rdmorganiser / rdmo

A tool to support the planning, implementation, and organization of research data management.
https://rdmorganiser.github.io
Apache License 2.0

Unable to Sign In with Keycloak - "Sign up closed" Error #1019

Closed sigau closed 6 days ago

sigau commented 3 months ago

Hi,

We are trying to implement Keycloak for authentication on our instance of RDMO. Our local.py is configured as follows:

# local.py (excerpt): RDMO account settings plus the django-allauth
# OpenID Connect provider pointing at our Keycloak realm
import os

ACCOUNT = True
ACCOUNT_SIGNUP = False            # the local sign-up form is closed
ACCOUNT_TERMS_OF_USE = True
SOCIALACCOUNT = True
ACCOUNT_AUTHENTICATION_METHOD = 'username_email'

INSTALLED_APPS += [
    'allauth',
    'allauth.account',
    'allauth.socialaccount',
    'allauth.socialaccount.providers.openid_connect',
]

SOCIALACCOUNT_PROVIDERS = {
    "openid_connect": {
        "EMAIL_AUTHENTICATION": True,
        "EMAIL_AUTHENTICATION_AUTO_CONNECT": True,
        "APPS": [
            {
                "provider_id": "keycloak",
                "name": "keycloak",
                "client_id": "dmp",
                # the client secret is read from the environment, not stored in the file
                "secret": os.environ['keycloak_secret'],
                "settings": {
                    "server_url": "https://ourkeycloak/auth/realms/realm/.well-known/openid-configuration",
                },
            }
        ]
    }
}

We see the Keycloak logo on the connection page, and clicking on it successfully connects to Keycloak and returns to our RDMO instance. However, we receive the following message:

Sign up closed

We are sorry, but the sign up is currently closed.

It seems we may have missed something in our local.py configuration, but we are unable to identify what is wrong.

Do you have any suggestions on how to resolve this issue?

Thank you in advance,

Gautier

jochenklar commented 3 months ago

Hi @sigau , I think you need to add SOCIALACCOUNT_SIGNUP = True.

sigau commented 3 months ago

Hello, thanks for your answer, but we have the problem that some of our users already have an account on our instance with the mail that is used in our Keycloak. And when we try connecting with Keycloak with SOCIALACCOUNT_SIGNUP = True, it fills the form with all the information from Keycloak, but as the user already exists it can't be created (and we don't want to create a new one, but just connect to the existing one).

jochenklar commented 3 months ago

Ah ok, those people need to log in using the old credentials and then use "Account connections" from the user menu (at /account/social/connections/). I think django-allauth has no means to connect those accounts automatically. This is probably also a security thing. Maybe @MyPyDavid has an idea?

sigau commented 3 months ago

Thanks, we will try and come back to you!

sigau commented 3 months ago

So we tried and it works! Thanks

But we're still open to knowing whether it's possible to link an existing account from the connection page! (if it's not a security problem)

MyPyDavid commented 3 months ago

Yes, I guess depending on the number of users you could also do this manually (assign a user to the social account in admin) or implement a custom adapter (DefaultSocialAccountAdapter) for this. We had the same issue and I added an ExistingAccountAdapter (according to https://github.com/pennersr/django-allauth/issues/418#issuecomment-107880925) for this case in the rdmo-app.

jochenklar commented 3 months ago

I think the main problem is that an automatic linking would allow people who control the email address, which might or might not be as protected as the password, to take over existing accounts. I guess for your Keycloak, you can assume that nobody can just take the email of someone else to create an account there.
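The approach MyPyDavid describes above (a custom DefaultSocialAccountAdapter that attaches a Keycloak login to the already existing local user with the same e-mail) combined with the caveat in the previous comment, as an added example. This is not rdmo-app's ExistingAccountAdapter nor any code from this thread; the module path, the TRUSTED_PROVIDERS allow-list and the helper names are assumptions. The linking decision is kept in a pure function so it can be exercised without a running Django instance: it only links when the provider is on the allow-list and the provider reports the e-mail as verified, so merely controlling an unverified address at some other identity provider is not enough to inherit a local account.

```python
# rdmo_app/adapters.py (hypothetical path; added example, not rdmo's own code)
#
# Attach a Keycloak (OpenID Connect) login to an existing local user with the
# same e-mail instead of sending the user to the closed sign-up form.
# Activate with:  SOCIALACCOUNT_ADAPTER = 'rdmo_app.adapters.ExistingAccountAdapter'

from dataclasses import dataclass
from typing import Callable, Optional

try:
    from allauth.socialaccount.adapter import DefaultSocialAccountAdapter
except ImportError:  # allows the policy below to run where allauth is not installed
    class DefaultSocialAccountAdapter:  # minimal stand-in for the allauth base class
        pass

# Only providers whose e-mail claims we trust may auto-link (assumption: the
# provider_id from SOCIALACCOUNT_PROVIDERS). This is the mitigation for the
# account take-over risk: an untrusted IdP where anyone can register any
# address must never be able to claim a local account.
TRUSTED_PROVIDERS = frozenset({"keycloak"})


@dataclass(frozen=True)
class LinkDecision:
    link: bool
    reason: str
    user: Optional[object] = None


def decide_link(provider_id: str, email: Optional[str], email_verified: bool,
                find_user: Callable[[str], Optional[object]],
                trusted_providers=TRUSTED_PROVIDERS) -> LinkDecision:
    """Pure policy: should this social login be attached to an existing user?

    find_user maps a lower-cased e-mail to a local user object or None; it is
    injected so the policy can be tested without a database.
    """
    if provider_id not in trusted_providers:
        return LinkDecision(False, "provider not trusted for auto-linking")
    if not email:
        return LinkDecision(False, "no e-mail claim in the token")
    if not email_verified:
        return LinkDecision(False, "e-mail not verified by the provider")
    user = find_user(email.strip().lower())
    if user is None:
        return LinkDecision(False, "no local user with this e-mail")
    return LinkDecision(True, "verified e-mail matches an existing local user", user)


def _find_user_by_email(email: str):
    # Imported lazily so the module (and the policy) load without Django.
    from django.contrib.auth import get_user_model
    return get_user_model().objects.filter(email__iexact=email).first()


class ExistingAccountAdapter(DefaultSocialAccountAdapter):
    """allauth adapter hook that runs before the social login is processed."""

    def pre_social_login(self, request, sociallogin):
        # Already linked to a local user, or a user is already logged in and is
        # connecting the account deliberately: nothing for us to do.
        if sociallogin.is_existing or (request.user and request.user.is_authenticated):
            return
        claims = sociallogin.account.extra_data or {}
        decision = decide_link(
            sociallogin.account.provider,
            claims.get("email"),
            bool(claims.get("email_verified", False)),
            _find_user_by_email,
        )
        if decision.link:
            # Persist the link; allauth then logs the existing user in.
            sociallogin.connect(request, decision.user)
```

Whether `email_verified` is present in `extra_data` depends on the claims your Keycloak client releases; if the claim is missing the policy falls back to refusing the link, which is the safe default.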

jochenklar commented 3 months ago

@MyPyDavid maybe your ExistingAccountAdapter is something for https://rdmo.readthedocs.io/en/latest/advanced/index.html.