
Social Login (OIDC) does not work for custom IdP with error: Email not verified #35542

Closed
MohammedNoureldin opened this issue Jun 3, 2023 · 2 comments

@MohammedNoureldin

Information about bug

Hi, I am trying to authenticate ERPNext users using Keycloak IdP.

I configured it as shown here: https://discuss.frappe.io/t/oauth-client-login-button/29152/6?u=mnoureldin

and it seems almost to be working; still, I get an error that the e-mail is not verified in Keycloak, although it is actually verified.

Server Error
Traceback (most recent call last):
  File "apps/frappe/frappe/app.py", line 66, in application
    response = frappe.api.handle()
  File "apps/frappe/frappe/api.py", line 54, in handle
    return frappe.handler.handle()
  File "apps/frappe/frappe/handler.py", line 45, in handle
    data = execute_cmd(cmd)
  File "apps/frappe/frappe/handler.py", line 83, in execute_cmd
    return frappe.call(method, **frappe.form_dict)
  File "apps/frappe/frappe/__init__.py", line 1607, in call
    return fn(*args, **newargs)
  File "apps/frappe/frappe/integrations/oauth2_logins.py", line 58, in custom
    login_via_oauth2(provider, code, state, decoder=decoder_compat)
  File "apps/frappe/frappe/utils/oauth.py", line 115, in login_via_oauth2
    info = get_info_via_oauth(provider, code, decoder)
  File "apps/frappe/frappe/utils/oauth.py", line 161, in get_info_via_oauth
    frappe.throw(_("Email not verified with {0}").format(provider.title()))
  File "apps/frappe/frappe/__init__.py", line 525, in throw
    msgprint(
  File "apps/frappe/frappe/__init__.py", line 493, in msgprint
    _raise_exception()
  File "apps/frappe/frappe/__init__.py", line 442, in _raise_exception
    raise raise_exception(msg)
frappe.exceptions.ValidationError: Email not verified with Keycloak

Here is again my configuration:

[image: Social Login Key configuration screenshot]

Here is a small screenshot in Keycloak of the user I am using for logging in:

[image: Keycloak user screenshot]

Is it a bug? What could be wrong?

Module

integrations

Version

APPLICATION VERSION
v14.26.0

CHART VERSIONS
6.0.38
(31 May, 2023)

Installation method

None

@MohammedNoureldin
Author

Well, apparently the message I get from ERPNext is just misleading. It turns out that the userinfo (API endpoint) was wrong, thus some information could not be found by ERPNext.

The settings that work for me are:

- Provider name: <anything you want> (in my case keycloak)

- Client ID: <from your IdP> (in my case erpnext)
- Client Secret: from your IdP

- Base URL: https://<idp domain>/realms/<realm name>

- Authorize URL: /protocol/openid-connect/auth
- Access Token URL: /protocol/openid-connect/token
- Redirect URL: /api/method/frappe.integrations.oauth2_logins.custom/<Provider name> (so for my case is /api/method/frappe.integrations.oauth2_logins.custom/keycloak)
- API Endpoint: https://<idp domain>/realms/<realm name>/protocol/openid-connect/userinfo

- Auth URL Data: {"response_type": "code", "scope": "openid profile email"}

- User ID Property: preferred_username

Now to explain what the problem exactly was:

In the previous configuration, it is important to note that most URLs are relative to the Base. However, there is also an endpoint (API Endpoint, or userinfo endpoint) which is an absolute URL. Using a relative URL instead of an absolute URL and vice versa will result in OIDC authentication not working.

In my case I used a relative path in API Endpoint instead of the absolute full path. As soon as I put the full URL in the endpoint, the problem was solved.
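The following is an added example, not code from the Frappe project or from the posters in this thread. It models the two points made above: which Social Login Key URLs are joined onto Base URL and which one (API Endpoint) must be absolute, and why a wrong userinfo endpoint shows up as "Email not verified" instead of as a URL error. The gate in userinfo_gate() is this example's reading of the traceback (login rejected unless the userinfo JSON carries an email or email_verified claim), not a quote of Frappe's source; hostnames, the sample userinfo body and the error body are constructed placeholders.

```python
"""Added example (not Frappe's own code): resolve Social Login Key URLs and
show why a wrong userinfo endpoint produces the "Email not verified" message.
"""
from urllib.parse import urlparse

# Working settings from the thread, with constructed placeholder hosts.
CONFIG = {
    "provider_name": "keycloak",
    "base_url": "https://idp.example.test/realms/myrealm",
    "authorize_url": "/protocol/openid-connect/auth",
    "access_token_url": "/protocol/openid-connect/token",
    "redirect_url": "https://erp.example.test/api/method/"
                    "frappe.integrations.oauth2_logins.custom/keycloak",
    "api_endpoint": "https://idp.example.test/realms/myrealm"
                    "/protocol/openid-connect/userinfo",
    "user_id_property": "preferred_username",
}


def is_absolute(url):
    """True when the URL carries both a scheme and a host."""
    parts = urlparse(url)
    return bool(parts.scheme and parts.netloc)


def resolve_endpoints(cfg):
    """Prefix relative authorize/token paths with Base URL; pass the
    API Endpoint through unchanged, since the thread states it must already
    be absolute (assumption: no base prefixing happens for it)."""
    base = cfg["base_url"].rstrip("/")

    def join(path):
        return path if is_absolute(path) else base + "/" + path.lstrip("/")

    return {
        "authorize": join(cfg["authorize_url"]),
        "token": join(cfg["access_token_url"]),
        "userinfo": cfg["api_endpoint"],
    }


def validate_config(cfg):
    """Return the list of configuration problems found (empty when clean)."""
    problems = []
    if not is_absolute(cfg["base_url"]):
        problems.append("Base URL must be absolute")
    if not is_absolute(cfg["api_endpoint"]):
        problems.append("API Endpoint must be an absolute URL (not relative to Base URL)")
    elif urlparse(cfg["api_endpoint"]).netloc != urlparse(cfg["base_url"]).netloc:
        problems.append("API Endpoint host differs from Base URL host")
    return problems


def userinfo_gate(info, provider):
    """Return None when login may proceed, else the message from the traceback.
    Assumption about the gate: it only looks for email / email_verified, so an
    error JSON or empty body from a wrong endpoint fails exactly like a
    genuinely unverified address."""
    if not (info.get("email_verified") or info.get("email")):
        return "Email not verified with {0}".format(provider.title())
    return None


def explain_failure(info):
    """Separate the causes that share the one error message."""
    if "email" not in info and "email_verified" not in info:
        if not info or "error" in info:
            return "userinfo endpoint returned an error/empty body: check API Endpoint URL"
        return "userinfo lacks email claims: check requested scopes (needs 'email')"
    if not info.get("email_verified"):
        return "address present but not verified in the IdP"
    return "ok"


# Constructed sample bodies: a valid Keycloak-style userinfo answer and the
# kind of error JSON a wrong endpoint hands back.
GOOD_USERINFO = {
    "sub": "constructed-sub-1",
    "preferred_username": "mnoureldin",
    "email": "user@example.test",
    "email_verified": True,
}
WRONG_ENDPOINT_BODY = {"error": "invalid_request", "error_description": "constructed"}

if __name__ == "__main__":
    print(validate_config(CONFIG), resolve_endpoints(CONFIG))
    print(userinfo_gate(WRONG_ENDPOINT_BODY, "keycloak"), explain_failure(WRONG_ENDPOINT_BODY))
```

Running it with a relative API Endpoint substituted into CONFIG reproduces the misconfiguration the thread describes, and explain_failure() shows the distinction the stock message hides: a body with no email claims at all points at the endpoint or the scopes, while a body that has an address with email_verified false is the case the message was actually written for.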

@dawidkellerman

dawidkellerman commented Jul 30, 2023

Thank you @MohammedNoureldin.
Your post saved me lots of time!

I had to make a change though: I had to add my ERPNext instance URL.

- Provider name: <anything you want> (in my case keycloak)

- Client ID: <from your IdP> (in my case erpnext)
- Client Secret: from your IdP

- Base URL: https://<idp domain>/realms/<realm name>

- Authorize URL: /protocol/openid-connect/auth
- Access Token URL: /protocol/openid-connect/token
- Redirect URL: https://<erpnext domain>/api/method/frappe.integrations.oauth2_logins.custom/<Provider name> (so for my case is /api/method/frappe.integrations.oauth2_logins.custom/keycloak)
- API Endpoint: https://<idp domain>/realms/<realm name>/protocol/openid-connect/userinfo

- Auth URL Data: {"response_type": "code", "scope": "openid profile email"}

- User ID Property: preferred_username

I am about to try your frappe-oidc-extended.
Hope I will manage, assuming it's just another Frappe app.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Jan 4, 2024