How to trigger true SSO login flow (Keycloak → ERPNext) instead of only social login?

Hi everyone,

I’ve successfully configured Keycloak as a social login provider in ERPNext. That part works — I can click “Login with Keycloak” on ERPNext’s login page, and it logs me in.

However, I need a true SSO redirect flow initiated externally, not from ERPNext’s login screen.

My Use Case

I have a central SSO dashboard. From there, when I click “Open ERPNext”, I want this flow:

  1. My dashboard redirects to an ERPNext SSO URL
  2. ERPNext internally redirects to Keycloak’s authorization endpoint
  3. Keycloak authenticates → returns code to ERPNext
  4. ERPNext exchanges the code for tokens → user is logged in

The Problem

  • I cannot find any dedicated ERPNext endpoint like:
/sso/login?provider=keycloak

that would initiate the OAuth2 / OIDC login redirect.

  • I do have the OIDC authorization URL from Keycloak, but I cannot directly call it, because ERPNext expects a dynamic state that it generates internally.
  • If I manually call Keycloak’s URL, the state and nonce are static; I don’t think that is the right way.

My Question

Is there an official endpoint in ERPNext to trigger OAuth2/OIDC login (with a specific provider) externally?

For example:

GET /api/method/frappe.integrations.oauth2.authorize?provider=keycloak

Or should I build a custom whitelisted method to proxy get_oauth2_authorize_url("keycloak")?

Looking for Suggestions

  • Am I misunderstanding how ERPNext SSO is supposed to be initiated?
  • Does ERPNext only support login from its own login form, or can we trigger authentication externally?

Any guidance or sample URLs would be greatly appreciated.

Thanks!


Check how the social login button link is generated.

Create a custom endpoint that generates the link and redirects to it.
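As an added example (not code from this thread or from Frappe itself), here is a stand-alone Python model of what that custom endpoint has to do: mint a fresh, single-use state and nonce for each attempt, build the Keycloak authorize URL, and reject callbacks whose state is unknown or replayed. The Keycloak URL, client id, callback route and the in-memory `pending` store are assumptions standing in for the real Social Login Key configuration and server-side session storage.

```python
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed, hypothetical values (not from the thread): a Keycloak realm and client.
KEYCLOAK_AUTHORIZE_URL = "https://sso.example.test/realms/erp/protocol/openid-connect/auth"
CLIENT_ID = "erpnext-web"
REDIRECT_URI = "https://erp.example.test/oidc/callback"  # placeholder callback route


def build_authorize_url(pending: dict, redirect_to: str = "/app") -> str:
    """Create the Keycloak authorization URL for one login attempt.

    `pending` stands in for server-side session storage: each entry is a
    fresh, single-use state value that the callback must echo back. In a
    Frappe whitelisted method this is where you would return a 302 to the URL.
    """
    state = secrets.token_urlsafe(32)   # unguessable CSRF token for this attempt
    nonce = secrets.token_urlsafe(32)   # bound to the ID token Keycloak issues
    pending[state] = {"nonce": nonce, "redirect_to": redirect_to}
    params = {
        "client_id": CLIENT_ID,
        "response_type": "code",
        "scope": "openid email profile",
        "redirect_uri": REDIRECT_URI,
        "state": state,
        "nonce": nonce,
    }
    return f"{KEYCLOAK_AUTHORIZE_URL}?{urlencode(params)}"


def validate_callback(pending: dict, callback_url: str) -> dict:
    """Check the redirect Keycloak sends back before exchanging the code.

    Rejects missing, unknown or replayed state values, so a forged callback
    (what a static state would allow) is dropped before any token request.
    """
    query = parse_qs(urlparse(callback_url).query)
    state = query.get("state", [None])[0]
    code = query.get("code", [None])[0]
    if not state or not code:
        raise ValueError("callback is missing state or code")
    attempt = pending.pop(state, None)   # single use: consumed on first sight
    if attempt is None:
        raise ValueError("unknown or already-used state")
    # The caller then exchanges `code` for tokens and checks the ID token's
    # nonce against attempt["nonce"]; that exchange is out of scope here.
    return {"code": code, **attempt}
```

The dashboard only ever links to the endpoint that calls `build_authorize_url`; it never needs to know the state, which is exactly why a hand-built static Keycloak URL is the wrong approach.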

Thanks, I’ve already done that and it works fine. Just wondering if we have any alternative approaches.
