SSO alternatives to Keycloak, i.e. Authentik.io

[saschafoerster]

We are using Authentik as a OIDC-provider. I would like to connect the Datenschutzcenter directly to it, without having another keycloak-instance running just for it.

First I tried to just use Authentik, but the URLs where not fitting, as they were optimized for Keycloak:

https://DOMAIN/realms/datenschutz-center/protocol/openid-connect/auth?....
while authentik is expecting:
https://DOMAIN/application/o/datenschutz-center
It also has Github compatibility:
https://docs.goauthentik.io/docs/providers/oauth2/

But I saw this URL is not an variable but hardcoded:

open-datenschutzcenter/src/Controller/LoginControllerKeycloak.php

Line 21 in ef7cb52

$url = $this->getParameter('KEYCLOAK_URL') . '/realms/' . $this->getParameter('KEYCLOAK_REALM') . '/account';

I tried to play around myself and change the OIDC-type to "generic" and added some options for it, but then I got subsequent errors, when building the containers, for instance:

knpu_oauth2_client:
    clients:
        keycloak_main:
            # must be "keycloak" - it activates that type!
            #type: keycloak

Error:

14.47 Script cache:clear returned with error code 1
14.47 !!  
14.47 !!  In ArrayNode.php line 304:
14.47 !!                                                                                 
14.47 !!    Unrecognized options "auth_server_url, realm, access_token_url, authorizati  
14.47 !!    on_url, infos_url, scope, paths" under "knpu_oauth2_client/clients/keycloak  
14.47 !!    _main". Available options are "client_class", "client_id", "client_secret",  
14.47 !!     "provider_class", "provider_options", "redirect_params", "redirect_route",  
14.47 !!     "use_state".                                                                
14.47 !!                                                                                 
14.47 !!  
14.47 !!  
14.47 Script @auto-scripts was called via post-install-cmd
------
failed to solve: process "/bin/bash -o pipefail -c composer install" did not complete successfully: exit code: 1

So, I gave up for now, but I would love to be able to use this nice tool! :)

[cfoellmann]

For me the hardcoded keycloak requirement was also a dealbreaker so far.

I would love to have the sso interface as a configurable generic interface.
We also run authentik and if I had time I would jump in on this issue but I am only able to pitch in with testing when some start is public.

@saschafoerster can you push you changes to your fork? That way I might be able to have a look.

[holema]

Hello @cfoellmann and @saschafoerster,
We use the https://github.com/knpuniversity/oauth2-client-bundle bundle in the odc. In this repo you can find all possible adapters which are already build for oauth2. You can install you own adapter and then owork with your own oauth2 provider.
We only implemented keycloak because with kecloak you can semmlessly integrate any other Ooauth2 prvoider with one application. this was a great benefit for us, If you are interested that we help you implementing an other oauth provider feel free to contact us at [email protected]