With this configuration we have both www.domain.com and www.domain.com/api pointing the first to Volto and the second to Plone, and we get to expose /api and make the OIDC login process work.
We have an issue with logout. When we go to localhost/api/acl_users/oidc/logout it fails complaining about the parameters. Maybe it relates to the keycloak version, 20.0.3.
The keycloak expects the following parameters:
* @param encodedIdToken Parameter "id_token_hint" as described in the specification.
* @param clientId Parameter "client_id" as described in the specification.
* @param postLogoutRedirectUri Parameter "post_logout_redirect_uri" as described in the specification with the URL to redirect after logout.
The plugin sends only redirect_uri as a parameter for the logout api endpoint.
I may be able to create a pull request if I learn how to get the encoded id token for the id_token_hint parameter.
My efforts were frustrated. I could not find the correct value to fill the missing parameter correctly.
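As an added example (not code from this thread or from pas.plugins.oidc), the following shows a logout URL built with only `redirect_uri`, as described above, next to one carrying the three parameters Keycloak lists; the endpoint URL, client id and ID token are constructed placeholders, and `id_token_hint` is assumed to be the raw ID token JWT the provider returned at login, passed through unchanged.

```python
from urllib.parse import urlencode, urlsplit, parse_qs

# Constructed sample values, not taken from the thread: a placeholder JWT
# standing in for the ID token received at login, and a placeholder realm URL.
SAMPLE_ID_TOKEN = "eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJ1c2VyMSJ9.c2ln"
END_SESSION_ENDPOINT = (
    "http://localhost:8080/realms/plone/protocol/openid-connect/logout"
)

# The parameters the thread says Keycloak expects on the logout endpoint.
REQUIRED_LOGOUT_PARAMS = ("id_token_hint", "client_id", "post_logout_redirect_uri")


def legacy_logout_url(end_session_endpoint, redirect_uri):
    """The shape described in the thread: only redirect_uri is sent."""
    return end_session_endpoint + "?" + urlencode({"redirect_uri": redirect_uri})


def rp_initiated_logout_url(end_session_endpoint, id_token, client_id,
                            post_logout_redirect_uri, state=None):
    """Build a logout URL with the three parameters Keycloak lists.

    id_token_hint carries the ID token exactly as issued (the JWT string);
    it is not re-encoded. An optional state value is echoed back after logout.
    """
    params = {
        "id_token_hint": id_token,
        "client_id": client_id,
        "post_logout_redirect_uri": post_logout_redirect_uri,
    }
    if state:
        params["state"] = state
    return end_session_endpoint + "?" + urlencode(params)


def logout_query(url):
    """Parse the query string of a logout URL into a flat dict (first value wins)."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


def missing_logout_params(url):
    """Return the required parameters a logout URL lacks; [] means complete."""
    query = logout_query(url)
    return [p for p in REQUIRED_LOGOUT_PARAMS if p not in query]
```

Running `missing_logout_params` over the URL the plugin currently produces reports all three names, which is a quick way to confirm the cause before touching the provider configuration.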
@macagua, we may need an issue in pas.plugin.oidc. Can you help me check if there is an alternative to work with KeyCloak 20.0.3? Maybe there is some option in KeyCloak to use the 19.0.3 API? Or can we confirm we need to fix the lib?
It looks like the logout is not working with the 19.0.3 version either.
I did create a PR, but a friend asked me about this other plugin: pas.plugins.authomatic · PyPI. Could you tell me the difference between the plugins, please?
As far as I know, pas.plugins.authomatic is based on the Authomatic framework and implements many specific providers such as Github, Twitter, ... using OAuth1, OAuth2, and OpenID 2.0 (different from OpenID Connect).
pas.plugins.oidc uses the oic library, an implementation of the OpenID Connect framework (How OpenID Connect Works - OpenID Foundation). The OpenID Connect framework is based on OAuth 2.0 and was probably defined after the implementation of Authomatic.
Eventually they are similar in many ways; you can probably also use pas.plugins.authomatic with your own keycloak server by implementing a specific local provider, or you can use pas.plugins.oidc to authenticate against some of the public OAuth2 providers (like Google or Github, for instance).
At the time, I started implementing and using pas.plugins.oidc because I preferred a well-defined generic framework over many implementations of specific providers. But it depends...
For the record, we are successfully using pas.plugins.oidc to authenticate with 3 different providers: EU Login (a European Commission service), Keycloak and Google.