Integrating Keycloak Sign-In (OAuth 2.0)
Using this module, users can directly log in or register at this HumHub installation with an account on an identity provider using Keycloak open source's application.
- If email is changed on the broker (IdP) or on Humhub, it can be automatically updated on Humhub or the broker
- Possibility to choose if user must be linked to the broker (IdP) from the broker's user ID or email
- Possibility to choose broker's (IdP) mapper name to use for Humhub's default username (on account creation)
- Can try auto login (only if anonymous registration is allowed)
cd my-humhub/protected/modules
git clone https://github.com/cuzy-app/humhub-modules-auth-keycloak.git auth-keycloak
cd auth-keycloak
composer install
And then enable module in Humhub's administration
Pretty URLs must be enabled (see documentation).
Create client on the broker (IdP) and configure it:
- Tab "Settings": "Access Type": choose
confidential
. Save settings. - Tab "Credentials": copy the secret key
- Tab "Mappers":
- "Add builtin" and check:
family name
,email
,given name
andusername
- Edit "username": in "Token Claim Name", replace
preferred_username
withid
- "Add builtin" and check:
Edit protected/config/common.php
and in the components
array, add:
'authClientCollection' => [
'clients' => [
'Keycloak' => [
'class' => 'humhub\modules\authKeycloak\authclient\Keycloak',
'authUrl' => 'https://idp-domain.tdl/auth/realms/master/protocol/openid-connect/auth',
'tokenUrl' => 'https://idp-domain.tdl/auth/realms/master/protocol/openid-connect/token',
'apiBaseUrl' => 'https://idp-domain.tdl/auth/realms/master/protocol/openid-connect',
'clientId' => 'xxxxxxxxxxx',
// Client secret is in the "Credentials" tab (if in the settings "Access Type" is set to "confidential")
'clientSecret' => 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxx',
// String attribute to match user tables with email or id
'idAttribute' => 'id',
// Keycloak mapper for username: 'preferred_username', 'sub' (to use Keycloak ID) or other custom Token Claim Name
'usernameMapper' => 'preferred_username',
// Title of the button (if autoLogin is disabled)
'title' => 'Connect with Keycloak',
// Automatic login (only if anonymous registration is allowed)
'autoLogin' => false,
// Hide username field in registration form
'hideRegistrationUsernameField' => false,
],
],
],
More options: see clients in authclient
folder
https://github.com/cuzy-app/humhub-modules-auth-keycloak
https://github.com/cuzy-app/humhub-modules-auth-keycloak/blob/main/docs/LICENCE.md