OIDC Login Config

ballj · March 6, 2023, 5:26pm

Hi,

I saw that OIDC was added in 4.4 and the docker compose also spins up a Keycloak instance.

Are you able to provide an example what is required in order to use keycloak to authenticate?

It looks like the AUTHENTICATION_BACKENDS and AUTHENTICATION_BACKEND_ARGUMENTS set to include the Keycloak OIDC info?

Can the environment vars in the docker image be used to configure it?
Does it support role mapping from Keycloak to Mayan?

Regards,
Joe

roberto.rosario · March 6, 2023, 11:50pm

Hi,

There are many ways to setup OIDC authentication (as you mention role mappings, but also multiple realms, schemas, login workflows, scopes, scope token expirations and renewals). Centralized identity management is a platform configuration aspect unique to each deployment. Attempting to create documentation to cover even the most common use cases of OIDC would be a project on its own and beyond the scope of Mayan’s documentation.

ballj · March 7, 2023, 6:09pm

Took a look at the config and managed to get Keycloak (using OIDC discovery URL) working using the following docker env vars:

MAYAN_AUTHENTICATION_BACKEND = 'mayan.apps.authentication_oidc.authentication_backends.AuthenticationBackendOIDC'
MAYAN_AUTHENTICATION_BACKEND_ARGUMENTS = {"oidc_discovery_url":"https://$OIDC_HOSTNAME/realms/$REALM/.well-known/openid-configuration","oidc_rp_client_id":"$OIDC_CLIENT_ID","oidc_rp_client_secret":"$OIDC_CLIENT_SECRET","oidc_rp_sign_algo":"RS256"}

It looks like the following isnt implemented, do you know if it is on the roadmap (or did I miss it):

Single Logout - Logging out in Mayan doesnt logout from the IDP
Role mapping - it doesnt look like the current code checks the claims for any roles

Also, is MAYAN_AUTHENTICATION_OIDC_USER_PROFILE_URL intended to take you to the IDP user page, would be https://${OIDC_HOSTNAME}/realms/$REALM/account/#/ in Keycloak?

KrakN · April 25, 2023, 1:37pm

Hello,

Actually trying to reproduce the configuration OIDC to manage Mayan with Keycloak.
I have already an instance of Keycloak running.
I clone the repo and edit the .env file to add my own configuration of keycloak endpoint with a given clientId and clientSecret.

Like @ballj, set in the same variables:

MAYAN_AUTHENTICATION_BACKEND = 'mayan.apps.authentication_oidc.authentication_backends.AuthenticationBackendOIDC'
MAYAN_AUTHENTICATION_BACKEND_ARGUMENTS = {...}

But when I try to start the environment with docker-compose up -d mayan don’t start and docker logs return the following error.

mayan: starting entrypoint.sh
Connection attempt #1 to: port postgresql:5432; Connected.
Connection attempt #1 to: port rabbitmq:5672; Connected.
Connection attempt #1 to: port redis:6379; Connected.
mayan: update_uid_gid()
usermod: no changes
mayan: os_package_installs()
mayan: pip_installs()
mayan: initial_setup()
/opt/mayan-edms/lib/python3.9/site-packages/requests/__init__.py:102: RequestsDependencyWarning: urllib3 (1.26.15) or chardet (5.1.0)/charset_normalizer (2.0.12) doesn't match a supported version!
  warnings.warn("urllib3 ({}) or chardet ({})/charset_normalizer ({}) doesn't match a supported "
Traceback (most recent call last):
  File "/opt/mayan-edms/bin/mayan-edms.py", line 22, in <module>
    main()
  File "/opt/mayan-edms/bin/mayan-edms.py", line 18, in main
    execute_from_command_line(sys.argv)
  File "/opt/mayan-edms/lib/python3.9/site-packages/django/core/management/__init__.py", line 419, in execute_from_command_line
    utility.execute()
  File "/opt/mayan-edms/lib/python3.9/site-packages/django/core/management/__init__.py", line 395, in execute
    django.setup()
  File "/opt/mayan-edms/lib/python3.9/site-packages/django/__init__.py", line 24, in setup
    apps.populate(settings.INSTALLED_APPS)
  File "/opt/mayan-edms/lib/python3.9/site-packages/django/apps/registry.py", line 122, in populate
    app_config.ready()
  File "/opt/mayan-edms/lib/python3.9/site-packages/mayan/apps/authentication/apps.py", line 44, in ready
    AuthenticationBackend.cls_initialize()
  File "/opt/mayan-edms/lib/python3.9/site-packages/mayan/apps/authentication/classes.py", line 28, in cls_initialize
    backend = cls.cls_get_instance()
  File "/opt/mayan-edms/lib/python3.9/site-packages/mayan/apps/authentication/classes.py", line 19, in cls_get_instance
    authentication_backend_class = cls.get(
  File "/opt/mayan-edms/lib/python3.9/site-packages/mayan/apps/databases/classes.py", line 79, in get
    return cls._registry.get(cls, {})[name]
KeyError: 'mayan.apps.authentication_oidc.authentication_backends.AuthenticationBackendOIDC'

Did I miss something in the configuration ?

Thanks

joh-ku · June 9, 2023, 3:15pm

Is it possible to enable OIDC alongside standard authentication? I currently only managed to get one at a time working.

izidora0k · June 14, 2023, 1:15am

It is not possible because having both defeats the purpose of having separate authentication in the first place.

joh-ku · June 22, 2023, 7:20pm

Your statement does not make sense at all. Having two different authentication schemes is a common use case and various applications support it. Speaking for Mayan it wouldn’t cause noteworthy effort as other mechanisms are already implemented, which is essentially the reason why I was asking.

jakob1379 · August 21, 2023, 12:56pm

This config seems to work, but Mayan redirects to http and not https. Do you know which env variable to set to fix this?