OIDC / Keycloak

fgaillard · February 4, 2019, 12:35pm

We got something working with keycloak and OIDC, by just overriding the file : oauth2_database.rb

Mostly you need to provide a link to the “userinfo” endpoint of keycloak,

class Oauth2Database < OmniAuth::Strategies::OAuth2
  option :name, 'oauth2'
  
  def initialize(app, *args, &block)
    # database lookup
    config = Setting.get('auth_oauth2_credentials') || {}
    args[0] = config['app_id']
    args[1] = config['app_secret']
    args[2][:client_options] = args[2][:client_options].merge(config.symbolize_keys)
    super
  end

  def callback_url
    full_host + script_name + callback_path
  end

  uid { raw_info['sub'] }

  info do
    {
      email:      raw_info['email'],
      username:   raw_info['name'],
      login:      raw_info['preferred_username'],
      first_name: raw_info['given_name'],
      last_name:  raw_info['family_name'],
    }
  end

  extra do
    {
    'raw_info' => raw_info
    }
  end

	def raw_info
	  @raw_info ||= begin
	    # 
	    # todo build the URI from the settings
	    #
		uri = URI.parse("https://keycloak.mydomain.org/auth/realms/REALMNAME/protocol/openid-connect/userinfo")
		request = Net::HTTP::Get.new(uri)
		request['Authorization'] = 'Bearer ' + access_token.token

		response = Net::HTTP.start(uri.host, uri.port, :use_ssl => uri.scheme == 'https') do |http|
		  http.request(request)
		end
		Rails.logger.info "RESPONSE = #{response.body}"
		JSON.parse(response.body)
	  end
	end

end

Hope it can help you.

MrGeneration · February 4, 2019, 4:42pm

Please note that changing Zammad files is not update-safe and produces further needed work on every update.

mattronix · February 4, 2019, 5:19pm

Any way you could OIDC or SAML support?

Most enterprises use either OIDC or SAML these day

Thanks!!

mattronix · February 4, 2019, 5:20pm

Oah neat will need to test it

fgaillard · February 5, 2019, 2:39pm

Yes, sure. We use Ansible to automatically deploy Zammad and override a few files.

And yes it has to be tested and validated for each upgrades.

mattronix · February 5, 2019, 10:54pm

Silly question but what is the full path to the file?

mattronix · February 5, 2019, 10:56pm

Found it /opt/zammad/vendor/lib/oauth2_database.rb

pawad · March 12, 2019, 2:54pm

Can anyone share some client settings for keycloak that work?
I’m still wrestling with this and getting vague errors from zammad.

timo · April 4, 2019, 2:14pm

I also try to figure out how to get zammad and keycloak play together. But I am little stuck…

Few basic questions

Do I need to modify oauth2_database.rb file by hand?
Can group be provided from keycloak?
Can new user login directly via Oauth2 login or do I have create user forehand to zammad?

If someone could help little bit I would be very happy

nicolas · April 12, 2019, 7:30am

Timo, did you succeed ? I also struggled to integrate Zammad with Keycloak and OIDC, but eventually got it working after modifying oauth2_database.rb as described by fgaillard, while adjusting the UserInfo endpoint URL.

timo · April 12, 2019, 8:20am

Not yet. I have modified oauth2_database.rb file like fgaillard described. But when I try to login zammad I get following error from zammad " 422: The change you wanted was rejected. Message from oauth2: invalid_credentials". I am not sure if my dev enviroment could affect to that because I don’t have https in use (only http). Next I try on our prod enviroment where we have https certificates in use

muristan · May 24, 2019, 4:10pm

Hi,

someone using actual Zammad version 2.9 with Keycloak?

I tried to do this. But after modifying the file oauth2_database.rb, zammad is not started anymore. Unfortunately no error message in the log.

Logfile:
I, [2019-05-24T18:24:44.951851 #30373-47097529438040] INFO – : Setting.set(‘product_logo’, “e1bcceb4310ab11f0703570d79d3297f.png”)
I, [2019-05-24T18:24:44.996864 #30317-47336712679260] INFO – : Setting.set(‘product_logo’, “e1bcceb4310ab11f0703570d79d3297f.png”)
I, [2019-05-24T18:24:54.541605 #30407-47368826384200] INFO – : Setting.set(‘product_logo’, “e1bcceb4310ab11f0703570d79d3297f.png”)
I, [2019-05-24T18:24:54.685129 #30439-46984700465000] INFO – : Setting.set(‘product_logo’, “e1bcceb4310ab11f0703570d79d3297f.png”)
I, [2019-05-24T18:24:54.721180 #30438-46982998912840] INFO – : Setting.set(‘product_logo’, “e1bcceb4310ab11f0703570d79d3297f.png”)
I, [2019-05-24T18:25:04.130981 #30513-47108753452880] INFO – : Setting.set(‘product_logo’, “e1bcceb4310ab11f0703570d79d3297f.png”)
I, [2019-05-24T18:25:04.356646 #30533-46946074996560] INFO – : Setting.set(‘product_logo’, “e1bcceb4310ab11f0703570d79d3297f.png”)
I, [2019-05-24T18:25:04.482935 #30571-47150401810260] INFO – : Setting.set(‘product_logo’, “e1bcceb4310ab11f0703570d79d3297f.png”)
I, [2019-05-24T18:25:13.847471 #30608-47298343087960] INFO – : Setting.set(‘product_logo’, “e1bcceb4310ab11f0703570d79d3297f.png”)
I, [2019-05-24T18:25:14.182459 #30638-47167214907240] INFO – : Setting.set(‘product_logo’, “e1bcceb4310ab11f0703570d79d3297f.png”)
I, [2019-05-24T18:25:14.332937 #30639-47454637977420] INFO – : Setting.set(‘product_logo’, “e1bcceb4310ab11f0703570d79d3297f.png”)
I, [2019-05-24T18:25:23.294963 #30707-47458085220180] INFO – : Setting.set(‘product_logo’, “e1bcceb4310ab11f0703570d79d3297f.png”)
I, [2019-05-24T18:25:23.486196 #30736-46950055022440] INFO – : Setting.set(‘product_logo’, “e1bcceb4310ab11f0703570d79d3297f.png”)
I, [2019-05-24T18:25:23.957967 #30764-47448598237020] INFO – : Setting.set(‘product_logo’, “e1bcceb4310ab11f0703570d79d3297f.png”)
I, [2019-05-24T18:25:32.788838 #30806-47069437874000] INFO – : Setting.set(‘product_logo’, “e1bcceb4310ab11f0703570d79d3297f.png”)
I, [2019-05-24T18:25:32.860718 #30805-47423005708120] INFO – : Setting.set(‘product_logo’, “e1bcceb4310ab11f0703570d79d3297f.png”)
I, [2019-05-24T18:25:33.743286 #30864-47119643750240] INFO – : Setting.set(‘product_logo’, “e1bcceb4310ab11f0703570d79d3297f.png”)
…

I’m using zammad 2.9 on Debian Stretch.
Andreas

MrGeneration · May 24, 2019, 6:41pm

Did you ensure that the formatting is correct? Ruby is very picky about that. One “Tab” would be 3 spacings. If Zammad doesn’t start, that’s a sign that formatting is wrong.

mattronix · May 24, 2019, 7:05pm

Hi All,

I can tell you its still working on version 2.9

Upgraded last week still using keycloak, happy to help where i can!

mattronix · May 24, 2019, 7:07pm

@muristan

you will need to change the keycloak url in this but here is what we are using in production:

mattronix · May 24, 2019, 7:09pm

Great work your doing on zammad!

Is it on the road map to support the oauth2 userinfo end point?

If not anyway that i could help or package this as a plugin ?

muristan · May 25, 2019, 12:25pm

Thanks for your hints! I got Keycloak with openid connect protocol to work with Zammad. Great!!
When doing the first login using Keycloak, Zammad creates a new user. Login token is not email but the Keycloak User ID. There is no way to edit this in order to give this ID to an eyxisting user. Or did I miss something?

mattronix · May 25, 2019, 12:37pm

our users seem to get linked by email address however our usernames are also our email addresses.

thorsteneckel · September 18, 2019, 1:03pm

Hey there! I just want to share the news here that Zammad 3.2 will support SAML authentication out of the box without the need to change files. We had great support from @carl2187 who verified that Keycloak integration works as expected.

system · March 15, 2020, 4:50am

This topic was automatically closed after 416 days. New replies are no longer allowed.