Discourse with Keycloak for SSO

Is there a way to set up Keycloak as the auth provider for Discourse? I need this to work in an SSO manner, so that my users who have created an account managed by Keycloak automatically have access and are logged in to the Discourse instance too.
I have read about the OpenID configuration, and people say that users have to log in separately and create a separate account in Discourse with this setup. It's not exactly what I am after.

Anything I could/should read about the topic?
My intention is to have Discourse and Keycloak set up in separate Docker Compose containers, and I would need seamless auth between them so that I could create posts in Discourse using my API backend on behalf of the user that is logged in to my JS frontend app, with user data managed by Keycloak.

The easiest solution I have used for users with Keycloak as their enterprise IAM is to set up discourse-saml:
https://github.com/discourse/discourse-saml

Configuring Keycloak SAML is fairly straightforward:
https://www.keycloak.org/docs/latest/server_admin/index.html#_saml

Alternatively, you can connect via OpenID Connect as well:
https://github.com/discourse/discourse-openid-connect

To let users automatically log in with SAML, you'll have to disable all other authentication methods, including local login. Make sure that your admin account already has a corresponding account on Keycloak, or you'll be locked out of admin.


Interesting, thanks.
Disabling all other means of login is not really an option. I want to keep using my Keycloak as the main means of auth in my app, but, additionally, allow users to be in Discourse.
That would mean that my users need to be able to register with login/password or any social network they want and just get an account that would work for both my app and Discourse.
Is something like that possible?

PS. Just reading it through again, do you mean disable auth methods on Keycloak or in Discourse?

Social auth or username/password would have to be done via Keycloak. Plus, I just realized that it doesn't automatically log in users. What it would do is let users authenticate directly against Keycloak if they click on the login button.

So let's say that I at first want to access everything via the API. Will I still be able to?
Login is part of the Discourse UI.

Let's say a new user registers on my Keycloak server and I have this SAML integration. The user is logged in to my JS web app and I have his token. Will I be able to somehow call the Discourse API using just this token?
That is if I want to have a custom UI creating Posts from my web-app.

You can access all the API endpoints using API keys, as far as I know.

You should be able to, nothing is stopping you from doing that.

@AAverin did you find a solution?

@AAverin did you go over this?