
How do I configure Mastodon login using SSO, such as OpenID with Keycloak? I searched on GitHub and configured Mastodon following this guide, but it doesn't work.

These are my environment variables:

OIDC_ENABLED=true
OIDC_DISPLAY_NAME=SSO
OIDC_AUTH_ENDPOINT=https://SSO_URL/realms/mastodon/.well-known/openid-configuration
OIDC_ISSUER=https://SSO_URL/realms/mastodon
OIDC_DISCOVERY=true
OIDC_SCOPE="openid,profile"
OIDC_UID_FIELD=uid
OIDC_CLIENT_ID=masto
OIDC_REDIRECT_URI=https://MASTODON_URL/auth/auth/openid_connect/callback
OIDC_SECURITY_ASSUME_EMAIL_IS_VERIFIED=true
OIDC_CLIENT_SECRET=***

I checked the error log via this command, but it is empty.

docker-compose logs | grep ERROR

Even the text of the SSO button has not changed.

Here is the screenshot of the SSO button.

Tippy
  • Please share the error and logs of failure – Abhijeet May 02 '22 at 05:51
  • Hello, I have added the relevant configuration. I will be very happy if I can get your help, or an instance configuration or related blog about this question. Thank you! – Tippy May 02 '22 at 06:49
  • are you using decentral1se/hometown:v1.0.5_3.4.0_openid-sso image? – Abhijeet May 02 '22 at 11:23
  • No, I'm using the official docker image tootsuite/mastodon. I saw this issue on GitHub, so I thought it had been merged to master. I'll try decentral1se/hometown:v1.0.5_3.4.0_openid-sso. Thank you! – Tippy May 02 '22 at 13:01
  • What should OIDC_REDIRECT_URI be set to? I set it to https://MASTODON_URL/auth/auth/openid_connect/callback but it returns 404 on this page. – Tippy May 02 '22 at 16:01
  • The redirect URI is the URI to which the response will be sent. It can be the app URI where you want to redirect after login. – Abhijeet May 03 '22 at 05:31
  • The question has been resolved. It was just because the Keycloak container was accessed directly rather than through Traefik. Thank you for your help! – Tippy May 03 '22 at 16:54

2 Answers


My config:

OIDC_ENABLED=true
OIDC_DISPLAY_NAME=My IDM
OIDC_DISCOVERY=true
OIDC_ISSUER=https://<keycloak_url>/auth/realms/<real>
OIDC_AUTH_ENDPOINT=https://<keycloak_url>/auth/realms/<real>/.well-known/openid-configuration
OIDC_SCOPE=openid,profile,email
OIDC_UID_FIELD=preferred_username
OIDC_CLIENT_ID=<client id>
OIDC_CLIENT_SECRET=<client secret>
OIDC_REDIRECT_URI=https://<mastodon URL>/auth/auth/openid_connect/callback
OIDC_SECURITY_ASSUME_EMAIL_IS_VERIFIED=true

Tested with Mastodon 3.5.3 and Keycloak 7.0.1.

Maybe you only need to change your OIDC_SCOPE and OIDC_UID_FIELD environment values.


I cannot comment, but Erik's suggestion was really good; here is our minimal configuration using Keycloak in discovery mode:

# Enable OIDC
OIDC_ENABLED=true
# Name your button (ignored in current 3.5.3 but fix is done in upcoming releases)
OIDC_DISPLAY_NAME=Login with MySSO
# Where to find your Keycloak OIDC server
OIDC_ISSUER=https://<keycloak_domain>/realms/<my_realm>
# Use discovery to determine all OIDC endpoints
OIDC_DISCOVERY=true
# Scope you want to obtain from OIDC server
OIDC_SCOPE=openid,profile,email
# Field to be used for populating user's @alias
OIDC_UID_FIELD=preferred_username
# Client ID of the client you configured for Mastodon in Keycloak
OIDC_CLIENT_ID=<keycloak_client_id>
# Client secret of the client you configured for Mastodon in Keycloak (in production, use secrets; Docker secrets in our case)
OIDC_CLIENT_SECRET=<keycloak_client_secret>
# Where OIDC server should come back after authentication
OIDC_REDIRECT_URI=https://<mastodon_domain>/auth/auth/openid_connect/callback
# Assume emails are verified by the OIDC server
OIDC_SECURITY_ASSUME_EMAIL_IS_VERIFIED=true

So the only difference is that we didn't have to add OIDC_AUTH_ENDPOINT, thanks to OIDC discovery.
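Both answers above give a working set of OIDC_* variables, and the question's own resolution was that Keycloak had been reached directly instead of through the Traefik proxy. What goes wrong in that case is visible in the discovery document: Keycloak builds the `issuer` value from the request it received, and OpenID Connect Discovery 1.0 (section 4.3) requires that value to be identical to the issuer URL the client was configured with, so an internal container URL there makes discovery fail even though every variable looks right. The following is an added example, not code from Mastodon, Keycloak or either answer: an offline check of a Mastodon-style environment against a discovery document. The hostnames, client id, secret and both discovery documents are constructed for illustration; the callback path and the comma-separated OIDC_SCOPE format are taken from the configs on this page.

```python
# Added example (not Mastodon's or Keycloak's code): offline sanity check of the
# OIDC_* variables shown on this page against a Keycloak-style discovery document.
# Both discovery documents below are constructed to look like Keycloak's, not fetched.
import json
from urllib.parse import urlparse

# Mastodon's OmniAuth callback path, as used in the configs on this page.
CALLBACK_PATH = "/auth/auth/openid_connect/callback"


def parse_env(text):
    """Parse KEY=VALUE lines; blanks and '#' comments are ignored, surrounding quotes stripped."""
    env = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        env[key.strip()] = value.strip().strip("\"'")
    return env


def check_oidc_env(env, discovery):
    """Return a list of problems; an empty list means the env agrees with the discovery document."""
    problems = []
    issuer = env.get("OIDC_ISSUER", "").rstrip("/")
    if not issuer:
        problems.append("OIDC_ISSUER is not set")

    # OIDC Discovery 1.0 section 4.3: the document's issuer must be identical to the
    # configured issuer. Keycloak derives it from the request it received, so reaching
    # the container directly instead of through the public reverse proxy yields an
    # internal URL here and the client rejects the document.
    doc_issuer = discovery.get("issuer", "").rstrip("/")
    if doc_issuer != issuer:
        problems.append(f"issuer mismatch: OIDC_ISSUER={issuer!r} but discovery says {doc_issuer!r}")

    # OIDC_SCOPE is a comma-separated list on this page; 'openid' is mandatory for OIDC.
    scopes = [s.strip() for s in env.get("OIDC_SCOPE", "").split(",") if s.strip()]
    if "openid" not in scopes:
        problems.append("OIDC_SCOPE must include 'openid'")
    for scope in scopes:
        if scope not in discovery.get("scopes_supported", []):
            problems.append(f"scope {scope!r} not advertised in scopes_supported")

    # The UID field must be a claim the provider actually returns (e.g. preferred_username).
    uid_field = env.get("OIDC_UID_FIELD", "")
    if uid_field not in discovery.get("claims_supported", []):
        problems.append(f"OIDC_UID_FIELD {uid_field!r} not in claims_supported")

    # Redirect URI: https, and exactly Mastodon's callback path.
    redirect = urlparse(env.get("OIDC_REDIRECT_URI", ""))
    if redirect.scheme != "https" or redirect.path != CALLBACK_PATH:
        problems.append(f"OIDC_REDIRECT_URI should be https://<mastodon>{CALLBACK_PATH}")

    for key in ("OIDC_CLIENT_ID", "OIDC_CLIENT_SECRET"):
        if not env.get(key):
            problems.append(f"{key} is not set")
    return problems


# Constructed sample: the discovery document as served through the public proxy
# (issuer matches what Mastodon is told) ...
KEYCLOAK_VIA_PROXY = json.loads("""{
  "issuer": "https://sso.example.org/realms/mastodon",
  "authorization_endpoint": "https://sso.example.org/realms/mastodon/protocol/openid-connect/auth",
  "scopes_supported": ["openid", "profile", "email", "offline_access"],
  "claims_supported": ["sub", "iss", "preferred_username", "email", "name"]
}""")
# ... and as served when the container is reached directly, the failure in the question.
KEYCLOAK_DIRECT = dict(KEYCLOAK_VIA_PROXY, issuer="http://keycloak:8080/realms/mastodon")

# Constructed environment in the shape of the second answer (hostnames and secret are placeholders).
GOOD_ENV = parse_env("""
OIDC_ENABLED=true
OIDC_ISSUER=https://sso.example.org/realms/mastodon
OIDC_DISCOVERY=true
OIDC_SCOPE=openid,profile,email
OIDC_UID_FIELD=preferred_username
OIDC_CLIENT_ID=masto
OIDC_CLIENT_SECRET=example-secret
OIDC_REDIRECT_URI=https://social.example.org/auth/auth/openid_connect/callback
""")

if __name__ == "__main__":
    for name, doc in (("via proxy", KEYCLOAK_VIA_PROXY), ("direct", KEYCLOAK_DIRECT)):
        print(name, check_oidc_env(GOOD_ENV, doc) or "OK")
```

To run it against a real deployment, fetch `OIDC_ISSUER` + `/.well-known/openid-configuration` from the same network path Mastodon uses (from inside the Mastodon container, not from your workstation) and pass the parsed JSON as `discovery`; an issuer that comes back with an internal hostname or plain `http` is the symptom the asker hit, and the fix is on the proxy or Keycloak side (forwarded-header handling), not in the OIDC_* variables.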