oAuth client login button

rasos · October 7, 2017, 11:26am

When activating social login e.g. with github, an additional button is shown at the login screen: https://frappe.io/docs/user/en/guides/deployment/how-to-enable-social-logins

I have been adding our own oauth identity provider (provided by keycloak):

What is the correct URI to call the provider (“service initiated”, https://id.company.com/auth)?
What is the correct URI to call ERPnext (“IdP initiated”, something like https://provider.com/api/method/frappe.integrations.oauth2.get_token)
How do I get a button on the login page, ideally with the name or logo of the custom id provider?

revant_one · October 8, 2017, 8:11am

there are only few providers supported now.

Google, Github, Facebook and Frappe.

It is built into Frappe Framework.

github.com

frappe/frappe/blob/develop/frappe/www/login.html

{% extends "templates/web.html" %}

{% macro email_login_body() -%}
{% if not disable_user_pass_login or (ldap_settings and ldap_settings.enabled) %}
<div class="page-card-body">
	<div class="form-group">
		<label class="form-label sr-only" for="login_email">{{ login_label or _("Email")}}</label>
		<div class="email-field">
			<input type="text" id="login_email" class="form-control"
				placeholder="{% if login_name_placeholder %}{{ login_name_placeholder  }}{% else %}{{ _('jane@example.com') }}{% endif %}"
				required autofocus autocomplete="username">

			<svg class="field-icon email-icon" width="16" height="16" viewBox="0 0 16 16" fill="none"
				xmlns="http://www.w3.org/2000/svg">
				<use class="es-lock" href="#es-line-email"></use>
			</svg>
		</div>
	</div>

	<div class="form-group">

This file has been truncated. show original

github.com

frappe/frappe/blob/develop/frappe/www/login.py

# Copyright (c) 2015, Frappe Technologies Pvt. Ltd. and Contributors
# License: MIT. See LICENSE

import frappe
import frappe.utils
from frappe import _
from frappe.auth import LoginManager
from frappe.rate_limiter import rate_limit
from frappe.utils import cint, get_url
from frappe.utils.data import escape_html
from frappe.utils.html_utils import get_icon_html
from frappe.utils.jinja import guess_is_path
from frappe.utils.oauth import get_oauth2_authorize_url, get_oauth_keys, redirect_post_login
from frappe.utils.password import get_decrypted_password
from frappe.website.utils import get_home_page

no_cache = True


def get_context(context):

This file has been truncated. show original

If you are a developer you can send a Pull Request.

Also, If you are adding one more provider to Social Login Keys, I’ll suggest to refactor the singles DocType Social Login Keys, such that users can add any providers with ease.

rasos · May 12, 2018, 8:34am

Now I understand: when adding an oAuth Client, it means I add a client for ERPnext acting as oAuth provider.

What I want is to add a generic oAuth identity provider (such as keycloak) as an additional social provider. So I need to extend the DocType here: frappe/social_login_key.py at develop · frappe/frappe · GitHub

revant_one · May 12, 2018, 8:40am

refer this pull request

https://github.com/frappe/frappe/pull/4819/files

It is easy to add any oauth 2.0 provider, do send a PR if you add a provider.

rasos · September 11, 2019, 11:52am

Great, now ERPnext allows to define your own custom oAuth provider to login with. We have tried with keycloak and used the following parameters:

Authorize URL: /protocol/openid-connect/auth
Token URL: /protocol/openid-connect/token
API endpoint: /protocol/openid-connect/userinfo
Redirect URL: https://erp.ourdomain.com/api/method/frappe.www.login.login_oauth_user

When pressing the custom ID login the window pops up correctly and one can identify. However the user does not get a session, as a result we see Missing parameter with login: Status: 417.

@revant_one It seems the token is not parsed by frappe. What is the correct Redirect URL parameter for custom oAuth?

revant_one · September 11, 2019, 4:27pm

Try the following settings:

{
  "data": {
    "social_login_provider": "Custom",
    "auth_url_data": "{\"scope\": \"openid email profile\", \"response_type\": \"code\"}",
    "doctype": "Social Login Key",
    "custom_base_url": 1,
    "authorize_url": "/protocol/openid-connect/auth",
    "base_url": "https://your-keycloak.domain.tld",
    "api_endpoint": "/protocol/openid-connect/userinfo",
    "provider_name": "Keycloak",
    "client_id": "************************************",
    "access_token_url": "/protocol/openid-connect/token",
    "icon": "fa fa-cloud",
    "enable_social_login": 1,
    "redirect_url": "/api/method/frappe.integrations.oauth2_logins.custom/keycloak",
    "client_secret": "****************************************************************"
  }
}

Note: The provider name is converted to the_snake_case slug. If you name the provider Redhat Keycloak the redirect_url will be /api/method/frappe.integrations.oauth2_logins.custom/redhat_keycloak

rasos · September 12, 2019, 5:42am

Using this redriect_url seems to be the right endpoint, however the users do not seem to have the permission to start an oAuth session "

Which permissions are needed for oAuth login and where can we define it? Also we need to define somewhere the standard role for new users (like in the LDAP settings).

revant_one · September 12, 2019, 6:52am

Do you have anything on /login query param? e.g. /login?redirect-to=/api/method/ping
After social login or normal login the redirect-to query param will be respected.

if redirect-to has certain doctype in query and the new openid connect user does not have required role in the system this may happen.

rasos · September 13, 2019, 7:25pm

Still no clue where I could set the default login permissions.
Nothing is appended on the /login query parameter.

After authenticating in keycloak and returning to ERPnext we have the URL
https://erp.ourdomain.net/api/method/frappe.integrations.oauth2_logins/fairlogin?state=longkeyhere

The redirect URI needs to be here:
https://erp.ourdomain.net/api/method/frappe.integrations.oauth2_logins/fairlogin (not as in your example without base URL and with oauth2_logins.custom)

What is the User ID Property field for in the Social Login Key settings? Could I set a default role there?

EDIT: after upgrade from frappe/ERPnext v11 to v12 I get:

AttributeError: ‘module’ object has no attribute ‘custom’ when using

https://erp.ourdomain.net/api/method/frappe.integrations.oauth2_logins.custom/fairlogin

revant_one · September 15, 2019, 4:29pm

I think new users are Website User. There is no default role assigned to new users created via Social Login like LDAP

fairlogin provider is part of selection, you don’t need to modify anything.
Custom provider is used to add any provider which is not available in selection.

It is the openid profile (userinfo_endpoint) property which identifies the user’s id. It is sub by default. It has nothing to do with user roles.

It was sent in hotfix fix: add callback for allowing user added social logins by revant · Pull Request #7650 · frappe/frappe · GitHub

rasos · September 15, 2019, 4:55pm

It was sent in hotfix fix: add callback for allowing user added social logins by revant · Pull Request #7650 · frappe/frappe · GitHub

It seems this custom outh code did not make it into v12. At least there is no /api/method/frappe.integrations.custom and def custom(code, state) in social_login_key.py.

Else we need another
"redirect_url": "/api/method/frappe.integrations.oauth2_logins.custom/keycloak"

There is no default role assigned to new users created via Social Login like LDAP

Web site user role is not sufficient for our users, who should also have the role customer to be able to do a purchase in the webshop.

revant_one · October 30, 2019, 2:56pm

Pull Request: fix: add missing code for social login key by revant · Pull Request #8720 · frappe/frappe · GitHub

revant_one · December 3, 2019, 7:50am

try
https://example.com/auth/realms/vgsid/protocol/openid-connect/userinfo
instead of
/protocol/openid-connect/userinfo

for API Endpoint

revant_one · December 3, 2019, 7:55am

open new topic for further issues