How to Override Frappe Login

Hi everyone,

I am working on integrating Keycloak with a Frappe application. The current setup supports Login with Keycloak via OAuth2 / SSO, but my requirement is a bit different:

  • I would like to override Frappe’s login flow so that when a user enters their Keycloak username and password directly into Frappe’s login form, Frappe will validate those credentials against Keycloak.
  • In other words, instead of redirecting to Keycloak’s login page, I want Frappe to authenticate via Keycloak’s REST API using the submitted username/password.
  • After authentication, if the user exists in tabUser, they should be logged in. Otherwise, I can handle user creation or return an error.

My questions:

  1. Is there a clean way in Frappe to override LoginManager.login() with a custom implementation?
  2. Does Frappe provide any hook or configuration option to specify a custom LoginManager class, so I don’t have to patch the core files?
  3. Has anyone implemented something similar (e.g., replacing the default username/password login with a Keycloak-based backend)?

I’d like to do this in a way that is upgrade-safe and follows Frappe’s best practices.

Any guidance, examples, or references would be greatly appreciated!

Thanks in advance.


@SKDragon18 what you’re describing is LDAP. You can set it from LDAP Settings.

Hello bahaou, thank you for your support. I’ve looked into the LDAP settings, and it seems that Keycloak doesn’t really function like an LDAP server. What I’d like to do is treat Keycloak as an IdP for centralized user management (where users can log in via social login or LDAP to AD within Keycloak). At the same time, I’m interested in exploring how customizable Frappe is when it comes to authentication methods like login.
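The credential check described in the opening post, sketched as an added example (not code from the thread or from Frappe): it validates a username/password against Keycloak's token endpoint using the OAuth2 password grant, which requires "Direct access grants" enabled on the client and does not cover browser-based steps such as social login or MFA. The function names, the `post` parameter and the Frappe glue in the trailing comment are assumptions for illustration; on older Keycloak versions the base URL must include the `/auth` prefix.

```python
import json
import urllib.error
import urllib.parse
import urllib.request


def http_post_form(url, form, bearer=None):
    """POST a form and return (status, parsed JSON body)."""
    req = urllib.request.Request(url, data=urllib.parse.urlencode(form).encode())
    if bearer:
        req.add_header("Authorization", "Bearer " + bearer)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as err:  # Keycloak answers 400/401 with JSON
        return err.code, json.loads(err.read() or b"{}")


def keycloak_verify(base, realm, client_id, client_secret, username, password,
                    post=http_post_form):
    """Return the verified Keycloak e-mail for valid credentials, else None."""
    if not base.startswith("https://"):
        raise ValueError("credentials must only be sent over TLS")
    realm_path = urllib.parse.quote(realm, safe="")
    oidc = f"{base.rstrip('/')}/realms/{realm_path}/protocol/openid-connect"
    status, body = post(oidc + "/token", {
        "grant_type": "password", "scope": "openid email",
        "client_id": client_id, "client_secret": client_secret,
        "username": username, "password": password,
    })
    if status != 200 or "access_token" not in body:
        return None  # invalid_grant, disabled account, pending required action
    # Ask Keycloak who the token belongs to instead of trusting the form input.
    status, info = post(oidc + "/userinfo", {}, bearer=body["access_token"])
    if status != 200 or not info.get("email_verified"):
        return None
    return info.get("email")


# Hypothetical Frappe glue (assumption, not run here), placed in a custom app's
# guest-whitelisted method so that no core file is patched:
#   email = keycloak_verify(base, realm, client_id, secret, usr, pwd)
#   if email and frappe.db.exists("User", email):
#       frappe.local.login_manager.login_as(email)
#   else:
#       frappe.throw("Invalid login", frappe.AuthenticationError)
```

Returning the same generic error for "bad password" and "no matching Frappe user" keeps the endpoint from revealing which accounts exist.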