oAuth client login button

When activating social login e.g. with github, an additional button is shown at the login screen: https://frappe.io/docs/user/en/guides/deployment/how-to-enable-social-logins

I have been adding our own oauth identity provider (provided by keycloak):

there are only few providers supported now.

Google, Github, Facebook and Frappe.

It is built into Frappe Framework.

If you are a developer you can send a Pull Request.

Also, If you are adding one more provider to Social Login Keys, I’ll suggest to refactor the singles DocType Social Login Keys, such that users can add any providers with ease.

Now I understand: when adding an oAuth Client, it means I add a client for ERPnext acting as oAuth provider.

What I want is to add a generic oAuth identity provider (such as keycloak) as an additional social provider. So I need to extend the DocType here: frappe/social_login_key.py at develop · frappe/frappe · GitHub

refer this pull request


It is easy to add any oauth 2.0 provider, do send a PR if you add a provider.

Great, now ERPnext allows to define your own custom oAuth provider to login with. We have tried with keycloak and used the following parameters:

Authorize URL: /protocol/openid-connect/auth
Token URL: /protocol/openid-connect/token
API endpoint: /protocol/openid-connect/userinfo
Redirect URL: https://erp.ourdomain.com/api/method/frappe.www.login.login_oauth_user

When pressing the custom ID login the window pops up correctly and one can identify. However the user does not get a session, as a result we see Missing parameter with login: Status: 417.

@revant_one It seems the token is not parsed by frappe. What is the correct Redirect URL parameter for custom oAuth?

1 Like

Try the following settings:

  "data": {
    "social_login_provider": "Custom",
    "auth_url_data": "{\"scope\": \"openid email profile\", \"response_type\": \"code\"}",
    "doctype": "Social Login Key",
    "custom_base_url": 1,
    "authorize_url": "/protocol/openid-connect/auth",
    "base_url": "https://your-keycloak.domain.tld",
    "api_endpoint": "/protocol/openid-connect/userinfo",
    "provider_name": "Keycloak",
    "client_id": "************************************",
    "access_token_url": "/protocol/openid-connect/token",
    "icon": "fa fa-cloud",
    "enable_social_login": 1,
    "redirect_url": "/api/method/frappe.integrations.oauth2_logins.custom/keycloak",
    "client_secret": "****************************************************************"

Note: The provider name is converted to the_snake_case slug. If you name the provider Redhat Keycloak the redirect_url will be /api/method/frappe.integrations.oauth2_logins.custom/redhat_keycloak


Using this redriect_url seems to be the right endpoint, however the users do not seem to have the permission to start an oAuth session "

Which permissions are needed for oAuth login and where can we define it? Also we need to define somewhere the standard role for new users (like in the LDAP settings).

Do you have anything on /login query param? e.g. /login?redirect-to=/api/method/ping
After social login or normal login the redirect-to query param will be respected.

if redirect-to has certain doctype in query and the new openid connect user does not have required role in the system this may happen.

Still no clue where I could set the default login permissions.
Nothing is appended on the /login query parameter.

After authenticating in keycloak and returning to ERPnext we have the URL

The redirect URI needs to be here:
https://erp.ourdomain.net/api/method/frappe.integrations.oauth2_logins/fairlogin (not as in your example without base URL and with oauth2_logins.custom)

What is the User ID Property field for in the Social Login Key settings? Could I set a default role there?

EDIT: after upgrade from frappe/ERPnext v11 to v12 I get:

AttributeError: ‘module’ object has no attribute ‘custom’ when using


I think new users are Website User. There is no default role assigned to new users created via Social Login like LDAP

fairlogin provider is part of selection, you don’t need to modify anything.
Custom provider is used to add any provider which is not available in selection.

It is the openid profile (userinfo_endpoint) property which identifies the user’s id. It is sub by default. It has nothing to do with user roles.

It was sent in hotfix fix: add callback for allowing user added social logins by revant · Pull Request #7650 · frappe/frappe · GitHub

It was sent in hotfix fix: add callback for allowing user added social logins by revant · Pull Request #7650 · frappe/frappe · GitHub

It seems this custom outh code did not make it into v12. At least there is no /api/method/frappe.integrations.custom and def custom(code, state) in social_login_key.py.

Else we need another
"redirect_url": "/api/method/frappe.integrations.oauth2_logins.custom/keycloak"

There is no default role assigned to new users created via Social Login like LDAP

Web site user role is not sufficient for our users, who should also have the role customer to be able to do a purchase in the webshop.

Pull Request: fix: add missing code for social login key by revant · Pull Request #8720 · frappe/frappe · GitHub

instead of

for API Endpoint



open new topic for further issues