Keycloak / Frappe OAuth2 Identity Provider integration

Hi all,

I’m currently working on integrating a Frappe OAuth client into our central IAM (Keycloak) as an Identity Provider (the goal is to log in to ERPNext through Keycloak). I configured Frappe as well as Keycloak accordingly and the integration / login is working; however, Keycloak throws an error while trying to link the internal user with the Frappe user account (Identity Provider Link).

After some debugging I found out that Keycloak parses the ID Token that comes from Frappe during the OAuth token exchange and tries to process the subject of the ID Token (“sub” claim) (keycloak/OIDCIdentityProvider.java at main · keycloak/keycloak · GitHub). According to the spec (and the Keycloak implementation, keycloak/BrokeredIdentityContext.java at main · keycloak/keycloak · GitHub) the sub claim should never be null.
I introspected the ID Token that is generated by Frappe and found the following value:

{
  "aud": "XXX",
  "iat": 1660949297,
  "at_hash": "XXX",
  "iss": "XXX",
  "sub": null,
  "name": "Guest",
  "given_name": "Guest",
  "family_name": null,
  "email": "guest@example.com",
  "picture": null,
  "roles": [
    "Guest"
  ]
}

So I see 2 problems here:

  1. The contents of the ID Token do not correspond to the user I authenticated with and instead contain Guest user data, which is definitely wrong. If I use the access token issued by Frappe and call Frappe's user info endpoint, I receive the correct user details, however.
  2. Even for the Guest user, a “sub” claim with a null value seems to be against the spec.

Any ideas on how to proceed? This blocks me from finalizing the integration.

Regards,
Max
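To make the two failure modes above concrete, here is an added example (not code from the original post, nor from Keycloak or Frappe) of the checks a broker performs on an incoming ID token per OIDC Core 3.1.3.7, plus the cross-check OIDC Core 5.3.2 requires between the ID token "sub" and the userinfo "sub". The issuer, client_id, token contents and userinfo response are constructed placeholders modelled on the token shown in the post; signature verification is deliberately left out (a real broker verifies the JWS against the IdP's JWKS before looking at any claim).

```python
"""Broker-side ID token validation and userinfo cross-check (constructed example).

Not Keycloak's or Frappe's code. Signature verification is omitted on purpose;
only claim validation is shown.
"""
import base64
import json
import time

# Constructed placeholders for the Frappe issuer and the broker's client_id.
ISSUER = "https://erp.example.com"
CLIENT_ID = "keycloak-broker"


def b64url_decode(segment: str) -> bytes:
    """Decode base64url without padding, as used in JWT segments."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_unsigned_jwt(claims: dict) -> str:
    """Build a JWT-shaped token with an empty signature, for this demo only."""
    header = b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


def decode_jwt_payload(token: str) -> dict:
    """Return the claims set of a compact JWS (header.payload.signature)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected header.payload.signature")
    return json.loads(b64url_decode(parts[1]))


def validate_id_token_claims(claims: dict, issuer: str, client_id: str, now=None) -> list:
    """Return the list of violations; an empty list means the token is acceptable.

    Mirrors the mandatory checks of OIDC Core 3.1.3.7: iss, sub, aud, exp and iat
    are REQUIRED, iss must match, aud must contain the client_id, exp must be in
    the future. A JSON null is treated exactly like an absent claim.
    """
    now = time.time() if now is None else now
    problems = []
    for name in ("iss", "sub", "aud", "exp", "iat"):
        if claims.get(name) is None:
            problems.append(f"required claim '{name}' is missing or null")
    if claims.get("sub") is not None and not isinstance(claims["sub"], str):
        problems.append("'sub' must be a string")
    if claims.get("iss") is not None and claims["iss"] != issuer:
        problems.append(f"'iss' {claims['iss']!r} does not match expected issuer")
    aud = claims.get("aud")
    if aud is not None:
        audiences = aud if isinstance(aud, list) else [aud]
        if client_id not in audiences:
            problems.append("'aud' does not contain this client_id")
    if isinstance(claims.get("exp"), (int, float)) and claims["exp"] < now:
        problems.append("token has expired")
    return problems


def userinfo_matches_id_token(id_claims: dict, userinfo: dict) -> bool:
    """OIDC Core 5.3.2: the userinfo 'sub' MUST equal the ID token 'sub'.

    A broker that links accounts on 'sub' has to refuse a mismatch, otherwise it
    would link the broker-side user to whoever the ID token happens to describe.
    """
    sub = id_claims.get("sub")
    return isinstance(sub, str) and sub == userinfo.get("sub")


# Constructed claim sets. BROKEN_CLAIMS reproduces the shape reported in the
# post (Guest data, null sub); an exp claim is added so that the null sub is the
# only violation. GOOD_CLAIMS is what the token should have contained.
_IAT = 1660949297
BROKEN_CLAIMS = {"aud": CLIENT_ID, "iat": _IAT, "exp": _IAT + 3600, "at_hash": "XXX",
                 "iss": ISSUER, "sub": None, "name": "Guest", "given_name": "Guest",
                 "family_name": None, "email": "guest@example.com", "picture": None,
                 "roles": ["Guest"]}
GOOD_CLAIMS = {"aud": CLIENT_ID, "iat": _IAT, "exp": _IAT + 3600, "at_hash": "XXX",
               "iss": ISSUER, "sub": "max@example.com", "name": "Max",
               "given_name": "Max", "family_name": None, "email": "max@example.com",
               "picture": None, "roles": ["System Manager"]}
BROKEN_ID_TOKEN = make_unsigned_jwt(BROKEN_CLAIMS)
GOOD_ID_TOKEN = make_unsigned_jwt(GOOD_CLAIMS)
# Constructed userinfo response for the user who actually authenticated.
USERINFO = {"sub": "max@example.com", "name": "Max", "email": "max@example.com"}


if __name__ == "__main__":
    for label, token in (("broken", BROKEN_ID_TOKEN), ("good", GOOD_ID_TOKEN)):
        claims = decode_jwt_payload(token)
        print(label, validate_id_token_claims(claims, ISSUER, CLIENT_ID, now=_IAT + 3),
              "userinfo match:", userinfo_matches_id_token(claims, USERINFO))
```

Run stand-alone, the broken token fails on the null "sub" and also fails the userinfo cross-check, which is the second symptom in the post (Guest data in the token, the real user from the userinfo endpoint); the good token passes both. The "now" argument is fixed to just after the constructed iat so the expiry check does not depend on the wall clock.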

Are you using version 13?

It is fixed in version 14.

A backport to version 13 will be available soon.


Thanks! That fixed it :+1: