OIDC Login Config

Hi,

I saw that OIDC was added in 4.4 and the docker compose also spins up a Keycloak instance.

Are you able to provide an example what is required in order to use keycloak to authenticate?

It looks like the AUTHENTICATION_BACKENDS and AUTHENTICATION_BACKEND_ARGUMENTS set to include the Keycloak OIDC info?

Can the environment vars in the docker image be used to configure it?
Does it support role mapping from Keycloak to Mayan?

Regards,
Joe

1 Like

Hi,

There are many ways to setup OIDC authentication (as you mention role mappings, but also multiple realms, schemas, login workflows, scopes, scope token expirations and renewals). Centralized identity management is a platform configuration aspect unique to each deployment. Attempting to create documentation to cover even the most common use cases of OIDC would be a project on its own and beyond the scope of Mayan’s documentation.

1 Like

Took a look at the config and managed to get Keycloak (using OIDC discovery URL) working using the following docker env vars:

MAYAN_AUTHENTICATION_BACKEND = 'mayan.apps.authentication_oidc.authentication_backends.AuthenticationBackendOIDC'
MAYAN_AUTHENTICATION_BACKEND_ARGUMENTS = {"oidc_discovery_url":"https://$OIDC_HOSTNAME/realms/$REALM/.well-known/openid-configuration","oidc_rp_client_id":"$OIDC_CLIENT_ID","oidc_rp_client_secret":"$OIDC_CLIENT_SECRET","oidc_rp_sign_algo":"RS256"}

It looks like the following isnt implemented, do you know if it is on the roadmap (or did I miss it):

  • Single Logout - Logging out in Mayan doesnt logout from the IDP
  • Role mapping - it doesnt look like the current code checks the claims for any roles

Also, is MAYAN_AUTHENTICATION_OIDC_USER_PROFILE_URL intended to take you to the IDP user page, would be https://${OIDC_HOSTNAME}/realms/$REALM/account/#/ in Keycloak?

Hello,

Actually trying to reproduce the configuration OIDC to manage Mayan with Keycloak.
I have already an instance of Keycloak running.
I clone the repo and edit the .env file to add my own configuration of keycloak endpoint with a given clientId and clientSecret.

Like @ballj, set in the same variables:

MAYAN_AUTHENTICATION_BACKEND = 'mayan.apps.authentication_oidc.authentication_backends.AuthenticationBackendOIDC'
MAYAN_AUTHENTICATION_BACKEND_ARGUMENTS = {...}

But when I try to start the environment with docker-compose up -d mayan don’t start and docker logs return the following error.

mayan: starting entrypoint.sh
Connection attempt #1 to: port postgresql:5432; Connected.
Connection attempt #1 to: port rabbitmq:5672; Connected.
Connection attempt #1 to: port redis:6379; Connected.
mayan: update_uid_gid()
usermod: no changes
mayan: os_package_installs()
mayan: pip_installs()
mayan: initial_setup()
/opt/mayan-edms/lib/python3.9/site-packages/requests/__init__.py:102: RequestsDependencyWarning: urllib3 (1.26.15) or chardet (5.1.0)/charset_normalizer (2.0.12) doesn't match a supported version!
  warnings.warn("urllib3 ({}) or chardet ({})/charset_normalizer ({}) doesn't match a supported "
Traceback (most recent call last):
  File "/opt/mayan-edms/bin/mayan-edms.py", line 22, in <module>
    main()
  File "/opt/mayan-edms/bin/mayan-edms.py", line 18, in main
    execute_from_command_line(sys.argv)
  File "/opt/mayan-edms/lib/python3.9/site-packages/django/core/management/__init__.py", line 419, in execute_from_command_line
    utility.execute()
  File "/opt/mayan-edms/lib/python3.9/site-packages/django/core/management/__init__.py", line 395, in execute
    django.setup()
  File "/opt/mayan-edms/lib/python3.9/site-packages/django/__init__.py", line 24, in setup
    apps.populate(settings.INSTALLED_APPS)
  File "/opt/mayan-edms/lib/python3.9/site-packages/django/apps/registry.py", line 122, in populate
    app_config.ready()
  File "/opt/mayan-edms/lib/python3.9/site-packages/mayan/apps/authentication/apps.py", line 44, in ready
    AuthenticationBackend.cls_initialize()
  File "/opt/mayan-edms/lib/python3.9/site-packages/mayan/apps/authentication/classes.py", line 28, in cls_initialize
    backend = cls.cls_get_instance()
  File "/opt/mayan-edms/lib/python3.9/site-packages/mayan/apps/authentication/classes.py", line 19, in cls_get_instance
    authentication_backend_class = cls.get(
  File "/opt/mayan-edms/lib/python3.9/site-packages/mayan/apps/databases/classes.py", line 79, in get
    return cls._registry.get(cls, {})[name]
KeyError: 'mayan.apps.authentication_oidc.authentication_backends.AuthenticationBackendOIDC'

Did I miss something in the configuration ?

Thanks

Is it possible to enable OIDC alongside standard authentication? I currently only managed to get one at a time working.

It is not possible because having both defeats the purpose of having separate authentication in the first place.

Your statement does not make sense at all. Having two different authentication schemes is a common use case and various applications support it. Speaking for Mayan it wouldn’t cause noteworthy effort as other mechanisms are already implemented, which is essentially the reason why I was asking.

This config seems to work, but Mayan redirects to http and not https. Do you know which env variable to set to fix this?

from mayan.settings.production import *

SECURE_PROXY_SSL_HEADER = ("HTTP_X_FORWARDED_PROTO", "https")

Added to override settings

Hi,

What is the callback URL you are using within Keycloak for this setup?

I think it should be:
https://MAYAN-HOSTNAME/oidc/callback/

But would be good to hear if this is correct, thanks!

kind regards,

Hakiem

for those interested, add it like this to a helm chart values.yaml file to setup the env parameter:

MAYAN_SECURE_PROXY_SSL_HEADER: “{‘HTTP_X_FORWARDED_PROTO’:‘https’}”

No need to change the code when doing it like this …

I’m afraid I spoke too soon… this param doesn’t seem to do the trick.