qh.SSKrSSKJr "SS\5rg)N) BaseOAuth2cT\rSrSrSrSrSrSrSrSr Sr S r S r S r S rS rSrg)KeycloakOAuth2a Keycloak OAuth2 authentication backend This backend has been tested working with a standard Keycloak installation, but you might have to specialize it and tune the parameters per your configuration. This setup specializes the OAuth2 backend which, strictly speaking, offers authorization without authentication capabilities. Keycloak does offer a full OpenID Connect implementation, but the implementation is rather labor intensive to implement. This backend is configured to get an access token instead, and assume that the access token contains the necessary user details for authentication. The integrity of the authentication process is followed by public key verification for the `access_token` along with OpenID Connect specification `aud` field checking. To set up, please take the following steps: 1. Create a new Keycloak client in the Clients section: a. Choose the `Client ID` in the `General Settings` pane. b. Select `Client authentication` and `Authorization` in the `Capability config` pane. 2. Configure the following parameters in the Client setup: Settings > Client ID (copy to settings as `KEY` value) Credentials > Client Authenticator > Use `Client Id and Secret` and copy the `Client secret` value to settings as `SECRET` value 3. For the tokens to work with the JWT setup the following configuration has to be made in Keycloak: Advanced > Fine grain OpenID Connect configuration > User Info Signed Response Algorithm > RS256 Advanced > Fine grain OpenID Connect configuration > Request Object Signature Algorithm > RS256 4. Re-enable the audience (see https://issues.redhat.com/browse/KEYCLOAK-6638 for context): Go to Client scopes > YOUR-CLIENT-ID-dedicated > Add mapper > Audience, pick a name for the mapper and select the Client ID corresponding to your client in `Included Client Audience`. 5. Get the public key (copy to settings as `PUBLIC_KEY` value) to be used with the backend: Realm Settings > Keys > Public key 6. Configure access token fields are configured via the Keycloak Client mappers: Clients > Client ID > Mappers They have to include at least the `ID_KEY` value and the dictionary keys defined in the `get_user_details` method. 7. Configure your web backend. Example setting values for Django settings could be: SOCIAL_AUTH_KEYCLOAK_KEY = 'example' SOCIAL_AUTH_KEYCLOAK_SECRET = '1234abcd-1234-abcd-1234-abcd1234adcd' SOCIAL_AUTH_KEYCLOAK_PUBLIC_KEY = 'pempublickeythatis2048bitsinbase64andhaseg392characters' SOCIAL_AUTH_KEYCLOAK_AUTHORIZATION_URL = 'https://sso.com/auth/realms/example/protocol/openid-connect/auth' SOCIAL_AUTH_KEYCLOAK_ACCESS_TOKEN_URL = 'https://sso.com/auth/realms/example/protocol/openid-connect/token' 8. The default behaviour is to associate users via username field, but you can change the key with e.g. SOCIAL_AUTH_KEYCLOAK_ID_KEY = 'email' Please make sure your Keycloak user database and Django user database do not conflict and that there is no risk of user account hijacking by false account association. keycloakusernameFc$URS5$)NAUTHORIZATION_URLsettingselfs O/var/www/html/env/lib/python3.13/site-packages/social_core/backends/keycloak.pyauthorization_url KeycloakOAuth2.authorization_urlfs||/00c$URS5$)NACCESS_TOKEN_URLr r s raccess_token_urlKeycloakOAuth2.access_token_urlis||.//rc$URS5$)NKEYr r s raudienceKeycloakOAuth2.audiencels||E""rc"URSSS9$)N ALGORITHMRS256)defaultr r s r algorithmKeycloakOAuth2.algorithmos||K|99rcHSRSURS5S/5$)N z-----BEGIN PUBLIC KEY----- PUBLIC_KEYz-----END PUBLIC KEY-----)joinr r s r public_keyKeycloakOAuth2.public_keyrs*yy, \**   rc[R"UUR5UR5UR 5S9$)zDecode user data from the access_token You can specialize this method to e.g. get information from the Keycloak backend if you do not want to include the user information in the access_token. )key algorithmsr)jwtdecoder%rr)r access_tokenargskwargss r user_dataKeycloakOAuth2.user_data{s5zz !~~']]_   rcURS5URS5URS5URS5URS5S.$)z/Map fields in user_data into Django User fieldspreferred_usernameemailname given_name family_name)rr3fullname first_name last_name)get)rresponses rget_user_detailsKeycloakOAuth2.get_user_detailssK! %9:\\'* V,",,|4!m4   rc8URUR5$)z>Get and associate Django User by the field indicated by ID_KEY)r:ID_KEY)rdetailsr;s r get_user_idKeycloakOAuth2.get_user_ids{{4;;''rN)__name__ __module__ __qualname____firstlineno____doc__r4r?REDIRECT_STATErrrrr%r/r<rA__static_attributes__rCrrrrsBYv D FN10#:    (rr)r*social_core.backends.oauthrrrCrrrLs 1P(ZP(r