Configuring Keycloak for OAuth
We recommend using Keycloak as the authentication provider for OpenSPP. This gives users a single sign-on experience and lets the authentication mechanism evolve independently of the systems using it, so that it can be secured separately and act as a shield in front of those systems.
Although other OIDC-compliant providers can be used, we have only tested Keycloak.
If you are using OpenSPP’s docker-compose setup, you already have
auth_oidc from OCA installed, otherwise you will need to install
Go to the admin console of your Keycloak instance
Create a new realm (if needed), in our example we use
Create a new client, in our example we use
standard flow and save.
Valid redirect URIs to be “<url of your server>/auth_oauth/signin”.
Go to the “Credentials” tab and copy the
Client secret to be used later.
Authentication OpenID Connect from the Apps menu.
Settings > General Settings > Integrations > oAuth Authentication > oAuth Providers and configure it as follows:
Provider name: Keycloak (or any name you like that identifies your Keycloak provider)
Auth Flow: OpenID Connect (authorization code flow)
Client ID: the same Client ID you entered when configuring the client in Keycloak
Client Secret: found in Keycloak on the client Credentials tab
Body: the link text to appear on the login page, such as Login with Keycloak
Scope: openid email
Authentication URL: The “authorization_endpoint” URL found in the OpenID Endpoint Configuration of your Keycloak realm
Token URL: The “token_endpoint” URL found in the OpenID Endpoint Configuration of your Keycloak realm
JWKS URL: The “jwks_uri” URL found in the OpenID Endpoint Configuration of your Keycloak realm
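The three URL fields above can be checked before they are pasted into the provider form. The following is an added example, not part of the OpenSPP documentation: it reads a realm's OpenID Endpoint Configuration document, confirms it belongs to the realm you expect, and returns the values for the form. The hostname `keycloak.example.org`, the realm name `example-realm` and the sample document are constructed placeholders, and the same-host check assumes your Keycloak serves all endpoints from the issuer's host.

```python
import json
from urllib.parse import urlsplit

# Constructed sample of a realm's OpenID Endpoint Configuration document.
# Host and realm are placeholders; load your realm's real document instead.
SAMPLE_DISCOVERY = json.loads("""{
  "issuer": "https://keycloak.example.org/realms/example-realm",
  "authorization_endpoint": "https://keycloak.example.org/realms/example-realm/protocol/openid-connect/auth",
  "token_endpoint": "https://keycloak.example.org/realms/example-realm/protocol/openid-connect/token",
  "jwks_uri": "https://keycloak.example.org/realms/example-realm/protocol/openid-connect/certs",
  "response_types_supported": ["code", "id_token", "code id_token"],
  "scopes_supported": ["openid", "email", "profile"]
}""")

# Provider form field -> key in the discovery document (as listed above).
FIELD_MAP = {
    "Authentication URL": "authorization_endpoint",
    "Token URL": "token_endpoint",
    "JWKS URL": "jwks_uri",
}


def provider_fields(doc, expected_issuer, scope="openid email"):
    """Return the URL fields for the provider form, or raise ValueError."""
    if doc.get("issuer") != expected_issuer:
        raise ValueError(f"issuer mismatch: {doc.get('issuer')!r}")
    issuer_host = urlsplit(expected_issuer).netloc
    fields = {}
    for label, key in FIELD_MAP.items():
        url = urlsplit(str(doc.get(key, "")))
        if url.scheme != "https":
            raise ValueError(f"{key} is missing or not https")
        # Assumption: every endpoint is served from the issuer's host.
        if url.netloc != issuer_host:
            raise ValueError(f"{key} is on a different host than the issuer")
        fields[label] = doc[key]
    if "code" not in doc.get("response_types_supported", []):
        raise ValueError("authorization code flow is not advertised")
    missing = set(scope.split()) - set(doc.get("scopes_supported", []))
    if missing:
        raise ValueError(f"scopes not advertised: {sorted(missing)}")
    return fields


if __name__ == "__main__":
    issuer = "https://keycloak.example.org/realms/example-realm"
    for label, value in provider_fields(SAMPLE_DISCOVERY, issuer).items():
        print(f"{label}: {value}")
```
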
Customizing the login page (Optional)
To align with corporate branding, you can customize the login page by adding a custom logo and a custom background image.
Enable Developer Settings: “Settings” > “Activate The Developer Mode”
Edit The Login Template: “Settings” > “Technical” > “User Interface > Views” > Search for “Login”
Users who already existed before the OIDC integration was configured need to go through the reset password process. This is because the password is not stored in Odoo, but in Keycloak. Depending on the configuration, the user may have to perform 2FA setup.
For new users, create their user account in OpenSPP/Odoo with the same email address used in
they will be able to log in. Note that in order to be able to get past the self-service user management page,
permissions need to be set for the user.