Hi all,
I’m currently working on integrating a frappe OAuth client into our central IAM (Keycloak) as an Identity Provider (goal is to login to ERPNext through Keycloak). I configured frappe as well as Keycloak accordingly and the integration / login is working - however Keycloak throws an Error while trying to link the internal user with the frappe user account (Identity Provider Link).
After some debugging I found out, that Keycloak parses the ID Token that comes from frappe during OAuth token exchange and tries to process the subject of the ID Token (“sub”-claim) (keycloak/OIDCIdentityProvider.java at main · keycloak/keycloak · GitHub). According to the Spec (and the Keycloak implementation - keycloak/BrokeredIdentityContext.java at main · keycloak/keycloak · GitHub) the sub-claim should never be null.
I introspected the ID Token that is generated by frappe and found the following value:
{
"aud": "XXX",
"iat": 1660949297,
"at_hash": "XXX",
"iss": "XXX",
"sub": null,
"name": "Guest",
"given_name": "Guest",
"family_name": null,
"email": "guest@example.com",
"picture": null,
"roles": [
"Guest"
]
}
So I see 2 problems here:
- The contents of the ID Token do not correspond to the user I authenticated with and instead contains Guest user data, which is definitely wrong. If I use the issued access token from frappe and call frappes user info endpoint I receive the correct user details however.
- Even for the Guest user a “sub”-claim with a null value seems to be against Spec.
Any ideas on how to proceed? This blocks me from finalizing the integration.
Regards,
Max
