robrotheram / taiga-contrib-openid-auth

Taiga plugin for openid authentication

invalid login type #27

Closed karezza closed 3 years ago

karezza commented 3 years ago

I have taiga6 redirecting to keycloak, allowing me to login, and redirecting back to taiga6.

At that point I see "invalid login type" and am presented with the taiga6 login prompt again.

I suspect this may be due to the client I created in keycloak and am using in taiga6. Could you show the steps of creating a client in keycloak for the purpose of use with taiga6 which I can duplicate? There must be an option required that I need to turn on or something ... not sure what that would be as I'm not seeing any error output.

URL is similar to:

GET /login?session_state=dd9467a4-149c-4a6e-8d7b-87d7fcdfa035&code=dd9467a4-149c-4a6e-8d7b-87d7fcdfa035.dd9467a4-149c-4a6e-8d7b-87d7fcdfa035.dd9467a4-149c-4a6e-8d7b-87d7fcdfa035

This is the method I used to install/configure: https://github.com/robrotheram/taiga-contrib-openid-auth/issues/26

robrotheram commented 3 years ago

Hi, sorry for the late reply. I think it's an almost default setup, but I have attached screenshots of my setup.

Screenshot 2021-07-03 at 20-54-07 Keycloak Admin Console

Screenshot 2021-07-03 at 20-55-57 Keycloak Admin Console

Screenshot 2021-07-03 at 20-58-11 Keycloak Admin Console

karezza commented 3 years ago

Thank you so much! This got me unstuck and I think I'm just about there.

michzimny commented 2 years ago

@karezza, could you please share what exactly solved your issue?

lknite commented 2 years ago

Time has passed since this ticket. I can't remember what fixed it back then; I think just reviewing the manual steps and ensuring they were implemented perfectly fixed it, along with setting up keycloak like above.

Since then though, just last week, I reinstalled taiga and I was unable to get the manual steps of the taiga-contrib-openid-auth to work ... what eventually worked was asking for updated images which the maintainer produced. Then, using those images along with the right environment variables I was able to get a working setup. My environment variables were like so:

back

        - name: ENABLE_OPENID
          value: "True"
        - name: PUBLIC_REGISTER_ENABLED
          value: "True"
        - name: OPENID_USER_URL
          value: "https://<urltokeycloak>/auth/realms/<realm>/protocol/openid-connect/userinfo"
        - name: OPENID_TOKEN_URL
          value: "https://<urltokeycloak>/auth/realms/<realm>/protocol/openid-connect/token"
        - name: OPENID_CLIENT_ID
          value: "taiga.k-dev.harmony.net"
        - name: OPENID_CLIENT_SECRET
          value: "<hidden>"
        - name: OPENID_SCOPE
          value: "openid email"

front

        - name: ENABLE_OPENID
          value: "true"
        - name: PUBLIC_REGISTER_ENABLED
          value: "true"
        - name: OPENID_URL
          value: "https://<urltokeycloak>/auth/realms/<realm>/protocol/openid-connect/auth"
        - name: OPENID_CLIENT_ID
          value: "taiga.k-dev.harmony.net"
        - name: OPENID_NAME
          value: "keycloak"
        - name: OPENID_SCOPE
          value: "openid email"

I believe the default for PUBLIC_REGISTER_ENABLED has changed with the latest release, so we must explicitly enable it before things will work. Also, there is an issue with being able to validate the certificate of the keycloak server; you'll need to add the necessary CA certificate chain to taiga-back by getting the CA chain in PEM/DER format and appending it like so:

cat /tmp/ca/cacert.pem >> /opt/venv/lib/python3.7/site-packages/certifi/cacert.pem
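A small pre-flight check for the back/front variable set quoted above, added here as an illustration and not part of the plugin or of any commenter's setup. It compares the two sides the way a debugging session would (same client id, `openid` in both scopes, all three endpoints on the same https Keycloak realm, both feature flags enabled) and includes an idempotent version of the `cat ... >> cacert.pem` step that keeps TLS verification on by extending the certifi bundle rather than disabling it; the hostname, realm and secret values are constructed placeholders.

```python
"""Sanity-check a Taiga back/front OpenID env-var set before trying a login."""
from urllib.parse import urlparse

# Constructed sample values mirroring the env vars quoted in the thread; the
# keycloak host, realm, client id and secret are placeholders, not real ones.
BACK_ENV = {
    "ENABLE_OPENID": "True",
    "PUBLIC_REGISTER_ENABLED": "True",
    "OPENID_USER_URL": "https://keycloak.example/auth/realms/demo/protocol/openid-connect/userinfo",
    "OPENID_TOKEN_URL": "https://keycloak.example/auth/realms/demo/protocol/openid-connect/token",
    "OPENID_CLIENT_ID": "taiga.example",
    "OPENID_CLIENT_SECRET": "placeholder-secret",
    "OPENID_SCOPE": "openid email",
}
FRONT_ENV = {
    "ENABLE_OPENID": "true",
    "PUBLIC_REGISTER_ENABLED": "true",
    "OPENID_URL": "https://keycloak.example/auth/realms/demo/protocol/openid-connect/auth",
    "OPENID_CLIENT_ID": "taiga.example",
    "OPENID_NAME": "keycloak",
    "OPENID_SCOPE": "openid email",
}

OIDC_SUFFIX = "/protocol/openid-connect/"


def is_true(value):
    """Accept the 'True'/'true' spellings used by back and front respectively."""
    return (value or "").strip().lower() in ("true", "1", "yes")


def realm_base(url):
    """Return scheme://host/.../realms/<realm> for a Keycloak endpoint, or None
    if the URL is not https or not an openid-connect endpoint."""
    p = urlparse(url)
    if p.scheme != "https" or OIDC_SUFFIX not in p.path:
        return None
    return f"{p.scheme}://{p.netloc}{p.path.split(OIDC_SUFFIX)[0]}"


def check_openid_env(back, front):
    """Return a list of findings; an empty list means the two sides agree."""
    findings = []
    for side, env in (("back", back), ("front", front)):
        if not is_true(env.get("ENABLE_OPENID")):
            findings.append(f"{side}: ENABLE_OPENID is not enabled")
        if not is_true(env.get("PUBLIC_REGISTER_ENABLED")):
            findings.append(f"{side}: PUBLIC_REGISTER_ENABLED is not enabled "
                            "(first-login user creation will fail)")
        if "openid" not in (env.get("OPENID_SCOPE") or "").split():
            findings.append(f"{side}: OPENID_SCOPE must include 'openid'")
    if back.get("OPENID_CLIENT_ID") != front.get("OPENID_CLIENT_ID"):
        findings.append("OPENID_CLIENT_ID differs between back and front")
    if not back.get("OPENID_CLIENT_SECRET"):
        findings.append("back: OPENID_CLIENT_SECRET is empty")
    bases = {
        "back OPENID_USER_URL": realm_base(back.get("OPENID_USER_URL", "")),
        "back OPENID_TOKEN_URL": realm_base(back.get("OPENID_TOKEN_URL", "")),
        "front OPENID_URL": realm_base(front.get("OPENID_URL", "")),
    }
    for name, base in bases.items():
        if base is None:
            findings.append(f"{name} is not an https Keycloak openid-connect endpoint")
    if len({b for b in bases.values() if b}) > 1:
        findings.append("back and front endpoints point at different Keycloak hosts or realms")
    return findings


def merge_pem(bundle, chain):
    """Return `bundle` with `chain` appended exactly once. Unlike `cat >>`, a
    second run is a no-op, and a non-PEM (e.g. DER) chain is rejected because
    certifi's cacert.pem is PEM text."""
    chain = chain.strip()
    if b"-----BEGIN CERTIFICATE-----" not in chain:
        raise ValueError("CA chain must be PEM text (convert DER first)")
    if chain in bundle:
        return bundle
    return bundle.rstrip(b"\n") + b"\n" + chain + b"\n"


def append_ca_chain(chain_pem_path, bundle_path):
    """File-based wrapper around merge_pem; returns True if the bundle changed."""
    with open(chain_pem_path, "rb") as f:
        chain = f.read()
    with open(bundle_path, "rb") as f:
        old = f.read()
    new = merge_pem(old, chain)
    if new == old:
        return False
    with open(bundle_path, "wb") as f:
        f.write(new)
    return True


if __name__ == "__main__":
    for line in check_openid_env(BACK_ENV, FRONT_ENV) or ["no findings"]:
        print(line)
```

Run it with the real values substituted into `BACK_ENV` and `FRONT_ENV` before pointing the browser at the login page; `append_ca_chain("/tmp/ca/cacert.pem", "/opt/venv/lib/python3.7/site-packages/certifi/cacert.pem")` is the repeatable equivalent of the `cat >>` line above.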