Keycloak / Frappe OAuth2 Identity Provider integration

maxkolb · August 19, 2022, 11:25pm

Hi all,

I’m currently working on integrating a frappe OAuth client into our central IAM (Keycloak) as an Identity Provider (goal is to login to ERPNext through Keycloak). I configured frappe as well as Keycloak accordingly and the integration / login is working - however Keycloak throws an Error while trying to link the internal user with the frappe user account (Identity Provider Link).

After some debugging I found out, that Keycloak parses the ID Token that comes from frappe during OAuth token exchange and tries to process the subject of the ID Token (“sub”-claim) (keycloak/OIDCIdentityProvider.java at main · keycloak/keycloak · GitHub). According to the Spec (and the Keycloak implementation - keycloak/BrokeredIdentityContext.java at main · keycloak/keycloak · GitHub) the sub-claim should never be null.
I introspected the ID Token that is generated by frappe and found the following value:

{
  "aud": "XXX",
  "iat": 1660949297,
  "at_hash": "XXX",
  "iss": "XXX",
  "sub": null,
  "name": "Guest",
  "given_name": "Guest",
  "family_name": null,
  "email": "guest@example.com",
  "picture": null,
  "roles": [
    "Guest"
  ]
}

So I see 2 problems here:

The contents of the ID Token do not correspond to the user I authenticated with and instead contains Guest user data, which is definitely wrong. If I use the issued access token from frappe and call frappes user info endpoint I receive the correct user details however.
Even for the Guest user a “sub”-claim with a null value seems to be against Spec.

Any ideas on how to proceed? This blocks me from finalizing the integration.

Regards,
Max

revant_one · September 1, 2022, 7:47am

Are you using version 13?

it is fixed on version 14.

https://github.com/frappe/frappe/pull/17266

Backport to version 13 will be available soon.

maxkolb · September 20, 2022, 1:36pm

Thanks! That fixed it

Balaji_B · February 13, 2023, 10:10am

Hello @maxkolb We need the exact requirement of what you have asked for. We got the access token from keycloak but i don’t know how to use it with Erpnext with that access token.

We need a api for ERPnext which logins from ssh keycloak.

Kindly help,

Thanks in advance

Abhiraj_Tulsyan · December 3, 2023, 9:49pm

Hello here, Can anyone help me here with the full guide how to setup KeyCloak with the ERPnext. I am trying in my local but I am getting this error

2023-12-03 21:24:22,663 ERROR [org.keycloak.services] (executor-thread-115) KC-SERVICES0092: Missing parameter: response_type
2023-12-03 21:24:22,664 WARN  [org.keycloak.events] (executor-thread-115) type=LOGIN_ERROR, realmId=430ef9c9-e8b3-4278-aa6f-1e6ed90b7a30, clientId=ERPnext, userId=null, ipAddress=172.17.0.1, error=invalid_request, redirect_uri=http://erp.local:8001/

Can someone please help me on this in deep? I want to personally setup my own KeyCloak Identity Server so customers can Login With My company just like signing with google or signing with facebook.