There are many ways to set up OIDC authentication (as you mention, role mappings, but also multiple realms, schemas, login workflows, scopes, scope token expirations and renewals). Centralized identity management is a platform configuration aspect unique to each deployment. Attempting to create documentation to cover even the most common use cases of OIDC would be a project on its own and beyond the scope of Mayan’s documentation.
It looks like the following isn't implemented; do you know if it is on the roadmap (or did I miss it):
Single Logout - Logging out in Mayan doesn't log out from the IDP
Role mapping - it doesn't look like the current code checks the claims for any roles
Also, is MAYAN_AUTHENTICATION_OIDC_USER_PROFILE_URL intended to take you to the IDP user page, which would be https://${OIDC_HOSTNAME}/realms/$REALM/account/#/ in Keycloak?
I am actually trying to reproduce the OIDC configuration to manage Mayan with Keycloak.
I already have an instance of Keycloak running.
I cloned the repo and edited the .env file to add my own configuration of the Keycloak endpoint with a given clientId and clientSecret.
But when I try to start the environment with docker-compose up -d, mayan doesn't start and docker logs return the following error.
mayan: starting entrypoint.sh
Connection attempt #1 to: port postgresql:5432; Connected.
Connection attempt #1 to: port rabbitmq:5672; Connected.
Connection attempt #1 to: port redis:6379; Connected.
mayan: update_uid_gid()
usermod: no changes
mayan: os_package_installs()
mayan: pip_installs()
mayan: initial_setup()
/opt/mayan-edms/lib/python3.9/site-packages/requests/__init__.py:102: RequestsDependencyWarning: urllib3 (1.26.15) or chardet (5.1.0)/charset_normalizer (2.0.12) doesn't match a supported version!
warnings.warn("urllib3 ({}) or chardet ({})/charset_normalizer ({}) doesn't match a supported "
Traceback (most recent call last):
File "/opt/mayan-edms/bin/mayan-edms.py", line 22, in <module>
main()
File "/opt/mayan-edms/bin/mayan-edms.py", line 18, in main
execute_from_command_line(sys.argv)
File "/opt/mayan-edms/lib/python3.9/site-packages/django/core/management/__init__.py", line 419, in execute_from_command_line
utility.execute()
File "/opt/mayan-edms/lib/python3.9/site-packages/django/core/management/__init__.py", line 395, in execute
django.setup()
File "/opt/mayan-edms/lib/python3.9/site-packages/django/__init__.py", line 24, in setup
apps.populate(settings.INSTALLED_APPS)
File "/opt/mayan-edms/lib/python3.9/site-packages/django/apps/registry.py", line 122, in populate
app_config.ready()
File "/opt/mayan-edms/lib/python3.9/site-packages/mayan/apps/authentication/apps.py", line 44, in ready
AuthenticationBackend.cls_initialize()
File "/opt/mayan-edms/lib/python3.9/site-packages/mayan/apps/authentication/classes.py", line 28, in cls_initialize
backend = cls.cls_get_instance()
File "/opt/mayan-edms/lib/python3.9/site-packages/mayan/apps/authentication/classes.py", line 19, in cls_get_instance
authentication_backend_class = cls.get(
File "/opt/mayan-edms/lib/python3.9/site-packages/mayan/apps/databases/classes.py", line 79, in get
return cls._registry.get(cls, {})[name]
KeyError: 'mayan.apps.authentication_oidc.authentication_backends.AuthenticationBackendOIDC'
Your statement does not make sense at all. Having two different authentication schemes is a common use case and various applications support it. Speaking for Mayan, it wouldn’t cause noteworthy effort, as other mechanisms are already implemented, which is essentially the reason why I was asking.