@olivierlambert well, thanks for taking the time to look into this
It's not a show-stopper for me because I can still log into XO, but it'd be nice to use the nice features of OIDC like single sign-on etc.
@olivierlambert said in OpenId Login via Keycloak:
Okay try this:
- Login with the LDAP thing first. You should have the correct login name
- Login with the same creds with OIDC and check if you have a user name
What's weird: I tested on 2 XOAs here (lab and prod) and it worked well, I still got my username, so I'm not sure I get what's going on
Well, that's what I was doing at first and ended up with a correct LDAP user and an un-named OIDC user.
If it helps, Authelia reads its users from LDAP, so no matter if I use LDAP or OIDC, the final user being used is the same.
@olivierlambert yes, there was a user in XO with the same name from LDAP.
I deleted both the un-named user and the existing LDAP user.
I then tried to login again with OIDC and the user had no username again...
@olivierlambert said in OpenId Login via Keycloak:
Hmm, that's weird. Can anybody reproduce this?
Yes, same here.
Using it with Authelia OIDC, login works fine but the user has no username assigned (or visible).
For reference, this is the auto-discovery URL contents (redacted the domain):
{
  "issuer": "https://<auth-domain>",
  "jwks_uri": "https://<auth-domain>/jwks.json",
  "authorization_endpoint": "https://<auth-domain>/api/oidc/authorization",
  "token_endpoint": "https://<auth-domain>/api/oidc/token",
  "subject_types_supported": [
    "public"
  ],
  "response_types_supported": [
    "code",
    "token",
    "id_token",
    "code token",
    "code id_token",
    "token id_token",
    "code token id_token",
    "none"
  ],
  "response_modes_supported": [
    "form_post",
    "query",
    "fragment"
  ],
  "scopes_supported": [
    "offline_access",
    "openid",
    "profile",
    "groups",
    "email"
  ],
  "claims_supported": [
    "amr",
    "aud",
    "azp",
    "client_id",
    "exp",
    "iat",
    "iss",
    "jti",
    "rat",
    "sub",
    "auth_time",
    "nonce",
    "email",
    "email_verified",
    "alt_emails",
    "groups",
    "preferred_username",
    "name"
  ],
  "introspection_endpoint": "https://<auth-domain>/api/oidc/introspection",
  "revocation_endpoint": "https://<auth-domain>/api/oidc/revocation",
  "code_challenge_methods_supported": [
    "S256"
  ],
  "require_pushed_authorization_requests": false,
  "userinfo_endpoint": "https://<auth-domain>/api/oidc/userinfo",
  "id_token_signing_alg_values_supported": [
    "RS256"
  ],
  "userinfo_signing_alg_values_supported": [
    "none",
    "RS256"
  ],
  "request_object_signing_alg_values_supported": [
    "none",
    "RS256"
  ],
  "request_uri_parameter_supported": false,
  "require_request_uri_registration": false,
  "claims_parameter_supported": false,
  "frontchannel_logout_supported": false,
  "frontchannel_logout_session_supported": false,
  "backchannel_logout_supported": false,
  "backchannel_logout_session_supported": false
}
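The discovery document above advertises "preferred_username", "name" and "email" in "claims_supported", but an IdP only releases those claims when the relying party requests the matching scope ("profile" for preferred_username/name, "email" for email, per OpenID Connect Core 1.0 section 5.4). A login that requests only "openid" therefore yields an ID token with "sub" and nothing a client could show as a username. The script below is an added example, not code from Xen Orchestra or Authelia: it loads a trimmed copy of the posted discovery document, reports which username-capable claims a given scope set will actually release, and explains a blank username from decoded ID-token claims. The scope set, the claim preference order and the two ID-token payloads are constructed assumptions for illustration, and the tokens are treated as already signature-verified.

```python
import json

# Constructed copy of the discovery document posted above (domain redacted
# exactly as in the post), trimmed to the keys this check inspects.
DISCOVERY_JSON = """
{
  "issuer": "https://<auth-domain>",
  "jwks_uri": "https://<auth-domain>/jwks.json",
  "authorization_endpoint": "https://<auth-domain>/api/oidc/authorization",
  "token_endpoint": "https://<auth-domain>/api/oidc/token",
  "userinfo_endpoint": "https://<auth-domain>/api/oidc/userinfo",
  "scopes_supported": ["offline_access", "openid", "profile", "groups", "email"],
  "claims_supported": ["aud", "exp", "iat", "iss", "sub", "email", "email_verified",
                       "groups", "preferred_username", "name"],
  "id_token_signing_alg_values_supported": ["RS256"]
}
"""

# Scope that must be requested for each human-readable claim
# (OpenID Connect Core 1.0, section 5.4 "Requesting Claims using Scope Values").
CLAIM_SCOPE = {
    "preferred_username": "profile",
    "name": "profile",
    "email": "email",
}

# Assumed order in which a relying party would derive a display username.
# "sub" is deliberately excluded: it is the stable identifier, not a username.
USERNAME_PREFERENCE = ("preferred_username", "name", "email")

# Constructed, already-verified ID-token payloads for the same user: one from a
# login that requested only "openid", one that also requested "profile email".
TOKEN_OPENID_ONLY = {
    "iss": "https://<auth-domain>", "sub": "a1b2c3d4", "aud": "xo-client",
    "exp": 1700000000, "iat": 1699999000,
}
TOKEN_WITH_PROFILE = {
    **TOKEN_OPENID_ONLY,
    "preferred_username": "jdoe", "name": "Jane Doe", "email": "jdoe@example.com",
}


def load_discovery(text):
    """Parse a discovery document and insist on the endpoints a code-flow client needs."""
    doc = json.loads(text)
    required = ("issuer", "jwks_uri", "authorization_endpoint", "token_endpoint")
    missing = [k for k in required if k not in doc]
    if missing:
        raise ValueError(f"discovery document missing required keys: {missing}")
    return doc


def username_claims_available(doc, requested_scopes):
    """Username-capable claims the IdP advertises AND the requested scopes will release."""
    supported = set(doc.get("claims_supported", []))
    scopes = set(requested_scopes)
    return [c for c in USERNAME_PREFERENCE
            if c in supported and CLAIM_SCOPE[c] in scopes]


def pick_username(claims, preference=USERNAME_PREFERENCE):
    """Return (claim_name, value) for the first non-empty username claim, else (None, None)."""
    for name in preference:
        value = claims.get(name)
        if isinstance(value, str) and value.strip():
            return name, value
    return None, None


def diagnose(doc, requested_scopes, id_token_claims):
    """Explain why a login did or did not produce a username."""
    claim, value = pick_username(id_token_claims)
    if claim is not None:
        return f"username '{value}' taken from claim '{claim}'"
    usable = username_claims_available(doc, requested_scopes)
    if usable:
        # Scopes were right but the IdP still withheld the claims: look at the
        # client / consent configuration on the IdP side.
        return f"no username claim in token although IdP should release {usable}; check IdP client config"
    advertised = set(doc.get("claims_supported", []))
    needed = sorted({CLAIM_SCOPE[c] for c in USERNAME_PREFERENCE if c in advertised}
                    - set(requested_scopes))
    return f"no username claim released; request scope(s) {needed} in addition to {sorted(requested_scopes)}"


if __name__ == "__main__":
    discovery = load_discovery(DISCOVERY_JSON)
    print(diagnose(discovery, ["openid"], TOKEN_OPENID_ONLY))
    print(diagnose(discovery, ["openid", "profile", "email"], TOKEN_WITH_PROFILE))
```

Run stand-alone, the first line reports that no username claim was released and names the "email" and "profile" scopes to add; the second shows the username resolved from "preferred_username". Pointing the first call at a real decoded ID token (after signature verification) is the quickest way to tell whether the blank username comes from the scopes the client requests or from the IdP withholding a claim it advertises.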