Add LDAP and Keycloak as AUTH_PROVIDERS

Good morning,

Currently, user authentication is done through LDAP, but we want to add Keycloak as AUTH_PROVIDER. The current configuration is as follows:

# Local (Indico-managed) accounts and self-registration are both switched
# off, so every login has to go through an entry in AUTH_PROVIDERS.
LOCAL_IDENTITIES = False
LOCAL_REGISTRATION = False
# External page where people can request an account (host redacted in the post).
EXTERNAL_REGISTRATION_URL = 'https://MMMMMM/new-user-request/'

# Connection and search settings for the directory. The same dict is passed
# to both the 'ldap' auth provider and the 'ldap' identity provider.
_ldap_config = {
    # ldaps:// means the connection to the directory is made over TLS.
    'uri': 'ldaps://CCCCCCC',
    # Service-account credentials used for the bind (redacted in the post).
    # They sit in the config file in clear text: keep that file readable only
    # by the Indico user and out of version control and support requests.
    'bind_dn': 'ZZZZZZZZZZZZZZZZZZZZ',
    'bind_password': 'XXXXXXXXXXXXXXXXXXX',
    'timeout': 30,
    # Leave certificate verification enabled; without it the ldaps:// server
    # is not authenticated and a spoofed directory could receive the bind
    # password and user passwords.
    'verify_cert': True,
    'page_size': 1500,

    # User lookup: 'uid' is the attribute holding the login name; searches
    # are restricted to 'user_base' and filtered by 'user_filter'.
    'uid': 'uid',
    'user_base': 'DC=mmm,DC=es',
    'user_filter': '(objectClass=person)',

    # Group lookup: same pattern as above, with 'cn' as the group identifier.
    'gid': 'cn',
    'group_base': 'CN=XXXX',
    'group_filter': '(objectClass=groupOfNames)',
    'member_of_attr': 'memberOf',
    # NOTE(review): presumably False because this is not Active Directory
    # (groupOfNames schema above) -- confirm against the directory in use.
    'ad_group_style': False,
}

# Login methods offered to users. Every key here must be linked to an entry
# in IDENTITY_PROVIDERS (via PROVIDER_MAP), otherwise start-up fails with
# "Auth providers not linked to identity providers".
AUTH_PROVIDERS = {
    # Username/password login checked against the directory in _ldap_config.
    'ldap': {
        'type': 'ldap',
        'title': 'IFCA LDAP',
        'ldap': _ldap_config,
        # Marks this as the default (form-based) login method.
        'default': True
    },

    # Login through Keycloak, handled by the 'authlib' provider type.
    'keycloak': {
        'type': 'authlib',
        'title': 'Keycloak',
        'authlib_args': {
            # Client registered in Keycloak for Indico (values redacted in the
            # post). The client secret is a credential: protect the config
            # file accordingly and rotate the secret if it is ever exposed.
            'client_id': 'ZZZZZZZZZZ',
            'client_secret': 'XXXXXXXXXXXXXXXX',
            # NOTE(review): presumably the realm's OpenID Connect discovery
            # document; it should be an https:// URL so the endpoints and
            # signing keys it advertises cannot be tampered with in transit.
            'server_metadata_url': 'YYYYYYYYYYYYYYYYYY',
            # NOTE(review): only the 'openid' scope is requested -- confirm
            # that the Keycloak client still returns the name and email
            # claims the identity provider mapping relies on.
            'client_kwargs': {'scope': 'openid'}
        }
    }
}
# Sources of user data (name, email, affiliation, groups) for the accounts
# that authenticate through AUTH_PROVIDERS.
IDENTITY_PROVIDERS = {
    'ldap': {
        'type': 'ldap',
        'title': 'LDAP',
        'ldap': _ldap_config,
        # Indico profile field -> LDAP attribute it is read from.
        'mapping': {
            'first_name': 'givenName',
            'last_name': 'sn',
            'email': 'mail',
            'affiliation': 'O',
        },
        # Emails from this provider are treated as already verified, so a
        # login whose email matches an existing Indico user is linked to
        # that account without a confirmation step.
        'trusted_email': True,
        'default_group_provider': True,
        # Profile fields kept in sync with the provider. NOTE(review): the
        # 'keycloak' entry sets this too, while Indico refuses to start with
        # "There can only be one sync provider." -- keep it on one entry only.
        'synced_fields': {'first_name', 'last_name', 'email', 'affiliation'}
    },

    'keycloak': {
        'type': 'authlib',
        'title': 'Keycloak',
        # NOTE(review): these are the LDAP attribute names copied from the
        # 'ldap' entry. An OpenID Connect provider normally returns claims
        # such as given_name / family_name / email -- confirm against what
        # Keycloak actually sends, or the fields will come back empty.
        'mapping': {
            'first_name': 'givenName',
            'last_name': 'sn',
            'email': 'mail',
            'affiliation': 'O',
        },
        # Only keep this True if Keycloak guarantees that email addresses are
        # verified and cannot be freely edited by users; otherwise a login
        # could be attached to an existing Indico account merely because the
        # address matches.
        'trusted_email': True,
        # NOTE(review): also set on the 'ldap' entry, and no group settings
        # are configured for this provider -- confirm which provider is meant
        # to be the default group source.
        'default_group_provider': True,
        # NOTE(review): 'synced_fields' is also set on the 'ldap' entry; see
        # the "There can only be one sync provider." error reported later.
        'synced_fields': {'first_name', 'last_name', 'email', 'affiliation'}
    }
}
# Links each auth provider (key) to the identity provider (value) that
# supplies its user data. Only 'ldap' is listed here, so the new 'keycloak'
# auth provider is left without an identity provider; that is the condition
# the ValueError in the traceback below reports.
PROVIDER_MAP = {
    'ldap': 'ldap'
}

but the system now returns an “Internal Server Error”. Running `indico shell` shows:

(indico) indico@indico:~$ indico shell
Traceback (most recent call last):
  File "/opt/indico/.venv/bin/indico", line 8, in <module>
    sys.exit(cli())
             ^^^^^
  File "/opt/indico/.venv/lib/python3.12/site-packages/click/core.py", line 1157, in __call__
    return self.main(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/indico/.venv/lib/python3.12/site-packages/click/core.py", line 1078, in main
    rv = self.invoke(ctx)
         ^^^^^^^^^^^^^^^^
  File "/opt/indico/.venv/lib/python3.12/site-packages/click/core.py", line 1688, in invoke
    return _process_result(sub_ctx.command.invoke(sub_ctx))
                           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/indico/.venv/lib/python3.12/site-packages/click/core.py", line 1434, in invoke
    return ctx.invoke(self.callback, **ctx.params)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/indico/.venv/lib/python3.12/site-packages/click/core.py", line 783, in invoke
    return __callback(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/indico/.venv/lib/python3.12/site-packages/click/decorators.py", line 33, in new_func
    return f(get_current_context(), *args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/indico/.venv/lib/python3.12/site-packages/flask/cli.py", line 383, in decorator
    app = ctx.ensure_object(ScriptInfo).load_app()
          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/indico/.venv/lib/python3.12/site-packages/flask/cli.py", line 328, in load_app
    app: Flask | None = self.create_app()
                        ^^^^^^^^^^^^^^^^^
  File "/opt/indico/.venv/lib/python3.12/site-packages/indico/cli/util.py", line 26, in _create_app
    return make_app()
           ^^^^^^^^^^
  File "/opt/indico/.venv/lib/python3.12/site-packages/indico/web/flask/app.py", line 420, in make_app
    multipass.init_app(app)
  File "/opt/indico/.venv/lib/python3.12/site-packages/indico/core/auth.py", line 80, in init_app
    super().init_app(app)
  File "/opt/indico/.venv/lib/python3.12/site-packages/flask_multipass/core.py", line 80, in init_app
    validate_provider_map(state)
  File "/opt/indico/.venv/lib/python3.12/site-packages/flask_multipass/util.py", line 171, in validate_provider_map
    raise ValueError('Auth providers not linked to identity providers: ' + ', '.join(invalid_keys))
ValueError: Auth providers not linked to identity providers: keycloak

Any idea?
Regards, I

Either remove PROVIDER_MAP so that the mapping is set up implicitly, or add the new provider to it:

# Auth provider name (key) -> identity provider name (value). Every entry in
# AUTH_PROVIDERS needs a link here once the map is defined explicitly.
PROVIDER_MAP = {
    'ldap': 'ldap',
    'keycloak': 'keycloak',
}

Hi, I just added it and now I get:
  File "/opt/indico/.venv/lib/python3.12/site-packages/indico/web/flask/app.py", line 420, in make_app
    multipass.init_app(app)
  File "/opt/indico/.venv/lib/python3.12/site-packages/indico/core/auth.py", line 82, in init_app
    self._check_default_provider()
  File "/opt/indico/.venv/lib/python3.12/site-packages/indico/core/auth.py", line 88, in _check_default_provider
    raise ValueError('There can only be one sync provider.')
ValueError: There can only be one sync provider.

File "/opt/indico/.indico.conf", line 136
    'keycloak': 'keycloak',

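You can only enable sync for one identity provider. In the configuration above, `synced_fields` is set on both the `ldap` and the `keycloak` entries of IDENTITY_PROVIDERS, so remove it from one of them.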