Keycloak / Frappe OAuth2 Identity Provider integration

Hi all,

I’m currently working on integrating a frappe OAuth client into our central IAM (Keycloak) as an Identity Provider (the goal is to log in to ERPNext through Keycloak). I configured frappe as well as Keycloak accordingly and the integration / login is working - however, Keycloak throws an error while trying to link the internal user with the frappe user account (Identity Provider Link).

After some debugging I found out that Keycloak parses the ID Token that comes from frappe during the OAuth token exchange and tries to process the subject of the ID Token (“sub” claim) (keycloak/OIDCIdentityProvider.java at main · keycloak/keycloak · GitHub). According to the spec (and the Keycloak implementation - keycloak/BrokeredIdentityContext.java at main · keycloak/keycloak · GitHub) the sub claim should never be null.
I introspected the ID Token that is generated by frappe and found the following value:

{
  "aud": "XXX",
  "iat": 1660949297,
  "at_hash": "XXX",
  "iss": "XXX",
  "sub": null,
  "name": "Guest",
  "given_name": "Guest",
  "family_name": null,
  "email": "guest@example.com",
  "picture": null,
  "roles": [
    "Guest"
  ]
}

So I see 2 problems here:

  1. The contents of the ID Token do not correspond to the user I authenticated with and instead contain Guest user data, which is definitely wrong. However, if I use the access token issued by frappe and call frappe's user info endpoint, I receive the correct user details.
  2. Even for the Guest user, a “sub” claim with a null value seems to be against the spec.

Any ideas on how to proceed? This blocks me from finalizing the integration.

Regards,
Max
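The two problems above are exactly what a broker should refuse before it links an identity. Below is an added check of my own (not Keycloak's or frappe's code) that runs the claim set from the post through the OIDC Core required-claim rules and the UserInfo "sub" cross-check; the issuer and client_id are assumed to be the redacted "XXX" values, and the clock is pinned to the token's iat.

```python
from typing import Any

# Claims OIDC Core 1.0 section 2 marks REQUIRED in every ID Token.
REQUIRED_CLAIMS = ("iss", "sub", "aud", "exp", "iat")

# Claim set copied from the post, with the same redacted "XXX" values.
FRAPPE_ID_TOKEN = {
    "aud": "XXX", "iat": 1660949297, "at_hash": "XXX", "iss": "XXX",
    "sub": None, "name": "Guest", "given_name": "Guest", "family_name": None,
    "email": "guest@example.com", "picture": None, "roles": ["Guest"],
}


def id_token_problems(claims: dict[str, Any], expected_iss: str,
                      client_id: str, now: int) -> list[str]:
    """Return every reason this claim set must not be used to link an identity."""
    problems = []
    for name in REQUIRED_CLAIMS:
        if claims.get(name) is None:  # absent and JSON null are both failures
            problems.append(f"required claim '{name}' is missing or null")
    sub = claims.get("sub")
    if sub is not None and (not isinstance(sub, str) or not sub
                            or len(sub) > 255 or not sub.isascii()):
        problems.append("'sub' must be a non-empty ASCII string (max 255 chars)")
    if claims.get("iss") not in (None, expected_iss):
        problems.append("'iss' does not match the configured provider")
    aud = claims.get("aud")
    if aud is not None:
        if client_id not in (aud if isinstance(aud, list) else [aud]):
            problems.append("'aud' does not include this client_id")
    if isinstance(claims.get("exp"), int) and claims["exp"] <= now:
        problems.append("token has expired")
    return problems


def userinfo_matches(claims: dict[str, Any], userinfo: dict[str, Any]) -> bool:
    """OIDC Core 5.3.2: the client MUST verify that the UserInfo 'sub' equals the
    ID Token 'sub'. A Guest claim set paired with the real user's UserInfo
    response (as in the post) fails this check instead of being linked."""
    return isinstance(claims.get("sub"), str) and claims["sub"] == userinfo.get("sub")


if __name__ == "__main__":
    for p in id_token_problems(FRAPPE_ID_TOKEN, "XXX", "XXX", now=1660949297):
        print("reject:", p)
```

Against the posted token this reports the null `sub` and also a missing `exp`, which the introspected claim set does not carry either.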

Are you using version 13?

It is fixed in version 14.

https://github.com/frappe/frappe/pull/17266

Backport to version 13 will be available soon.


Thanks! That fixed it :+1:

Hello @maxkolb, we need the exact requirement of what you have asked for. We got the access token from Keycloak, but I don’t know how to use it with ERPNext with that access token.

We need an API for ERPNext which logs in from ssh Keycloak.

Kindly help,

Thanks in advance

Hello, can anyone help me with a full guide on how to set up Keycloak with ERPNext? I am trying it locally, but I am getting this error:

2023-12-03 21:24:22,663 ERROR [org.keycloak.services] (executor-thread-115) KC-SERVICES0092: Missing parameter: response_type
2023-12-03 21:24:22,664 WARN  [org.keycloak.events] (executor-thread-115) type=LOGIN_ERROR, realmId=430ef9c9-e8b3-4278-aa6f-1e6ed90b7a30, clientId=ERPnext, userId=null, ipAddress=172.17.0.1, error=invalid_request, redirect_uri=http://erp.local:8001/

Can someone please help me with this in depth? I want to personally set up my own Keycloak identity server so customers can log in with my company, just like signing in with Google or Facebook.