XCP-ng

    OpenId Login via Keycloak

      mandrav @olivierlambert

      @olivierlambert yes, there was a user in XO with the same name from LDAP.
      I deleted both the un-named user and the existing LDAP user.
      I then tried to login again with OIDC and the user had no username again...

        olivierlambert Vates 🪐 Co-Founder CEO

        Okay try this:

        1. Login with the LDAP thing first. You should have the correct login name
        2. Login with the same creds with OIDC and check if you have a user name

        What's weird: I tested on 2 XOAs here (lab and prob) and it worked well, I still got my username, so I'm not sure I get what's going on 🤔

          mandrav @olivierlambert

          @olivierlambert said in OpenId Login via Keycloak:

          Okay try this:

          1. Login with the LDAP thing first. You should have the correct login name
          2. Login with the same creds with OIDC and check if you have a user name

          What's weird: I tested on 2 XOAs here (lab and prob) and it worked well, I still got my username, so I'm not sure I get what's going on 🤔

          Well, that's what I was doing at first and ended up with a correct LDAP user and an un-named OIDC user 🙂 .
          If it helps, Authelia reads its users from LDAP, so no matter if I use LDAP or OIDC, the final user being used is the same.

            olivierlambert Vates 🪐 Co-Founder CEO

            Is this unnamed user the same as the "named" one or a completely different one?

              mandrav @olivierlambert

              @olivierlambert the same user

                olivierlambert Vates 🪐 Co-Founder CEO

                Okay so hopefully it's a display issue or something. Let me ping @julien-f about this 🙂

                  mandrav @olivierlambert

                  @olivierlambert well, thanks for taking the time to look into this 🙂

                  It's not a show-stopper for me because I can still log into XO, but it'd be nice to use the nice features of OIDC like single sign-on etc.

                    olivierlambert Vates 🪐 Co-Founder CEO

                    Yes, maybe it's just a cosmetic issue without any other impact, but worth checking 🙂

                      julien-f Vates 🪐 Co-Founder XO Team @mandrav

                      @mandrav I've just pushed a fix to prevent XO from creating users with an empty name.

                      Most likely your problem is that the plugin does not work with the setting username field set to email.

                      Please test the branch fix-oidc-email for a fix. Re-signing in the problematic user (if it has been created via OpenId Connect signin and has not been linked to another auth provider) should update the user name.

                        julien-f Vates 🪐 Co-Founder XO Team @julien-f

                        @prononext @mandrav The problem of empty username has been fixed in master.

                        The support of email for username field is currently in review in the PR linked in my previous message and will be available soon 🙂

                        Thanks for your help!
