Open ID Connect


andreas...@muristan.org

May 14, 2019, 5:07:55 PM
to OpenOLAT
I would like to use Keycloak as IDP for OpenOlat. Authentication works, but login into OpenOlat fails with message: "OAuth Login ok but the user has not an account on OpenOLAT".

The user email in the request token exists in a user account in OpenOlat and the user name is the same. How can I configure the mapping?

Thanks and best regards
Andreas

Florian Gnaegi

May 14, 2019, 5:28:32 PM
to open...@googlegroups.com
Hi Andreas

Which oAuth implementation are you using?  OpenID Connect Implicit Flow?

In your logfile, do you also get a message "OAuth Login failed, user with user name yo...@email.address.com not found."?

Are you sure your IDP does in fact include the users email address?

When you log in OpenOlat, open the usermanagement, lookup the user and select the authentications tab. Do you have an entry for your oAuth authentication provider?

oAuth is very low level; we have different implementations for different providers that handle the details all a bit differently. LinkedIn, Twitter, Google, Facebook etc. are all oAuth2, but each of them has its specialities. We have never tested with Keycloak, no idea what this provider is doing in detail.

We can test and implement this provider and add it to the list of supported implementations. If you are interested we can send you a quote. 


Cheers
Florian



--
You received this message because you are a member of the Google Groups group "OpenOLAT".
To post to this group, send an email to open...@googlegroups.com
To unsubscribe from this group, send an email to openolat+u...@googlegroups.com
For more options, visit this group at http://groups.google.com/group/openolat?hl=de
-------------------------------------------------------------------------------------------------------------------
OpenOLAT - infinite learning - http://www.openolat.org

--- 
You received this message because you are subscribed to the Google Groups "OpenOLAT" group.
To unsubscribe from this group and stop receiving emails from it, send an email to openolat+u...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/openolat/df2aed45-1eda-480b-83b1-1bc1a107c8c0%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

--------------------------------------------------------------------
professional services for the e-learning system OpenOLAT
hosting - operating - support - development - mobile - consulting
--------------------------------------------------------------------
frentix  GmbH
Florian Gnägi, Geschäftsführer
Hardturmstrasse 76
CH-8005 Zürich, Switzerland
--------------------------------------------------------------------

andreas...@muristan.org

May 15, 2019, 6:17:32 PM
to OpenOLAT
Hi Florian,

Keycloak supports the Open ID Connect protocol: in OpenOlat 13.2.0 (on Debian) > Administration > Login > Social providers I found Open ID Connect Implicit Flow. So I activated an OpenOlat client on Keycloak with Implicit Flow. Email is in the scope.
But in User Management for this user on Authentications tab: "No data found that could be displayed."

In the log is the message: Auth Login failed, user with user name c23ec5fd-0fea-4a0d-b1ca-9132e90f7cf4 not found.
In the access token the user name is in "preferred_username".

Greetings
Andreas

Florian Gnaegi

May 16, 2019, 1:04:04 AM
to open...@googlegroups.com
Hi Andreas

You must send "openid" and "email" to make it work. This is what the OpenID Connect provider sent when we implemented this. Can you configure Keycloak this way? If not, we need to implement a specific Keycloak provider or make the scopes configurable in the code.

Cheers
Florian


andreas...@muristan.org

May 16, 2019, 1:56:33 AM
to OpenOLAT
This is my access token:

{
  "jti": "d8xxxxxx28-xxxxxxxx3-9b89-604xxxxxbaeb9",
  "exp": 1557985548,
  "nbf": 0,
  "iat": 1557985488,
  "iss": "https://idp01.muristan.org:8443/auth/realms/master",
  "aud": [
    "ApacheESHCalendarViewCID",
    "account"
  ],
  "sub": "cxxxxfd-0fea-4xxd-b1ca-913xxxxcf4",
  "typ": "Bearer",
  "azp": "OpenOlatCID",
  "auth_time": 0,
  "session_state": "77193ba4-b632-4c08-880a-afb638595279",
  "acr": "1",
  "realm_access": {
    "roles": [
      "offline_access",
      "uma_authorization",
      "Apache_ESH_Calendar_View_Role"
    ]
  },
  "resource_access": {
    "ApacheESHCalendarViewCID": {
      "roles": [
        "Apache_ESH_Calendar_View_Role"
      ]
    },
    "account": {
      "roles": [
        "manage-account",
        "manage-account-links",
        "view-profile"
      ]
    }
  },
  "scope": "email openid profile",
  "email_verified": true,
  "openid": "true",
  "name": "Andreas Keller",
  "preferred_username": "andreas.keller",
  "given_name": "Andreas",
  "family_name": "Keller",
  "email": "em...@xxxxxx.com"
}

Greetings
Andreas


On Thursday, 16 May 2019 07:04:04 UTC+2, Florian Gnaegi wrote:
Hi Andreas

Stéphane Rossé

May 17, 2019, 2:27:01 AM
to OpenOLAT
Hi

The Open ID connector was made for a specific customer and is not very configurable yet. OpenOLAT uses only the "sub" attribute to match the email and username in OpenOLAT.

Best regards
Stéphane 

andreas...@muristan.org

May 17, 2019, 3:27:51 PM
to OpenOLAT
Hi Stéphane,

This helped! I set the sub claim to the email address and it worked!

In Keycloak Administration: Clients > OpenOLAT > Mappers > Create emailOnSub: Mapper Type: User Property - Property: email - Token Claim Name: sub - Claim JSON Type: string

Thank you all for your great work on OpenOLAT!
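As an added illustration of the matching rule Stéphane describes and of why the Keycloak mapper fixes it, here is a small Python script (not OpenOLAT's or Keycloak's code). It models an OpenOLAT account lookup that compares only the `sub` claim against username and email, runs it once with Keycloak's default `sub` (the user's internal UUID, constructed here) and once with the `emailOnSub` mapper applied. The user directory, the claim values and the unsigned token builder are all constructed for the demo; the `email_verified` check is an added hardening step, not something the thread says OpenOLAT does, and signature verification is assumed to happen in the OIDC client library before this lookup.

```python
import base64
import json

# Constructed OpenOLAT user directory (assumption: the account exists with the
# same username and email as the IDP user, as the thread states).
OPENOLAT_USERS = [
    {"username": "andreas.keller", "email": "andreas.keller@example.org"},
    {"username": "jane.doe", "email": "jane.doe@example.org"},
]


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    # JWT segments drop the '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def build_unsigned_token(claims: dict) -> str:
    """Constructed header.payload.signature string with an empty signature,
    used only so the demo has a token-shaped input to parse."""
    header = b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


def decode_claims(token: str) -> dict:
    """Parse the payload segment. Signature verification is assumed to be done
    by the OIDC client library before this point; this helper only parses."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected header.payload.signature")
    return json.loads(b64url_decode(parts[1]))


def find_openolat_user(claims: dict, users=OPENOLAT_USERS):
    """Matching rule from the thread: only 'sub' is compared against an
    account's username and email; preferred_username and email are ignored.
    Added hardening (assumption): when 'sub' carries an email address, accept
    it only if the IDP marks that email as verified."""
    sub = claims.get("sub")
    if not sub:
        return None
    if "@" in sub and claims.get("email_verified") is not True:
        return None
    for user in users:
        if sub == user["username"] or sub.lower() == user["email"].lower():
            return user
    return None


def login_result(claims: dict) -> str:
    """Mirror the two log lines quoted in the thread."""
    user = find_openolat_user(claims)
    if user is None:
        return f"OAuth Login failed, user with user name {claims.get('sub')} not found."
    return f"OAuth Login ok for {user['username']}"


# Before the mapper: Keycloak's default 'sub' is the internal user UUID
# (constructed value, not the one from the thread).
CLAIMS_DEFAULT = {
    "sub": "11111111-2222-4333-8444-555555555555",
    "preferred_username": "andreas.keller",
    "email": "andreas.keller@example.org",
    "email_verified": True,
    "scope": "email openid profile",
}

# After the 'emailOnSub' mapper (User Property: email -> Token Claim Name: sub):
# the email property is emitted as 'sub', so the lookup succeeds.
CLAIMS_MAPPED = dict(CLAIMS_DEFAULT, sub="andreas.keller@example.org")


if __name__ == "__main__":
    for label, claims in (("default sub", CLAIMS_DEFAULT), ("email in sub", CLAIMS_MAPPED)):
        token = build_unsigned_token(claims)
        print(f"{label}: {login_result(decode_claims(token))}")
```

Design note: `sub` is meant to be a stable, opaque identifier, while an email can be changed on the IDP side; if the mapper is the only link between IDP and OpenOLAT accounts, a change of email in Keycloak silently changes which OpenOLAT account the login resolves to, which is why the example refuses unverified emails in `sub`.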