ERPNext and single sign on (SSO)

Hi everyone!

Does anyone already have experience in linking ErpNext and any SSO?
If yes could you please guide me a bit which way to look?

It’s quite strange and funny, but I couldn’t find any relevant and up-to-date info on this topic.

I saw several messages with different ideas like: create separate python-app for SSO or using Keycloak and try to connect to ErpNext but no any detailed and confirmed info.

Do we have in ErpNext any SSO options out-of-box?

If no then could you please recommend me how I can do it by myself?
Or do we have plan to add such functionality?

I have found several links for ErpNext integrations like

and several topic on this forum

but nothing specific and worth.

hi there!
I found out that looks like it’s possible to link Keycloack and Erpnext via Custom Social Login.
And I tried to connect them together.

But I faced a strange problem and got an error.
I tried it quite a few times with different settings but every time I faced similar error.


Traceback (most recent call last):
  File "apps/frappe/frappe/website/", line 18, in get_response
    response = renderer_instance.render()
  File "apps/frappe/frappe/website/page_renderers/", line 84, in render
    html = self.get_html()
  File "apps/frappe/frappe/website/", line 510, in cache_html_decorator
    html = func(*args, **kwargs)
  File "apps/frappe/frappe/website/page_renderers/", line 95, in get_html
  File "apps/frappe/frappe/website/page_renderers/", line 163, in update_context
    data = self.run_pymodule_method("get_context")
  File "apps/frappe/frappe/website/page_renderers/", line 225, in run_pymodule_method
    return method(self.context)
  File "apps/frappe/frappe/www/", line 82, in get_context
    "auth_url": get_oauth2_authorize_url(, redirect_to),
  File "apps/frappe/frappe/utils/", line 63, in get_oauth2_authorize_url
    flow = get_oauth2_flow(provider)
  File "apps/frappe/frappe/utils/", line 91, in get_oauth2_flow
    oauth2_providers = get_oauth2_providers()
  File "apps/frappe/frappe/utils/", line 42, in get_oauth2_providers
    out[]["auth_url_data"] = json.loads(provider.auth_url_data)
  File "/usr/local/lib/python3.10/json/", line 346, in loads
    return _default_decoder.decode(s)
  File "/usr/local/lib/python3.10/json/", line 337, in decode
    obj, end = self.raw_decode(s, idx=_w(s, 0).end())
  File "/usr/local/lib/python3.10/json/", line 355, in raw_decode
    raise JSONDecodeError("Expecting value", s, err.value) from None
json.decoder.JSONDecodeError: Expecting value: line 1 column 1 (char 0)

Here my social login settings:

Maybe someone has ideas how I can deal with it?

I found different links but didn’t find an answer:

PS: I already have experience in linking NextCloud and Keycloak and I thought that it should be similar but I couldn’t.

1 Like

Looks like I have found a root of problem.

In my ANOTHER social login provider were errors in Auth URL Data and python couldn’t parse it.

now I could login via keycloak.

Everything if fine.

Topic can be closed


Hello there

I am getting this error after setting up KeyCloak server. I can see sessions getting created on my KeyCloak Server

Hello there,
Can you help me with the KeyCloak settings in it?
What is exactly “opened email profile” in scope setting in Auth URL data?

Those key/value pair will be added as query params in oauth2 authorization request.

e.g. /authorize?scope=openid%20email%20profile&response_type=code

Thanks for this.

I have configured KeyCloak and ERPNext as in the documentations and here in forums, but I am getting Session Expired Error in ERPnext.(Status 401)

Any help on it please?

I did it quite long ago, but if I am not mistaken then settings on my screen are correct and you need
just set similar ones but with Links from your keycloak system.
Also you should set up keycloak properly

Usually status 401 means like:

401 Unauthorized response status code indicates that the client request has not been completed because it lacks valid authentication credentials for the requested resource .

It shows that looks like some credentials are incorrect.
Did you try to connect keycloak to any other app? (not ERPNext)
Do you have experience in it? (or just first time?)

Also did you check logs in Erpnext? Usually you can find what’s wrong from them.

Hello @zamis
This is my first time in ERPnext and first time in configuring KeyCloak Server.

raceback (most recent call last):
19:29:20 web.1         |   File "apps/frappe/frappe/", line 110, in application
19:29:20 web.1         |     response = frappe.api.handle(request)
19:29:20 web.1         |   File "apps/frappe/frappe/api/", line 49, in handle
19:29:20 web.1         |     data = endpoint(**arguments)
19:29:20 web.1         |   File "apps/frappe/frappe/api/", line 36, in handle_rpc_call
19:29:20 web.1         |     return frappe.handler.handle()
19:29:20 web.1         |   File "apps/frappe/frappe/", line 49, in handle
19:29:20 web.1         |     data = execute_cmd(cmd)
19:29:20 web.1         |   File "apps/frappe/frappe/", line 85, in execute_cmd
19:29:20 web.1         |     return, **frappe.form_dict)
19:29:20 web.1         |   File "apps/frappe/frappe/", line 1689, in call
19:29:20 web.1         |     return fn(*args, **newargs)
19:29:20 web.1         |   File "apps/frappe/frappe/utils/", line 31, in wrapper
19:29:20 web.1         |     return func(*args, **kwargs)
19:29:20 web.1         |   File "apps/frappe/frappe/integrations/", line 43, in login_via_fairlogin
19:29:20 web.1         |     login_via_oauth2("fairlogin", code, state, decoder=decoder_compat)
19:29:20 web.1         |   File "apps/frappe/frappe/utils/", line 114, in login_via_oauth2
19:29:20 web.1         |     info = get_info_via_oauth(provider, code, decoder)
19:29:20 web.1         |   File "apps/frappe/frappe/utils/", line 131, in get_info_via_oauth
19:29:20 web.1         |     flow = get_oauth2_flow(provider)
19:29:20 web.1         |   File "apps/frappe/frappe/utils/", line 88, in get_oauth2_flow
19:29:20 web.1         |     params = get_oauth_keys(provider)
19:29:20 web.1         |   File "apps/frappe/frappe/utils/", line 57, in get_oauth_keys
19:29:20 web.1         |     "client_secret": get_decrypted_password("Social Login Key", provider, "client_secret"),
19:29:20 web.1         |   File "apps/frappe/frappe/utils/", line 41, in get_decrypted_password
19:29:20 web.1         |     frappe.throw(
19:29:20 web.1         |   File "apps/frappe/frappe/", line 577, in throw
19:29:20 web.1         |     msgprint(
19:29:20 web.1         |   File "apps/frappe/frappe/", line 549, in msgprint
19:29:20 web.1         |     _raise_exception()
19:29:20 web.1         |   File "apps/frappe/frappe/", line 500, in _raise_exception
19:29:20 web.1         |     raise exc
19:29:20 web.1         | frappe.exceptions.AuthenticationError: Password not found for Social Login Key fairlogin client_secret
19:29:20 web.1         | 
19:29:20 web.1         | - - [04/Dec/2023 19:29:20] "GET /api/method/frappe.integrations.oauth2_logins.login_via_fairlogin?state=eyJzaXRlIjogImh0dHA6Ly9lcnAubG9jYWw6ODAwMSIsICJ0b2tlbiI6ICI3MDQ3M2I3OTM0YjQwMGI1YzdkODk0NmUyMjY2NTMzZTg1YTVkOThlODNjYzcxOTM5YjRmYmI4NyIsICJyZWRpcmVjdF90byI6IG51bGx9&session_state=41cdc34a-6647-43e5-98ab-79d95e52550a&iss=http://localhost:8080/realms/test&code=e4b67a1f-a044-4e13-b681-0543baf64056.41cdc34a-6647-43e5-98ab-79d95e52550a.fa89d494-8d14-4e54-85a2-ecdd3aed8ac0 HTTP/1.1" 401 -

This is the error I am getting. I don’t know what does it mean by Password Not Found For Social Login Key.

what instructions did you use for keycloak?
looks like this error comes from wrong keycloak settings.
or you just put wrong links in erpnext settings

Hi @Abhiraj_Tulsyan , Did you solve this issue ?
session expires after connecting to keycloak
I’m currently facing exact situation,
Any fix?

No I was not able to solve it.
Do let me know if you are able to solve it.