Keycloak social login key

I’ve configured our Keycloak server as a social login key and it seems to work OK until I get redirected back to ERPNext after the user has been verified. ERPNext spits out this error:

Traceback (most recent call last):
  File "/home/erpadmin/frappe-bench/apps/frappe/frappe/app.py", line 64, in application
    response = frappe.api.handle()
  File "/home/erpadmin/frappe-bench/apps/frappe/frappe/api.py", line 59, in handle
    return frappe.handler.handle()
  File "/home/erpadmin/frappe-bench/apps/frappe/frappe/handler.py", line 24, in handle
    data = execute_cmd(cmd)
  File "/home/erpadmin/frappe-bench/apps/frappe/frappe/handler.py", line 63, in execute_cmd
    return frappe.call(method, **frappe.form_dict)
  File "/home/erpadmin/frappe-bench/apps/frappe/frappe/__init__.py", line 1055, in call
    return fn(*args, **newargs)
  File "/home/erpadmin/frappe-bench/apps/frappe/frappe/integrations/oauth2_logins.py", line 50, in custom
    login_via_oauth2(provider, code, state, decoder=decoder_compat)
  File "/home/erpadmin/frappe-bench/apps/frappe/frappe/utils/oauth.py", line 112, in login_via_oauth2
    info = get_info_via_oauth(provider, code, decoder)
  File "/home/erpadmin/frappe-bench/apps/frappe/frappe/utils/oauth.py", line 145, in get_info_via_oauth
    info = session.get(api_endpoint, params=api_endpoint_args).json()
  File "/home/erpadmin/frappe-bench/env/lib/python3.6/site-packages/requests/models.py", line 897, in json
    return complexjson.loads(self.text, **kwargs)
  File "/usr/lib/python3.6/json/__init__.py", line 354, in loads
    return _default_decoder.decode(s)
  File "/usr/lib/python3.6/json/decoder.py", line 339, in decode
    obj, end = self.raw_decode(s, idx=_w(s, 0).end())
  File "/usr/lib/python3.6/json/decoder.py", line 357, in raw_decode
    raise JSONDecodeError("Expecting value", s, err.value) from None
json.decoder.JSONDecodeError: Expecting value: line 1 column 1 (char 0)

The parameters that get passed back to http://erp.mydomain.org/api/method/frappe.integrations.oauth2_logins.custom/keycloak_sso are:

state
session_state
code

How do I even go about debugging this? Any direction would help. I am using Keycloak v11.0 and ERPNext v12.11.2 on Ubuntu 18.04.

Thanks,
S

This is my working Keycloak integration configuration.

1 Like

Ohhh, ok I had scope set to “openid email profile”. I will try that later.

BTW, did you have to pre-create the user accounts so the login names match? Or does ERPNext create a user on the fly?

ERPNext will create the user if it doesn’t exist.

The user will be a website user without any access to desk.
Set the default role in portal settings.

If the user is already created and appropriate roles are assigned, it will sign in as that user.

OK, well I got a little further but still no luck. I didn’t get an error message after Keycloak authenticates; all I got was a page that displayed this:

{}

If you got it working then at least I know it is possible somehow. I’ll try building a brand new fresh VM with ERPNext. If that doesn’t work, then there must be something wrong with my Keycloak configuration.

S

Well, I officially have no idea how @lapphan got Keycloak integration to work. I installed a brand new version of ERPNext from scratch on Ubuntu 20.04 and used the exact same settings and I still get the exact same results.

Something is definitely missing here and I’m not sure where to even start to debug this.

Hello,
I have the same issue here. I put in the same configuration for the Keycloak authentication provider. When I try to connect via social login by choosing the new Keycloak configuration, the connection window switches to the Keycloak authentication server. After entering the user/password, the callback URL is invoked, but rather than being connected to ERPNext, I get the message:
{}
displayed in the browser. Any idea on this issue?
Thanks in advance

Hello,
Can you please help me with this issue?
Kind regards,

The redirect URL must end with the same name as the document itself.
You can find the name in the breadcrumbs (top left corner in the screenshot).

The API Endpoint needs the full URL of the userinfo endpoint, since frappe/erpnext does not prepend the base URL: frappe/oauth.py at a5d8c7aed8785e742057e1298b37c9bfa17a10a2 · frappe/frappe · GitHub (Frappe v13.5.1)

2 Likes
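Added example (not part of any post above and not Frappe's own code): a small pre-flight check for the two settings named in the last reply, plus a userinfo parser that reports what the endpoint actually returned instead of the bare JSONDecodeError in the traceback. The dict keys, host names and realm are assumed, constructed values.

```python
import json
from urllib.parse import urlparse


def check_login_key(key):
    """Return a list of problems in a social login key config.

    `key` uses assumed field names: name, redirect_url, api_endpoint.
    """
    problems = []
    api = urlparse(key["api_endpoint"])
    if api.scheme not in ("http", "https") or not api.netloc:
        problems.append("api_endpoint must be a full URL (base URL is not prepended)")
    # The redirect URL must end with the name of the login key document.
    last = urlparse(key["redirect_url"]).path.rstrip("/").rsplit("/", 1)[-1]
    if last != key["name"]:
        problems.append("redirect_url ends with %r, document name is %r" % (last, key["name"]))
    return problems


def parse_userinfo(status, content_type, body):
    """Decode a userinfo response, raising a readable error when it is not JSON."""
    if status != 200:
        raise ValueError("userinfo returned HTTP %d: %.80s" % (status, body))
    if "json" not in content_type.lower():
        raise ValueError("userinfo returned %s, not JSON: %.80s" % (content_type, body))
    try:
        return json.loads(body)
    except ValueError:
        raise ValueError("userinfo body is not valid JSON: %.80s" % body)


# Constructed sample configs: one broken, one following the advice in the thread.
BROKEN = {
    "name": "keycloak_sso",
    "redirect_url": "/api/method/frappe.integrations.oauth2_logins.custom/keycloak",
    "api_endpoint": "/auth/realms/example/protocol/openid-connect/userinfo",
}
FIXED = {
    "name": "keycloak_sso",
    "redirect_url": "/api/method/frappe.integrations.oauth2_logins.custom/keycloak_sso",
    "api_endpoint": "https://sso.example.org/auth/realms/example/protocol/openid-connect/userinfo",
}

if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN), ("fixed", FIXED)):
        print(label, check_login_key(cfg) or "ok")
```

To see the real response on a live setup, pass the status code, Content-Type header and text of the userinfo request to `parse_userinfo`; an HTML login or error page there points at the endpoint URL rather than at the token exchange.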