
Unable to Sign In with Keycloak - "Sign up closed" Error

Open sigau opened this issue 1 year ago • 8 comments

Hi,

We are trying to implement Keycloak for authentication on our instance of RDMO. Our local.py is configured as follows:

import os  # required for os.environ below

ACCOUNT = True
ACCOUNT_SIGNUP = False
ACCOUNT_TERMS_OF_USE = True
SOCIALACCOUNT = True
ACCOUNT_AUTHENTICATION_METHOD = 'username_email'

# django-allauth apps, with the generic OpenID Connect provider used for Keycloak
INSTALLED_APPS += [
    'allauth',
    'allauth.account',
    'allauth.socialaccount',
    'allauth.socialaccount.providers.openid_connect',
]

SOCIALACCOUNT_PROVIDERS = {
    "openid_connect": {
        "EMAIL_AUTHENTICATION": True,
        "EMAIL_AUTHENTICATION_AUTO_CONNECT": True,
        "APPS": [
            {
                "provider_id": "keycloak",
                "name": "keycloak",
                "client_id": "dmp",
                # client secret is read from the environment rather than stored in local.py
                "secret": os.environ['keycloak_secret'],
                "settings": {
                    # OIDC discovery document of the Keycloak realm
                    "server_url": "https://ourkeycloak/auth/realms/realm/.well-known/openid-configuration",
                },
            }
        ]
    }
}

We see the Keycloak logo on the connection page, and clicking on it successfully connects to Keycloak and returns to our RDMO instance. However, we receive the following message:

Sign up closed

We are sorry, but the sign up is currently closed.

It seems we may have missed something in our local.py configuration, but we are unable to identify what is wrong.

Do you have any suggestions on how to resolve this issue?

Thank you in advance,

Gautier

sigau avatar Jun 18 '24 07:06 sigau

Hi @sigau, I think you need to add SOCIALACCOUNT_SIGNUP = True.

jochenklar avatar Jun 18 '24 08:06 jochenklar

Hello, thanks for your answer, but we have the problem that some of our users already have an account on our instance, with the mail that is used in our Keycloak. And when we try connecting with Keycloak, with SOCIALACCOUNT_SIGNUP = True, it fills the form with all the information from Keycloak, but as the user already exists it can't be created (and we don't want to create a new one, but just connect to the existing one).

sigau avatar Jun 18 '24 09:06 sigau

Ah ok, those people need to log in using the old credentials and then use "Account connections" from the user menu (at /account/social/connections/). I think django-allauth has no means to connect those accounts automatically. This is probably also a security thing. Maybe @MyPyDavid has an idea?

jochenklar avatar Jun 18 '24 09:06 jochenklar

Thanks, we will try and come back to you!

sigau avatar Jun 18 '24 09:06 sigau

So we tried and it works! Thanks

But we're still interested to know if it's possible to link existing accounts from the connection page! (if it's not a security problem)

sigau avatar Jun 18 '24 09:06 sigau

Yes, I guess depending on the amount of users you could also do this manually (assign a user to the social account in admin) or implement a custom adapter (DefaultSocialAccountAdapter) for this. We had the same issue and I added an ExistingAccountAdapter (according to https://github.com/pennersr/django-allauth/issues/418#issuecomment-107880925) for this case in the rdmo-app.

MyPyDavid avatar Jun 18 '24 09:06 MyPyDavid

I think the main problem is that an automatic linking would allow people who control the email address, which might or might not be as protected as the password, to take over existing accounts. I guess for your Keycloak, you can assume that nobody can just take the email of someone else to create an account there.

jochenklar avatar Jun 18 '24 10:06 jochenklar
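A sketch of the kind of custom DefaultSocialAccountAdapter @MyPyDavid mentions, as an added example that is neither the rdmo-app's ExistingAccountAdapter nor code from the linked allauth issue. It links a social login to an existing local user only when the email matches exactly one account and the provider reported the address as verified, which addresses the takeover concern raised above; `TRUSTED_PROVIDERS` and `decide_link` are names assumed for this example.

```python
# Added example, not the rdmo-app's own adapter: link a social login to an
# existing local user by e-mail, but only when the provider is trusted and
# reported the address as verified.  TRUSTED_PROVIDERS and decide_link are
# names assumed for this example.
try:
    from allauth.socialaccount.adapter import DefaultSocialAccountAdapter
except ImportError:  # lets decide_link() run where allauth is not installed
    DefaultSocialAccountAdapter = object

# Only an IdP whose account creation you control (your own Keycloak realm)
# should be allowed to claim existing local accounts.
TRUSTED_PROVIDERS = {"keycloak"}


def decide_link(provider_id, email, email_verified, local_emails):
    """Return the matching local e-mail to link to, or None.

    local_emails: addresses of existing local users.  Linking requires a
    trusted provider, a verified address and exactly one matching account.
    """
    if provider_id not in TRUSTED_PROVIDERS or not email_verified:
        return None
    wanted = (email or "").strip().lower()
    if not wanted:
        return None
    matches = [e for e in local_emails if e.strip().lower() == wanted]
    return matches[0] if len(matches) == 1 else None


class ExistingAccountLinkingAdapter(DefaultSocialAccountAdapter):
    """Enable with SOCIALACCOUNT_ADAPTER = "<module>.ExistingAccountLinkingAdapter"."""

    def pre_social_login(self, request, sociallogin):
        # Imported here so the module can be loaded outside Django.
        from django.contrib.auth import get_user_model

        if sociallogin.is_existing:
            return  # social account already connected to a local user
        User = get_user_model()
        provider_id = sociallogin.account.provider
        # allauth's OpenID Connect provider fills .verified from the
        # email_verified claim, so an unverified Keycloak address is rejected.
        for addr in sociallogin.email_addresses:
            candidates = list(
                User.objects.filter(email__iexact=addr.email)
                .values_list("email", flat=True)
            )
            target = decide_link(provider_id, addr.email, addr.verified, candidates)
            if target:
                sociallogin.connect(request, User.objects.get(email__iexact=target))
                return
```

With SOCIALACCOUNT_SIGNUP left at False, a verified Keycloak login that matches no local account still ends on the "Sign up closed" page, which is the intended behaviour for an instance that does not want new accounts created from the provider.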

@MyPyDavid maybe your ExistingAccountAdapter is something for https://rdmo.readthedocs.io/en/latest/advanced/index.html.

jochenklar avatar Jun 18 '24 10:06 jochenklar