OpenID Connect with Keycloak - blank page after login {}

Dear Frappe Community,

I have been struggling for a long time to get OpenID Connect (via Keycloak) to work with ERPNext.

Some people already had these problems in an old discussion, which did not have any solution:

My system has following details:

ERPNext: v14.18.3 (version-14)
Frappe Framework: v14.28.2 (version-14)
FrappeDesk: v0.6.5 (main)
Frappe HR: v14.1.2 (version-14)
Payments: v0.0.1 (develop)

I am using Keycloak on several other setups without any problems and now wanted to use the Social Login Key functionality in ERPNext at:

https://erp.example.com/app/social-login-key/

I was following this documentation in detail:

https://docs.erpnext.com/docs/v14/user/manual/en/erpnext_integration/fairlogin-integration
(!! Be aware that the documentation is for an outdated Keycloak version (before v20), which uses different URLs. I use v20+ and used the correct URLs accordingly.)

I used following settings in ERPNext Social Login Key Settings:

Client ID: id of the openid-connect client, copied from my Keycloak
Client Secret: secret of the openid-connect client, copied from my Keycloak
Base URL: https://keycloak.example.com/realms/myrealm
Authorize URL: /protocol/openid-connect/auth
Access Token URL: /protocol/openid-connect/token
Redirect URL: /api/method/frappe.integrations.oauth2_logins.custom/myrealm
API Endpoint: https://keycloak.example.com/realms/myrealm/protocol/openid-connect/userinfo
Auth URL Data: {"response_type": "code", "scope": "openid"}

I used following settings in my Keycloak Client setup:

Home URL: https://erp.example.com
Root URL: https://erp.example.com
Valid redirect URIs: https://erp.example.com/*

ERROR

(strangely without error logs or messages in the logs)

  1. I go to my login page https://erp.example.com/#login
  2. I click on "Login with Keycloak"
  3. My Keycloak login opens and I log in (successful login is logged in Keycloak)
  4. Keycloak redirects to ERPNext and a blank page with only "{}" is displayed

URL in Browser
https://erp.example.com/api/method/frappe.integrations.oauth2_logins.custom?state=xxxxxxxxxxxxxxx&code=xxxxxxxxxxxxxxxxxxxxxxxx

frappe.log content
Site: erp.example.com
Form Dict: {'state': 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx', 'session_state': 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx', 'cmd': 'frappe.integrations.oauth2_logins.custom'}

I cannot open any other URL on my ERPNext instance and get sent right back to the ERPNext login page.

It seems like ERPNext is not finalizing the login correctly…

Does anybody have an idea how to solve it, please?

This user (Profile - lapphan - Frappe Forum) was able to use Keycloak. I don't know if the user is still active.

Yes, that is 3 years ago. Keycloak is not some niche auth provider, and especially for authentication in ERPNext there must be some logs for control purposes, which I could not find anywhere.

I tried to reach him (Profile - lapphan - Frappe Forum), but he was last seen 2 years ago…

I would be really happy to finally get it working and then supply generalized and up-to-date documentation for the Frappe Docs, which is not based on some outdated fairkom setup on ERPNext v14.

Thank you very much.

Provide test access to Keycloak if you can; I'll try setting it up locally. Or also provide test access to your ERPNext setup.

I tried to configure Keycloak for ERPNext using some settings, and when I get redirected it takes me to the right URL etc., but it gives me this error:

Traceback (most recent call last):
  File "env/lib/python3.10/site-packages/rauth/service.py", line 21, in process_token_request
    return tuple(data[key] for key in args)
  File "env/lib/python3.10/site-packages/rauth/service.py", line 21, in <genexpr>
    return tuple(data[key] for key in args)
KeyError: 'access_token'

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "apps/frappe/frappe/app.py", line 94, in application
    response = frappe.api.handle()
  File "apps/frappe/frappe/api.py", line 54, in handle
    return frappe.handler.handle()
  File "apps/frappe/frappe/handler.py", line 47, in handle
    data = execute_cmd(cmd)
  File "apps/frappe/frappe/handler.py", line 85, in execute_cmd
    return frappe.call(method, **frappe.form_dict)
  File "apps/frappe/frappe/__init__.py", line 1620, in call
    return fn(*args, **newargs)
  File "apps/frappe/frappe/integrations/oauth2_logins.py", line 58, in custom
    login_via_oauth2(provider, code, state, decoder=decoder_compat)
  File "apps/frappe/frappe/utils/oauth.py", line 113, in login_via_oauth2
    info = get_info_via_oauth(provider, code, decoder)
  File "apps/frappe/frappe/utils/oauth.py", line 144, in get_info_via_oauth
    session = flow.get_auth_session(**args)
  File "env/lib/python3.10/site-packages/rauth/service.py", line 556, in get_auth_session
    session = self.get_session(self.get_access_token(method, **kwargs))
  File "env/lib/python3.10/site-packages/rauth/service.py", line 542, in get_access_token
    access_token, = process_token_request(r, decoder, key)
  File "env/lib/python3.10/site-packages/rauth/service.py", line 24, in process_token_request
    raise KeyError(PROCESS_TOKEN_ERROR.format(key=bad_key, raw=r.content))
KeyError: 'Decoder failed to handle access_token with data as returned by provider. A different decoder may be needed. Provider returned: b\'{"error":"unauthorized_client","error_description":"Invalid client or Invalid client credentials"}\''

These are my settings in ERPNext for Social Login Key:

baseurl: http://xyz.at:28080/realms/master
auth url: /protocol/openid-connect/auth
token url: /protocol/openid-connect/token
redirect url: http://erpnext.local:8080/api/method/frappe.integrations.oauth2_logins.custom/keycloak_sso
api_endpoint: /protocol/openid-connect/userinfo

Auth URL Data

{"scope": "openid", "response_type": "code"}

Not sure what's wrong, but as per the message the client ID or secret has a problem. I tried resetting them multiple times in Keycloak but no go.
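The traceback above ends in rauth's generic decoder raising KeyError for access_token, but the useful information is in the body Keycloak returned, which is an RFC 6749 error response (error plus error_description). The following is an added example, not code from Frappe, rauth or this thread: it builds the authorization-code exchange request in the client_secret_post style rauth uses (client_id and client_secret in the form body), and parses the token endpoint's reply so that an OAuth error is reported by name rather than as a missing key. Hostnames, the code value and the client credentials are placeholders; the success body is constructed, while the error body is the one quoted in the traceback.

```python
import json
from urllib.parse import urlencode


class TokenEndpointError(Exception):
    """Raised when the token endpoint returns something other than a token."""


def build_token_request(token_url, code, redirect_uri, client_id, client_secret):
    """Authorization-code exchange, credentials in the form body (client_secret_post).

    redirect_uri must be byte-for-byte the value sent on the authorize request;
    Keycloak also checks it against the client's registered redirect URIs.
    """
    headers = {
        "Content-Type": "application/x-www-form-urlencoded",
        "Accept": "application/json",
    }
    body = urlencode({
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
        "client_id": client_id,
        "client_secret": client_secret,
    })
    return token_url, headers, body


def parse_token_response(raw: bytes) -> dict:
    """Decode a token-endpoint body and surface RFC 6749 error responses by name."""
    try:
        data = json.loads(raw.decode("utf-8"))
    except (UnicodeDecodeError, ValueError) as exc:
        # e.g. an HTML error page from a proxy in front of Keycloak
        raise TokenEndpointError(f"token endpoint returned non-JSON body: {raw[:80]!r}") from exc
    if "error" in data:
        # Keycloak's 'unauthorized_client' with 'Invalid client or Invalid client credentials'
        # means the client_id/client_secret pair was rejected (wrong or stale secret).
        raise TokenEndpointError(f"{data['error']}: {data.get('error_description', '')}")
    if "access_token" not in data:
        raise TokenEndpointError(f"no access_token in response: {sorted(data)}")
    return data


# Constructed sample bodies. ERROR_BODY matches the provider body quoted in the traceback;
# SUCCESS_BODY is a shortened stand-in for a real Keycloak token response.
ERROR_BODY = b'{"error":"unauthorized_client","error_description":"Invalid client or Invalid client credentials"}'
SUCCESS_BODY = (b'{"access_token":"eyJ...","expires_in":300,"token_type":"Bearer",'
                b'"scope":"openid profile email","id_token":"eyJ..."}')


def classify(raw: bytes) -> str:
    """Return 'token' for a usable response, otherwise the error code or failure reason."""
    try:
        parse_token_response(raw)
        return "token"
    except TokenEndpointError as exc:
        return str(exc).split(":", 1)[0]


if __name__ == "__main__":
    url, headers, body = build_token_request(
        "http://xyz.at:28080/realms/master/protocol/openid-connect/token",   # placeholder
        code="xxxxxxxx",
        redirect_uri="http://erpnext.local:8080/api/method/frappe.integrations.oauth2_logins.custom/keycloak_sso",
        client_id="erpnext",            # placeholder
        client_secret="replace-me",     # placeholder
    )
    print(url)
    print(body)
    for raw in (SUCCESS_BODY, ERROR_BODY, b"<html>502 Bad Gateway</html>"):
        print(classify(raw))
```

When debugging the thread's error, sending exactly this request with curl against the token endpoint (with a fresh code) shows whether the rejection is the secret, the redirect_uri mismatch or the client being public, independently of what rauth does with the reply.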

Try the full URL here instead of only the path, e.g. http://xyz.at:28080/realms/master/protocol/openid-connect/userinfo

Redirect URL /api/method/frappe.integrations.oauth2_logins.custom/myrealm

Here "myrealm" should be the ID of your [Social Login Key] in Frappe.

Finally got it working with these settings. Custom Keycloak instance and ERPNext working together.
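Pulling together the Social Login Key settings from the first post and the two corrections in the replies (API Endpoint must be the full userinfo URL, and the last segment of the Redirect URL is the Social Login Key ID in Frappe), here is an added example, not code from Frappe or this thread: it derives a consistent Social Login Key / Keycloak client pair from a Keycloak host, realm and key ID, and checks a pair for the mistakes seen in this thread. Hostnames, realm, key ID and client credentials are placeholders; the Keycloak dict uses the field names of Keycloak's client representation (clientId, rootUrl, baseUrl, redirectUris, standardFlowEnabled, publicClient). One caveat the thread does not raise: the original Keycloak client registers https://erp.example.com/* as a valid redirect URI. The checker flags that and asks for the exact callback, because a wildcard lets any path on that host receive the authorization code.

```python
import json
from urllib.parse import urlsplit

# Placeholder hosts, realm and key name (assumptions for this example).
ERP_HOST = "https://erp.example.com"
KEYCLOAK_HOST = "https://keycloak.example.com"
REALM = "myrealm"
KEY_NAME = "myrealm"  # ID of the Social Login Key document in Frappe

# Keycloak (v18+ URL layout) endpoint paths, relative to https://<host>/realms/<realm>
AUTHORIZE_PATH = "/protocol/openid-connect/auth"
TOKEN_PATH = "/protocol/openid-connect/token"
USERINFO_PATH = "/protocol/openid-connect/userinfo"


def social_login_key_settings(kc_host, realm, key_name, client_id, client_secret):
    """Values for the Frappe Social Login Key form, derived from host, realm and key ID."""
    base_url = f"{kc_host.rstrip('/')}/realms/{realm}"
    return {
        "name": key_name,
        "client_id": client_id,
        "client_secret": client_secret,
        "base_url": base_url,
        "authorize_url": AUTHORIZE_PATH,
        "access_token_url": TOKEN_PATH,
        # The last path segment is the Social Login Key ID Frappe uses to find the provider.
        "redirect_url": f"/api/method/frappe.integrations.oauth2_logins.custom/{key_name}",
        # Userinfo must be a full URL; a bare path is not joined with base_url.
        "api_endpoint": base_url + USERINFO_PATH,
        "auth_url_data": json.dumps({"response_type": "code", "scope": "openid"}),
    }


def keycloak_client_settings(erp_host, settings):
    """Matching Keycloak client, using client representation field names."""
    callback = erp_host.rstrip("/") + settings["redirect_url"]
    return {
        "clientId": settings["client_id"],
        "rootUrl": erp_host,
        "baseUrl": erp_host,
        # Exact callback only; https://erp.example.com/* would let any path receive the code.
        "redirectUris": [callback],
        "standardFlowEnabled": True,  # authorization code flow
        "publicClient": False,        # confidential client: secret required at the token endpoint
    }


def check_settings(settings, erp_host, kc_client):
    """Return a list of misconfigurations; an empty list means the pair looks consistent."""
    problems = []
    if urlsplit(settings["api_endpoint"]).scheme not in ("http", "https"):
        problems.append("api_endpoint must be a full URL, not a path")
    if settings["redirect_url"].rsplit("/", 1)[-1] != settings["name"]:
        problems.append("redirect_url must end with the Social Login Key ID")
    try:
        data = json.loads(settings["auth_url_data"])
    except ValueError:
        problems.append("auth_url_data is not valid JSON (check for curly quotes)")
    else:
        if data.get("response_type") != "code":
            problems.append("auth_url_data needs response_type=code")
        if "openid" not in data.get("scope", "").split():
            problems.append("auth_url_data scope must include openid")
    if urlsplit(settings["base_url"]).scheme != "https":
        problems.append("base_url is not https: client secret and tokens travel in clear")
    callback = erp_host.rstrip("/") + settings["redirect_url"]
    uris = kc_client.get("redirectUris", [])
    if callback not in uris:
        if any(u.endswith("*") and callback.startswith(u[:-1]) for u in uris):
            problems.append("callback only matches a wildcard redirect URI; register the exact URI")
        else:
            problems.append("callback is not a registered redirect URI in Keycloak")
    return problems


if __name__ == "__main__":
    s = social_login_key_settings(KEYCLOAK_HOST, REALM, KEY_NAME, "erpnext", "replace-me")
    kc = keycloak_client_settings(ERP_HOST, s)
    print(json.dumps(s, indent=2))
    print(json.dumps(kc, indent=2))
    print(check_settings(s, ERP_HOST, kc) or "no problems found")
```

Running check_settings against the second poster's values (relative api_endpoint, http base URL, redirect URL ending in keycloak_sso) reproduces the three points raised in the replies before any login is attempted.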

What are your Keycloak settings? My logins work fine, but when I log out, the user never gets logged out of Keycloak and then I get redirected to a 502 in ERPNext.
Could you please share your logout URL, or all the settings in Keycloak for the ERP client?

That’s not available. You cannot single logout with social login. It is only for single sign on.

Login with Google will not logout of Google.

But this works fine with other apps (Portainer, Docker Hub, GitHub etc.). The problem is the logout URI; is there a logout endpoint or valid URI I can specify in Keycloak for ERPNext?