Closed karezza closed 3 years ago
Hi, sorry for the late reply. I think it's an almost default setup, but I have attached screenshots of my setup.
Thank you so much! This got me unstuck and I think I'm just about there.
@karezza, could you please share what exactly solved your issue?
Time has passed since this ticket. I can't remember what fixed it back then; I think just reviewing the manual steps and ensuring they were implemented perfectly fixed it, along with setting up Keycloak like above.
Since then, though, just last week, I reinstalled Taiga and was unable to get the manual steps of taiga-contrib-openid-auth to work ... what eventually worked was asking for updated images, which the maintainer produced. Then, using those images along with the right environment variables, I was able to get a working setup. My environment variables were like so:
back:

```yaml
- name: ENABLE_OPENID
  value: "True"
- name: PUBLIC_REGISTER_ENABLED
  value: "True"
- name: OPENID_USER_URL
  value: "https://<urltokeycloak>/auth/realms/<realm>/protocol/openid-connect/userinfo"
- name: OPENID_TOKEN_URL
  value: "https://<urltokeycloak>/auth/realms/<realm>/protocol/openid-connect/token"
- name: OPENID_CLIENT_ID
  value: "taiga.k-dev.harmony.net"
- name: OPENID_CLIENT_SECRET
  value: "<hidden>"
- name: OPENID_SCOPE
  value: "openid email"
```

front:

```yaml
- name: ENABLE_OPENID
  value: "true"
- name: PUBLIC_REGISTER_ENABLED
  value: "true"
- name: OPENID_URL
  value: "https://<urltokeycloak>/auth/realms/<realm>/protocol/openid-connect/auth"
- name: OPENID_CLIENT_ID
  value: "taiga.k-dev.harmony.net"
- name: OPENID_NAME
  value: "keycloak"
- name: OPENID_SCOPE
  value: "openid email"
```
I believe the default for PUBLIC_REGISTER_ENABLED has changed with the latest release, so we must explicitly enable it before things will work. Also, there is an issue with being able to validate the certificate of the Keycloak server; you'll need to add the necessary CA certificate chain to taiga-back by getting the CA chain in PEM/DER format and appending it like so:

```sh
cat /tmp/ca/cacert.pem >> /opt/venv/lib/python3.7/site-packages/certifi/cacert.pem
```
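Two checks a practitioner would want around the setup above, as an added example (not code from Taiga or taiga-contrib-openid-auth): an idempotent version of the `cat >>` step, so re-running a deploy does not keep stacking copies of the chain into the certifi bundle, and a cross-check that the back and front variables agree. Helper names are hypothetical and the hostnames in the test are constructed.

```python
import re
from pathlib import Path
from urllib.parse import urlparse

# Added example; not code from taiga or taiga-contrib-openid-auth. The helper
# names are hypothetical and the sample values in the usage are constructed.
_PEM = re.compile(r"-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----", re.S)

def append_ca_chain(chain_pem: str, bundle_path: Path) -> int:
    """Add every certificate in chain_pem (PEM text) to the certifi bundle
    unless it is already there. Plain `cat >> cacert.pem` appends another copy
    each time it is run; this stays idempotent. Returns the number added."""
    blocks = [b.strip() for b in _PEM.findall(chain_pem)]
    if not blocks:
        raise ValueError("no PEM certificate block found in chain")
    existing = bundle_path.read_text() if bundle_path.exists() else ""
    present = {b.strip() for b in _PEM.findall(existing)}
    new = [b for b in blocks if b not in present]
    if new:
        with bundle_path.open("a") as f:
            f.write("\n" + "\n".join(new) + "\n")
    return len(new)

def check_openid_env(back: dict, front: dict) -> list:
    """Cross-check the taiga-back and taiga-front OpenID variables for the
    mismatches that silently break the login round trip. Returns a list of
    problems; an empty list means the two sides agree."""
    problems = []
    for side, env in (("back", back), ("front", front)):
        for flag in ("ENABLE_OPENID", "PUBLIC_REGISTER_ENABLED"):
            if env.get(flag, "").lower() != "true":   # "True" and "true" both pass
                problems.append(f"{side}: {flag} is not enabled")
    for key in ("OPENID_CLIENT_ID", "OPENID_SCOPE"):
        if back.get(key) != front.get(key):
            problems.append(f"{key} differs between back and front")
    if "openid" not in back.get("OPENID_SCOPE", "").split():
        problems.append("back: OPENID_SCOPE must include 'openid'")
    hosts = set()
    for url in (back.get("OPENID_USER_URL"), back.get("OPENID_TOKEN_URL"),
                front.get("OPENID_URL")):
        parts = urlparse(url or "")
        if parts.scheme != "https" or not parts.netloc:
            problems.append(f"not an https URL: {url!r}")
        hosts.add(parts.netloc)
    if len(hosts) > 1:   # one Keycloak realm serves auth, token and userinfo
        problems.append(f"endpoints on different hosts: {sorted(hosts)}")
    return problems
```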
I have taiga6 redirecting to keycloak, allowing me to login, and redirecting back to taiga6.
At that point I see "invalid login type" and am presented with the taiga6 login prompt again.
I suspect this may be due to the client I created in Keycloak and am using in taiga6. Could you show the steps of creating a client in Keycloak for the purpose of use with taiga6, which I can duplicate? There must be an option required that I need to turn on or something ... not sure what that would be, as I'm not seeing any error output.
URL is similar to:
This is the method I used to install/configure: https://github.com/robrotheram/taiga-contrib-openid-auth/issues/26