Social Login (OIDC) does not work for custom IdP with error: Email not verified

mnoureldin · June 3, 2023, 3:31am

Hi, I am trying to authenticate ERPNext users using Keycloak IdP.

I configured it as shown here: oAuth client login button - #6 by revant_one

and it seems almost to be done, still, I get the error:

frappe.exceptions.ValidationError: Email not verified with Keycloak

although it is actually verified.

Server Error
Traceback (most recent call last):
  File "apps/frappe/frappe/app.py", line 66, in application
    response = frappe.api.handle()
  File "apps/frappe/frappe/api.py", line 54, in handle
    return frappe.handler.handle()
  File "apps/frappe/frappe/handler.py", line 45, in handle
    data = execute_cmd(cmd)
  File "apps/frappe/frappe/handler.py", line 83, in execute_cmd
    return frappe.call(method, **frappe.form_dict)
  File "apps/frappe/frappe/__init__.py", line 1607, in call
    return fn(*args, **newargs)
  File "apps/frappe/frappe/integrations/oauth2_logins.py", line 58, in custom
    login_via_oauth2(provider, code, state, decoder=decoder_compat)
  File "apps/frappe/frappe/utils/oauth.py", line 115, in login_via_oauth2
    info = get_info_via_oauth(provider, code, decoder)
  File "apps/frappe/frappe/utils/oauth.py", line 161, in get_info_via_oauth
    frappe.throw(_("Email not verified with {0}").format(provider.title()))
  File "apps/frappe/frappe/__init__.py", line 525, in throw
    msgprint(
  File "apps/frappe/frappe/__init__.py", line 493, in msgprint
    _raise_exception()
  File "apps/frappe/frappe/__init__.py", line 442, in _raise_exception
    raise raise_exception(msg)
frappe.exceptions.ValidationError: Email not verified with Keycloak

Here is again my configuration:

Here is a small confirmation that the user I am using for logging in in Keycloak has a verified email:

Is it a bug? What could be wrong?

revant_one · June 3, 2023, 8:16am

Someone recently posted this ERPNext and single sign on (SSO).

mnoureldin · June 3, 2023, 10:33am

This does not seem very relevant to my case.

Just to keep focus on my issue, this is what I am getting:

frappe.exceptions.ValidationError: Email not verified with Keycloak

although the Email is verified.

mnoureldin · June 3, 2023, 2:17pm

@revant_one OK, it seems I finally got it working. I will paste how in a few minutes. But now I get the following issue. It is not clear why. Should I enable general registration? Or what is the issue exactly?

I just need my IdP users to be able to login, but nobody should be able to “register”.

mnoureldin · June 3, 2023, 3:38pm

Well, apparently the message I get from ERPNext is just misleading. It turns out that the userinfo (API endpoint) was wrong, thus some information could not be found be ERPNext.

the settings that work for me are:

- Provider name: <anything you want> (in my case keycloak)

- Client ID: <from your IdP> (in my case erpnext)
- Client Secret: from your IdP

- Base URL: https://<idp domain>/realms/<realm name>

- Authorize URL: /protocol/openid-connect/auth
- Access Token URL: /protocol/openid-connect/token
- Redirect URL: /api/method/frappe.integrations.oauth2_logins.custom/<Provider name> (so for my case is /api/method/frappe.integrations.oauth2_logins.custom/keycloak)
- API Endpoint: https://<idp domain>/realms/<realm name>/protocol/openid-connect/userinfo

- Auth URL Data: {"response_type": "code", "scope": "openid profile email"}

- User ID Property: preferred_username

Now to explain what the problem exactly was:

In the previous configuration, it is important to note that most URLs are relative to the Base. However, there is also an endpoint (API Endpoint, or userinfo endpoint) which is an absolute URL. Using a relative URL instead of an absolute URL and vice versa will result in OIDC authentication not working.

In my case I used a relative path in API Endpoint instead of the absolute full path. As soon as I put the full URL in the endpoint, the problem was solved.