OIDC / Keycloak

Hello All,

I would like to request or suggest an OIDC provider for authentication, or support for SAML; this would allow authentication with Keycloak or enterprise SSO such as ADFS, OneLogin or Okta without having to pay for a really expensive OAuth2 license.

Thank you for reading! :slight_smile:

4 Likes

We got something working with Keycloak and OIDC by just overriding the file oauth2_database.rb.

Mostly you need to provide a link to the “userinfo” endpoint of Keycloak:

require 'json'
require 'net/http'
require 'uri'

class Oauth2Database < OmniAuth::Strategies::OAuth2
  option :name, 'oauth2'

  def initialize(app, *args, &block)
    # database lookup: client id, secret and client_options come from the
    # "auth_oauth2_credentials" setting stored in Zammad's database
    config = Setting.get('auth_oauth2_credentials') || {}
    args[0] = config['app_id']
    args[1] = config['app_secret']
    args[2][:client_options] = args[2][:client_options].merge(config.symbolize_keys)
    super
  end

  def callback_url
    full_host + script_name + callback_path
  end

  # the OIDC "sub" claim is the stable identifier of the user at this issuer
  uid { raw_info['sub'] }

  info do
    {
      email:      raw_info['email'],
      username:   raw_info['name'],
      login:      raw_info['preferred_username'],
      first_name: raw_info['given_name'],
      last_name:  raw_info['family_name'],
    }
  end

  extra do
    {
      'raw_info' => raw_info
    }
  end

  # fetch the user's claims from Keycloak's userinfo endpoint with the
  # access token obtained in the OAuth2 callback
  def raw_info
    @raw_info ||= begin
      #
      # todo build the URI from the settings
      #
      uri = URI.parse("https://keycloak.mydomain.org/auth/realms/REALMNAME/protocol/openid-connect/userinfo")
      request = Net::HTTP::Get.new(uri)
      request['Authorization'] = 'Bearer ' + access_token.token

      response = Net::HTTP.start(uri.host, uri.port, use_ssl: uri.scheme == 'https') do |http|
        http.request(request)
      end
      # only accept a successful answer; otherwise JSON.parse would choke on
      # Keycloak's error body (e.g. for an expired token) and the real cause
      # would be hard to see
      unless response.is_a?(Net::HTTPSuccess)
        raise "userinfo request failed: #{response.code} #{response.message}"
      end
      # the body contains personal data (email, names), so keep it out of
      # the INFO log in production
      Rails.logger.debug "RESPONSE = #{response.body}"
      JSON.parse(response.body)
    end
  end

end

Hope it can help you.

3 Likes

Please note that changing Zammad files is not update-safe and produces further needed work on every update.

Any way you could add OIDC or SAML support?

Most enterprises use either OIDC or SAML these days :frowning:

Thanks!!

Oh neat :slight_smile: will need to test it

Yes, sure. We use Ansible to automatically deploy Zammad and override a few files.

And yes, it has to be tested and validated for each upgrade.

2 Likes

Silly question but what is the full path to the file?

Found it /opt/zammad/vendor/lib/oauth2_database.rb

Can anyone share some client settings for keycloak that work?
I’m still wrestling with this and getting vague errors from zammad.

I am also trying to figure out how to get Zammad and Keycloak to play together. But I am a little stuck…

A few basic questions

  • Do I need to modify the oauth2_database.rb file by hand?
  • Can groups be provided from Keycloak?
  • Can a new user log in directly via OAuth2 login, or do I have to create the user beforehand in Zammad?

If someone could help a little bit I would be very happy :slight_smile:

Timo, did you succeed? I also struggled to integrate Zammad with Keycloak and OIDC, but eventually got it working after modifying oauth2_database.rb as described by fgaillard, while adjusting the UserInfo endpoint URL.

Not yet. I have modified the oauth2_database.rb file like fgaillard described. But when I try to log in to Zammad I get the following error from Zammad: "422: The change you wanted was rejected. Message from oauth2: invalid_credentials". I am not sure if my dev environment could affect that, because I don’t have https in use (only http). Next I will try on our prod environment where we have https certificates in use :slight_smile:

Hi,

Is someone using the current Zammad version 2.9 with Keycloak?

I tried to do this. But after modifying the file oauth2_database.rb, Zammad does not start anymore. Unfortunately there is no error message in the log.

Logfile:
I, [2019-05-24T18:24:44.951851 #30373-47097529438040] INFO -- : Setting.set('product_logo', "e1bcceb4310ab11f0703570d79d3297f.png")
I, [2019-05-24T18:24:44.996864 #30317-47336712679260] INFO -- : Setting.set('product_logo', "e1bcceb4310ab11f0703570d79d3297f.png")
I, [2019-05-24T18:24:54.541605 #30407-47368826384200] INFO -- : Setting.set('product_logo', "e1bcceb4310ab11f0703570d79d3297f.png")
I, [2019-05-24T18:24:54.685129 #30439-46984700465000] INFO -- : Setting.set('product_logo', "e1bcceb4310ab11f0703570d79d3297f.png")
I, [2019-05-24T18:24:54.721180 #30438-46982998912840] INFO -- : Setting.set('product_logo', "e1bcceb4310ab11f0703570d79d3297f.png")
I, [2019-05-24T18:25:04.130981 #30513-47108753452880] INFO -- : Setting.set('product_logo', "e1bcceb4310ab11f0703570d79d3297f.png")
I, [2019-05-24T18:25:04.356646 #30533-46946074996560] INFO -- : Setting.set('product_logo', "e1bcceb4310ab11f0703570d79d3297f.png")
I, [2019-05-24T18:25:04.482935 #30571-47150401810260] INFO -- : Setting.set('product_logo', "e1bcceb4310ab11f0703570d79d3297f.png")
I, [2019-05-24T18:25:13.847471 #30608-47298343087960] INFO -- : Setting.set('product_logo', "e1bcceb4310ab11f0703570d79d3297f.png")
I, [2019-05-24T18:25:14.182459 #30638-47167214907240] INFO -- : Setting.set('product_logo', "e1bcceb4310ab11f0703570d79d3297f.png")
I, [2019-05-24T18:25:14.332937 #30639-47454637977420] INFO -- : Setting.set('product_logo', "e1bcceb4310ab11f0703570d79d3297f.png")
I, [2019-05-24T18:25:23.294963 #30707-47458085220180] INFO -- : Setting.set('product_logo', "e1bcceb4310ab11f0703570d79d3297f.png")
I, [2019-05-24T18:25:23.486196 #30736-46950055022440] INFO -- : Setting.set('product_logo', "e1bcceb4310ab11f0703570d79d3297f.png")
I, [2019-05-24T18:25:23.957967 #30764-47448598237020] INFO -- : Setting.set('product_logo', "e1bcceb4310ab11f0703570d79d3297f.png")
I, [2019-05-24T18:25:32.788838 #30806-47069437874000] INFO -- : Setting.set('product_logo', "e1bcceb4310ab11f0703570d79d3297f.png")
I, [2019-05-24T18:25:32.860718 #30805-47423005708120] INFO -- : Setting.set('product_logo', "e1bcceb4310ab11f0703570d79d3297f.png")
I, [2019-05-24T18:25:33.743286 #30864-47119643750240] INFO -- : Setting.set('product_logo', "e1bcceb4310ab11f0703570d79d3297f.png")

I’m using zammad 2.9 on Debian Stretch.
Andreas

Did you ensure that the formatting is correct? Ruby is very picky about that. One “Tab” would be 3 spaces. If Zammad doesn’t start, that’s a sign that the formatting is wrong.

Hi All,

I can tell you it's still working on version 2.9 :slight_smile:

Upgraded last week, still using Keycloak, happy to help where I can!

@muristan

You will need to change the Keycloak URL in this, but here is what we are using in production:

Great work you're doing on Zammad!

Is it on the roadmap to support the OAuth2 userinfo endpoint?

If not, is there any way I could help or package this as a plugin?

Thanks for your hints! I got Keycloak with the OpenID Connect protocol to work with Zammad. Great!! :slight_smile:
When doing the first login using Keycloak, Zammad creates a new user. The login token is not the email but the Keycloak user ID. There is no way to edit this in order to give this ID to an existing user. Or did I miss something?

1 Like

Our users seem to get linked by email address; however, our usernames are also our email addresses.
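An added example, not code from this thread, from Zammad or from Keycloak, that ties together two points raised above: the posted strategy hard-codes the userinfo URL and parses whatever Keycloak returns, and the last two posts show logins being matched to accounts either by the Keycloak user ID (`sub`) or by email address. The helpers below take the userinfo endpoint from the realm's OIDC discovery document after checking that the document belongs to the configured issuer, reject a non-200 userinfo answer instead of parsing it, and refuse to link a login to an existing account by email unless Keycloak reports `email_verified`. The issuer URL and realm name are placeholders, and the sample discovery document and claims are constructed for the example.

```ruby
require 'json'
require 'uri'

# Example helpers for a Keycloak/OIDC strategy (not Zammad code). The
# issuer is a placeholder and the sample documents are made up.
module KeycloakOidcHelpers
  class OidcError < StandardError; end

  # Hypothetical realm; mirrors the placeholder URL used in the thread.
  ISSUER = 'https://keycloak.mydomain.org/auth/realms/REALMNAME'.freeze

  # Constructed discovery document, shaped like Keycloak's
  # /.well-known/openid-configuration (only the fields used here).
  SAMPLE_DISCOVERY = JSON.generate(
    'issuer'            => ISSUER,
    'userinfo_endpoint' => "#{ISSUER}/protocol/openid-connect/userinfo"
  ).freeze

  # Constructed userinfo claims for a test user.
  SAMPLE_CLAIMS = {
    'sub'                => '4f2c1e88-0b8d-4f0e-9d1f-6a0d0c7d3b21',
    'email'              => 'jane.doe@example.org',
    'email_verified'     => true,
    'name'               => 'Jane Doe',
    'preferred_username' => 'jdoe',
    'given_name'         => 'Jane',
    'family_name'        => 'Doe'
  }.freeze

  # 1. Resolve the userinfo endpoint from the discovery document instead
  #    of hard-coding it, and make sure the document really describes the
  #    issuer we configured (same issuer string, same host, https only).
  def self.userinfo_endpoint(discovery_json, expected_issuer = ISSUER)
    doc = JSON.parse(discovery_json)
    raise OidcError, "issuer mismatch: #{doc['issuer'].inspect}" unless doc['issuer'] == expected_issuer

    endpoint = doc['userinfo_endpoint']
    raise OidcError, 'discovery document has no userinfo_endpoint' if endpoint.nil?

    uri = URI.parse(endpoint)
    raise OidcError, 'userinfo endpoint must use https' unless uri.scheme == 'https'
    raise OidcError, 'userinfo endpoint host differs from issuer host' unless uri.host == URI.parse(expected_issuer).host

    uri
  end

  # 2. Only accept a successful JSON object as userinfo. Calling JSON.parse
  #    on whatever comes back turns an expired token (401 with an error
  #    body) into a confusing parse error instead of a clear failure.
  def self.parse_userinfo(status, body)
    raise OidcError, "userinfo request failed with HTTP #{status}" unless status == 200

    claims = JSON.parse(body)
    raise OidcError, 'userinfo body is not a JSON object' unless claims.is_a?(Hash)

    claims
  end

  # 3. Map claims to the uid/info hash an OmniAuth strategy exposes.
  #    link_by_email: true means the application will attach this login to
  #    an existing account with the same address, so the address must be
  #    one the IdP has verified; otherwise anyone who can set an arbitrary
  #    email on their IdP profile could take over that account.
  def self.auth_info(claims, link_by_email: false)
    sub = claims['sub'].to_s
    raise OidcError, 'userinfo has no sub claim' if sub.empty?

    if link_by_email
      raise OidcError, 'no email claim, cannot link by email' if claims['email'].to_s.empty?
      raise OidcError, 'email not verified by the IdP' unless claims['email_verified'] == true
    end

    {
      uid:  sub,
      info: {
        email:      claims['email'],
        username:   claims['name'],
        login:      claims['preferred_username'] || claims['email'],
        first_name: claims['given_name'],
        last_name:  claims['family_name']
      }
    }
  end
end

if __FILE__ == $PROGRAM_NAME
  uri = KeycloakOidcHelpers.userinfo_endpoint(KeycloakOidcHelpers::SAMPLE_DISCOVERY)
  puts "userinfo endpoint: #{uri}"
  claims = KeycloakOidcHelpers.parse_userinfo(200, JSON.generate(KeycloakOidcHelpers::SAMPLE_CLAIMS))
  p KeycloakOidcHelpers.auth_info(claims, link_by_email: true)
end
```

In a real strategy the discovery document would be fetched once from `ISSUER + '/.well-known/openid-configuration'` and the status/body handed to `parse_userinfo` would come from the `Net::HTTP` response; the issuer and host checks matter because a mis-set or attacker-influenced discovery URL would otherwise send the bearer token to a foreign host.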

Hey there! I just want to share the news here that Zammad 3.2 will support SAML authentication out of the box without the need to change files. We had great support from @carl2187 who verified that Keycloak integration works as expected.