OIDC / Keycloak


#1

Hello All,

I would like to request or suggest an OIDC provider for authentication, or support for SAML; this would allow authentication with Keycloak or enterprise SSO such as ADFS, OneLogin or Okta without having to pay for a really expensive OAuth2 license.

Thank you for reading! :slight_smile:


#2

We got something working with Keycloak and OIDC by just overriding the file oauth2_database.rb.

Mostly you need to provide a link to the “userinfo” endpoint of Keycloak:

require 'net/http'
require 'uri'
require 'json'

class Oauth2Database < OmniAuth::Strategies::OAuth2
  option :name, 'oauth2'

  def initialize(app, *args, &block)
    # database lookup: client id, secret and client_options come from Zammad's settings
    config = Setting.get('auth_oauth2_credentials') || {}
    args[0] = config['app_id']
    args[1] = config['app_secret']
    args[2][:client_options] = args[2][:client_options].merge(config.symbolize_keys)
    super
  end

  def callback_url
    full_host + script_name + callback_path
  end

  # Keycloak identifies the user by the 'sub' claim of the userinfo response
  uid { raw_info['sub'] }

  info do
    {
      email:      raw_info['email'],
      username:   raw_info['name'],
      login:      raw_info['preferred_username'],
      first_name: raw_info['given_name'],
      last_name:  raw_info['family_name'],
    }
  end

  extra do
    {
      'raw_info' => raw_info
    }
  end

  # Fetch the OIDC userinfo claims with the access token obtained from Keycloak
  def raw_info
    @raw_info ||= begin
      #
      # todo build the URI from the settings
      #
      uri = URI.parse("https://keycloak.mydomain.org/auth/realms/REALMNAME/protocol/openid-connect/userinfo")
      request = Net::HTTP::Get.new(uri)
      request['Authorization'] = 'Bearer ' + access_token.token

      response = Net::HTTP.start(uri.host, uri.port, use_ssl: uri.scheme == 'https') do |http|
        http.request(request)
      end
      # debug output: the body contains the user's claims
      Rails.logger.info "RESPONSE = #{response.body}"
      JSON.parse(response.body)
    end
  end

end

Hope it can help you.
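The userinfo call in the post above parses whatever body comes back, so a non-200 reply from Keycloak (expired or wrong-audience access token, wrong realm in the URL) surfaces only as a vague "invalid_credentials" error. The following is an added example, not code from the post or from Zammad, that shows the same userinfo exchange with the checks a practitioner would want: the endpoint is built from a base URL and realm instead of being hard-coded, the HTTP status and content type are checked before parsing, the mandatory `sub` claim is required, and the error message never echoes the response body or the token. The helper names (`keycloak_userinfo_uri`, `fetch_userinfo`, `map_userinfo`, `UserinfoError`) and the sample responses are assumptions constructed for this example; the `http_call` parameter exists only so the example can run offline against a stand-in for Keycloak.

```ruby
require 'json'
require 'uri'
require 'net/http'

# Hypothetical helper names (added example, not Zammad's code).
class UserinfoError < StandardError; end

# Build the Keycloak userinfo endpoint from the server base URL and realm
# instead of hard-coding the full URL.
def keycloak_userinfo_uri(base_url, realm)
  URI.parse("#{base_url.chomp('/')}/auth/realms/#{URI.encode_www_form_component(realm)}/protocol/openid-connect/userinfo")
end

# The real bearer-token GET; returns [status, content_type, body].
def default_http_get(uri, access_token)
  request = Net::HTTP::Get.new(uri)
  request['Authorization'] = "Bearer #{access_token}"
  request['Accept'] = 'application/json'
  response = Net::HTTP.start(uri.host, uri.port, use_ssl: uri.scheme == 'https') { |http| http.request(request) }
  [response.code, response['Content-Type'], response.body]
end

# Fetch and validate the userinfo claims. `http_call` is injectable so the
# example runs offline; by default it performs the real request.
def fetch_userinfo(uri, access_token, http_call: method(:default_http_get))
  status, content_type, body = http_call.call(uri, access_token)

  # Reject anything but 2xx before touching the body; do not log the body or
  # the token, the status alone is enough to diagnose the failure.
  unless status.to_i.between?(200, 299)
    raise UserinfoError, "userinfo endpoint returned HTTP #{status}"
  end
  unless content_type.to_s.start_with?('application/json')
    raise UserinfoError, "userinfo endpoint returned unexpected content type #{content_type.inspect}"
  end

  raw = JSON.parse(body)
  # 'sub' is the stable subject identifier; without it there is nothing to map the user to.
  unless raw['sub'].is_a?(String) && !raw['sub'].empty?
    raise UserinfoError, "userinfo response has no 'sub' claim"
  end
  raw
end

# Map the standard OIDC claims to the info hash shape used by the strategy.
def map_userinfo(raw)
  {
    email:      raw['email'],
    username:   raw['name'],
    login:      raw['preferred_username'],
    first_name: raw['given_name'],
    last_name:  raw['family_name'],
  }
end

# Constructed stand-in for Keycloak (not a real capture): a 401 for an unknown
# token, otherwise a typical userinfo document.
SAMPLE_KEYCLOAK = lambda do |_uri, token|
  unless token == 'sample-access-token'
    next ['401', 'application/json', '{"error":"invalid_token"}']
  end
  claims = {
    'sub' => 'f0e1d2c3-0000-4000-8000-000000000001',
    'email' => 'alice@example.org',
    'name' => 'Alice Example',
    'preferred_username' => 'alice',
    'given_name' => 'Alice',
    'family_name' => 'Example',
  }
  ['200', 'application/json; charset=utf-8', JSON.generate(claims)]
end

if __FILE__ == $PROGRAM_NAME
  uri = keycloak_userinfo_uri('https://keycloak.example.org/', 'demo')
  puts map_userinfo(fetch_userinfo(uri, 'sample-access-token', http_call: SAMPLE_KEYCLOAK)).inspect
  begin
    fetch_userinfo(uri, 'expired-token', http_call: SAMPLE_KEYCLOAK)
  rescue UserinfoError => e
    puts "rejected: #{e.message}"
  end
end
```

Inside the strategy, `raw_info` would call `fetch_userinfo` with `access_token.token` and let the `UserinfoError` fail the callback with a message that names the HTTP status, which is considerably easier to debug than a bare `invalid_credentials`.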


#3

Please note that changing Zammad files is not update-safe and produces further needed work on every update.


#4

Any way you could add OIDC or SAML support?

Most enterprises use either OIDC or SAML these days :frowning:

Thanks!!


#5

Oh neat :slight_smile: will need to test it


#6

Yes, sure. We use Ansible to automatically deploy Zammad and override a few files.

And yes, it has to be tested and validated for each upgrade.


#7

Silly question but what is the full path to the file?


#8

Found it: /opt/zammad/vendor/lib/oauth2_database.rb


#9

Can anyone share some client settings for Keycloak that work?
I’m still wrestling with this and getting vague errors from Zammad.


#10

I am also trying to figure out how to get Zammad and Keycloak to play together, but I am a little stuck…

A few basic questions:

  • Do I need to modify the oauth2_database.rb file by hand?
  • Can groups be provided from Keycloak?
  • Can a new user log in directly via the OAuth2 login, or do I have to create the user in Zammad beforehand?

If someone could help a little bit I would be very happy :slight_smile:


#11

Timo, did you succeed? I also struggled to integrate Zammad with Keycloak and OIDC, but eventually got it working after modifying oauth2_database.rb as described by fgaillard, while adjusting the UserInfo endpoint URL.


#12

Not yet. I have modified the oauth2_database.rb file like fgaillard described. But when I try to log in to Zammad I get the following error from Zammad: "422: The change you wanted was rejected. Message from oauth2: invalid_credentials". I am not sure if my dev environment could affect that, because I don’t have HTTPS in use (only HTTP). Next I will try on our prod environment where we have HTTPS certificates in use :slight_smile:


#13

Hi,

Is anyone using the current Zammad version 2.9 with Keycloak?

I tried to do this. But after modifying the file oauth2_database.rb, Zammad does not start anymore. Unfortunately there is no error message in the log.

Logfile:
I, [2019-05-24T18:24:44.951851 #30373-47097529438040] INFO -- : Setting.set('product_logo', "e1bcceb4310ab11f0703570d79d3297f.png")
I, [2019-05-24T18:24:44.996864 #30317-47336712679260] INFO -- : Setting.set('product_logo', "e1bcceb4310ab11f0703570d79d3297f.png")
I, [2019-05-24T18:24:54.541605 #30407-47368826384200] INFO -- : Setting.set('product_logo', "e1bcceb4310ab11f0703570d79d3297f.png")
I, [2019-05-24T18:24:54.685129 #30439-46984700465000] INFO -- : Setting.set('product_logo', "e1bcceb4310ab11f0703570d79d3297f.png")
I, [2019-05-24T18:24:54.721180 #30438-46982998912840] INFO -- : Setting.set('product_logo', "e1bcceb4310ab11f0703570d79d3297f.png")
I, [2019-05-24T18:25:04.130981 #30513-47108753452880] INFO -- : Setting.set('product_logo', "e1bcceb4310ab11f0703570d79d3297f.png")
I, [2019-05-24T18:25:04.356646 #30533-46946074996560] INFO -- : Setting.set('product_logo', "e1bcceb4310ab11f0703570d79d3297f.png")
I, [2019-05-24T18:25:04.482935 #30571-47150401810260] INFO -- : Setting.set('product_logo', "e1bcceb4310ab11f0703570d79d3297f.png")
I, [2019-05-24T18:25:13.847471 #30608-47298343087960] INFO -- : Setting.set('product_logo', "e1bcceb4310ab11f0703570d79d3297f.png")
I, [2019-05-24T18:25:14.182459 #30638-47167214907240] INFO -- : Setting.set('product_logo', "e1bcceb4310ab11f0703570d79d3297f.png")
I, [2019-05-24T18:25:14.332937 #30639-47454637977420] INFO -- : Setting.set('product_logo', "e1bcceb4310ab11f0703570d79d3297f.png")
I, [2019-05-24T18:25:23.294963 #30707-47458085220180] INFO -- : Setting.set('product_logo', "e1bcceb4310ab11f0703570d79d3297f.png")
I, [2019-05-24T18:25:23.486196 #30736-46950055022440] INFO -- : Setting.set('product_logo', "e1bcceb4310ab11f0703570d79d3297f.png")
I, [2019-05-24T18:25:23.957967 #30764-47448598237020] INFO -- : Setting.set('product_logo', "e1bcceb4310ab11f0703570d79d3297f.png")
I, [2019-05-24T18:25:32.788838 #30806-47069437874000] INFO -- : Setting.set('product_logo', "e1bcceb4310ab11f0703570d79d3297f.png")
I, [2019-05-24T18:25:32.860718 #30805-47423005708120] INFO -- : Setting.set('product_logo', "e1bcceb4310ab11f0703570d79d3297f.png")
I, [2019-05-24T18:25:33.743286 #30864-47119643750240] INFO -- : Setting.set('product_logo', "e1bcceb4310ab11f0703570d79d3297f.png")

I’m using Zammad 2.9 on Debian Stretch.
Andreas


#14

Did you ensure that the formatting is correct? Ruby is very picky about that. One “Tab” would be 3 spaces. If Zammad doesn’t start, that’s a sign that the formatting is wrong.


#15

Hi All,

I can tell you it’s still working on version 2.9 :slight_smile:

Upgraded last week, still using Keycloak; happy to help where I can!


#16

@muristan

You will need to change the Keycloak URL in this, but here is what we are using in production:


#17

Great work you’re doing on Zammad!

Is it on the roadmap to support the OAuth2 userinfo endpoint?

If not, is there any way that I could help or package this as a plugin?