OIDC Login Config


I saw that OIDC was added in 4.4 and the docker compose also spins up a Keycloak instance.

Are you able to provide an example what is required in order to use keycloak to authenticate?

It looks like the AUTHENTICATION_BACKENDS and AUTHENTICATION_BACKEND_ARGUMENTS set to include the Keycloak OIDC info?

Can the environment vars in the docker image be used to configure it?
Does it support role mapping from Keycloak to Mayan?



There are many ways to setup OIDC authentication (as you mention role mappings, but also multiple realms, schemas, login workflows, scopes, scope token expirations and renewals). Centralized identity management is a platform configuration aspect unique to each deployment. Attempting to create documentation to cover even the most common use cases of OIDC would be a project on its own and beyond the scope of Mayan’s documentation.

Took a look at the config and managed to get Keycloak (using OIDC discovery URL) working using the following docker env vars:

MAYAN_AUTHENTICATION_BACKEND = 'mayan.apps.authentication_oidc.authentication_backends.AuthenticationBackendOIDC'
MAYAN_AUTHENTICATION_BACKEND_ARGUMENTS = {"oidc_discovery_url":"https://$OIDC_HOSTNAME/realms/$REALM/.well-known/openid-configuration","oidc_rp_client_id":"$OIDC_CLIENT_ID","oidc_rp_client_secret":"$OIDC_CLIENT_SECRET","oidc_rp_sign_algo":"RS256"}

It looks like the following isnt implemented, do you know if it is on the roadmap (or did I miss it):

  • Single Logout - Logging out in Mayan doesnt logout from the IDP
  • Role mapping - it doesnt look like the current code checks the claims for any roles

Also, is MAYAN_AUTHENTICATION_OIDC_USER_PROFILE_URL intended to take you to the IDP user page, would be https://${OIDC_HOSTNAME}/realms/$REALM/account/#/ in Keycloak?