From 1a89213c8089b2ce1f2df10d2e579d6e3618038f Mon Sep 17 00:00:00 2001
From: philipp
Date: Sat, 16 Sep 2023 23:29:04 +0200
Subject: [PATCH] migrate from keycloak to oidc provider

Django AllAuth dropped keycloak in recent release: https://django-allauth.readthedocs.io/en/latest/socialaccount/providers/keycloak.html
---
 README.md | 9 ++++++---
 compose.yml | 19 +++++++++----------
 sample.env | 9 ++++-----
 3 files changed, 19 insertions(+), 18 deletions(-)

diff --git a/README.md b/README.md
index a9f3ffd..7b98dfd 100644
--- a/README.md
+++ b/README.md
@@ -30,15 +30,18 @@ This can be required because Docker does not like ZFS and might have issues to s
 ### SSO
-The following is an example on configuring SSO using OIDC and Keycloak as IdP. See the [InvenTree SSO docs](https://docs.inventree.org/en/latest/settings/SSO) for more details.
+The following is an example on configuring SSO using OIDC and Keycloak as IdP. See the [InvenTree SSO docs](https://docs.inventree.org/en/latest/settings/SSO) as well as the [AllAuth social providers](https://django-allauth.readthedocs.io/en/latest/socialaccount/providers/index.html) for more details. Note that Keycloak is not a valid provider anymore any OIDC [should be used](https://django-allauth.readthedocs.io/en/latest/socialaccount/providers/keycloak.html).
 #### Keycloak
 1. Create a new client (Type: OpenID Connect)
 2. Enable Client authentication, Authorization, Standard flow. Disable everything else (explicitly Direct access grant)
-3. Set home URL to `https://` and Redirect URL to `https:///accounts/keycloak/login/callback/`.
+3. Set home URL to `https://` and Redirect URL to `https:///accounts/oidc/login/callback/`.
 #### Inventree
-Login as InvenTree admin user. Under `Settings > Login Settings` make sure to `Enable SSO`.
+Login as InvenTree admin user and open the admin interface.
+1. In the Admin interface, add a new group named "default" and click on "Save and edit". Disallow reading the admin settings and allow all other permissions you want a default user to have.
+2. In the `Social Accounts` block, add a new Social Application. The provider must be oidc, the name and client id can be arbitrary value. The available default site must be added.
+3. Go back to the application. Under `Settings > Login Settings` make sure to `Enable SSO` and `Enable SSO registration`. Also, set `Group on signup` to your default group.
diff --git a/compose.yml b/compose.yml
index 6d6dd69..dc7908c 100644
--- a/compose.yml
+++ b/compose.yml
@@ -82,17 +82,16 @@ services:
 environment:
 INVENTREE_SOCIAL_PROVIDERS: |
 {
- "keycloak": {
- "SERVERS": [
- {
- "KEYCLOAK_URL": "${HKNG_KEYCLOAK_URL:?You must provide the 'HKNG_KEYCLOAK_URL' variable in the .env file}",
- "KEYCLOAK_REALM": "${HKNG_KEYCLOAK_REALM:?You must provide the 'HKNG_KEYCLOAK_REALM' variable in the .env file}",
- "APP": {
- "client_id": "${HKNG_KEYCLOAK_CLIENT_ID:?You must provide the 'HKNG_KEYCLOAK_CLIENT_ID' variable in the .env file}",
- "secret": "${HKNG_KEYCLOAK_CLIENT_SECRET:?You must provide the 'HKNG_KEYCLOAK_CLIENT_SECRET' variable in the .env file}"
- }
+ "openid_connect": {
+ "SERVERS": [{
+ "id": "oidc",
+ "name": "Hacknang SSO",
+ "server_url": "${HKNG_OIDC_URL:?You must provide the 'HKNG_OIDC_URL' variable in the .env file}",
+ "APP": {
+ "client_id": "${HKNG_OIDC_CLIENT_ID:?You must provide the 'HKNG_OIDC_CLIENT_ID' variable in the .env file}",
+ "secret": "${HKNG_OIDC_CLIENT_SECRET:?You must provide the 'HKNG_OIDC_CLIENT_SECRET' variable in the .env file}"
 }
- ]
+ }]
 }
 }
 depends_on:
diff --git a/sample.env b/sample.env
index f1bae5d..b22915b 100644
--- a/sample.env
+++ b/sample.env
@@ -60,9 +60,8 @@ INVENTREE_SECRET_KEY=some-secret-key
 ALLOWED_HOSTS=inventree.example.com,www.inventree.example.com
 # SSO Config
-INVENTREE_SOCIAL_BACKENDS=allauth.socialaccount.providers.keycloak
+INVENTREE_SOCIAL_BACKENDS=allauth.socialaccount.providers.openid_connect
-HKNG_KEYCLOAK_URL=https://keycloak.example.com
-HKNG_KEYCLOAK_REALM=master
-HKNG_KEYCLOAK_CLIENT_ID=example-client
-HKNG_KEYCLOAK_CLIENT_SECRET=example-secret
+HKNG_OIDC_URL=https://keycloak.example.com/realms/master/.well-known/openid-configuration
+HKNG_OIDC_CLIENT_ID=example-client
+HKNG_OIDC_SECRET=example-secret
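Review bot: The new `"id": "oidc"` server entry is not just a label — in the allauth openid_connect provider the server id is, as far as I recall, part of the callback route (`/accounts/oidc/<id>/login/callback/`), so the redirect URI this configuration actually produces would be `/accounts/oidc/oidc/login/callback/`, not the `/accounts/oidc/login/callback/` the README in this same commit tells Keycloak operators to register; please verify against the installed allauth version and align one of the two, since a redirect-URI mismatch will fail at the IdP. The id is also the only thing tying the compose config to the IdP client registration, so it deserves a YAML comment placed above `INVENTREE_SOCIAL_PROVIDERS: |` (a comment inside the literal block would land in the JSON and break parsing), e.g. `# "id" below is part of the allauth callback URL registered at the IdP: /accounts/oidc/<id>/login/callback/`. The enclosing `services:` mapping starts and ends outside the hunk.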
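Review bot: `HKNG_OIDC_SECRET=example-secret` does not match the variable name compose.yml reads for the client secret, `${HKNG_OIDC_CLIENT_SECRET:?...}`, so an `.env` copied from this sample makes compose abort with the "You must provide the 'HKNG_OIDC_CLIENT_SECRET' variable" error, and if a stale `HKNG_OIDC_CLIENT_SECRET` happens to exist in the process environment it would presumably be picked up instead of the value operators think they configured. Rename the sample line to `HKNG_OIDC_CLIENT_SECRET=example-secret`, matching the `_CLIENT_ID` naming on the line above and the compose reference. Since this line is the template for a real client secret, a short comment such as `# Copy this file to .env (never committed) and replace example-secret with the client secret issued by the IdP` above the `HKNG_OIDC_*` lines would also help.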