adevolutio / pretix-oidc

Plugin for pretix that provides a pluggable authentication backend using OpenID Connect

Documentation #2

Open makakken opened 8 months ago

makakken commented 8 months ago

Hey guys, is there any documentation anywhere on how to configure this plugin?

jlucasp25 commented 8 months ago

Hello! Most of the variables you need to configure in your Pretix settings file can be found in the auth.py file of this repository.

Most of the variables are the same as the ones used in the mozilla-django-oidc package.

This documentation for customizing the settings of a Pretix installation may also help.

We will try to provide documentation at a later point. If you still have any questions, feel free to contact me or submit another issue.

makakken commented 8 months ago

So do I have to add settings like "OIDC_OP_TOKEN_ENDPOINT" under the [django] section in pretix.cfg?

jlucasp25 commented 8 months ago

Yes, or as an environment variable.

makakken commented 8 months ago

Well, I think I need some more help... I think I've managed to install the plugin, as shown in the screenshot from my pretix license-check page:

[screenshot: Bildschirmfoto 2023-11-10 um 08 13 45]

I've set most of the environment variables to meet the requirements of my Keycloak instance.

[django]
OIDC_OP_TOKEN_ENDPOINT=https://keylcoak.ow.org/realms/example/protocol/openid-connect/token
OIDC_OP_USER_ENDPOINT=https://keycloak.ow.org/realms/example/protocol/openid-connect/userinfo
OIDC_OP_JWKS_ENDPOINT=https://keycloak.ow.org/realms/example/protocol/openid-connect/certs
OIDC_RP_CLIENT_ID=pretix
OIDC_RP_CLIENT_SECRET=N***********t
OIDC_RP_SIGN_ALGO=RS256
OIDC_RP_IDP_SIGN_KEY=

But I still only see the standard login screen:

[screenshot: Bildschirmfoto 2023-11-10 um 08 17 55]

In the admin configuration there are no OIDC-related options I could activate or something...

What am I doing wrong? How can I be sure the plugin is working? How do I activate login via Keycloak OIDC?

jlucasp25 commented 8 months ago

In pretix.cfg there is an Authentication Backends setting. Have you set it to point to this backend? Check here

makakken commented 8 months ago

No I don't ;) Is this setting correct?

[pretix]
auth_backends=pretix.base.auth.NativeAuthBackend,authentication_url

(so I can use user/password auth and Keycloak auth)

jlucasp25 commented 8 months ago

Replace the authentication_url and use the Python path to the backend:

pretix_oidc.auth.OIDCAuthBackend

You can double-check the path via the source code

makakken commented 8 months ago

Okay... we're making progress ;)

When using this:

[django]
OIDC_OP_TOKEN_ENDPOINT=https://keylcoak.ow.org/realms/example/protocol/openid-connect/token
OIDC_OP_USER_ENDPOINT=https://keycloak.ow.org/realms/example/protocol/openid-connect/userinfo
OIDC_OP_JWKS_ENDPOINT=https://keycloak.ow.org/realms/example/protocol/openid-connect/certs
OIDC_RP_CLIENT_ID=pretix
OIDC_RP_CLIENT_SECRET=N***********t
OIDC_RP_SIGN_ALGO=RS256
OIDC_RP_IDP_SIGN_KEY=

I get the following error: configparser.NoSectionError: No section: 'pretix_oidc'

So I tried this:

[pretix_oidc]
OIDC_OP_TOKEN_ENDPOINT=https://keylcoak.ow.org/realms/example/protocol/openid-connect/token
OIDC_OP_USER_ENDPOINT=https://keycloak.ow.org/realms/example/protocol/openid-connect/userinfo
OIDC_OP_JWKS_ENDPOINT=https://keycloak.ow.org/realms/example/protocol/openid-connect/certs
OIDC_RP_CLIENT_ID=pretix
OIDC_RP_CLIENT_SECRET=N***********t
OIDC_RP_SIGN_ALGO=RS256
OIDC_RP_IDP_SIGN_KEY=

But this doesn't seem to fix it: django.urls.exceptions.NoReverseMatch: 'pretix_oidc' is not a registered namespace inside 'plugins'

I'm sorry, I'm not a Python developer, I just want to set up pretix with Keycloak ;) If we get through this successfully, I'll write a little documentation, I think....

makakken commented 8 months ago

Here's the complete stack trace:

pretix_app | ERROR 2023-11-10 11:08:25,037 django.request log Internal Server Error: /control/login
pretix_app | Traceback (most recent call last):
pretix_app |   File "/usr/local/lib/python3.11/site-packages/django/core/handlers/exception.py", line 55, in inner
pretix_app |     response = get_response(request)
pretix_app |                ^^^^^^^^^^^^^^^^^^^^^
pretix_app |   File "/usr/local/lib/python3.11/site-packages/django/core/handlers/base.py", line 197, in _get_response
pretix_app |     response = wrapped_callback(request, *callback_args, **callback_kwargs)
pretix_app |                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
pretix_app |   File "/pretix/src/pretix/control/views/auth.py", line 100, in login
pretix_app |     backenddict = get_auth_backends()
pretix_app |                   ^^^^^^^^^^^^^^^^^^^
pretix_app |   File "/pretix/src/pretix/base/auth.py", line 48, in get_auth_backends
pretix_app |     b = getattr(import_module(mod), name)()
pretix_app |         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
pretix_app |   File "/usr/local/lib/python3.11/site-packages/pretix_oidc/auth.py", line 40, in __init__
pretix_app |     self.OIDC_OP_TOKEN_ENDPOINT = self.get_settings("OIDC_OP_TOKEN_ENDPOINT")
pretix_app |                                   ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
pretix_app |   File "/usr/local/lib/python3.11/site-packages/pretix_oidc/auth.py", line 76, in get_settings
pretix_app |     return import_from_settings(attr, *args)
pretix_app |            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
pretix_app |   File "/usr/local/lib/python3.11/site-packages/pretix_oidc/utils.py", line 33, in import_from_settings
pretix_app |     return config.get(plugin, attr)
pretix_app |            ^^^^^^^^^^^^^^^^^^^^^^^^
pretix_app |   File "/pretix/src/pretix/helpers/config.py", line 39, in get
pretix_app |     return self.cp.get(section, option, raw=raw, vars=vars, fallback=fallback)
pretix_app |            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
pretix_app |   File "/usr/local/lib/python3.11/configparser.py", line 797, in get
pretix_app |     d = self._unify_values(section, vars)
pretix_app |         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
pretix_app |   File "/usr/local/lib/python3.11/configparser.py", line 1168, in _unify_values
pretix_app |     raise NoSectionError(section) from None
pretix_app | configparser.NoSectionError: No section: 'pretix_oidc'

makakken commented 8 months ago

Is there any [pretix_oidc]-specific config I have to set in pretix.cfg? It seems the OIDC_OP and OIDC_RP keys are correct under the [django] section... right?

makakken commented 8 months ago

After a short source check I think

[pretix_oidc]
OIDC_OP_TOKEN_ENDPOINT=https://keylcoak.ow.org/realms/example/protocol/openid-connect/token
OIDC_OP_USER_ENDPOINT=https://keycloak.ow.org/realms/example/protocol/openid-connect/userinfo
OIDC_OP_JWKS_ENDPOINT=https://keycloak.ow.org/realms/example/protocol/openid-connect/certs
OIDC_RP_CLIENT_ID=pretix
OIDC_RP_CLIENT_SECRET=N***********t
OIDC_RP_SIGN_ALGO=RS256
OIDC_RP_IDP_SIGN_KEY=

is the right way to go ;)

makakken commented 8 months ago

So I think this is the error I don't understand now:

pretix_app | Traceback (most recent call last):
pretix_app |   File "/usr/local/lib/python3.11/site-packages/django/urls/base.py", line 71, in reverse
pretix_app |     extra, resolver = resolver.namespace_dict[ns]
pretix_app |                       ~~~~~~~~~~~~~~~~~~~~~~~^^^^
pretix_app | KeyError: 'pretix_oidc'
pretix_app | 
pretix_app | During handling of the above exception, another exception occurred:
pretix_app | 
pretix_app | Traceback (most recent call last):
pretix_app |   File "/usr/local/lib/python3.11/site-packages/django/core/handlers/exception.py", line 55, in inner
pretix_app |     response = get_response(request)
pretix_app |                ^^^^^^^^^^^^^^^^^^^^^
pretix_app |   File "/usr/local/lib/python3.11/site-packages/django/core/handlers/base.py", line 197, in _get_response
pretix_app |     response = wrapped_callback(request, *callback_args, **callback_kwargs)
pretix_app |                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
pretix_app |   File "/pretix/src/pretix/control/views/auth.py", line 106, in login
pretix_app |     b.url = b.authentication_url(request)
pretix_app |             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
pretix_app |   File "/usr/local/lib/python3.11/site-packages/pretix_oidc/auth.py", line 69, in authentication_url
pretix_app |     authenticate_url = reverse("plugins:pretix_oidc:oidc_authentication_init")
pretix_app |                        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
pretix_app |   File "/usr/local/lib/python3.11/site-packages/django/urls/base.py", line 77, in reverse
pretix_app |     raise NoReverseMatch(
pretix_app | django.urls.exceptions.NoReverseMatch: 'pretix_oidc' is not a registered namespace inside 'plugins'

jlucasp25 commented 8 months ago

So it seems pretix isn't finding the plugin's default URLs... Have you changed URL settings on Pretix? Did you install the plugin via the Marketplace or insert the code into your installation? Are you in DEBUG/Development mode?

makakken commented 8 months ago

Have you changed URL settings on Pretix?
Not that I know of, it's a fresh Docker container of pretix.

You installed the plugin via the Marketplace or inserted the code in your installation?
I've used this method: https://docs.pretix.eu/en/latest/admin/installation/docker_smallscale.html#install-a-plugin

Are you in DEBUG/Development mode?
No

jlucasp25 commented 8 months ago

You're almost there! That's a weird error, I'll try to simulate your environment and check if I get to that error too. But in theory that's all the configuration you need to do.

The roles on keycloak will be mapped to teams inside pretix.

makakken commented 8 months ago

I don't know if this is relevant, but I use pretix behind a Traefik proxy...

jlucasp25 commented 8 months ago

This is a Django error you're getting. Some installation step failed, or there is a configuration mismatch.

makakken commented 8 months ago

Is there anything I can do to hunt the error down?

makakken commented 8 months ago

Okay, I didn't get any further, but I think I wrote down the steps I already accomplished: https://github.com/adevolutio/pretix-oidc/pull/3 -> README.md

Can anyone help with getting this up and running?

makakken commented 8 months ago

You're almost there! That's a weird error, I'll try to simulate your environment and check if I get to that error too. But in theory that's all the configuration you need to do.

The roles on keycloak will be mapped to teams inside pretix.

@jlucasp25 were you able to recreate the error?

makakken commented 2 months ago

@jlucasp25 ping! Can you recheck my configuration? I'm not sure if everything I did is right, and I'm still not able to solve the problem... I'll attach my pretix.cfg


[pretix]
instance_name=ptx.test.org
url=https://ptx.test.org 
currency=EUR
; DO NOT change the following value, it has to be set to the location of the
; directory *inside* the docker container
datadir=/data
registration=off
auth_backends=pretix.base.auth.NativeAuthBackend,pretix_oidc.auth.OIDCAuthBackend

[pretix_oidc]
OIDC_OP_TOKEN_ENDPOINT=https://keycloak-test.org/realms/test/protocol/openid-connect/token
OIDC_OP_USER_ENDPOINT=https://keycloak-test.org/realms/test/protocol/openid-connect/userinfo
OIDC_OP_JWKS_ENDPOINT=https://keycloak-test.org/realms/test/protocol/openid-connect/certs
OIDC_RP_CLIENT_ID=test-pretix
OIDC_RP_CLIENT_SECRET=N**********************t
OIDC_RP_SIGN_ALGO=RS256
OIDC_RP_IDP_SIGN_KEY=

[locale]
default=de
timezone=Europe/Berlin

[database]
backend=postgresql
name=pretix
user=pretix
password=u*******6
host=dbtest

[mail]
from=pretix@test.org  
host=mailhog
user=        
password=      
port=1025
tls=on
ssl=off

[redis]
location=redis://redis/0
; Remove the following line if you are unsure about your redis'security
; to reduce impact if redis gets compromised.
sessions=true

[celery]
backend=redis://redis/1
broker=redis://redis/2
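The thread above turns on two pretix.cfg details that are easy to get wrong: the backend must be listed in `[pretix] auth_backends`, and the plugin reads its `OIDC_*` keys from a `[pretix_oidc]` section rather than from `[django]` (the `NoSectionError` traceback shows `config.get("pretix_oidc", ...)`). The following is an added example, not code from the pretix-oidc project: a small checker that reads a pretix.cfg with the same `configparser` the traceback goes through and reports those mistakes before the login page has to. The sample config is constructed from the one posted above with placeholder hostnames and secret; the rule that an RS256 signing algorithm needs either `OIDC_OP_JWKS_ENDPOINT` or `OIDC_RP_IDP_SIGN_KEY`, and the HS256 default, are assumptions taken from mozilla-django-oidc, which the maintainer says the variables mirror.

```python
import configparser

# Python path of the plugin's backend, as given by the maintainer in this thread.
OIDC_BACKEND = "pretix_oidc.auth.OIDCAuthBackend"
# The plugin reads its settings from this pretix.cfg section (see the
# NoSectionError traceback in the thread); keys placed under [django] are not found.
OIDC_SECTION = "pretix_oidc"
# Keys that must be present and non-empty for the code flow to work at all.
REQUIRED_KEYS = (
    "OIDC_OP_TOKEN_ENDPOINT",
    "OIDC_OP_USER_ENDPOINT",
    "OIDC_RP_CLIENT_ID",
    "OIDC_RP_CLIENT_SECRET",
)

# Constructed sample pretix.cfg modelled on the one posted in this thread;
# hostnames and the client secret are placeholders, not real values.
SAMPLE_CFG = """\
[pretix]
instance_name=ptx.test.org
url=https://ptx.test.org
auth_backends=pretix.base.auth.NativeAuthBackend,pretix_oidc.auth.OIDCAuthBackend

[pretix_oidc]
OIDC_OP_TOKEN_ENDPOINT=https://keycloak-test.org/realms/test/protocol/openid-connect/token
OIDC_OP_USER_ENDPOINT=https://keycloak-test.org/realms/test/protocol/openid-connect/userinfo
OIDC_OP_JWKS_ENDPOINT=https://keycloak-test.org/realms/test/protocol/openid-connect/certs
OIDC_RP_CLIENT_ID=test-pretix
OIDC_RP_CLIENT_SECRET=replace-me-with-the-keycloak-client-secret
OIDC_RP_SIGN_ALGO=RS256
OIDC_RP_IDP_SIGN_KEY=
"""


def check_oidc_config(text: str) -> list:
    """Return a list of problems found in a pretix.cfg; an empty list means it passed."""
    # interpolation=None so '%' in a secret is not treated as a substitution.
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    problems = []

    # 1. The backend must be listed, otherwise pretix never offers the OIDC login.
    raw = cp.get("pretix", "auth_backends", fallback="")
    backends = [b.strip() for b in raw.split(",") if b.strip()]
    if OIDC_BACKEND not in backends:
        problems.append(f"[pretix] auth_backends does not list {OIDC_BACKEND}")

    # 2. OIDC_* keys under [django] are the mistake made early in the thread;
    #    the plugin never looks there.
    if cp.has_section("django"):
        misplaced = sorted(k for k in cp.options("django") if k.upper().startswith("OIDC_"))
        if misplaced:
            problems.append(
                f"OIDC settings found under [django] instead of [{OIDC_SECTION}]: "
                + ", ".join(k.upper() for k in misplaced)
            )

    # 3. Without the section the plugin raises configparser.NoSectionError at login.
    if not cp.has_section(OIDC_SECTION):
        problems.append(f"missing [{OIDC_SECTION}] section")
        return problems

    def val(key: str) -> str:
        # configparser lower-cases option names, so look-ups are case-insensitive.
        return cp.get(OIDC_SECTION, key, fallback="").strip()

    for key in REQUIRED_KEYS:
        if not val(key):
            problems.append(f"[{OIDC_SECTION}] {key} is missing or empty")

    # 4. Tokens, the client secret and userinfo travel over these URLs; require TLS.
    for key in cp.options(OIDC_SECTION):
        if key.upper().endswith("_ENDPOINT") and val(key) and not val(key).startswith("https://"):
            problems.append(f"[{OIDC_SECTION}] {key.upper()} is not an https:// URL")

    # 5. Assumption from mozilla-django-oidc: HS256 is the default and verifies with the
    #    client secret; any other algorithm needs a JWKS endpoint or a pinned IdP key,
    #    otherwise the ID token signature cannot be checked.
    algo = val("OIDC_RP_SIGN_ALGO").upper() or "HS256"
    if algo != "HS256" and not (val("OIDC_OP_JWKS_ENDPOINT") or val("OIDC_RP_IDP_SIGN_KEY")):
        problems.append(
            f"[{OIDC_SECTION}] OIDC_RP_SIGN_ALGO={algo} needs OIDC_OP_JWKS_ENDPOINT or OIDC_RP_IDP_SIGN_KEY"
        )

    return problems


if __name__ == "__main__":
    # Point this at a real file with: check_oidc_config(open("pretix.cfg").read())
    for line in check_oidc_config(SAMPLE_CFG) or ["config looks consistent"]:
        print(line)
```

Run it against the real pretix.cfg before restarting the container; it catches the section and backend mistakes from this thread, but it cannot tell whether the plugin's URLs were registered, which is what the later `NoReverseMatch` is about, so an empty result does not rule that out.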