Hi all, I am completely new to Indico. Has anyone here configured Keycloak SSO for Indico? Is it technically doable? I searched the documentation with no luck. Thank you.
Works fine with the generic authlib option and OIDC.
Should I enable it in the indico.conf file? Thanks.
Try something like this.
AUTH_PROVIDERS = {
    'keycloak': {
        'type': 'authlib',
        'title': 'Keycloak',
        'authlib_args': {
            'client_id': 'xxx',
            'client_secret': 'yyy',
            'server_metadata_url': 'https://xxx/auth/realms/xxx/.well-known/openid-configuration',
            'client_kwargs': {'scope': 'openid'}
        }
    },
}
IDENTITY_PROVIDERS = {
    'keycloak': {
        'type': 'authlib',
        'title': 'Keycloak',
        'mapping': {
            'first_name': 'given_name',
            'last_name': 'family_name',
            'phone': 'phone_number',
        },
        'trusted_email': True,
        'synced_fields': {'first_name', 'last_name'}
    }
}
Thank you so much. You are so helpful indeed.
Hi,
I just configured Keycloak, created realms and clients, and added the above config, preceded with
# Keycloak
LOCAL_IDENTITIES = 'False'
LOCAL_REGISTRATION = 'False'
EXTERNAL_REGISTRATION_URL = 'https://xxx/auth/realms/Indico/account/'
to /opt/indico/indico.conf
and restarted with
systemctl restart uwsgi.service httpd.service indico-celery.service
I got an Internal Server Error message but can't find any entry in
/opt/indico/log/indico.log
/opt/indico/log/celery.log
/opt/indico/log/other.log
/opt/indico/log/apache/error.log
If I remove this config, the system restarts fine. Can you please give me some clue what could be wrong?
Thank you
Those boolean options are booleans, not strings. Remove the single quotes. Not sure if that’s what’s causing the error though, could also be a syntax error somewhere. If you run e.g. indico shell in the terminal, you get a more meaningful error and traceback.
I don't know how to run the shell, but systemctl status uwsgi.service has some clue. How do I enter the indico shell, please? I searched but can't find any clue so far.
Active: active (running) since Mon 2021-03-15 22:24:56 +08; 10min ago
Main PID: 29317 (uwsgi)
Status: "uWSGI is ready"
CGroup: /system.slice/uwsgi.service
├─29317 indico uWSGI master
├─29346 indico uWSGI worker 1
├─29348 indico uWSGI worker 2
├─29350 indico uWSGI worker 3
└─29352 indico uWSGI worker 4
Mar 15 22:24:56 localhost uwsgi[29317]: Mon Mar 15 22:24:56 2021 - mem-collector thread started for worker 2
Mar 15 22:24:56 localhost uwsgi[29317]: spawned uWSGI worker 3 (pid: 29350, cores: 1)
Mar 15 22:24:56 localhost uwsgi[29317]: Mon Mar 15 22:24:56 2021 - mem-collector thread started for worker 3
Mar 15 22:24:56 localhost uwsgi[29317]: spawned uWSGI worker 4 (pid: 29352, cores: 1)
Mar 15 22:24:56 localhost uwsgi[29317]: *** Stats server enabled on /opt/indico/web/uwsgi-stats.sock fd: 20 ***
Mar 15 22:24:56 localhost uwsgi[29317]: Mon Mar 15 22:24:56 2021 - mem-collector thread started for worker 4
Mar 15 22:25:00 localhost uwsgi[29317]: --- no python application found, check your startup logs for errors ---
Mar 15 22:25:00 localhost uwsgi[29317]: --- no python application found, check your startup logs for errors ---
Mar 15 22:25:10 localhost uwsgi[29317]: --- no python application found, check your startup logs for errors ---
Mar 15 22:25:10 localhost uwsgi[29317]: --- no python application found, check your startup logs for errors ---
You simply run indico shell in your terminal (while logged in as the indico user and having activated the virtualenv with source ~/.venv/bin/activate).
Could this be the issue? ImportError: No module named authlib.common.errors
Complete error message below:
(.venv) [indico@localhost ~]$ indico shell
Traceback (most recent call last):
File "/opt/indico/.venv/bin/indico", line 8, in <module>
sys.exit(cli())
File "/opt/indico/.venv/lib/python2.7/site-packages/click/core.py", line 829, in __call__
return self.main(*args, **kwargs)
File "/opt/indico/.venv/lib/python2.7/site-packages/flask/cli.py", line 586, in main
return super(FlaskGroup, self).main(*args, **kwargs)
File "/opt/indico/.venv/lib/python2.7/site-packages/click/core.py", line 782, in main
rv = self.invoke(ctx)
File "/opt/indico/.venv/lib/python2.7/site-packages/click/core.py", line 1259, in invoke
return _process_result(sub_ctx.command.invoke(sub_ctx))
File "/opt/indico/.venv/lib/python2.7/site-packages/click/core.py", line 1066, in invoke
return ctx.invoke(self.callback, **ctx.params)
File "/opt/indico/.venv/lib/python2.7/site-packages/click/core.py", line 610, in invoke
return callback(*args, **kwargs)
File "/opt/indico/.venv/lib/python2.7/site-packages/click/decorators.py", line 21, in new_func
return f(get_current_context(), *args, **kwargs)
File "/opt/indico/.venv/lib/python2.7/site-packages/flask/cli.py", line 425, in decorator
with __ctx.ensure_object(ScriptInfo).load_app().app_context():
File "/opt/indico/.venv/lib/python2.7/site-packages/flask/cli.py", line 381, in load_app
app = call_factory(self, self.create_app)
File "/opt/indico/.venv/lib/python2.7/site-packages/flask/cli.py", line 117, in call_factory
return app_factory(script_info)
File "/opt/indico/.venv/lib/python2.7/site-packages/indico/cli/util.py", line 28, in _create_app
return make_app(set_path=True)
File "/opt/indico/.venv/lib/python2.7/site-packages/indico/web/flask/app.py", line 365, in make_app
multipass.init_app(app)
File "/opt/indico/.venv/lib/python2.7/site-packages/indico/core/auth.py", line 50, in init_app
super(IndicoMultipass, self).init_app(app)
File "/opt/indico/.venv/lib/python2.7/site-packages/flask_multipass/core.py", line 75, in init_app
state.auth_providers = ImmutableDict(self._create_providers('AUTH', AuthProvider))
File "/opt/indico/.venv/lib/python2.7/site-packages/flask_multipass/core.py", line 453, in _create_providers
cls = resolve_provider_type(base, settings.pop('type'), registry)
File "/opt/indico/.venv/lib/python2.7/site-packages/flask_multipass/util.py", line 157, in resolve_provider_type
cls = entry_point.load()
File "/opt/indico/.venv/lib/python2.7/site-packages/pkg_resources/__init__.py", line 2291, in load
return self.resolve()
File "/opt/indico/.venv/lib/python2.7/site-packages/pkg_resources/__init__.py", line 2297, in resolve
module = __import__(self.module_name, fromlist=['__name__'], level=0)
File "/opt/indico/.venv/lib/python2.7/site-packages/flask_multipass/providers/authlib.py", line 9, in <module>
from authlib.common.errors import AuthlibBaseError
ImportError: No module named authlib.common.errors
Ah yes of course, authlib is not a direct dependency of Indico so I forgot to mention that you need to pip install authlib
As root user or indico user?
indico user inside the virtualenv.
It is done and working now. I can now log in with Keycloak to my Indico installation.
Thank you so much, you are very helpful.
The final version of indico.conf was as follows, in case others have a similar case.
# Keycloak
LOCAL_IDENTITIES = False
LOCAL_REGISTRATION = False
EXTERNAL_REGISTRATION_URL = 'https://xxx:8443/auth/realms/Indico/account/'
AUTH_PROVIDERS = {
    'keycloak': {
        'type': 'authlib',
        'title': 'Keycloak',
        'authlib_args': {
            'client_id': 'Indico',
            'client_secret': 'xxx',
            'server_metadata_url': 'https://xxx:8443/auth/realms/Indico/.well-known/openid-configuration',
            'client_kwargs': {'scope': 'openid'}
        }
    }
}
IDENTITY_PROVIDERS = {
    'keycloak': {
        'type': 'authlib',
        'title': 'Keycloak',
        'mapping': {
            'first_name': 'given_name',
            'last_name': 'family_name',
            'phone': 'phone_number'
        },
        'trusted_email': True,
        'synced_fields': {'first_name', 'last_name'}
    }
}
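A preflight check for the two failures hit in this thread (quoted booleans, missing authlib), added here as an example; it is not part of the original posts or of Indico. It assumes Python 3, reads only literal assignments, and the https, scope and trusted_email warnings are extra hardening checks; `check_conf`, `installed` and the sample strings are constructed names.

```python
import ast
import importlib.util

# Constructed sample modelled on the first attempt in the thread (quoted booleans).
BROKEN_CONF = """
LOCAL_IDENTITIES = 'False'
LOCAL_REGISTRATION = 'False'
AUTH_PROVIDERS = {'keycloak': {'type': 'authlib', 'title': 'Keycloak', 'authlib_args': {
    'client_id': 'Indico', 'client_secret': 'xxx',
    'server_metadata_url': 'https://xxx:8443/auth/realms/Indico/.well-known/openid-configuration',
    'client_kwargs': {'scope': 'openid'}}}}
IDENTITY_PROVIDERS = {'keycloak': {'type': 'authlib', 'title': 'Keycloak',
    'mapping': {'first_name': 'given_name'}, 'trusted_email': True}}
"""
FIXED_CONF = BROKEN_CONF.replace("'False'", "False")


def installed(module):
    """True if `module` can be imported by the interpreter running this check."""
    return importlib.util.find_spec(module) is not None


def check_conf(source, have_module=installed):
    """Return (level, message) findings for indico.conf-style source."""
    conf = {}
    for node in ast.parse(source, "indico.conf").body:  # SyntaxError surfaces here
        if isinstance(node, ast.Assign) and isinstance(node.targets[0], ast.Name):
            try:
                conf[node.targets[0].id] = ast.literal_eval(node.value)
            except ValueError:
                pass  # non-literal setting, outside the scope of this check
    found = []
    for key in ("LOCAL_IDENTITIES", "LOCAL_REGISTRATION"):
        if key in conf and not isinstance(conf[key], bool):
            found.append(("error", f"{key} must be a bool, not {conf[key]!r}"))
    for name, prov in conf.get("AUTH_PROVIDERS", {}).items():
        if prov.get("type") != "authlib":
            continue
        if not have_module("authlib"):
            found.append(("error", "authlib is not installed in this virtualenv"))
        args = prov.get("authlib_args", {})
        if not args.get("server_metadata_url", "").startswith("https://"):
            found.append(("warn", f"{name}: server_metadata_url is not https://"))
        if "openid" not in args.get("client_kwargs", {}).get("scope", "").split():
            found.append(("warn", f"{name}: scope lacks 'openid'"))
    for name, prov in conf.get("IDENTITY_PROVIDERS", {}).items():
        if prov.get("trusted_email"):
            found.append(("warn", f"{name}: trusted_email is set; Indico treats "
                          "e-mail from this IdP as verified"))
    return found
```

The authlib probe is only meaningful when run with the interpreter of the virtualenv Indico itself uses; the trusted_email warning is a reminder to have the Keycloak realm verify e-mail addresses before Indico relies on them.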
Hi, another question.
I just noticed that
- if I hit logout from e.g. the Dashboard, https://www/logout/?next=%2Fuser%2Fdashboard%2F is called, which I suspect is causing me to stay at the Keycloak login page.
- if I hit logout from the Homepage, https://wwwlogout/?next=%2F is called and I stay at the Indico homepage.
I want users to stay at the Indico homepage irrespective of which page they click logout from. Do you know how to achieve this? Thanks.
PS: I also noticed that the logout link is keeping track of user’s last page so that when the user comes back they start from the page where they left which is also very useful.
I also noticed that the logout link is keeping track of user’s last page so that when the user comes back they start from the page where they left which is also very useful.
That actually answers your question. You are redirected back to the dashboard page, but since this requires a login, it redirects you to the login, so you end up on Keycloak again.
I want users to stay at the Indico homepage irrespective of from which page they click logout do you know how to achieve this? thanks.
We do not have a setting for this…