Keycloak with Discourse

Hi everyone,
I’m new to Discourse and I’m trying to use it with Keycloak. But I’m not able to set Keycloak up as SSO for Discourse.
What I need is: the user is authenticated on my site, through Keycloak, and when they try to access my Discourse instance they are already authenticated.
Could someone help me?

Could you provide some more info about your setup please? Did you follow the sso guide? What settings did you add to keycloak? Are requests making it to Discourse?

I tried to follow the SSO guide, but I got confused.
On Discourse I configured the OAuth2 plugin and my SSO configuration is:
enable sso: is checked
sso url: http://mykeycloakdomain/auth/realms/myrealm/protocol/openid-connect/auth?response_type=code&scope=openid&client_id=myclientid&redirect_uri=http//mydiscoursedomain/session/sso_login
sso secret: this_is_my_secret

On Keycloak I just put this url (http://mydiscoursedomain/session/sso_login) on my client Valid Redirect URIs field.

When I log in on Keycloak and it tries to redirect to http://mydiscoursedomain/session/sso_login, the redirect URL is http://mydiscoursedomain/session/sso_login?code=somecode and it gives me HTTP ERROR 500.

OAuth2 plugin is an auth strategy (like Facebook, Twitter, etc) while SSO is another thing.

You want one or another. You can’t use both.

1 Like

I disabled the OAuth2 plugin; even so, when Keycloak redirects to http://mydiscoursedomain/session/sso_login I get an error 500 and the URL comes as http://mydiscoursedomain/session/sso_login?code=qEv3eXual_dkdMteGxeouUu0ih8Q8IGfSg-O__nMYgg.eac438e7-886d-459e-830e-857ef244a0ed
Keycloak did not return the params sso=payload and sig=sig as expected by Discourse.
Maybe this has something to do with the SSO version? Or do I need to configure something else on Keycloak?
My Keycloak instance version is 3.1.0.Final.

There is a post where a user managed to get Keycloak and the OAuth2 plugin to work together.

But this is not Discourse SSO, you should disable SSO and use only the OAuth2 plugin in this case.

Actually I was able to make OAuth2 work with Keycloak. But when I do this, even if the user is authenticated on my site, when they go to my Discourse instance they need to click on the “Log in” button to get access to the information on the forum.
That is why I was trying to make SSO work with Keycloak; doing so, I expect that if the user is already authenticated on my site they would be able to access my Discourse instance without needing to log in or click on the “Log in” button on the Discourse home page.

1 Like

Actually, you can get this behavior on both OAuth2 and SSO, by checking the login_required setting.

However, this will prevent anonymous reading and search engines from listing your site.

So I’m missing some configuration, because if I enable OAuth2 with Keycloak, authenticate myself on Keycloak and in another tab try to access my Discourse instance, I’m redirected to the Discourse login page and need to click on “Log In” (blue button) for Discourse to verify with Keycloak that I’m already authenticated.
I really don’t want anonymous users to be able to read my Discourse instance.

Did you check the login_required setting on Discourse?

Yes, but it is still necessary to click on the “Log in” button to access Discourse, even though I’m already authenticated on my site.
Is there no way to be authenticated on my site and, when I access my Discourse instance, access it without needing to click on the “Log in” button?

I’m not familiar with Keycloak or this specific OAuth integration but this seems relevant to you - but depends on the solution you end up choosing SSO / OAuth etc:

Note that the iframe won’t work if Discourse is running on an unrelated domain, as browsers will consider these cookies to be third-party cookies :cookie:

An alternative is to make sure that all links to the forum point to /session/sso while the user is authenticated in the parent site.

1 Like

@DeanMarkTaylor and @fefrei, thank you for the answer.
But I’m not able to configure Discourse SSO to work with Keycloak.
Keycloak works with the SAML, OpenID and OAuth protocols.
My SSO configuration is:
enable sso: is checked
sso url: http://mykeycloakdomain/auth/realms/myrealm/protocol/openid-connect/auth?response_type=code&scope=openid&client_id=myclientid&redirect_uri=http//mydiscoursedomain/session/sso_login
sso secret: this_is_my_secret

In the sso url I put the redirect_uri to redirect to Discourse session/sso_login. But when Keycloak does the redirect it does not pass the params sso and sig in the URL as expected by Discourse, so I get an error 500. So I don’t know if I’m missing some configuration or if it is not possible to integrate Keycloak with Discourse via SSO.

Discourse uses its own SSO protocol. If there is no Keycloak plugin that supports this yet and you don’t want to build one, you’ll have to use another authentication scheme. I’d suspect then OAuth is easiest because there already is a Discourse plugin for it :slight_smile:
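To make the point in this answer concrete, here is an added illustration (not code from the thread or from Discourse) of what Discourse's own SSO protocol expects: both legs carry `sso` (a base64-encoded query string) and `sig` (its hex HMAC-SHA256 under the shared sso secret), which is why a plain OpenID Connect redirect from Keycloak carrying only `?code=...` cannot be accepted. The secret is the value from the thread's settings; the nonce, external_id, e-mail and username are constructed.

```python
import base64
import hashlib
import hmac
from typing import Optional
from urllib.parse import parse_qs, urlencode

# Shared secret from the thread's settings ("sso secret: this_is_my_secret").
SSO_SECRET = "this_is_my_secret"


def sign(payload_b64: str, secret: str = SSO_SECRET) -> str:
    """sig is the hex HMAC-SHA256 of the base64 payload under the shared secret."""
    return hmac.new(secret.encode(), payload_b64.encode(), hashlib.sha256).hexdigest()


def build_sso_request(nonce: str, return_sso_url: str, secret: str = SSO_SECRET) -> str:
    """What Discourse sends to the configured sso url when a user clicks Log in."""
    payload = urlencode({"nonce": nonce, "return_sso_url": return_sso_url})
    sso = base64.b64encode(payload.encode()).decode()
    return urlencode({"sso": sso, "sig": sign(sso, secret)})


def verify_sso_params(url_or_query: str, secret: str = SSO_SECRET) -> Optional[dict]:
    """Check an sso/sig pair (either leg of the protocol). Returns the decoded
    payload fields, or None when sso/sig are missing or the signature fails,
    which is exactly the case for a Keycloak redirect carrying only ?code=..."""
    params = parse_qs(url_or_query.split("?", 1)[-1])
    if "sso" not in params or "sig" not in params:
        return None
    sso, sig = params["sso"][0], params["sig"][0]
    if not hmac.compare_digest(sign(sso, secret), sig):
        return None
    return {k: v[0] for k, v in parse_qs(base64.b64decode(sso).decode()).items()}


def build_sso_login_url(request_query: str, external_id: str, email: str,
                        username: str, secret: str = SSO_SECRET) -> Optional[str]:
    """What an identity provider must send back to /session/sso_login: the
    same nonce plus identity fields, base64-encoded and signed again."""
    req = verify_sso_params(request_query, secret)
    if req is None:
        return None
    payload = urlencode({"nonce": req["nonce"], "external_id": external_id,
                         "email": email, "username": username})
    sso = base64.b64encode(payload.encode()).decode()
    return req["return_sso_url"] + "?" + urlencode({"sso": sso, "sig": sign(sso, secret)})
```

A provider that only knows OAuth2/OIDC never produces this `sso`/`sig` pair, so the `/session/sso_login` endpoint has nothing to verify; that is the gap the OAuth2 plugin fills by speaking the provider's protocol instead.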

Hmm, that explains a lot. :slight_smile:
The OAuth plugin works just fine with Keycloak; the only thing is that the user needs to click on the “Log in” button when they go from my site to my instance of Discourse. But I’ll try to find a way to do it without the user noticing, or find some plugin to work with OpenID.
Thank you very much.

Ok, this is the last time I’m repeating this.

If you have login_required set to true AND OAuth2 is the only login strategy (disable local_logins and social logins), the user should be prompted to login without clicking on the button. Many people use this, and it works fine.

6 Likes

I saw what you said, but as I said before I really don’t know which configuration I’m missing.
Here is my configuration: I checked the option login_required (true) and the only other option I checked was oauth2 enabled (true), and still I get the login page from Discourse. Could you help me?

@maisa were you ever able to achieve your goal? I’m trying to do the same. If a user is already logged into my Keycloak account and visits my Discourse, I want the user to be already logged in without having to do anything.

BTW, I had to code my own user info json endpoint to convert the token to json, you, too?

Did anyone find a solution? I’ve been trying to set up SSO with Keycloak but no luck.