Using Keycloak SSO

hi all, I am completely new to Indico. Did anyone here configured Keycloak SSO for Indico? is it technically doable? I searched the documentation with no luck. Thank you.

Works fine with the generic authlib option and OIDC.

1 Like

Should i enable it in the indico.conf file? thanks

Try something like this.

AUTH_PROVIDERS = {
    'keycloak': {
        'type': 'authlib',
        'title': 'Keycloak',
        'authlib_args': {
            'client_id': 'xxx',
            'client_secret': 'yyy',
            'server_metadata_url': 'https://xxx/auth/realms/xxx/.well-known/openid-configuration',
            'client_kwargs': {'scope': 'openid'}
        }
    },
}

IDENTITY_PROVIDERS = {
    'keycloak': {
        'type': 'authlib',
        'title': 'Keycloak',
        'mapping': {
            'first_name': 'given_name',
            'last_name': 'family_name',
            'phone': 'phone_number',
        },
        'trusted_email': True,
        'synced_fields': {'first_name', 'last_name'}
    }
}
2 Likes

thank you soo much. You are so helpful indeed.

hi,

I just configured the Keycloak and created realms and Clients and added above
config preceded with

# Keycloak
LOCAL_IDENTITIES = 'False'
LOCAL_REGISTRATION = 'False'
EXTERNAL_REGISTRATION_URL = 'https://xxx/auth/realms/Indico/account/'

to /opt/indico/indico.conf and restarted with

systemctl restart uwsgi.service httpd.service indico-celery.service

I got Internal Server Error message but cant find any entry in the

/opt/indico/log/indico.log
/opt/indico/log/celery.log
/opt/indico/log/other.log
/opt/indico/log/apache/error.log

if i remove this config system restart fine. Can you please give me some clue what could be wrong?

thank you

Those boolean options are booleans, not strings. Remove the single quotes. Not sure if that’s what’s causing the error though, could also be a syntax error somewhere. If you run e.g. indico shell in the terminal, you get a more meaningful error and traceback.

1 Like

I dont know how to run the shell but systemctl status uwsgi.service has some clue. How to enter the indico shell plz, i searched but cant find any clue so far.

Active: active (running) since Mon 2021-03-15 22:24:56 +08; 10min ago
 Main PID: 29317 (uwsgi)
   Status: "uWSGI is ready"
   CGroup: /system.slice/uwsgi.service
           ├─29317 indico uWSGI master
           ├─29346 indico uWSGI worker 1
           ├─29348 indico uWSGI worker 2
           ├─29350 indico uWSGI worker 3
           └─29352 indico uWSGI worker 4

Mar 15 22:24:56 localhost uwsgi[29317]: Mon Mar 15 22:24:56 2021 - mem-collector thread started for worker 2
Mar 15 22:24:56 localhost uwsgi[29317]: spawned uWSGI worker 3 (pid: 29350, cores: 1)
Mar 15 22:24:56 localhost uwsgi[29317]: Mon Mar 15 22:24:56 2021 - mem-collector thread started for worker 3
Mar 15 22:24:56 localhost uwsgi[29317]: spawned uWSGI worker 4 (pid: 29352, cores: 1)
Mar 15 22:24:56 localhost uwsgi[29317]: *** Stats server enabled on /opt/indico/web/uwsgi-stats.sock fd: 20 ***
Mar 15 22:24:56 localhost uwsgi[29317]: Mon Mar 15 22:24:56 2021 - mem-collector thread started for worker 4
Mar 15 22:25:00 localhost uwsgi[29317]: --- no python application found, check your startup logs for errors ---
Mar 15 22:25:00 localhost uwsgi[29317]: --- no python application found, check your startup logs for errors ---
Mar 15 22:25:10 localhost uwsgi[29317]: --- no python application found, check your startup logs for errors ---
Mar 15 22:25:10 localhost uwsgi[29317]: --- no python application found, check your startup logs for errors ---

You simply run indico shell in your terminal (while logged in as the indico user and having activated the virtualenv with source ~/.venv/bin/activate).

1 Like

Could this be the issue? ImportError: No module named authlib.common.errors

complete error message below

 Traceback (most recent call last):`
      File "/opt/indico/.venv/bin/indico", line 8, in <module>
        sys.exit(cli())
      File "/opt/indico/.venv/lib/python2.7/site-packages/click/core.py", line 829, in __call__
        return self.main(*args, **kwargs)
      File "/opt/indico/.venv/lib/python2.7/site-packages/flask/cli.py", line 586, in main
        return super(FlaskGroup, self).main(*args, **kwargs)
      File "/opt/indico/.venv/lib/python2.7/site-packages/click/core.py", line 782, in main
        rv = self.invoke(ctx)
      File "/opt/indico/.venv/lib/python2.7/site-packages/click/core.py", line 1259, in invoke
        return _process_result(sub_ctx.command.invoke(sub_ctx))
      File "/opt/indico/.venv/lib/python2.7/site-packages/click/core.py", line 1066, in invoke
        return ctx.invoke(self.callback, **ctx.params)
      File "/opt/indico/.venv/lib/python2.7/site-packages/click/core.py", line 610, in invoke
        return callback(*args, **kwargs)
      File "/opt/indico/.venv/lib/python2.7/site-packages/click/decorators.py", line 21, in new_func
        return f(get_current_context(), *args, **kwargs)
      File "/opt/indico/.venv/lib/python2.7/site-packages/flask/cli.py", line 425, in decorator
        with __ctx.ensure_object(ScriptInfo).load_app().app_context():
      File "/opt/indico/.venv/lib/python2.7/site-packages/flask/cli.py", line 381, in load_app
        app = call_factory(self, self.create_app)
      File "/opt/indico/.venv/lib/python2.7/site-packages/flask/cli.py", line 117, in call_factory
        return app_factory(script_info)
      File "/opt/indico/.venv/lib/python2.7/site-packages/indico/cli/util.py", line 28, in _create_app
        return make_app(set_path=True)
      File "/opt/indico/.venv/lib/python2.7/site-packages/indico/web/flask/app.py", line 365, in make_app
        multipass.init_app(app)
      File "/opt/indico/.venv/lib/python2.7/site-packages/indico/core/auth.py", line 50, in init_app
        super(IndicoMultipass, self).init_app(app)
      File "/opt/indico/.venv/lib/python2.7/site-packages/flask_multipass/core.py", line 75, in init_app
        state.auth_providers = ImmutableDict(self._create_providers('AUTH', AuthProvider))
      File "/opt/indico/.venv/lib/python2.7/site-packages/flask_multipass/core.py", line 453, in _create_providers
        cls = resolve_provider_type(base, settings.pop('type'), registry)
      File "/opt/indico/.venv/lib/python2.7/site-packages/flask_multipass/util.py", line 157, in resolve_provider_type
        cls = entry_point.load()
      File "/opt/indico/.venv/lib/python2.7/site-packages/pkg_resources/__init__.py", line 2291, in load
        return self.resolve()
      File "/opt/indico/.venv/lib/python2.7/site-packages/pkg_resources/__init__.py", line 2297, in resolve
        module = __import__(self.module_name, fromlist=['__name__'], level=0)
      File "/opt/indico/.venv/lib/python2.7/site-packages/flask_multipass/providers/authlib.py", line 9, in <module>
        from authlib.common.errors import AuthlibBaseError
    ImportError: No module named authlib.common.errors
    (.venv) [indico@localhost ~]$ indico shell
    Traceback (most recent call last):
      File "/opt/indico/.venv/bin/indico", line 8, in <module>
        sys.exit(cli())
      File "/opt/indico/.venv/lib/python2.7/site-packages/click/core.py", line 829, in __call__
        return self.main(*args, **kwargs)
      File "/opt/indico/.venv/lib/python2.7/site-packages/flask/cli.py", line 586, in main
        return super(FlaskGroup, self).main(*args, **kwargs)
      File "/opt/indico/.venv/lib/python2.7/site-packages/click/core.py", line 782, in main
        rv = self.invoke(ctx)
      File "/opt/indico/.venv/lib/python2.7/site-packages/click/core.py", line 1259, in invoke
        return _process_result(sub_ctx.command.invoke(sub_ctx))
      File "/opt/indico/.venv/lib/python2.7/site-packages/click/core.py", line 1066, in invoke
        return ctx.invoke(self.callback, **ctx.params)
      File "/opt/indico/.venv/lib/python2.7/site-packages/click/core.py", line 610, in invoke
        return callback(*args, **kwargs)
      File "/opt/indico/.venv/lib/python2.7/site-packages/click/decorators.py", line 21, in new_func
        return f(get_current_context(), *args, **kwargs)
      File "/opt/indico/.venv/lib/python2.7/site-packages/flask/cli.py", line 425, in decorator
        with __ctx.ensure_object(ScriptInfo).load_app().app_context():
      File "/opt/indico/.venv/lib/python2.7/site-packages/flask/cli.py", line 381, in load_app
        app = call_factory(self, self.create_app)
      File "/opt/indico/.venv/lib/python2.7/site-packages/flask/cli.py", line 117, in call_factory
        return app_factory(script_info)
      File "/opt/indico/.venv/lib/python2.7/site-packages/indico/cli/util.py", line 28, in _create_app
        return make_app(set_path=True)
      File "/opt/indico/.venv/lib/python2.7/site-packages/indico/web/flask/app.py", line 365, in make_app
        multipass.init_app(app)
      File "/opt/indico/.venv/lib/python2.7/site-packages/indico/core/auth.py", line 50, in init_app
        super(IndicoMultipass, self).init_app(app)
      File "/opt/indico/.venv/lib/python2.7/site-packages/flask_multipass/core.py", line 75, in init_app
        state.auth_providers = ImmutableDict(self._create_providers('AUTH', AuthProvider))
      File "/opt/indico/.venv/lib/python2.7/site-packages/flask_multipass/core.py", line 453, in _create_providers
        cls = resolve_provider_type(base, settings.pop('type'), registry)
      File "/opt/indico/.venv/lib/python2.7/site-packages/flask_multipass/util.py", line 157, in resolve_provider_type
        cls = entry_point.load()
      File "/opt/indico/.venv/lib/python2.7/site-packages/pkg_resources/__init__.py", line 2291, in load
        return self.resolve()
      File "/opt/indico/.venv/lib/python2.7/site-packages/pkg_resources/__init__.py", line 2297, in resolve
        module = __import__(self.module_name, fromlist=['__name__'], level=0)
      File "/opt/indico/.venv/lib/python2.7/site-packages/flask_multipass/providers/authlib.py", line 9, in <module>
        from authlib.common.errors import AuthlibBaseError
    ImportError: No module named authlib.common.errors

Ah yes of course, authlib is not a direct dependency of Indico so I forgot to mention that you need to pip install authlib

1 Like

as root user or indico user?

indico user inside the virtualenv.

1 Like

It is done working now. I now can login with Keycloak into my Indico installation.

Thank you so much you are very helpful.

Final version of indico.conf was in case some others might have similar case.

# Keycloak
LOCAL_IDENTITIES = False
LOCAL_REGISTRATION = False
EXTERNAL_REGISTRATION_URL = 'https://xxx:8443/auth/realms/Indico/account/'

AUTH_PROVIDERS = {
    'keycloak': {
        'type': 'authlib',
        'title': 'Keycloak',
        'authlib_args': {
            'client_id': 'Indico',
            'client_secret': 'xxx',
            'server_metadata_url': 'https://xxx:8443/auth/realms/Indico/.well-known/openid-configuration',
            'client_kwargs': {'scope': 'openid'}
        }
    }
}

IDENTITY_PROVIDERS = {
    'keycloak': {
        'type': 'authlib',
        'title': 'Keycloak',
        'mapping': {
            'first_name': 'given_name',
            'last_name': 'family_name',
            'phone': 'phone_number'
        },
        'trusted_email': True,
        'synced_fields': {'first_name', 'last_name'}
    }
}

Hi, another question.
I just noticed that

  1. if I hit logout from ex Dashboard https://www/logout/?next=%2Fuser%2Fdashboard%2F is called and which I suspect causing me to stay at Keycloak login page.
  2. If I hit log out from Homepage https://wwwlogout/?next=%2F is called and I stay at the Indico homepage.

I want users to stay at the Indico homepage irrespective of from which page they click logout do you know how to achieve this? thanks.

PS: I also noticed that the logout link is keeping track of user’s last page so that when the user comes back they start from the page where they left which is also very useful.

I also noticed that the logout link is keeping track of user’s last page so that when the user comes back they start from the page where they left which is also very useful.

That actually answers your question :wink: You are redirected back to the dashboard page, but since this requires a login, it redirects you to the login, so you end up on keycloak again.

I want users to stay at the Indico homepage irrespective of from which page they click logout do you know how to achieve this? thanks.

We do not have a setting for this…

1 Like