Saml or Oauth2 - Best bet for SSO and Plone 6 in 2022

Hi ramiroluz:

We use nginx to expose Volto and Plone to the public, and we use a configuration like this to do so: bobtemplates.cs/volto.tpl at master · codesyntax/bobtemplates.cs · GitHub

With this configuration we have both and pointing the first to Volto and the second to Plone, and we get to expose /api and make the OIDC login process work.



Thank you @erral

We intend to adapt this conf to test local.

What is plone at the end? (Our site is Plone). We use backend and frontend as server names.

proxy_pass http://${buildout:projectname}plone;

Our default.conf:

# Plone backend (Zope) and Volto frontend, addressed by their compose service names.
upstream backend {
  server backend:8080;
}
upstream frontend {
  server frontend:3000;
}

server {
  listen 80  default_server;
  server_name  plone.localhost;

  # REST API calls go to the Plone backend through VirtualHostMonster,
  # so that the URLs Plone generates point back at this public host.
  location ~ /\+\+api\+\+($|/.*) {
      rewrite ^/(\+\+api\+\+\/?)+($|/.*) /VirtualHostBase/http/$server_name/Plone/++api++/VirtualHostRoot/$2 break;
      proxy_pass http://backend;
  }

  # Everything else is served by Volto.
  location ~ / {
      location ~* \.(js|jsx|css|less|swf|eot|ttf|otf|woff|woff2)$ {
          add_header Cache-Control "public";
          expires +1y;
          proxy_pass http://frontend;
      }
      location ~* static.*\.(ico|jpg|jpeg|png|gif|svg)$ {
          add_header Cache-Control "public";
          expires +1y;
          proxy_pass http://frontend;
      }

      # Pass the original host and client address on to Volto.
      proxy_set_header        Host $host;
      proxy_set_header        X-Real-IP $remote_addr;
      proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header        X-Forwarded-Proto $scheme;
      proxy_redirect http:// https://;
      proxy_pass http://frontend;
  }
}

We use this template to autogenerate the nginx configuration. ${buildout:projectname}plone is generated from buildout, and its definition is on the first lines of the file: bobtemplates.cs/volto.tpl at master · codesyntax/bobtemplates.cs · GitHub

In your case you would need to point to http://backend, because that's the name of the Plone backend service.

1 Like

Thanks, I was wondering how the template was being rendered and the value. It unblocked me big. You have a beer if you like.

1 Like

We have an issue with logout. When we go to localhost/api/acl_users/oidc/logout it fails complaining about the parameters. Maybe it relates to the keycloak version, 20.0.3.

Keycloak expects the following parameters:
* @param encodedIdToken Parameter "id_token_hint" as described in the specification.
* @param clientId Parameter "client_id" as described in the specification.
* @param postLogoutRedirectUri Parameter "post_logout_redirect_uri" as described in the specification with the URL to redirect after logout.

The plugin sends only redirect_uri as a parameter for the logout API endpoint.

I may be able to create a pull request if I learn how to get the encoded id token for the id_token_hint parameter.

1 Like
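As an added illustration (not code from pas.plugins.oidc or Keycloak), the following Python shows where the missing value comes from and what a logout request with the three parameters above looks like: id_token_hint is the raw `id_token` string from the token-endpoint response, kept verbatim in the session at login, and post_logout_redirect_uri should only ever be a value registered with the provider. The endpoint URL, client id and token response are constructed sample values.

```python
"""Build an OpenID Connect RP-initiated logout request (added example)."""
import json
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

# Constructed sample token-endpoint response; the id_token is a placeholder, not a real JWT.
SAMPLE_TOKEN_RESPONSE = json.dumps({
    "access_token": "ACCESS-TOKEN-PLACEHOLDER",
    "id_token": "eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiIxMjMifQ.SIGNATURE-PLACEHOLDER",
    "token_type": "Bearer",
    "expires_in": 300,
})


def id_token_hint_from_token_response(body):
    """Return the compact-serialized ID token exactly as the provider issued it.

    This header.payload.signature string is what id_token_hint carries; it is
    neither decoded nor re-encoded, so the RP must store it verbatim at login.
    """
    token = json.loads(body)["id_token"]
    if token.count(".") != 2:
        raise ValueError("id_token is not a compact JWS")
    return token


def build_logout_url(end_session_endpoint, id_token, client_id,
                     post_logout_redirect_uri, allowed_redirects):
    """Compose the end-session URL with id_token_hint, client_id and post_logout_redirect_uri.

    allowed_redirects is the RP's own exact-match list of URIs registered with
    the provider (assumed here to mirror the Keycloak client settings); refusing
    anything else keeps the logout link from acting as an open redirect.
    """
    if post_logout_redirect_uri not in allowed_redirects:
        raise ValueError("post_logout_redirect_uri is not a registered redirect")
    params = {
        "id_token_hint": id_token,
        "client_id": client_id,
        "post_logout_redirect_uri": post_logout_redirect_uri,
    }
    scheme, netloc, path, _query, _fragment = urlsplit(end_session_endpoint)
    return urlunsplit((scheme, netloc, path, urlencode(params), ""))


def logout_params(url):
    """Parse the query string of a logout URL back into a flat dict."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


if __name__ == "__main__":
    hint = id_token_hint_from_token_response(SAMPLE_TOKEN_RESPONSE)
    print(build_logout_url("http://keycloak:8080/realms/plone/protocol/openid-connect/logout",
                           hint, "plone", "http://plone.localhost/", {"http://plone.localhost/"}))
```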

My efforts were frustrated. I could not find the correct value to fill the missing parameter correctly.

@macagua, we may need an issue in pas.plugins.oidc. Can you help me check if there is an alternative to work with Keycloak 20.0.3? Maybe some option in Keycloak to use the 19.0.3 API? Or can we confirm we need to fix the lib?

It looks like the logout is not working also with the 19.0.3 version.

Maybe it is a configuration problem?

@erral do you know if the logout works for you?

1 Like

Hi @ramiroluz, please open an issue or rather a PR at GitHub - collective/pas.plugins.oidc: PAS plugin for OpenID Connect authentication, explaining your use case as well as possible.

We are using the product in many situations, but some parts of the product are still under development.

Sorry for my late reply, I have not followed the forum lately.


1 Like

Will do. Thanks @mamico

I did create a PR, but a friend asked me about this other plugin: pas.plugins.authomatic · PyPI. Could you tell me the difference between the plugins, please?

As far as I know, pas.plugins.authomatic is based on the Authomatic framework and implements many specific providers such as GitHub, Twitter, ... using OAuth1, OAuth2 and OpenID 2.0 (different from OpenID Connect).

pas.plugins.oidc uses the oic library, an implementation of the OpenID Connect framework (How OpenID Connect Works - OpenID Foundation). The OpenIdConnect framework is based on OAuth2.0 and was probably defined after the implementation of Authomatic.

Eventually they are similar in many ways, you can probably also use pas.plugins.authomatic with your own keycloak server, implementing a specific local provider, or you can use pas.plugins.oidc to authenticate some of the public OAuth2 providers (like Google or Github, for instance).

At the time, I started implementing and using pas.plugins.oidc because I preferred a well-defined generic framework over many implementations of specific providers. But it depends...


Nice thank you.

For the record, we are successfully using pas.plugins.oidc to authenticate with 3 different providers: EU Login (a European Commission service), Keycloak and Google.


@erral A question:

When you configure the user login with Keycloak, have you been able to login and logout with the user created in Plone?

Because at the moment I can only log in and log out with the administrator of the realms for Plone; I can only log in and log out with users created in Keycloak.

So, you asked me if this is the expected behavior with the pas.plugins.oidc addon to allow login and logout for users created with Keycloak or if you created a user in Plone, with both should you be able to login and logout?

pas.plugins.oidc works as an additional user source for your Plone site.

You can keep logging in to your site using your standard Plone users, and use OIDC to authenticate your users in Keycloak and come back to Plone.

What you can't do is log in to the Keycloak interface with your Plone users.

You will have 2 user sources: Plone and Keycloak. Keycloak will work as 'an authenticator'.

1 Like

Are you using Keycloak with groups?
I was wondering if I can fully manage Plone groups this way.