apostrophecms / passport-bridge

MIT License

Help Integrating with Keycloak #6

Open chris2fr opened 2 years ago

chris2fr commented 2 years ago

Hi,

I am trying to integrate passport-bridge with keycloak and am stuck.

Keycloak uses 'sub' as an internal user id, a bit different than the standard id.

I am using the passport-openidconnect strategy.

https://www.npmjs.com/package/passport-openidconnect-keycloak-idp

I have account creation set.

The answer I get is from openidconnect, and I assume it may be an issue between openidconnect and apostrophecms-passportbridge

A login error occurred
An error occurred while logging in via openidconnect

Your credentials were not accepted, your account is not affiliated with this site, or an existing account has the same username or email address.

If you believe you are seeing this message in error please contact the administrator.

here is my modules/@apostrophecms/passport-bridge/index.js

module.exports = {
  // In modules/@apostrophecms/passport-bridge/index.js
  options: {
    create: {
      // If you wish to treat all valid google users in your domain as
      // admins of the site. See also `guest`, `contributor`, `editor`, 'admin'
      //
      role: 'guest'
    },
    strategies: [
      {
        // You must npm install --save this module in your project first
        module: 'passport-openidconnect',
        options: {
          issuer: 'https://id.lesgv.com',
          authorizationURL: 'https://id.lesgv.com/realms/master/protocol/openid-connect/auth',
          tokenURL: 'https://id.lesgv.com/realms/master/protocol/openid-connect/token',
          userProfileURL: 'https://id.lesgv.com/realms/master/protocol/openid-connect/userinfo',
          clientID: '',
          clientSecret: '',
          callbackURL: 'https://alpha.lesgv.com/auth/oauth2/login'
        },
        // Ignore users whose email address does not match this domain
        // according to the identity provider
        emailDomain: 'mann.fr',
        // Use the user's email address as their identity
        match: 'email',
        // Strategy-specific options that must be passed to the authenticate middleware.
        // See the documentation of the strategy module you are using
        authenticate: {
          // 'email' for the obvious, 'profile' for the displayName (for the create option)
          scope: [ 'email', 'profile' ]
          // scope: [ 'email', 'preferred_username' ]
          // scope: [ 'email' ]
        }
      }
    ]
  }
};

Oooo, I just read "See the documentation of the strategy module you are using".

I guess I will also check that.
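One way to check a Keycloak userinfo response against the `match: 'email'` and `emailDomain: 'mann.fr'` settings in the config above, as an added diagnostic that is not code from passport-bridge or passport-openidconnect. The normalized-profile shape (`sub` becoming `id`, `email` becoming `emails[0].value`) and the two gates are assumptions about how the bridge behaves, and the userinfo payload is constructed.

```javascript
// Constructed Keycloak userinfo response: `sub` is Keycloak's opaque user id,
// `email` only appears when the "email" scope is granted and the user has one set.
const sampleUserinfo = {
  sub: 'f3c2a1d0-0000-4000-8000-000000000000',
  email_verified: true,
  preferred_username: 'jdoe',
  name: 'Jane Doe',
  email: 'jdoe@mann.fr'
};

// Assumption: the strategy turns raw claims into a Passport-style profile.
function normalizeProfile(userinfo) {
  const profile = {
    id: userinfo.sub,
    displayName: userinfo.name,
    username: userinfo.preferred_username
  };
  if (userinfo.email) profile.emails = [ { value: userinfo.email } ];
  return profile;
}

// Gate 1: derive the identity key the bridge would look up for the given `match` mode.
function identityFor(profile, match) {
  if (match === 'id') {
    return profile.id ? { key: profile.id } : { key: null, reason: 'no sub claim in userinfo' };
  }
  if (match === 'email') {
    const email = profile.emails && profile.emails[0] && profile.emails[0].value;
    return email
      ? { key: email.toLowerCase() }
      : { key: null, reason: 'no email claim (check the "email" scope and the user\'s email in Keycloak)' };
  }
  return { key: null, reason: 'unknown match mode ' + match };
}

// Gate 2: apply the emailDomain filter, then report why a login would be rejected.
function checkLogin(userinfo, { match, emailDomain }) {
  const profile = normalizeProfile(userinfo);
  const identity = identityFor(profile, match);
  if (!identity.key) return { ok: false, reason: identity.reason };
  if (emailDomain) {
    const email = profile.emails && profile.emails[0] && profile.emails[0].value;
    const domain = email ? email.split('@')[1].toLowerCase() : null;
    if (domain !== emailDomain.toLowerCase()) {
      return { ok: false, reason: 'email domain ' + domain + ' is not ' + emailDomain };
    }
  }
  return { ok: true, key: identity.key };
}
```

Running `checkLogin` on the real userinfo JSON returned by the `userProfileURL` above tells you which of the two gates the generic "not affiliated with this site" message is hiding.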

chris2fr commented 2 years ago

All I am getting now is "Forbidden"

Any ideas to help debug?