infra/inventree
4
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

migrate from keycloak to oidc provider

Browse source 
Django AllAuth dropped keycloak in recent release:
https://django-allauth.readthedocs.io/en/latest/socialaccount/providers/keycloak.html
This commit is contained in:
philipp 2023-09-16 23:29:04 +02:00
parent ea308dd7b0
commit 1a89213c80
3 changed files with 19 additions and 18 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

9
README.md
View file

@ -30,15 +30,18 @@ This can be required because Docker does not like ZFS and might have issues to s
### SSO ### SSO
The following is an example on configuring SSO using OIDC and Keycloak as IdP. See the [InvenTree SSO docs](https://docs.inventree.org/en/latest/settings/SSO) for more details. The following is an example on configuring SSO using OIDC and Keycloak as IdP. See the [InvenTree SSO docs](https://docs.inventree.org/en/latest/settings/SSO) as well as the [AllAuth social providers](https://django-allauth.readthedocs.io/en/latest/socialaccount/providers/index.html) for more details. Note that Keycloak is not a valid provider anymore any OIDC [should be used](https://django-allauth.readthedocs.io/en/latest/socialaccount/providers/keycloak.html).
#### Keycloak #### Keycloak
1. Create a new client (Type: OpenID Connect) 1. Create a new client (Type: OpenID Connect)
2. Enable Client authentication, Authorization, Standard flow. Disable everything else (explicitly Direct access grant) 2. Enable Client authentication, Authorization, Standard flow. Disable everything else (explicitly Direct access grant)
3. Set home URL to `https://<inventree-hostname>` and Redirect URL to `https://<inventree-hostname>/accounts/keycloak/login/callback/`. 3. Set home URL to `https://<inventree-hostname>` and Redirect URL to `https://<inventree-hostname>/accounts/oidc/login/callback/`.
#### Inventree #### Inventree
Login as InvenTree admin user. Under `Settings > Login Settings` make sure to `Enable SSO`. Login as InvenTree admin user and open the admin interface.
1. In the Admin interface, add a new group named "default" and click on "Save and edit". Disallow reading the admin settings and allow all other permissions you want a default user to have.
2. In the `Social Accounts` block, add a new Social Application. The provider must be oidc, the name and client id can be arbitrary value. The available default site must be added.
3. Go back to the application. Under `Settings > Login Settings` make sure to `Enable SSO` and `Enable SSO registration`. Also, set `Group on signup` to your default group.

17
compose.yml
View file

@ -82,17 +82,16 @@ services:
environment: environment:
INVENTREE_SOCIAL_PROVIDERS: | INVENTREE_SOCIAL_PROVIDERS: |
{ {
"keycloak": { "openid_connect": {
"SERVERS": [ "SERVERS": [{
{ "id": "oidc",
"KEYCLOAK_URL": "${HKNG_KEYCLOAK_URL:?You must provide the 'HKNG_KEYCLOAK_URL' variable in the .env file}", "name": "Hacknang SSO",
"KEYCLOAK_REALM": "${HKNG_KEYCLOAK_REALM:?You must provide the 'HKNG_KEYCLOAK_REALM' variable in the .env file}", "server_url": "${HKNG_OIDC_URL:?You must provide the 'HKNG_OIDC_URL' variable in the .env file}",
"APP": { "APP": {
"client_id": "${HKNG_KEYCLOAK_CLIENT_ID:?You must provide the 'HKNG_KEYCLOAK_CLIENT_ID' variable in the .env file}", "client_id": "${HKNG_OIDC_CLIENT_ID:?You must provide the 'HKNG_OIDC_CLIENT_ID' variable in the .env file}",
"secret": "${HKNG_KEYCLOAK_CLIENT_SECRET:?You must provide the 'HKNG_KEYCLOAK_CLIENT_SECRET' variable in the .env file}" "secret": "${HKNG_OIDC_CLIENT_SECRET:?You must provide the 'HKNG_OIDC_CLIENT_SECRET' variable in the .env file}"
} }
} }]
]
} }
} }
depends_on: depends_on:

9
sample.env
View file

@ -60,9 +60,8 @@ INVENTREE_SECRET_KEY=some-secret-key
ALLOWED_HOSTS=inventree.example.com,www.inventree.example.com ALLOWED_HOSTS=inventree.example.com,www.inventree.example.com
# SSO Config # SSO Config
INVENTREE_SOCIAL_BACKENDS=allauth.socialaccount.providers.keycloak INVENTREE_SOCIAL_BACKENDS=allauth.socialaccount.providers.openid_connect
HKNG_KEYCLOAK_URL=https://keycloak.example.com HKNG_OIDC_URL=https://keycloak.example.com/realms/master/.well-known/openid-configuration
HKNG_KEYCLOAK_REALM=master HKNG_OIDC_CLIENT_ID=example-client
HKNG_KEYCLOAK_CLIENT_ID=example-client HKNG_OIDC_SECRET=example-secret
HKNG_KEYCLOAK_CLIENT_SECRET=example-secret