "client_id",
      "exp",
      "iat",
      "iss",
      "jti",
      "rat",
      "sub",
      "auth_time",
      "nonce",
      "email",
      "email_verified",
      "alt_emails",
      "groups",
      "preferred_username",
      "name"
   ],
   "introspection_endpoint":"https://<auth-domain>/api/oidc/introspection",
   "revocation_endpoint":"https://<auth-domain>/api/oidc/revocation",
   "code_challenge_methods_supported":[
      "S256"
   ],
   "require_pushed_authorization_requests":false,
   "userinfo_endpoint":"https://<auth-domain>/api/oidc/userinfo",
   "id_token_signing_alg_values_supported":[
      "RS256"
   ],
   "userinfo_signing_alg_values_supported":[
      "none",
      "RS256"
   ],
   "request_object_signing_alg_values_supported":[
      "none",
      "RS256"
   ],
   "request_uri_parameter_supported":false,
   "require_request_uri_registration":false,
   "claims_parameter_supported":false,
   "frontchannel_logout_supported":false,
   "frontchannel_logout_session_supported":false,
   "backchannel_logout_supported":false,
   "backchannel_logout_session_supported":false
}

olivierlambert

Is this user existed before?

mandrav

@olivierlambert yes, there was a user in XO with the same name from LDAP.
I deleted both the un-named user and the existing LDAP user.
I then tried to login again with OIDC and the user had no username again...

olivierlambert

Okay try this:

1. Login with the LDAP thing first. You should have the correct login name
2. Login with the same creds with OIDC and check if you have a user name

What's weird: I tested on 2 XOAs here (lab and prob) and it worked well, I still got my username, so I'm not sure to get what's going on

mandrav

@olivierlambert said in OpenId Login via Keycloak:

Okay try this:

1. Login with the LDAP thing first. You should have the correct login name
2. Login with the same creds with OIDC and check if you have a user name

What's weird: I tested on 2 XOAs here (lab and prob) and it worked well, I still got my username, so I'm not sure to get what's going on

Well, that's what I was doing at first and ended up with a correct LDAP user and an un-named OIDC user .
If it helps, Authelia reads its users from LDAP so no matter if use LDAP or OIDC, the final user being used is the same.

olivierlambert

Is this unnamed user is the same as the "named" one or a completely different one?

mandrav

@olivierlambert the same user

olivierlambert

Okay so hopefully it's a display issue or something. Let me ping @julien-f about this

mandrav

@olivierlambert well, thanks for taking the time to look into this

It's not a show-stopper for me because I can still log into XO but it 'd be nice to use the nice features of OIDC like single sign-on etc.

olivierlambert

Yes, maybe it's just a cosmetic issue without any other impact, but worth checking

julien-f

@mandrav I've just pushed a fix to prevent XO from creating users with an empty name.

Most likely your problem is that the plugin does not work with the setting username field set to email.

Please test the branch fix-oidc-email for a fix. Re-signing in the problematic user (if it has been created via OpenId Connect signin and has not been linked to another auth provider) should update the user name.

julien-f

@prononext @mandrav The problem of empty username has been fixed in master.

The support of email for username field is currently in review in the PR linked in my previous message and will be available soon

Thanks for your help!