Keycloak with Discourse


(Maisa Lino) #1

Hi everyone,
I’m new to Discourse and I’m trying to use it with Keycloak. But I’m not able to set Keycloak as SSO for Discourse.
What I need is: the user is authenticated on my site through Keycloak, and when they try to access my Discourse instance they are already authenticated.
Could someone help me?


(Blake Erickson) #2

Could you provide some more info about your setup please? Did you follow the sso guide? What settings did you add to keycloak? Are requests making it to Discourse?


(Maisa Lino) #3

I tried to follow the SSO guide, but I got confused.
On Discourse I configured the OAuth2 plugin and my SSO configuration is:
enable sso: is checked
sso url: http://mykeycloakdomain/auth/realms/myrealm/protocol/openid-connect/auth?response_type=code&scope=openid&client_id=myclientid&redirect_uri=http//mydiscoursedomain/session/sso_login
sso secret: this_is_my_secret

On Keycloak I just put this URL (http://mydiscoursedomain/session/sso_login) in my client’s Valid Redirect URIs field.

When I log in on Keycloak and it tries to redirect to http://mydiscoursedomain/session/sso_login, the redirect URL is http://mydiscoursedomain/session/sso_login?code=somecode and it gives me HTTP ERROR 500.


(Rafael dos Santos Silva) #4

The OAuth2 plugin is an auth strategy (like Facebook, Twitter, etc.) while SSO is another thing.

You want one or the other. You can’t use both.


(Maisa Lino) #5

I disabled the OAuth2 plugin; even so, when Keycloak redirects to http://mydiscoursedomain/session/sso_login I get an error 500 and the URL comes as http://mydiscoursedomain/session/sso_login?code=qEv3eXual_dkdMteGxeouUu0ih8Q8IGfSg-O__nMYgg.eac438e7-886d-459e-830e-857ef244a0ed
Keycloak did not return the params sso=payload and sig=sig as expected by Discourse.
Does this maybe have something to do with the SSO version? Or do I need to configure something else on Keycloak?
My Keycloak instance version is 3.1.0.Final.


(Rafael dos Santos Silva) #6

There is a post where a user managed to get Keycloak and the OAuth2 plugin to work together.

But this is not Discourse SSO; you should disable SSO and use only the OAuth2 plugin in this case.


(Maisa Lino) #7

Actually, I was able to make OAuth2 work with Keycloak. But when I do this, even if the user is authenticated on my site, when they go to my Discourse instance they need to click on the “Log in” button to get access to the information on the forum.
That is why I was trying to make SSO work with Keycloak; that way I expect that if the user is already authenticated on my site, they are able to access my Discourse instance without needing to log in or click on the “Log in” button on the Discourse home page.


(Rafael dos Santos Silva) #8

Actually, you can get this behavior on both OAuth2 and SSO, by checking the login_required setting.

However, this will prevent anonymous reading and search engines from listing your site.


(Maisa Lino) #9

So I’m missing some configuration, because if I enable OAuth2 with Keycloak, authenticate myself on Keycloak and in another tab try to access my Discourse instance, I’m redirected to the Discourse login page and need to click on “Log In” (blue button) for Discourse to verify with Keycloak that I’m already authenticated.
I really don’t want anonymous users to be able to read my Discourse instance.


(Rafael dos Santos Silva) #10

Did you check the login_required setting on Discourse?


(Maisa Lino) #11

Yes, but it is still necessary to click on the “Log in” button to access Discourse, even when I’m already authenticated on my site.
Is there no way to be authenticated on my site and then access my Discourse instance without needing to click on the “Log in” button?


(Dean Taylor) #12

I’m not familiar with Keycloak or this specific OAuth integration, but this seems relevant to you (though it depends on the solution you end up choosing, SSO / OAuth etc.):


(Felix Freiberger) #13

Note that the iframe won’t work if Discourse is running on an unrelated domain, as browsers will consider these cookies to be third-party cookies :cookie:

An alternative is to make sure that all links to the forum point to /session/sso while the user is authenticated in the parent site.


(Maisa Lino) #14

@DeanMarkTaylor and @fefrei, thank you for the answers.
But I’m not able to configure Discourse SSO to work with Keycloak.
Keycloak works with the SAML, OpenID and OAuth protocols.
My SSO configuration is:
enable sso: is checked
sso url: http://mykeycloakdomain/auth/realms/myrealm/protocol/openid-connect/auth?response_type=code&scope=openid&client_id=myclientid&redirect_uri=http//mydiscoursedomain/session/sso_login
sso secret: this_is_my_secret

In the sso url I put the redirect_uri to redirect to Discourse’s session/sso_login. But when Keycloak does the redirect it does not pass the params sso and sig in the URL as expected by Discourse, so I get an error 500. So I don’t know if I’m missing some configuration or if it is not possible to integrate Keycloak with Discourse via SSO.


(Felix Freiberger) #15

Discourse uses its own SSO protocol. If there is no Keycloak plugin that supports this yet and you don’t want to build one, you’ll have to use another authentication scheme. I’d suspect then OAuth is easiest because there already is a Discourse plugin for it :slight_smile:
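To make concrete what the replies above mean by “Discourse’s own SSO protocol” and the missing sso/sig parameters, here is an added illustration of that exchange written for this page; it is not code from the thread, from Discourse or from Keycloak. Discourse sends a base64 payload carrying a nonce and a return URL, signed with HMAC-SHA256 under the shared sso secret; the identity provider must verify that signature, authenticate the user, and send back its own base64 payload (echoing the nonce) with its own signature to /session/sso_login. The function names, the constructed user record and the hostnames are assumptions for the example; the secret value is the one quoted in the thread.

```ruby
require "openssl"
require "base64"
require "uri"
require "securerandom"

# The "sso secret" site setting, shared between Discourse and the provider.
# Value taken from the thread; in production use a long random secret.
SSO_SECRET = "this_is_my_secret".freeze

# The signature is HMAC-SHA256 over the *base64* payload string, hex encoded.
def sign(payload, secret)
  OpenSSL::HMAC.hexdigest("sha256", secret, payload)
end

# Constant-time comparison so a forged `sig` cannot be guessed byte by byte.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# A payload is a query string (key=value&...) wrapped in base64.
def encode_payload(fields)
  Base64.strict_encode64(URI.encode_www_form(fields))
end

# Check `sig` over the base64 `sso` string, then decode it into a hash.
# Returns nil on a bad signature so callers never see unauthenticated data.
def verify_and_decode(sso, sig, secret)
  return nil unless sig.is_a?(String) && secure_equal?(sign(sso, secret), sig)
  Hash[URI.decode_www_form(Base64.decode64(sso))]
end

# Step 1 (Discourse side): build the request Discourse sends to the sso url.
def discourse_outbound(nonce, return_sso_url, secret)
  sso = encode_payload(nonce: nonce, return_sso_url: return_sso_url)
  { sso: sso, sig: sign(sso, secret) }
end

# Step 2 (provider side, what Keycloak would have to do): verify the request,
# authenticate the user (here a constructed record), answer with a signed
# payload that echoes the nonce, and redirect to return_sso_url.
def provider_respond(sso, sig, user, secret)
  request = verify_and_decode(sso, sig, secret)
  return nil if request.nil?
  response = encode_payload(
    nonce: request["nonce"], email: user[:email],
    external_id: user[:external_id], username: user[:username]
  )
  { return_sso_url: request["return_sso_url"],
    sso: response, sig: sign(response, secret) }
end

# Step 3 (Discourse side, /session/sso_login): verify the signature and that
# the nonce is the one issued for this login attempt (replay protection).
def discourse_accept(sso, sig, expected_nonce, secret)
  data = verify_and_decode(sso, sig, secret)
  return nil if data.nil? || data["nonce"] != expected_nonce
  data
end

# Full round trip with constructed values. Returns the user fields Discourse
# would create the session from, or nil if any check fails. `provider_secret`
# lets you see what a secret mismatch does; `tamper` corrupts the response
# signature in transit.
def run_flow(provider_secret: SSO_SECRET, tamper: false)
  nonce = SecureRandom.hex(16)
  out = discourse_outbound(nonce, "http://mydiscoursedomain/session/sso_login", SSO_SECRET)
  user = { email: "maisa@example.invalid", external_id: "kc-42", username: "maisa" }
  resp = provider_respond(out[:sso], out[:sig], user, provider_secret)
  return nil if resp.nil?
  sig = tamper ? resp[:sig].sub(/\A./) { |c| c == "0" ? "1" : "0" } : resp[:sig]
  discourse_accept(resp[:sso], sig, nonce, SSO_SECRET)
end

if __FILE__ == $PROGRAM_NAME
  p run_flow                          # user fields, login succeeds
  p run_flow(tamper: true)            # nil: bad signature rejected
  p run_flow(provider_secret: "x")    # nil: provider cannot verify the request
end
```

Run it with `ruby sso_flow.rb`. The point for the thread: a plain OpenID Connect authorization endpoint only ever returns `?code=...`, it never computes this HMAC or echoes the nonce, which is why Discourse answers with a 500 when it is pointed at Keycloak directly. A working SSO setup needs a component on the provider side that performs step 2, and both sides must hold the same secret.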


(Maisa Lino) #16

Hmm, that explains a lot. :slight_smile:
The OAuth plugin works just fine with Keycloak; the only thing is that the user needs to click on the “Log in” button when they go from my site to my instance of Discourse. But I’ll try to find a way to do it without the user noticing, or find some plugin to work with OpenID.
Thank you very much.


(Rafael dos Santos Silva) #17

Ok, this is the last time I’m repeating this.

If you have login_required set to true AND OAuth2 is the only login strategy (disable local_logins and social logins), the user should be prompted to login without clicking on the button. Many people use this, and it works fine.


(Maisa Lino) #18

I saw what you said, but as I said before I really don’t know which configuration I’m missing.
Here is my configuration: I checked the option login_required (true) and the only other option I checked was oauth2 enabled (true), and still I get the login page from Discourse. Could you help me?