
Conversation


@gumaerc gumaerc commented Sep 3, 2025

What are the relevant tickets?

Closes https://github.com/mitodl/hq/issues/8011

Description (What does it do?)

This PR modifies the custom login view in Learn to check whether the user is part of any organizations (as determined by Keycloak and passed on by APISIX) and, if so, skips onboarding and redirects them to the dashboard for their given organization.

How can this be tested?

  • Make sure you have Keycloak / APISIX configured as per the Keycloak README
  • Create a new test user, but don't log in

Keycloak Config:

  • Log into the Keycloak admin on the master realm using the login / password defined by KEYCLOAK_SVC_ADMIN / KEYCLOAK_SVC_ADMIN_PASSWORD
  • Click "Manage Realms" in top left, and manage the ol-local realm (instead of the master realm)
  • In Realm Settings (lower left) enable "Organizations"
  • You should now have the Organizations tab, click that
  • Add a new organization
  • Browse to Client scopes
  • Create a new client scope called organization
  • Within that scope, go to the Mappings tab
  • Create a new mapping ("Configure new mapping") and select "Organization Membership". Update its settings to match these:
    (screenshot of the Organization Membership mapper settings omitted)
  • Click on Clients on the left side
  • Click on the apisix client
  • Click on Add Client Scope, then select the organization scope we just created and add it
  • Go back to Organizations
  • Select the org we created earlier
  • Go to the Members tab
  • Add your test user from earlier
  • In an incognito window, log in as your test user
  • Verify that it attempts to redirect you to the org dashboard with the slugified name of your org (you might just see a blank page if you don't have MITx Online integration set up and / or the org doesn't actually exist in MITx Online)

@gumaerc gumaerc added the Work in Progress and Needs Review labels and removed the Work in Progress label Sep 3, 2025
@ChristopherChudzicki ChristopherChudzicki self-assigned this Sep 4, 2025
@gumaerc gumaerc force-pushed the cg/redirect-org-users-to-org-dashboard branch 2 times, most recently from bb784f5 to 0e2996f Compare September 4, 2025 20:45
@ChristopherChudzicki ChristopherChudzicki left a comment


Two things I have noticed:

  1. This requires Keycloak 26.3.3 (or higher, presumably; it did not work on 26.2.3)
  2. I believe the setting KEYCLOAK_SCOPES="openid profile ol-profile organization:*" causes problems for people who have not yet enabled orgs.

To see (2) in effect, remove "organization" from client scope and try logging in via UI. You will see:

(screenshot of the login error page, taken 2025-09-05, omitted)

and an "invalid scope" error in the Keycloak logs:

keycloak-1 | 2025-09-05 19:00:36,476 WARN [org.keycloak.events] (executor-thread-18) type="LOGIN_ERROR", realmId="160c333f-6b79-44a1-8bfc-e9ca019584bb", realmName="ol-local", clientId="apisix", userId="null", ipAddress="192.168.65.1", error="invalid_request", reason="Invalid scopes: openid profile ol-profile organization:*", response_type="code", redirect_uri="http://api.learn.odl.local:8065/login/.apisix/redirect", response_mode="query"

I think we should try to update the ol-local-realm.json realm export (I do not know how) or leave KEYCLOAK_SCOPES as-is for now.

@ChristopherChudzicki ChristopherChudzicki left a comment


Thanks for all the help testing this. Keycloak 26.3.3 was the key for me.

Two requested changes:

  1. Redirect with APP_BASE_URL
  2. Do something about KEYCLOAK_SCOPES="openid profile ol-profile organization:*" breaking stuff.
    • IMO best would be to update the realm JSON... James mentioned in slack we can export the realm via https://www.keycloak.org/server/importExport
    • Even if we update it, existing (local) keycloaks would need to be manually updated, though, I think.

org_slug,
)

redirect_url = f"/dashboard/organization/{org_slug}"
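Review bot: the redirect_url line builds a relative path, so the browser resolves it against whichever host served the login view (the API host), and the org_slug value is interpolated into that path without any validation. Build the URL from the front-end origin, e.g. urljoin(settings.APP_BASE_URL, f"/dashboard/organization/{org_slug}"), and since the slug is derived from the organization name, check it against a strict slug pattern (lowercase alphanumerics and hyphens) before interpolating it, falling back to the onboarding flow when it does not match.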

This took me to http://api.learn.odl.local:8065/dashboard/organization/universityx which was 404 since it's an API url not an app URL.

Probably we want urljoin(settings.APP_BASE_URL, f"/dashboard/organization/{org_slug}")

@gumaerc gumaerc force-pushed the cg/redirect-org-users-to-org-dashboard branch from b4f3734 to 305fa64 Compare September 8, 2025 17:05
gumaerc commented Sep 8, 2025

@ChristopherChudzicki Thanks for the review. I took your suggestion for the redirect using APP_BASE_URL, thanks for that. As far as the organization:* Keycloak scope, based on our discussions I think we should just leave it out of the env for now. I left a comment there explaining how to enable it. Updating the realm JSON is beyond the scope of this PR, but we should likely do that separately.
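As an added example (not code from this PR or the mit-learn project), here is one way to implement the post-login decision described in the PR, including the APP_BASE_URL-based absolute redirect suggested in review. It assumes that APISIX forwards the Keycloak claims as a base64-encoded JSON X-Userinfo header, that the Organization Membership mapper emits an "organization" claim shaped either as a dict keyed by organization alias or as a list of aliases (both are handled), and that APP_BASE_URL, the onboarding path and the helper names are placeholders rather than the project's real settings. It also slug-validates the organization name before interpolating it into the path and sends any user without a usable organization to onboarding.

```python
# Added example, not code from the PR or the mit-learn project.
# Assumed: APISIX forwards Keycloak claims as base64 JSON in X-Userinfo;
# the Organization Membership mapper yields an "organization" claim that is
# a dict keyed by org alias (Keycloak 26 style) or a list of aliases.
import base64
import json
import re
import unicodedata
from typing import Optional
from urllib.parse import urljoin

APP_BASE_URL = "http://learn.odl.local:8062"  # stand-in for settings.APP_BASE_URL (assumed value)
ONBOARDING_PATH = "/onboarding"                # assumed path of the onboarding flow
ORG_DASHBOARD_PATH = "/dashboard/organization/{slug}"

# Strict allow-list for what may be interpolated into the redirect path.
SLUG_RE = re.compile(r"[a-z0-9]+(?:-[a-z0-9]+)*")


def slugify(value: str) -> str:
    """Django-style slugify: ASCII-fold, drop punctuation, lowercase, hyphenate."""
    value = unicodedata.normalize("NFKD", value).encode("ascii", "ignore").decode("ascii")
    value = re.sub(r"[^\w\s-]", "", value).strip().lower()
    return re.sub(r"[-\s]+", "-", value).strip("-")


def decode_userinfo(header_value: str) -> dict:
    """Decode the base64-encoded JSON userinfo header; anything malformed yields {}."""
    try:
        padded = header_value + "=" * (-len(header_value) % 4)
        claims = json.loads(base64.b64decode(padded))
    except ValueError:  # binascii.Error and JSONDecodeError are both ValueErrors
        return {}
    return claims if isinstance(claims, dict) else {}


def encode_userinfo(claims: dict) -> str:
    """Build the header value APISIX would send (used here only to construct samples)."""
    return base64.b64encode(json.dumps(claims).encode("utf-8")).decode("ascii")


def organization_names(claims: dict) -> list:
    """Return organization aliases/names from the claim, tolerating both known shapes."""
    org = claims.get("organization")
    if isinstance(org, dict):
        return [str(k) for k in org]
    if isinstance(org, list):
        return [o for o in org if isinstance(o, str)]
    return []


def post_login_redirect(userinfo_header: Optional[str]) -> str:
    """Org members skip onboarding and land on their org dashboard; everyone else onboards.

    The result is always absolute on APP_BASE_URL, so it never resolves against the
    API host that served the login view.
    """
    claims = decode_userinfo(userinfo_header or "")
    for name in organization_names(claims):
        slug = slugify(name)
        if SLUG_RE.fullmatch(slug):
            return urljoin(APP_BASE_URL, ORG_DASHBOARD_PATH.format(slug=slug))
    return urljoin(APP_BASE_URL, ONBOARDING_PATH)


if __name__ == "__main__":
    # Constructed sample claims, not captured from a real Keycloak/APISIX exchange.
    for sample in (
        {"sub": "u1", "organization": {"University X": {}}},
        {"sub": "u2", "organization": ["acme-corp"]},
        {"sub": "u3"},
    ):
        print(sample.get("organization"), "->", post_login_redirect(encode_userinfo(sample)))
```

Because the path passed to urljoin starts with "/", it replaces whatever path APP_BASE_URL carries, which is the behaviour wanted here; a slug that fails the allow-list (empty after slugifying, or containing characters outside [a-z0-9-]) is skipped rather than interpolated, and a missing or undecodable header degrades to the onboarding redirect instead of raising.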

@gumaerc gumaerc merged commit 61c92bc into main Sep 8, 2025
13 checks passed
@gumaerc gumaerc deleted the cg/redirect-org-users-to-org-dashboard branch September 8, 2025 17:50
@odlbot odlbot mentioned this pull request Sep 10, 2025