search

robrotheram / taiga-contrib-openid-auth

Taiga plugin for openid authentication
45 stars 25 forks source link

keycloak OIDC, works but with problems. #53

Open Khyretos opened 2 months ago

Khyretos commented 2 months ago

I have been able to make it work partially.

my registered users can authenticate BUT they first i redirected back to the log in page showing the error "Oops, something went wrong... Our Oompa Loompas have not been able to get your credentials from OpenID" and if i click the login button again i can log in.

i also get an error when a user logs in a mail is send to example@example.com and i so not have it specified anywhere in my compose or env file.

here a gif of what happens: error

this is my .env file

# Taiga's URLs - Variables to define where Taiga should be served
TAIGA_SCHEME=https # serve Taiga using "http" or "https" (secured) connection
TAIGA_DOMAIN=projects.kreative-kompas.com  # Taiga's base URL
SUBPATH="" # it'll be appended to the TAIGA_DOMAIN (use either "" or a "/subpath")
WEBSOCKETS_SCHEME=wss  # events connection protocol (use either "ws" or "wss")

# Taiga's Secret Key - Variable to provide cryptographic signing
SECRET_KEY=<SECRET_KEY>  # Please, change it to an unpredictable value!!

# Taiga's Database settings - Variables to create the Taiga database and connect to it
POSTGRES_USER=taiga  # user to connect to PostgreSQL
POSTGRES_PASSWORD=<POSTGRES_PASSWORD>  # database user's password

# Taiga's SMTP settings - Variables to send Taiga's emails to the users
EMAIL_BACKEND=smtp # use an SMTP server or display the emails in the console (either "smtp" or "console")
EMAIL_HOST=smtp.gmail.com  # SMTP server address
EMAIL_PORT=587  # default SMTP port
EMAIL_HOST_USER=kreativekompas@gmail.com  # user to connect the SMTP server
EMAIL_HOST_PASSWORD=<EMAIL_HOST_PASSWORD> # SMTP user's password
EMAIL_DEFAULT_FROM=kreativekompas@gmail.com  # default email address for the automated emails
# EMAIL_USE_TLS/EMAIL_USE_SSL are mutually exclusive (only set one of those to True)
EMAIL_USE_TLS=True  # use TLS (secure) connection with the SMTP server
EMAIL_USE_SSL=False  # use implicit TLS (secure) connection with the SMTP server

# Taiga's RabbitMQ settings - Variables to leave messages for the realtime and asynchronous events
RABBITMQ_USER=kreativekompas  # user to connect to RabbitMQ
RABBITMQ_PASS=<RABBITMQ_PASS>  # RabbitMQ user's password
RABBITMQ_VHOST=taiga  # RabbitMQ container name
RABBITMQ_ERLANG_COOKIE=<RABBITMQ_ERLANG_COOKIE> # unique value shared by any connected instance of RabbitMQ

# Taiga's Attachments - Variable to define how long the attachments will be accesible
ATTACHMENTS_MAX_AGE=360  # token expiration date (in seconds)

# Taiga's Telemetry - Variable to enable or disable the anonymous telemetry
ENABLE_TELEMETRY=True

this is my docker-compose.yml file:

x-environment:
  &default-back-environment
  # These environment variables will be used by taiga-back and taiga-async.
  # Database settings
  POSTGRES_DB: "taiga"
  POSTGRES_USER: "${POSTGRES_USER}"
  POSTGRES_PASSWORD: "${POSTGRES_PASSWORD}"
  POSTGRES_HOST: "taiga-db"
  # Taiga settings
  TAIGA_SECRET_KEY: "${SECRET_KEY}"
  TAIGA_SITES_SCHEME: "${TAIGA_SCHEME}"
  TAIGA_SITES_DOMAIN: "${TAIGA_DOMAIN}"
  TAIGA_SUBPATH: ""
  # Email settings.
  EMAIL_BACKEND: "django.core.mail.backends.${EMAIL_BACKEND}.EmailBackend"
  DEFAULT_FROM_EMAIL: "${EMAIL_DEFAULT_FROM}"
  EMAIL_USE_TLS: "${EMAIL_USE_TLS}"
  EMAIL_USE_SSL: "${EMAIL_USE_SSL}"
  EMAIL_HOST: "${EMAIL_HOST}"
  EMAIL_PORT: "${EMAIL_PORT}"
  EMAIL_HOST_USER: "${EMAIL_HOST_USER}"
  EMAIL_HOST_PASSWORD: "${EMAIL_HOST_PASSWORD}"
  # Rabbitmq settings
  RABBITMQ_USER: "${RABBITMQ_USER}"
  RABBITMQ_PASS: "${RABBITMQ_PASS}"
  # Telemetry settings
  ENABLE_TELEMETRY: "${ENABLE_TELEMETRY}"
  # ...your customizations go here
  CELERY_BROKER_URL: "amqp://taiga:taiga@taiga-async-rabbitmq:5672/taiga"
  EVENTS_PUSH_BACKEND: "taiga.events.backends.rabbitmq.EventsPushBackend"
  EVENTS_PUSH_BACKEND_URL: "amqp://taiga:taiga@taiga-events-rabbitmq:5672/taiga"

  # Enable OpenID to allow to register users if they do not exist. Set to false to disable all signups
  PUBLIC_REGISTER_ENABLED: "True"

  # OpenID settings
  ENABLE_OPENID: "True"
  OPENID_USER_URL : "https://keycloak.kreative-kompas.com/realms/kreative-kompas/protocol/openid-connect/userinfo"
  OPENID_TOKEN_URL : "https://keycloak.kreative-kompas.com/realms/kreative-kompas/protocol/openid-connect/token"
  OPENID_CLIENT_ID : "taiga"
  OPENID_CLIENT_SECRET : "<OPENID_CLIENT_SECRET >"
  OPENID_SCOPE: "openid email"
  OPENID_ID_FIELD: "username"
  OPENID_USERNAME_FIELD: "username"
  OPENID_FULLNAME_FIELD: "first_name"

x-volumes:
  &default-back-volumes
  # These volumens will be used by taiga-back and taiga-async.
  - ./taiga-static-data:/taiga-back/static
  - ./taiga-media-data:/taiga-back/media
  #- ./config.py:/taiga-back/settings/config.py

services:
  taiga-db:
    image: postgres:12.3
    environment:
      POSTGRES_DB: "taiga"
      POSTGRES_USER: "${POSTGRES_USER}"
      POSTGRES_PASSWORD: "${POSTGRES_PASSWORD}"
    healthcheck:
      test: ["CMD-SHELL", "pg_isready -U ${POSTGRES_USER}"]
      interval: 2s
      timeout: 15s
      retries: 5
      start_period: 3s
    volumes:
      - ./taiga-db-data:/var/lib/postgresql/data
    networks:
      - taiga
      - outside

  taiga-back:
    image: robrotheram/taiga-back-openid
    #image: taigaio/taiga-back:latest
    environment: *default-back-environment
    volumes: *default-back-volumes
    networks:
      - taiga
    depends_on:
      taiga-db:
        condition: service_healthy
      taiga-events-rabbitmq:
        condition: service_started
      taiga-async-rabbitmq:
        condition: service_started

  taiga-async:
    image: taigaio/taiga-back:latest
    entrypoint: ["/taiga-back/docker/async_entrypoint.sh"]
    environment: *default-back-environment
    volumes: *default-back-volumes
    networks:
      - taiga
      - outside
    depends_on:
      taiga-db:
        condition: service_healthy
      taiga-events-rabbitmq:
        condition: service_started
      taiga-async-rabbitmq:
        condition: service_started

  taiga-async-rabbitmq:
    image: rabbitmq:3.8-management-alpine
    environment:
      RABBITMQ_ERLANG_COOKIE: "${RABBITMQ_ERLANG_COOKIE}"
      RABBITMQ_DEFAULT_USER: "${RABBITMQ_USER}"
      RABBITMQ_DEFAULT_PASS: "${RABBITMQ_PASS}"
      RABBITMQ_DEFAULT_VHOST: "${RABBITMQ_VHOST}"
    hostname: "taiga-async-rabbitmq"
    volumes:
      - ./taiga-async-rabbitmq-data:/var/lib/rabbitmq
    networks:
      - taiga
      - outside

  taiga-front:
    image: robrotheram/taiga-front-openid
    #image: taigaio/taiga-front:latest
    environment:
      TAIGA_URL: "${TAIGA_SCHEME}://${TAIGA_DOMAIN}"
      TAIGA_WEBSOCKETS_URL: "${WEBSOCKETS_SCHEME}://${TAIGA_DOMAIN}"
      TAIGA_SUBPATH: "${SUBPATH}"
      ENABLE_OPENID: "true"
      OPENID_URL : "https://keycloak.kreative-kompas.com/realms/kreative-kompas/protocol/openid-connect/auth"
      OPENID_CLIENT_ID : "taiga"
      OPENID_NAME: "Kreative Kompas"
      # ...your customizations go here
      PUBLIC_REGISTER_ENABLED: "true"
    networks:
      - taiga
      - outside

  taiga-events:
    image: taigaio/taiga-events:latest
    environment:
      RABBITMQ_USER: "${RABBITMQ_USER}"
      RABBITMQ_PASS: "${RABBITMQ_PASS}"
      TAIGA_SECRET_KEY: "${SECRET_KEY}"
    networks:
      - taiga
      - outside
    depends_on:
      taiga-events-rabbitmq:
        condition: service_started

  taiga-events-rabbitmq:
    image: rabbitmq:3.8-management-alpine
    environment:
      RABBITMQ_ERLANG_COOKIE: "${RABBITMQ_ERLANG_COOKIE}"
      RABBITMQ_DEFAULT_USER: "${RABBITMQ_USER}"
      RABBITMQ_DEFAULT_PASS: "${RABBITMQ_PASS}"
      RABBITMQ_DEFAULT_VHOST: "${RABBITMQ_VHOST}"
    hostname: "taiga-events-rabbitmq"
    volumes:
      - ./taiga-events-rabbitmq-data:/var/lib/rabbitmq
    networks:
      - taiga
      - outside

  taiga-protected:
    image: taigaio/taiga-protected:latest
    environment:
      MAX_AGE: "${ATTACHMENTS_MAX_AGE}"
      SECRET_KEY: "${SECRET_KEY}"
    networks:
      - taiga
      - outside

  taiga-gateway:
    image: nginx:1.19-alpine
    ports:
      - "9000:80"
    volumes:
      - ./taiga-gateway/taiga.conf:/etc/nginx/conf.d/default.conf
      - ./taiga-static-data:/taiga/static
      - ./taiga-media-data:/taiga/media
    networks:
      - taiga
      - outside
    depends_on:
      - taiga-front
      - taiga-back
      - taiga-events

volumes:
  taiga-static-data:
  taiga-media-data:
  taiga-db-data:
  taiga-async-rabbitmq-data:
  taiga-events-rabbitmq-data:

networks:
  taiga:
  outside:
    external: true
    name: nginx-reverse-proxy_default

i dont know what i am doing wrong. but my users can log in (after the error) and also get the mail (after the first mail that is send to example@example.com).

I am almost there. excuse my ignorance if i fail to see something simple, i'm still new to this. And thanks to the developer!