
How to get OpenID working with Tandoor? #970

Closed
Akruidenberg opened this issue Oct 21, 2021 · 82 comments
Labels: setup issue (possibly or definitely an issue with the user setup)

Comments

@Akruidenberg

Issue

Some time ago, I asked for some help at the Authentik GitHub for using OpenID with Traefik. I'm using Authentik for SSO.
However, it did not work. Now, with more research, the ENV is finally parsing; however, nothing changed. Are there more steps required for OpenID?
Are there people who got OpenID working with Tandoor? @vabene1111 I've posted more info this time.
Other providers like Authelia now also support OpenID, so examples for this are great too.

Setup Info

Version: 0.17.2
OS: OMV 5 (Debian)

ENV File:

DB_ENGINE=django.db.backends.postgresql
POSTGRES_HOST=recipes-postgres
POSTGRES_PORT=5432 
POSTGRES_PASSWORD=secret
STICKY_NAV_PREF_DEFAULT=1
POSTGRES_USER=recipes
POSTGRES_DB=recipes         
SECRET_KEY=secret
REVERSE_PROXY_AUTH=0
COMMENT_PREF_DEFAULT=1
GUNICORN_MEDIA=0
ALLOWED_HOSTS=*
COMMENT_PREF_DEFAULT=1
MEDIA_URL=/media/
STATIC_URL=/static/
SHOPPING_MIN_AUTOSYNC_INTERVAL=5
DEBUG=0
TIMEZONE=Europe/Amsterdam
SOCIALACCOUNT_PROVIDERS={ 'openid': { 'SERVERS': [ {'id':'authentik', 'name':'authentik', 'openid_url':'https://authentik.domain.com/application/o/tandoor/'}, ]}}

Compose file (relevant services):

  nginx-recipes:
    image: nginx:mainline-alpine
    container_name: nginx-recipes
    hostname: nginx-recipes
    restart: unless-stopped
    networks:
      - reverseproxy  
      - intern
    security_opt:
      - no-new-privileges:true         
    volumes:
      - recipes-nginx:/etc/nginx/conf.d:ro
      - recipes-config:/static     
      - recipes-media:/media
    labels:
      traefik.enable: "true"
      ## HTTP Routers
      traefik.http.routers.recipes-rtr.entrypoints: https
      ## Middlewares
      traefik.http.routers.recipes-rtr.middlewares: chain-no-auth@file  
      ## HTTP Services
      traefik.http.routers.recipes-rtr.service: recipes-svc
      traefik.http.routers.recipes-rtr.rule: Host(`recept.$DOMAINNAME`)      
      traefik.http.services.recipes-svc.loadbalancer.server.port: 80
      ## watchtower      
      com.centurylinklabs.watchtower.enable: "true"    
      diun.enable: "true"       
      
  recipes:
    image: vabene1111/recipes:0.17.2
    container_name: recipes
    restart: unless-stopped
    hostname: recipes
#    user: $PUID:$PGID
    networks:
      - reverseproxy
      - intern
    security_opt:
      - no-new-privileges:true   
    volumes:
      - recipes-config:/opt/recipes/staticfiles
      - recipes-nginx:/opt/recipes/nginx/conf.d
      - recipes-media:/opt/recipes/mediafiles    
    depends_on:
      - recipes-postgres
      - nginx-recipes
    env_file:
        - ./recipes.env 
    labels:
      ## watchtower
      com.centurylinklabs.watchtower.enable: "true"
      diun.enable: "true"


  recipes-postgres:
    image: postgres:12-alpine
    container_name: recipes-postgres
    restart: unless-stopped
    hostname: recipes-postgres
#    user: $PUID:$PGID  
    env_file:
      - ./recipes-postgres.env 
    networks:
      - intern   
    security_opt:
      - no-new-privileges:true        
    secrets:
        - recipes_postgres  
    volumes:
      - recipes-postgres:/var/lib/postgresql/data    
      - $BACKUPDIR/recipes:/backup      
    environment:
      TZ: $TZ
    ## watchtower
    labels:
      com.centurylinklabs.watchtower.enable: "false"     
      diun.enable: "true"      

Other relevant information regarding your problem (proxies, firewalls, etc.)

  • Using Traefik as reverse proxy

Akruidenberg added the "setup issue" label Oct 21, 2021
@vabene1111
Collaborator

Hi, thanks for the detailed report.

Although I have never tested OpenID in particular, it should be supported by using the allauth OpenID provider.

See this for configuration details: https://django-allauth.readthedocs.io/en/latest/providers.html#openid

And also the docs for how to configure it in Tandoor: https://docs.tandoor.dev/features/authentication/#allauth

It's not the most intuitive setup, but you usually only do it once at installation, so I think it should be fine. If you need help at any particular point, let me know, and maybe we could also include some examples in the docs, so feel free to post your working config when you are done (without any passwords and URLs, of course).

@Akruidenberg
Author

@BeryJu provides an example for this. Env is parsed. I've edited the site URL in Tandoor. I don't know what to do next.

@vabene1111
Collaborator

OK, I see.

How have you configured the site in the Django admin?

What is the error you are getting? Is there no button showing up, or are you getting an error message during login, or what is the problem?

@Akruidenberg
Author

Akruidenberg commented Oct 27, 2021

Maybe using https://github.com/mozilla/mozilla-django-oidc would be an option? Looks promising @vabene1111

@vabene1111
Collaborator

As allauth is already capable of working with OpenID, I do not see why another package providing OpenID capability would be necessary.

Adding more dependencies is usually detrimental to performance, maintainability and security, and thus I do not want to add anything if not necessary. If you detail your issue and answer my questions, I might be able to help you get OpenID working for your setup, and if we determine in this process that allauth is not capable of handling your use case, we can evaluate whether or not adding an additional package might make sense.

@Akruidenberg
Author

Akruidenberg commented Oct 27, 2021

OK. I'm not being redirected to Authentik with the parsed env. I set the site in Tandoor to the Tandoor domain itself. No strange things in the Tandoor logs. Looks like it needs more configuration.

I'm not familiar with Django anyway. All my other services are working fine.

@vabene1111
Collaborator

Hmm, interesting. I am not familiar with OpenID, so I don't really know what you "usually" need to configure; I just know that allauth has proven to work very well for most authentication-related needs.

I will need to configure a Tandoor instance with some OpenID provider (I see Google has one, for example) and see if maybe our login page lacks a button or an input field or something.

@BeryJu

BeryJu commented Oct 27, 2021

There needs to be some way to configure a Client ID and Client Secret, see:
[image]

@vabene1111
Collaborator

You can do that simply by going to the Django admin, or by defining those directly in the .env file as shown in this example.

@BeryJu

BeryJu commented Oct 27, 2021

Oh yeah, I forgot that you can do that in the Django admin; I haven't used allauth in a while.

@vabene1111
Collaborator

So I have been playing with OpenID for half an hour or so and trying to understand what it actually does. Can you refer me to any website that supports OpenID login? Just so I could try it out and gain an understanding of how it should work.

@Terminatorthre

Terminatorthre commented Nov 6, 2021

I am currently having the same issue, but I think I got one step further than @Akruidenberg.
According to https://docs.tandoor.dev/features/authentication/ two settings need to be defined in the ENV file.

  • SOCIAL_PROVIDERS=allauth.socialaccount.providers.openid loads the provider itself
  • SOCIALACCOUNT_PROVIDERS={ 'openid': { 'SERVERS': [ {'id':'authentik', 'name':'authentik', 'openid_url':'https://authentik.domain.com/application/o/tandoor/'}, ]}} configures the loaded providers

Unfortunately, it seems the providers are not included in the Docker image, as I only receive "ModuleNotFoundError: No module named 'allauth.socialaccout'" when I try to start the container. With my limited knowledge of Docker and Django, I have no idea how to install the modules inside the image. Maybe @vabene1111 can assist with that?

@vabene1111
Collaborator

I am sure that I can fix the module issues, but I need an answer to my previous question, as I was not able (at least within some time limit) to get OpenID working at all on any website. If you could refer me to any public services which I could use to actually understand this topic, I am sure that we will be able to get this working in Tandoor as well.

@samip5

samip5 commented Nov 8, 2021

> I am sure that I can fix the module issues, but I need an answer to my previous question, as I was not able (at least within some time limit) to get OpenID working at all on any website. If you could refer me to any public services which I could use to actually understand this topic, I am sure that we will be able to get this working in Tandoor as well.

I believe Gitlab supports it.

@ciphermenial

I've been trying to make it work with Keycloak but am having no luck. When attempting to enable Keycloak auth in the .env file, recipes no longer starts.

I have Keycloak working with other systems like BookStack and Apache Guacamole.

@Terminatorthre

Yep, exactly what I tried as well: "ModuleNotFoundError: No module named 'allauth.socialaccout'", as I mentioned earlier. We would need an image with the required modules included; then we could continue to test.

@vabene1111
Collaborator

Interestingly, I enabled said modules and they were present; that's why I needed something to test with, but Google and some other pages I tried failed to give me working credentials, or I was just too stupid to get it working (Google wanted all kinds of stuff in the dev console etc.).

The thing is, I still lack the understanding of how this works and can't seem to find an answer online. Allauth (the Django package responsible for OpenID) gives me the option to enter a URL to perform authentication. But what URL do I need to add there for e.g. GitLab? Just gitlab.com, or does the URL need to contain a secret (I would think so)? I created a GitLab application and enabled the "email" permission so that OpenID should work; I got a secret and redirect URL set up, but I have no idea where to go from here.

How does this usually work? Is there any public page I can just go to to try this out? Or does one of you want to hop into a Discord call or so with me and show it to me, because I just can't seem to find any proper documentation on this; it's all either OAuth, super old or straight-up unclear.

@ciphermenial

ciphermenial commented Nov 22, 2021

I got it working by editing the settings.py with what I needed. When I tried to use the .env file it failed.

Under INSTALLED_APPS I added the line 'allauth.socialaccount.providers.keycloak',

I also replaced this section:

try:
    SOCIALACCOUNT_PROVIDERS = ast.literal_eval(
        os.getenv('SOCIALACCOUNT_PROVIDERS') if os.getenv('SOCIALACCOUNT_PROVIDERS') else '{}')
except ValueError:
    SOCIALACCOUNT_PROVIDERS = json.loads(
        os.getenv('SOCIALACCOUNT_PROVIDERS').replace("'", '"') if os.getenv('SOCIALACCOUNT_PROVIDERS') else '{}')

With this:

SOCIALACCOUNT_PROVIDERS = { 
    'keycloak': {
        'KEYCLOAK_URL': 'https://keycloak.domain.com/auth', 
        'KEYCLOAK_REALM': 'master'
    }
}

I was then able to log into the Django administration web UI and add a social application. I was now able to select Keycloak from the dropdown for Provider. I then entered the client ID and key I had configured in Keycloak, and it worked as expected.

@ciphermenial

I read through everything a bit more and discovered my mistake was all to do with formatting.

My .env file now looks like this and everything is working:

SOCIAL_PROVIDERS=allauth.socialaccount.providers.keycloak

SOCIALACCOUNT_PROVIDERS={"keycloak":{"KEYCLOAK_URL":"https://keycloak.domain.com/auth","KEYCLOAK_REALM":"master"}}

And I set the settings.py back to default.

@vabene1111
Collaborator

vabene1111 commented Nov 22, 2021

Awesome, glad this works, and thanks for posting your config 👍. The thing is that there is another provider, "OpenID", which is independent of all other providers, and I think some people are trying to get that to work.

@ciphermenial

Keycloak is using OpenID for the connection. I think the "Keycloak" provider simplifies configuration. In the case of using OpenID in my configuration, I believe it would look something like this:

SOCIAL_PROVIDERS=allauth.socialaccount.providers.openid
SOCIALACCOUNT_PROVIDERS = {'openid':{'SERVERS':[dict(id='keycloak',name='Keycloak',openid_url='https://keycloak.domain.com/auth/realms/master/protocol/openid-connect/auth'),]}}

@Akruidenberg
Author

Any progress?

@tomlawesome

@Terminatorthre Did you get this working at all with Authentik? I've tried again for another few hours and still can't get it to work.

Authentik itself works fine with lots of other openID providers.

@Terminatorthre

@tomlawesome unfortunately not. I am therefore evaluating Nextcloud Cookbook as an alternative

@smilerz
Collaborator

smilerz commented Feb 1, 2022

The ironic thing is Authentik is built on Django; you'd think they'd have some documentation on how to set it up.

@Akruidenberg
Author

We need a more general implementation, not allauth. @vabene1111, is it possible to make a test image with another library? Portainer, for example, is working fine with Authentik and OpenID.

@smilerz
Collaborator

smilerz commented Feb 2, 2022

> We need a more general implementation, not allauth. @vabene1111, is it possible to make a test image with another library? Portainer, for example, is working fine with Authentik and OpenID.

If you believe that there is a better authentication backend feel free to create a PR.

@vabene1111
Collaborator

Somebody just needs to help me understand this system; that's all there needs to happen. I wrote down the questions in this issue, but I simply cannot get any of those public OpenID providers to work, and I don't want to spend the time setting this all up and understanding this, because the resources documenting this which I have found so far are simply not good or contradict each other all the time.

If somebody who actually knows how this web standard "OpenID" works and has a working auth setup, I can work together with them to get allauth to work. I am pretty sure the most common and largest Django auth framework will likely not have this fundamental feature broken; it's likely just a configuration issue.

@vabene1111
Collaborator

But sure, feel free to build yourself an image with a different library and play around; maybe there is something broken in allauth.

@ikaruswill

ikaruswill commented Jan 5, 2023

Thanks! Let me pull develop and test it out tonight with Authelia OIDC provider

@Akruidenberg
Author

Nice! Would be nice to get it working with Authentik after so long :)

@vabene1111
Collaborator

looking forward to hearing your feedback on this!

@ikaruswill

I was able to sign in!

Successfully signed in as <username>.
  • Though I had to manually create a Space and UserSpace via the admin UI (I'm starting from a fresh install). Not sure if I misconfigured anything about automatic creation of Spaces, but it seems like no spaces were automatically created, both for the admin user and for the OIDC-created user.
  • I had to set ENABLE_SIGNUP=1. Is there a way we can see this as a sign-in rather than a sign-up? Just thinking out loud.
  • I had to manually provide an email address. One suggestion moving forward is to populate the email field here for the user with the value obtained from the email claim in the OpenID Connect email scope that's commonly provided.

@vabene1111
Collaborator

Awesome, glad it worked.

  • You should always (no matter which signup) be prompted to create a space if you don't have any.
  • Hmm, that's possible that you have to set this. This could probably be fixed, but I would need to really understand all that and set it up, so probably not for a while (or someone contributes the proper fix).
  • The email address is not really required for anything, so you don't really need to populate it, but there is probably a way to pass that through when signing up.

@ikaruswill

On point 1, I must have misconfigured something somewhere. Let me figure that out or discuss it separately since it's unrelated to OIDC.

Valid points for 2 and 3. 👍. I'm somewhat conversant in Django so I might be able to help. Let me dig through the code base first.

@vabene1111
Collaborator

vabene1111 commented Jan 5, 2023

Awesome, feel free to give it a try; if you have any questions, let me know, probably best in a new issue.

@spaddex

spaddex commented Jan 10, 2023

Using the "beta" image in Docker, with OAuth (Authelia).
Like ikaruswill said, I had to set ENABLE_SIGNUP=1.
After logging in, I was presented with the options to either join a space via token or create a new space though.

Config for tandoor:

SOCIALACCOUNT_PROVIDERS = { "openid_connect": { "SERVERS": [ { "id": "tandoor", "name": "Authelia", "server_url": "https://mydomain.com", "token_auth_method": "client_secret_basic", "APP": { "client_id": "tandoor", "secret": "<super_secret>", }, } ] }}
SOCIAL_PROVIDERS=allauth.socialaccount.providers.openid_connect

Config for authelia:

...
      - id: tandoor
        description: tandoor
        secret: <super_secret>
        public: false
        authorization_policy: two_factor
        audience: []
        scopes:
          - openid
          - groups
          - email
          - profile
        redirect_uris:
          - https://mydomain.com/accounts/tandoor/login/callback/
        grant_types:
          - refresh_token
          - authorization_code
        response_types:
          - code
        response_modes:
          - form_post
          - query
          - fragment
        userinfo_signing_algorithm: none

@rheaalleen

rheaalleen commented Jan 22, 2023

Since the original topic was Authentik, here is the part for it.

The formatting of the providers string doesn't matter. Replace the server_url with your application; my slug is called recipes.

SOCIALACCOUNT_PROVIDERS={ "openid_connect": { "SERVERS": [{ "id": "authentik", "name": "Authentik", "server_url": "https://domain.tld/application/o/recipes/.well-known/openid-configuration", "token_auth_method": "client_secret_basic", "APP": { "client_id": "YXZ", "secret": "YXZ" } } ] } }

SOCIAL_PROVIDERS=allauth.socialaccount.providers.openid_connect

You have to add your mail on first login, there could be a way to automatically read it from supplied scopes but I didn't check further

@nicedevil007
Contributor

> Since the original topic was Authentik, here is the part for it.
>
> The formatting of the providers string doesn't matter. Replace the server_url with your application; my slug is called recipes.
>
> SOCIALACCOUNT_PROVIDERS={ "openid_connect": { "SERVERS": [{ "id": "authentik", "name": "Authentik", "server_url": "https://domain.tld/application/o/recipes/.well-known/openid-configuration", "token_auth_method": "client_secret_basic", "APP": { "client_id": "YXZ", "secret": "YXZ" } } ] } }
>
> SOCIAL_PROVIDERS=allauth.socialaccount.providers.openid_connect
>
> You have to add your mail on first login, there could be a way to automatically read it from supplied scopes but I didn't check further

First, thank you for the 2 env variables that we have to set up :)
Can you share the settings we have to create under the provider entry in Authentik as well?

@danaelg

danaelg commented Feb 26, 2023

You only have to create an OAuth2/OpenID Provider.

You have to define https://tandoor.example.org/accounts/authentik/login/callback/ as Redirect URIs/Origins

NOTE
Change tandoor.example.org to your tandoor URL.

Take note of the Client ID and the Client Secret

@nicedevil007
Contributor

nicedevil007 commented Feb 26, 2023

> accounts/authentik/login/callback/

OK, it seems to work, thank you very much. What if I already have my local users in Tandoor and they match the same username from Authentik?

It seems that Authentik tries to create new users and the old ones have to be deleted; is that right?

EDIT: OK, log in with the local user and find the social authentication login there :)

@kristof-mattei
Copy link
Contributor

I ran into the following issue: I had to encode the %. My key contained %sh somewhere and this was the error in Authelia:

time="2023-04-08T20:56:53-07:00" level=error msg="Access Request failed with error: The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed. The client secret in the HTTP authorization header could not be decoded from 'application/x-www-form-urlencoded'. invalid URL escape '%sh'" method=POST path=/api/oidc/token remote_ip=172.19.0.1 stack=

After putting the secret key through escape("...") it all worked.
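An added example (my own Python, not Tandoor's or allauth's code) that ties together the settings.py parsing snippet quoted earlier in this thread and the '%' problem just above: it parses a SOCIALACCOUNT_PROVIDERS value the same two-step way, lints it for the pitfalls seen here (a stray quote inside a URL as in the first post, a missing secret, a raw '%' in the secret), and shows with a strict form-decoder like Authelia's why an unencoded '%sh' is rejected and how percent-encoding the secret fixes it. The sample env string and the secret are constructed, and all function names are mine.

```python
import ast
import base64
import json
import re
from urllib.parse import quote, unquote_plus

# Constructed sample in the shape of the first post's env value (host is a placeholder);
# note the stray double quote inside the openid_url string.
ENV_PY_STYLE = (
    "{ 'openid': { 'SERVERS': [ {'id':'authentik', 'name':'authentik', "
    "'openid_url':'https://authentik.domain.com/application/o/tandoor/\"'}, ]}}"
)
URL_KEYS = ("openid_url", "server_url", "KEYCLOAK_URL")
_BAD_ESCAPE = re.compile(r"%(?![0-9A-Fa-f]{2})")  # a '%' not followed by two hex digits


def parse_socialaccount_providers(raw):
    """Same two-step parse as Tandoor's settings.py: Python literal first, then JSON
    after swapping ' for ". SyntaxError is caught here as well, so a malformed value
    fails in json.loads with a clear message instead of aborting the literal parse."""
    if not raw:
        return {}
    try:
        return ast.literal_eval(raw)
    except (ValueError, SyntaxError):
        return json.loads(raw.replace("'", '"'))


def _walk(node, path=""):
    """Yield (dotted_path, value) for every scalar inside nested dicts and lists."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from _walk(value, f"{path}.{key}" if path else key)
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from _walk(value, f"{path}[{index}]")
    else:
        yield path, node


def lint_providers(cfg):
    """Findings for the misconfigurations that came up in this thread."""
    findings = []
    for path, value in _walk(cfg):
        key = path.rsplit(".", 1)[-1]
        if not isinstance(value, str):
            continue
        if key in URL_KEYS and any(c in value for c in "\"' \t"):
            findings.append(f"{path}: contains a quote or whitespace: {value!r}")
        if key in URL_KEYS and not value.startswith("https://"):
            findings.append(f"{path}: not https, codes and tokens would travel in clear")
        if key == "secret" and "%" in value:
            findings.append(f"{path}: raw '%' in secret, percent-encode it for client_secret_basic")
    oidc = cfg.get("openid_connect")
    if oidc and not any(p.rsplit(".", 1)[-1] == "secret" for p, _ in _walk(oidc)):
        findings.append("openid_connect: no secret in env, so the Social application "
                        "must be created in the Django admin instead")
    return findings


def client_secret_basic_header(client_id, secret_as_configured):
    """What a client sends for token_auth_method=client_secret_basic: the configured
    strings joined by ':' and base64-encoded. RFC 6749 section 2.3.1 expects both parts
    form-urlencoded first, which is why a literal '%' in the secret is trouble."""
    creds = f"{client_id}:{secret_as_configured}".encode()
    return "Basic " + base64.b64encode(creds).decode()


def decode_client_secret_basic(header):
    """Server side, strict like Go's url.QueryUnescape (used by Authelia): a '%' not
    followed by two hex digits is rejected, reproducing the 'invalid URL escape' error."""
    client_id, _, secret = base64.b64decode(header.split(" ", 1)[1]).decode().partition(":")
    for part in (client_id, secret):
        bad = _BAD_ESCAPE.search(part)
        if bad:
            raise ValueError(f"invalid URL escape {part[bad.start():bad.start() + 3]!r}")
    return unquote_plus(client_id), unquote_plus(secret)


def percent_encode_secret(secret):
    """The fix from the thread: store quote(secret) in SOCIALACCOUNT_PROVIDERS so the
    provider's form-decoding yields the original ('+' is encoded too, since it would
    otherwise decode to a space)."""
    return quote(secret, safe="")
```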

@koseduhemak

I also configured OIDC with Authentik and Tandoor! Thanks for the examples :).

I was wondering if there is a way to completely disable local user login (username + password)... And in best case automatically redirect to Authentik login when accessing tandoor...

@itsmejoeeey

+1 on the suggestions from @ikaruswill and @koseduhemak to:

  • Allow new users to sign-in via social provider without ENABLE_SIGNUP=1.
  • Populate the email field here for the user, with the value obtained from email claim in the OpenID connect email scope that's commonly provided.
  • Allow the disabling of local user login + automatic redirect to the social provider.

In the meantime I will be resorting to using reverse proxy (header) authentication to simulate this behaviour.


As a side-note, the following quote from the docs caught me off-guard seeing as ENABLE_SIGNUP=1 would be required (and so users can sign up locally without using a public social provider anyways):

> If you choose Google, Github or any other publicly available service as your authentication provider anyone with an account on that site can create an account on your installation. A new account does not have any permission but it is still not recommended to give public access to your installation.

@tedstriker

For those of you still struggling, it might be because you use a self-signed certificate.
If this is the case, make sure you added it to the host properly (example for Debian).
Bind the certificate store file under volumes of the web_recipes container with something like this:

    volumes:
      - staticfiles:/opt/recipes/staticfiles
      - nginx_config:/opt/recipes/nginx/conf.d
      - mediafiles:/opt/recipes/mediafiles
      - /etc/ssl/certs/ca-certificates.crt:/etc/ssl/certs/ca-certificates.crt:ro

and add this environment variable to your docker-compose file:
REQUESTS_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt
This makes Python recognize the system's certificate store.
After that, I was able to log in via OIDC.

@AutoGitr

+1 to implementing exactly what @itsmejoeeey suggested.

@nicedevil007
Contributor

> You only have to create an OAuth2/OpenID Provider.
>
> You have to define https://tandoor.example.org/accounts/authentik/login/callback/ as Redirect URIs/Origins
>
> NOTE
> Change tandoor.example.org to your tandoor URL.
>
> Take note of the Client ID and the Client Secret

This callback URL seems not to work anymore; maybe someone else has a hint for that?

@bpbradley

> > You only have to create an OAuth2/OpenID Provider.
> > You have to define https://tandoor.example.org/accounts/authentik/login/callback/ as Redirect URIs/Origins
> >
> > NOTE
> > Change tandoor.example.org to your tandoor URL.
> >
> > Take note of the Client ID and the Client Secret
>
> This callback URL seems not to work anymore; maybe someone else has a hint for that?

I got mine working with the following redirect uri: https://tandoor.example.com/accounts/oidc/authentik/login/callback/

@cbc02009

cbc02009 commented Apr 5, 2024

@bpbradley Thank you so much! I've been trying to figure out all morning why my new set up wasn't working.

@zodac
Contributor

zodac commented Apr 26, 2024

Hello all. I'm coming into this a bit late, but was hoping to get some assistance with getting Tandoor integrated with Authentik. When I successfully log in, I am redirected to the Authentik application page, not Tandoor.

I've added the following environment variables to my docker-compose:

      SOCIAL_PROVIDERS: "allauth.socialaccount.providers.openid_connect"
      SOCIALACCOUNT_PROVIDERS: '{ "openid_connect": { "SERVERS": [ { "id": "authentik", "name": "Authentik", "server_url": "https://my.authentik.url/application/o/tandoor/.well-known/openid-configuration", "token_auth_method": "client_secret_basic", "APP": { "client_id": "clientId", "secret": "clientSecret" } } ] } }'

In my Authentik provider, I have set the following as my redirect URI:

https://my.tandoor.url/accounts/authentik/login/callback/

However, I get a 404 when I try and access the /accounts/authentik/login/callback/ URL directly, so I'm thinking that is the issue? I've seen some comments about setting things up in the Django admin UI, but I'm not sure exactly what to update - sites/social accounts?

Would appreciate any pointers. :)

@j007bond007

> https://my.tandoor.url/accounts/authentik/login/callback/

I ran into this too... add in oidc as per below:
https://my.tandoor.url/accounts/oidc/authentik/login/callback/

@zodac
Contributor

zodac commented Jun 8, 2024

> > https://my.tandoor.url/accounts/authentik/login/callback/
>
> I ran into this too... add in oidc as per below: https://my.tandoor.url/accounts/oidc/authentik/login/callback/

Thanks @j007bond007 , that's definitely helped. I also needed to add these environment variables to the tandoor container:

      REMOTE_USER_AUTH: "1"
      SOCIAL_DEFAULT_ACCESS: "1"
      SOCIAL_DEFAULT_GROUP: "guest"

But once that was done, I was able to register new accounts through Authentik without too many issues. Thanks so much! :)

@Avsynthe

Avsynthe commented Aug 14, 2024

> You only have to create an OAuth2/OpenID Provider.
>
> You have to define https://tandoor.example.org/accounts/authentik/login/callback/ as Redirect URIs/Origins
>
> NOTE
> Change tandoor.example.org to your tandoor URL.
>
> Take note of the Client ID and the Client Secret

To anyone else finding their way here from the future who saw this and noticed they already had this correct Redirect URI but recently started getting Redirect URI errors: this has recently changed. I deleted this field and saved it to see if it populated itself, and it did.

As others have stated, it is in fact now "https://tandoor.example.org/accounts/oidc/authentik/login/callback/"; the /oidc/ directory is new. I was looking right at it in this thread and scratching my head, not realising I wasn't looking at the same URL, and wondered why everyone was repeating themselves, haha. This is somewhat of a recent change, as it worked without this for about a year or so.

tl;dr don't be me and rush

@lgwapnitsky

> Since the original topic was Authentik, here is the part for it.
>
> The formatting of the providers string doesn't matter. Replace the server_url with your application; my slug is called recipes.
>
> SOCIALACCOUNT_PROVIDERS={ "openid_connect": { "SERVERS": [{ "id": "authentik", "name": "Authentik", "server_url": "https://domain.tld/application/o/recipes/.well-known/openid-configuration", "token_auth_method": "client_secret_basic", "APP": { "client_id": "YXZ", "secret": "YXZ" } } ] } }
>
> SOCIAL_PROVIDERS=allauth.socialaccount.providers.openid_connect
>
> You have to add your mail on first login, there could be a way to automatically read it from supplied scopes but I didn't check further

Your reply says "SERVERS", but the documentation says "APPS". What should go there?

Thank you

@zodac
Contributor

zodac commented Nov 20, 2024

> Your reply says "SERVERS", but the documentation says "APPS". What should go there?
>
> Thank you

Mine is also 'SERVERS'.

@lgwapnitsky

lgwapnitsky commented Nov 24, 2024

Modified, still not working with Keycloak. Opened a ticket #3406.

@ciphermenial

It does work with Keycloak. I use Keycloak and it works perfectly.

SOCIAL_PROVIDERS=allauth.socialaccount.providers.openid_connect
SOCIALACCOUNT_PROVIDERS = "{ 'openid_connect': { 'OAUTH_PKCE_ENABLED': True, 'APPS': [ { 'provider_id': 'oidc', 'name': 'Keycloak', 'client_id': 'recipes', 'secret': '12345678-90ab-cdef-1234-567890abcdef', 'settings': { 'server_url': 'https://keycloak.example.net/realms/master/.well-known/openid-configuration' } } ] } }"

This is literally the information from the documentation under "Third-party authentication example".

@lgwapnitsky

lgwapnitsky commented Nov 25, 2024 via email

@lgwapnitsky

> It does work with Keycloak. I use Keycloak and it works perfectly.
>
> SOCIAL_PROVIDERS=allauth.socialaccount.providers.openid_connect
> SOCIALACCOUNT_PROVIDERS = "{ 'openid_connect': { 'OAUTH_PKCE_ENABLED': True, 'APPS': [ { 'provider_id': 'oidc', 'name': 'Keycloak', 'client_id': 'recipes', 'secret': '12345678-90ab-cdef-1234-567890abcdef', 'settings': { 'server_url': 'https://keycloak.example.net/realms/master/.well-known/openid-configuration' } } ] } }"
>
> This is literally the information from the documentation under "Third-party authentication example".

Tried this, and still receiving the same errors.

New Tandoor installation.
New Keycloak installation. Other apps auth with no issue.
