SAML or OAuth2 - Best bet for SSO and Plone 6 in 2022

Just checking in on the state of Single Sign-On and Plone.
Let's say I want to integrate something like Mattermost or Zulip with Plone 6 such that a user can use their Plone account to log into their chat/collaboration service. Between SAML and OAuth2, what's the best path to explore in 2022?

1 Like

We're using OpenID Connect with Plone and Zulip. I would choose an OAuth2-based system over SAML2 because of the simplicity and possible API usage scenarios. If you're lacking an IdP, Keycloak is a good choice (or some SaaS provider such as Okta).

Just to be clear, your setup uses Plone as an OpenID Connect auth provider and Zulip as the "client"?

No. We use a common external identity provider for both Zulip and Plone. I think that IdP functionality is in itself quite demanding and I wouldn't like it to be a side quest for Plone to manage. With Keycloak, for example, you get social auth capabilities, federation, etc.

I do not think it is a good idea to turn Plone into an identity provider. I think somebody already wrote a use-case-optimized add-on for Plone-as-OpenID-provider; if you really want to go this path I would look for it to see if you can build upon it.

I would add specialized software providing identities as a service of its own and use it in Plone and Zulip.

That makes a lot of sense.

@ju55i what package are you using to do OpenID Connect with Plone?

We're using pas.plugins.oidc and volto-oidc-addon. The latter one might be our own code. It has a description "Volto OIDC login integration on top of pas.plugins.oidc".

Thanks. I had not seen that plugin so I will take a look at it.

At Eau de Web we are also using pas.plugins.oidc.

@ju55i the volto-oidc-addon is an open source add-on? ... on a quick search I couldn't find it. Can you point some references to it if it's not private?

Thx,
Alec

Looks like it is not open sourced. I'll try to see if we can publish it. Bureaucracy has proven to be a bit difficult in these cases.

1 Like

@ju55i we can talk more in front of a beer at Plone Conf. :slight_smile:

@ju55i @alecghica Did you meet? Is this still current? Are there alternative Volto OIDC add-ons yet?

We implemented pas.plugins.oidc locally years ago, but did not feel comfortable to publish it, because we needed to include a few hacks to adapt to our OIDC service provider.

But now we are building a service against Keycloak, and would prefer to use community pas.plugins.oidc instead (and contribute there what we need).

We still need some time to upgrade our Volto OIDC add-on to use the community plugin and, of course, to work on the latest Volto, not to mention changes in the OIDC library we used (oidc-client-js => oidc-client-ts). It required uncomfortably many overrides: our approach was to do the whole OIDC flow completely on top of Volto, and then, with the ID token, create a session with the backend Plone too. That allowed the browser to keep tokens valid and pass the access_token to Plone when required. But that might require an additional change to the community pas.plugins.oidc...

1 Like

@datakurre we have successfully authenticated with Keycloak using its OIDC interface with pas.plugins.oidc, which now lives at GitHub - collective/pas.plugins.oidc: PAS plugin for OpenID Connect authentication

On Volto side, we just point the user to /api/acl_users/oidc/login. Our approach is to expose Plone under /api/ and do all the authentication and OIDC stuff on the backend.

1 Like

@erral With that setup, how does Volto get its auth_token, or is it able to reuse the ac-cookie? Or does it implicitly call the login endpoint to get its token with the cookie the browser already got from the backend?

Anyway, definitely sounds so simple, that we have to try that, before continuing... :smile:

When returning from Keycloak the user is directed to a view in the backend /api/acl_users/oidc/callback which initiates the appropriate session, creates the authentication tickets and sets the relevant cookies:

See: pas.plugins.oidc/view.py at main · collective/pas.plugins.oidc · GitHub and pas.plugins.oidc/plugins.py at main · collective/pas.plugins.oidc · GitHub
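To make the two backend steps named above (the redirect from /oidc/login and the checks at /oidc/callback before any session or cookie is created) concrete, here is an added, self-contained Python sketch of an OpenID Connect relying party doing the authorization code flow with PKCE. It is illustration code written for this thread, not code from pas.plugins.oidc or Keycloak. The issuer URL, client id, client secret and redirect URI are made up, the IdP is simulated in-process so the example runs offline, and the ID token is signed with HS256 using the client secret purely to avoid a key server; the same state, nonce, issuer, audience and expiry checks apply unchanged when the token is RS256-signed and verified against the issuer's JWKS.

```python
import base64, hashlib, hmac, json, secrets, time
from urllib.parse import parse_qs, urlencode, urlparse

# Assumed values for the illustration; none of them comes from the thread.
ISSUER = "https://idp.example.test/realms/plone"
CLIENT_ID = "plone"
CLIENT_SECRET = b"constructed-client-secret"
REDIRECT_URI = "https://plone.example.test/api/acl_users/oidc/callback"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def start_login(session: dict) -> str:
    """/oidc/login: bind state, nonce and a PKCE verifier to the server-side
    session, then send the browser to the IdP's authorization endpoint."""
    session["state"] = secrets.token_urlsafe(32)
    session["nonce"] = secrets.token_urlsafe(32)
    session["code_verifier"] = secrets.token_urlsafe(64)
    challenge = b64url(hashlib.sha256(session["code_verifier"].encode()).digest())
    params = {"response_type": "code", "client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
              "scope": "openid profile email", "state": session["state"], "nonce": session["nonce"],
              "code_challenge": challenge, "code_challenge_method": "S256"}
    return f"{ISSUER}/protocol/openid-connect/auth?{urlencode(params)}"


def verify_id_token(token: str, expected_nonce: str, now=None) -> dict:
    """Signature and claim checks a relying party must do before trusting an ID token.
    HS256 with the client secret keeps the example offline; with RS256 (Keycloak's
    default) the same checks apply, with the issuer's JWKS key in place of CLIENT_SECRET."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    if json.loads(b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # pin the algorithm; never accept "none"
    expected_sig = hmac.new(CLIENT_SECRET, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    aud = claims.get("aud")
    if claims.get("iss") != ISSUER or CLIENT_ID not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("issuer or audience mismatch")
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        raise ValueError("token expired")
    if not hmac.compare_digest(str(claims.get("nonce")), expected_nonce):
        raise ValueError("nonce mismatch")  # ties the token to this login attempt
    return claims


def handle_callback(session: dict, callback_url: str, exchange_code) -> dict:
    """/oidc/callback: check state (single use), redeem the code with the PKCE
    verifier, verify the ID token and return the claims the backend would map to
    a Plone user before creating the session and setting its cookies."""
    query = parse_qs(urlparse(callback_url).query)
    if "error" in query:
        raise ValueError(f"IdP returned error: {query['error'][0]}")
    expected_state = session.pop("state", None)
    if not expected_state or not hmac.compare_digest(expected_state, query.get("state", [""])[0]):
        raise ValueError("state mismatch (CSRF or stale login)")
    tokens = exchange_code(query["code"][0], session.pop("code_verifier"))
    return verify_id_token(tokens["id_token"], session.pop("nonce"))


class FakeIdP:
    """Stand-in for Keycloak so the flow runs offline: records the authorization
    request, hands out a one-time code and enforces PKCE at the token endpoint."""

    def __init__(self, subject: str = "alice"):
        self.subject, self.codes = subject, {}

    def authorize(self, auth_url: str) -> str:
        """Simulates the user logging in at the IdP; returns the redirect back to the RP."""
        q = {k: v[0] for k, v in parse_qs(urlparse(auth_url).query).items()}
        code = secrets.token_urlsafe(16)
        self.codes[code] = (q["code_challenge"], q["nonce"])
        return f"{q['redirect_uri']}?{urlencode({'code': code, 'state': q['state']})}"

    def exchange_code(self, code: str, code_verifier: str) -> dict:
        """Token endpoint: the code is redeemable once and only with the matching verifier."""
        entry = self.codes.pop(code, None)
        if entry is None:
            raise ValueError("unknown or already used code")
        challenge, nonce = entry
        if b64url(hashlib.sha256(code_verifier.encode()).digest()) != challenge:
            raise ValueError("PKCE verification failed")
        header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
        payload = b64url(json.dumps({"iss": ISSUER, "aud": CLIENT_ID, "sub": self.subject,
                                     "nonce": nonce, "iat": int(time.time()),
                                     "exp": int(time.time()) + 300}).encode())
        sig = hmac.new(CLIENT_SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        return {"id_token": f"{header}.{payload}.{b64url(sig)}"}


def demo() -> dict:
    """Full round trip: login redirect -> IdP -> callback -> verified claims."""
    idp, session = FakeIdP(), {}
    return handle_callback(session, idp.authorize(start_login(session)), idp.exchange_code)


if __name__ == "__main__":
    print(demo())
```

The point to take from it is that everything the callback trusts (state, nonce, code_verifier) was generated by the backend and bound to the server-side session at /oidc/login, so a forged or replayed callback URL fails before any Plone session, __ac ticket or JWT cookie is issued; a browser-side flow of the kind described earlier in the thread has to do exactly the same checks in the SPA instead.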

:smiley:

And only now I realize that of course the backend can also set the JWT cookie, and everything just works in Volto. Thanks. Having the OIDC login on the browser side would still allow the browser to manage token renewal, but just using the backend as you showed would get very far for free :sweat_smile:

@datakurre yes, we met! :slight_smile: Conclusion was that your Volto add-on is something very specific to your setup, nothing generic. Otherwise we use the same setup as @erral described.

1 Like

We have also been looking into OIDC and have a test setup now running that authenticates to Keycloak. @mauritsvanrees added some fixes and documentation for Keycloak to pas.plugins.oidc since the end of last year for this project and added a Challenge plugin to the add-on last week.

Hi @erral. How do you expose Plone under /api/?

I am trying to make SSO authentication work in Volto; it is already working in Zope, but the URLs I tried are not working:

http://localhost:3000/api/acl_users/oidc/login
http://localhost:3000/api/Plone/acl_users/oidc/login
http://localhost:3000/Plone/acl_users/oidc/login
http://localhost:3000/++api++/acl_users/oidc/login
http://localhost:3000/++api++/Plone/acl_users/oidc/login